Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trojan.Win32.Agentb.bnrb. pls help.


  • This topic is locked This topic is locked
2 replies to this topic

#1 synz

synz

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 18 March 2015 - 08:57 AM

Dear all,

 

My pc is infected with Trojan.Win32.Agentb.bnrb (according to Kaspersky)

 

Kaspersky antivirus seem unable to clear it completely as the trojan keep re-appearing even after full scan while KAV keeps on disinfect or delete it everytime detected and its like never ending.

 

virus_zpshznrdnlb.jpg

 

 

Please help, below are the logs

 

DDS LOG:

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.0.0
Run by Ivan at 21:48:40 on 2015-03-18
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.60.1033.18.3892.1487 [GMT 8:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avp.exe
C:\windows\system32\atieclxx.exe
C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\SysWOW64\svchost.exe -k MK_Safe_CB0026C_INFO
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\windows\SysWOW64\cmd.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avpui.exe
C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
C:\Program Files (x86)\AntiLogger\AntiLogger.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\windows\system32\taskeng.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uProxyOverride = local
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll
uRunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_16_0_0_305_Plugin.exe -update plugin
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [WD Drive Unlocker] C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
mRun: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
mRun: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:60
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{2E10B7F6-593E-4EEA-874F-83DF50318884} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B84AA23E-829C-4481-AC25-EB07965F8338} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B84AA23E-829C-4481-AC25-EB07965F8338} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: {311BA51F-64F2-439D-9A4A-772373D77312} - <orphaned>
x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
x64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Run: [Classic Start Menu] "C:\Program Files\Classic Shell\ClassicStartMenu.exe"
x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
x64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forum.lowyat.net
FF - prefs.js: network.proxy.http - 49.213.23.11
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\content_blocker@kaspersky.com\npcontentblocker.dll
FF - plugin: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\virtual_keyboard@kaspersky.com\npvkplugin.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Users\Ivan\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Ivan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
FF - user.js: plugin.state.npcontentblocker - 2
.
============= SERVICES / DRIVERS ===============
.
R1 AntiLog32;AntiLog32;C:\windows\System32\drivers\AntiLog64.sys [2014-10-22 45880]
R1 klhk;klhk;C:\windows\System32\drivers\klhk.sys [2014-7-12 243808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\windows\System32\drivers\klim6.sys [2014-2-25 30304]
R1 klpd;klpd;C:\windows\System32\drivers\klpd.sys [2013-4-12 15456]
R1 kltdi;kltdi;C:\windows\System32\drivers\kltdi.sys [2014-3-25 55904]
R1 kneps;kneps;C:\windows\System32\drivers\kneps.sys [2014-3-26 179296]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2010-8-31 203264]
R2 AVP15.0.0;Kaspersky Anti-Virus Service 15.0.0;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avp.exe [2014-4-20 233552]
R2 BstHdDrv;BlueStacks Hypervisor;C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [2014-12-12 122072]
R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [2014-12-12 388824]
R2 BstHdUpdaterSvc;BlueStacks Updater Service;C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [2014-12-12 786136]
R2 cpuz133;cpuz133;C:\windows\System32\drivers\cpuz133_x64.sys [2010-4-12 20968]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-3-17 13336]
R2 MK_Safe_CB0026C_INFO;MK_Safe_CB0026C_INFO;C:\windows\System32\svchost.exe -k MK_Safe_CB0026C_INFO [2012-10-13 27648]
R2 PDFSFilter;PDFSFilter;C:\windows\System32\drivers\PDFsFilter.sys [2012-2-28 81424]
R2 TurboB;Turbo Boost UI Monitor driver;C:\windows\System32\drivers\TurboB.sys [2009-11-2 13784]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-3-17 2320920]
R2 WDBackup;WD Backup;C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [2012-6-14 1151424]
R2 WDDriveService;WD Drive Manager;C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [2012-6-13 248248]
R2 WDRulesService;WD Rules;C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [2012-6-14 1177536]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\System32\drivers\HECIx64.sys [2010-1-4 56344]
R3 Impcd;Impcd;C:\windows\System32\drivers\Impcd.sys [2009-12-17 151936]
R3 intelkmd;intelkmd;C:\windows\System32\drivers\igdpmd64.sys [2010-7-19 10603904]
R3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2010-1-20 156784]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\System32\drivers\k57nd60a.sys [2009-10-16 321064]
R3 klflt;Kaspersky Lab Kernel DLL;C:\windows\System32\drivers\klflt.sys [2014-7-12 141320]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\windows\System32\drivers\klkbdflt.sys [2014-3-28 28768]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\windows\System32\drivers\klmouflt.sys [2013-8-8 29280]
R3 vm332avs;Lenovo Camera2;C:\windows\System32\drivers\vm332avs.sys [2010-1-10 214000]
S2 BstHdAndroidSvc;BlueStacks Android Service;C:\Program Files (x86)\BlueStacks\HD-Service.exe [2014-12-12 409304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2015-3-16 1871160]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2015-3-16 969016]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2014-4-3 315008]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\System32\drivers\AcpiVpc.sys [2010-3-17 28176]
S3 btusbflt;Bluetooth USB Filter;C:\windows\System32\drivers\btusbflt.sys [2010-4-14 54824]
S3 btwl2cap;Bluetooth L2CAP Service;C:\windows\System32\drivers\btwl2cap.sys [2011-1-5 35104]
S3 epmntdrv;epmntdrv;C:\windows\System32\epmntdrv.sys [2012-10-15 16776]
S3 EuGdiDrv;EuGdiDrv;C:\windows\System32\EuGdiDrv.sys [2012-10-15 9096]
S3 ggflt;SEMC USB Flash Driver Filter;C:\windows\System32\drivers\ggflt.sys [2012-1-28 13352]
S3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2010-12-29 25816]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\windows\System32\drivers\mwac.sys [2015-3-16 63704]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\System32\drivers\NETw5s64.sys [2010-1-4 6952960]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\windows\System32\drivers\netw5v64.sys [2009-6-11 5434368]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 rak;rak;C:\Program Files (x86)\Softnyx\RakionIS\Bin\rakion64.sys [2012-1-5 45176]
S3 Sony PC Companion;Sony PC Companion;C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe [2012-1-28 155320]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 usbrndis6;USB RNDIS6 Adapter;C:\windows\System32\drivers\usb80236.sys [2009-7-14 19968]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-5-6 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\windows\System32\drivers\wdcsam64.sys [2012-6-13 14464]
S3 wsvd;wsvd;C:\windows\System32\drivers\wsvd.sys [2009-7-21 121840]
.
=============== Created Last 30 ================
.
2015-03-16 16:00:02    --------    d-----w-    C:\Users\Ivan\AppData\Local\iWesoft
2015-03-16 15:59:26    --------    d-----w-    C:\Program Files (x86)\Instagram Downloader
2015-03-16 15:57:33    --------    d-----w-    C:\Users\Ivan\AppData\Roaming\RHEng
2015-03-16 09:27:21    129752    ----a-w-    C:\windows\System32\drivers\MBAMSwissArmy.sys
2015-03-16 09:26:50    93400    ----a-w-    C:\windows\System32\drivers\mbamchameleon.sys
2015-03-16 09:26:49    63704    ----a-w-    C:\windows\System32\drivers\mwac.sys
2015-03-16 09:26:49    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-03-15 13:43:51    --------    d-----w-    C:\Program Files\CCleaner
2015-03-06 10:34:59    50288    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2015-03-06 10:34:59    253952    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\components\CheckTudouVa.dll
2015-03-06 10:34:59    20592    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll
2015-03-06 10:34:59    109680    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
.
==================== Find3M  ====================
.
2015-02-05 16:28:15    71344    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-05 16:28:15    701616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 21:49:15.54 ===============
 

 

HIJACKTHIS LOG

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:50:59 PM, on 18/3/2015
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
CHROME: 8.0.552.215
FIREFOX: 36.0.1 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avpui.exe
C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
C:\Program Files (x86)\AntiLogger\AntiLogger.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
C:\Program Files (x86)\mIRC\mirc.exe
E:\Downloads\HijackThis.exe
C:\windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ContentBlockerBrowserHelperObject - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WD Drive Unlocker] C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - HKLM\..\Run: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_16_0_0_305_Plugin.exe -update plugin
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
O9 - Extra button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B84AA23E-829C-4481-AC25-EB07965F8338}: NameServer = 8.8.8.8,8.8.4.4
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service 15.0.0 (AVP15.0.0) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avp.exe
O23 - Service: BlueStacks Android Service (BstHdAndroidSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-Service.exe
O23 - Service: BlueStacks Log Rotator Service (BstHdLogRotatorSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
O23 - Service: BlueStacks Updater Service (BstHdUpdaterSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Unknown owner - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: Sony PC Companion - Avanquest Software - C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: TurboBoost - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: WD Backup (WDBackup) - Western Digital  - C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: WD Rules (WDRulesService) - Western Digital  - C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11897 bytes
 

 

FRST LOG

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Ivan (administrator) on IVANLNV on 18-03-2015 21:51:33
Running from E:\Downloads
Loaded Profiles: Ivan (Available profiles: Ivan)
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avp.exe
(AMD) C:\Windows\System32\atieclxx.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Raxco Software, Inc.) C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Western Digital) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avpui.exe
(Western Digital) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Zemana Ltd.) C:\Program Files (x86)\AntiLogger\AntiLogger.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Raxco Software, Inc.) C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
(Raxco Software, Inc.) C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(mIRC Co. Ltd.) C:\Program Files (x86)\mIRC\mirc.exe
(mIRC Co. Ltd.) C:\Program Files (x86)\mIRC\mirc.exe
(mIRC Co. Ltd.) C:\Program Files (x86)\mIRC\mirc.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(mIRC Co. Ltd.) C:\Program Files (x86)\mIRC\mirc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [98816 2010-05-01] (IvoSoft)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-08-31] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1688008 2012-06-13] (Western Digital)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5235128 2012-06-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [AntiLogger] => C:\Program Files (x86)\AntiLogger\AntiLogger.exe [13091312 2012-11-02] (Zemana Ltd.)
Winlogon\Notify\igfxcui: C:\windows\SYSTEM32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2510227323-1821458481-1787021517-1000\...\RunOnce: [FlashPlayerUpdate] => C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_16_0_0_305_Plugin.exe [960688 2015-02-06] (Adobe Systems Incorporated)
HKU\S-1-5-21-2510227323-1821458481-1787021517-1000\...\MountPoints2: {1ce14afe-56aa-11df-961f-506313fc8b65} - G:\autorun.exe
HKU\S-1-5-21-2510227323-1821458481-1787021517-1000\...\MountPoints2: {e12204e0-5f9c-11e2-89a4-c80aa924f1ae} - "G:\WD Drive Unlock.exe" autoplay=true
ShellIconOverlayIdentifiers: [0_sxBZOverlayIcon] -> {6457FB0A-5C02-4393-909C-2139A5D5571F} =>  No File
ShellIconOverlayIdentifiers: [0_sxConfidentialOIcon] -> {871FE18B-B68D-4437-BC76-6634996CDB97} =>  No File
ShellIconOverlayIdentifiers: [0_sxForbiddenOIcon] -> {1F03249C-6AB2-4E31-8C10-86F7E31E3B4E} =>  No File
BootExecute: PDBoot.exeautocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2510227323-1821458481-1787021517-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> {1FF7973D-AB0A-496d-82C1-4EADBBA11E7B} URL = http://www.soso.com/q?sc=web&cid=th.ub&w={searchTerms}&gid=QWbWhuUeGkGIJlfpdI-bUm010wc60000&lr=&ie={inputEncoding}&unc=y400372
SearchScopes: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=utf8kb_oem_dg
BHO: No Name -> {311BA51F-64F2-439D-9A4A-772373D77312} ->  No File
BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-10-08] (Kaspersky Lab ZAO)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2011-08-19] (Oracle Corporation)
BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO-x32: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO-x32: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-10-08] (Kaspersky Lab ZAO)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files (x86)\Free Download Manager\iefdm2.dll [2014-04-29] (FreeDownloadManager.ORG)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2011-08-19] (Oracle Corporation)
BHO-x32: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO)
Toolbar: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
DPF: HKLM-x32 {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{B84AA23E-829C-4481-AC25-EB07965F8338}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF ProfilePath: C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default
FF DefaultSearchEngine: Google
FF SelectedSearchEngine: Google
FF Homepage: hxxp://forum.lowyat.net
FF NetworkProxy: "http", "49.213.23.11"
FF NetworkProxy: "http_port", 80
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-06] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll [2011-08-19] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-06] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw.dll [2011-02-02] (Adobe Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2011-07-19] (Foxit Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll [2011-08-19] (Oracle Corporation)
FF Plugin-x32: @kaspersky.com/content_blocker -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\content_blocker@kaspersky.com [2014-10-08] ()
FF Plugin-x32: @kaspersky.com/virtual_keyboard -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-10-08] ()
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2010-06-01] (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll [2010-02-16] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-16] (RealNetworks, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin-x32: @xigua.com/npxgax -> C:\Program Files (x86)\xigua\2.11.0.37\npxgax.dll No File
FF Plugin HKU\S-1-5-21-2510227323-1821458481-1787021517-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Ivan\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-2510227323-1821458481-1787021517-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Ivan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2013-07-20] (Unity Technologies ApS)
FF user.js: detected! => C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\user.js [2014-07-12]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll [2011-08-19] (Oracle Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppl3260.dll [2010-02-16] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2010-04-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2010-04-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2010-04-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2010-04-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2010-04-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll [2010-04-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprpjplug.dll [2010-02-16] (RealNetworks, Inc.)
FF SearchPlugin: C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\searchplugins\google-.xml [2012-09-15]
FF SearchPlugin: C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\searchplugins\google-dictionary-.xml [2011-08-05]
FF SearchPlugin: C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\searchplugins\urban-dictionary.xml [2011-05-26]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\adblockpopups@jessehakanen.net.xpi [2013-01-21]
FF Extension: Add to Search Bar - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\add-to-searchbox@maltekraus.de.xpi [2011-08-05]
FF Extension: Status-4-Evar - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\status4evar@caligonstudios.com.xpi [2011-05-15]
FF Extension: FlashGot - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2011-05-15]
FF Extension: NoScript - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2013-01-10]
FF Extension: Video DownloadHelper - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-03-15]
FF Extension: Adblock Plus - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011-05-15]
FF Extension: Greasemonkey - C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2013-01-10]
FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\content_blocker@kaspersky.com
FF Extension: Ngăn chặn trang web nguy hiểm - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\content_blocker@kaspersky.com [2014-07-12]
FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\virtual_keyboard@kaspersky.com
FF Extension: Bàn phím ảo - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-07-12]
FF HKLM-x32\...\Firefox\Extensions: [url_advisor@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\url_advisor@kaspersky.com
FF Extension: Công cụ kiểm tra liên kết của Kaspersky - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\FFExt\url_advisor@kaspersky.com [2014-07-12]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Profile: C:\Users\Ivan\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
StartMenuInternet: Google Chrome - C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVP15.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\avp.exe [233552 2014-04-20] (Kaspersky Lab ZAO)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [409304 2014-12-12] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [388824 2014-12-12] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [786136 2014-12-12] (BlueStack Systems, Inc.)
S3 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [864032 2009-07-01] (Broadcom Corporation.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 MK_Safe_CB0026C_INFO; C:\windows\temp\MK_Safe_0026C72058B7.dll [376664 2014-11-03] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2009-10-21] (CACE Technologies, Inc.)
S3 Sony PC Companion; C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe [155320 2012-01-18] (Avanquest Software) [File not signed]
R2 Themes; C:\Windows\system32\themeservice.dll [44544 2010-12-10] (Microsoft Corporation) [File not signed]
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1151424 2012-06-14] (Western Digital )
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248248 2012-06-13] (Western Digital)
R2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1177536 2012-06-14] (Western Digital )
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AntiLog32; C:\windows\system32\drivers\AntiLog64.sys [45880 2014-10-22] (Zemana Ltd.)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [122072 2014-12-12] (BlueStack Systems)
R2 cpuz133; C:\windows\system32\drivers\cpuz133_x64.sys [20968 2010-03-30] (Windows ® Win 7 DDK provider)
S3 epmntdrv; C:\windows\system32\epmntdrv.sys [16776 2011-07-29] () [File not signed]
S3 epmntdrv; C:\windows\SysWOW64\epmntdrv.sys [14216 2011-07-29] () [File not signed]
S3 EuGdiDrv; C:\windows\system32\EuGdiDrv.sys [9096 2011-07-29] () [File not signed]
S3 EuGdiDrv; C:\windows\SysWOW64\EuGdiDrv.sys [8456 2011-07-29] () [File not signed]
U5 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42840 2009-06-11] (Microsoft Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [457824 2014-02-20] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [141320 2014-10-08] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [243808 2014-04-10] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [793800 2014-10-08] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [30304 2014-02-25] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [28768 2014-03-28] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [29280 2013-08-08] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [55904 2014-03-25] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [179296 2014-03-26] (Kaspersky Lab ZAO)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [47632 2009-10-21] (CACE Technologies, Inc.)
S3 rak; C:\Program Files (x86)\Softnyx\RakionIS\Bin\rakion64.sys [45176 2012-01-05] ()
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-05-03] () [File not signed]
R2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13784 2009-11-02] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-02] ()
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
U3 BcmSqlStartupSvc; No ImagePath
S3 GarenaPEngine; \??\C:\Users\Ivan\AppData\Local\Temp\DGNA026.tmp [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\plugins\UI\safedrv.sys [X]
U2 IviRegMgr; No ImagePath
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
S1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [X]
U3 SQLWriter; No ImagePath
S3 wdmirror; system32\DRIVERS\WDMirror.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-18 21:51 - 2015-03-18 21:51 - 00000000 ____D () C:\FRST
2015-03-18 21:50 - 2015-03-18 21:50 - 00011899 _____ () C:\Users\Ivan\Documents\hijackthis.logfewrerg
2015-03-18 21:49 - 2015-03-18 21:49 - 00018741 _____ () C:\Users\Ivan\Desktop\dds.txt
2015-03-18 21:49 - 2015-03-18 21:49 - 00015392 _____ () C:\Users\Ivan\Desktop\attach.txt
2015-03-18 14:24 - 2015-03-18 14:24 - 00011600 _____ () C:\Users\Ivan\Documents\hijackthis18-3.log
2015-03-18 14:13 - 2015-03-18 14:14 - 02171392 _____ () C:\Users\Ivan\Desktop\AdwCleaner.exe
2015-03-17 21:21 - 2015-03-17 21:21 - 00262144 _____ () C:\windows\system32\config\elam
2015-03-17 00:00 - 2015-03-17 00:08 - 00000000 ____D () C:\Users\Ivan\AppData\Local\iWesoft
2015-03-16 23:59 - 2015-03-16 23:59 - 00001246 _____ () C:\Users\Ivan\Desktop\Instagram Downloader.lnk
2015-03-16 23:59 - 2015-03-16 23:59 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Instagram Downloader
2015-03-16 23:59 - 2015-03-16 23:59 - 00000000 ____D () C:\Program Files (x86)\Instagram Downloader
2015-03-16 23:57 - 2015-03-16 23:57 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\RHEng
2015-03-16 18:20 - 2015-03-16 18:23 - 00000000 ____D () C:\Users\Ivan\Desktop\ascenda
2015-03-16 17:29 - 2015-03-18 13:38 - 00006324 _____ () C:\windows\PFRO.log
2015-03-16 17:27 - 2015-03-18 21:17 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-16 17:26 - 2015-03-16 17:26 - 00001072 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-16 17:26 - 2015-03-16 17:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-16 17:26 - 2015-03-16 17:26 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-03-16 17:26 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-03-16 17:26 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-03-16 15:47 - 2015-03-18 14:56 - 00010466 _____ () C:\windows\WindowsUpdate.log
2015-03-15 21:49 - 2015-03-18 20:58 - 00000896 _____ () C:\windows\setupact.log
2015-03-15 21:49 - 2015-03-15 21:49 - 00475592 _____ () C:\windows\system32\FNTCACHE.DAT
2015-03-15 21:49 - 2015-03-15 21:49 - 00000000 _____ () C:\windows\setuperr.log
2015-03-15 21:45 - 2015-03-15 21:46 - 00122152 _____ () C:\Users\Ivan\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-15 21:43 - 2015-03-15 21:43 - 00002770 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2015-03-15 21:43 - 2015-03-15 21:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-03-15 21:43 - 2015-03-15 21:43 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-14 15:20 - 2015-03-14 15:20 - 00000000 ____D () C:\Users\Ivan\Desktop\bills
2015-03-12 23:00 - 2015-03-12 23:00 - 00225821 _____ () C:\Users\Ivan\Downloads\D34A.tmp
2015-03-12 22:57 - 2015-03-12 22:57 - 00226150 _____ () C:\Users\Ivan\Downloads\E4DE.tmp
2015-03-12 21:49 - 2015-03-12 21:49 - 00003075 _____ () C:\Users\Ivan\Downloads\8D1A.tmp
2015-03-06 18:34 - 2015-03-15 21:41 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-17 17:13 - 2015-02-17 17:26 - 00000000 ____D () C:\Users\Ivan\Desktop\New folder (7)

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-18 21:45 - 2012-05-03 00:35 - 00000924 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2510227323-1821458481-1787021517-1000UA.job
2015-03-18 21:45 - 2012-05-03 00:35 - 00000902 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2510227323-1821458481-1787021517-1000Core.job
2015-03-18 21:42 - 2010-04-14 16:29 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\mIRC
2015-03-18 21:41 - 2010-11-10 11:07 - 00000000 ____D () C:\Program Files (x86)\mIRC
2015-03-18 21:28 - 2013-06-29 13:15 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-03-18 21:13 - 2014-07-12 16:53 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-03-18 21:13 - 2011-08-17 15:54 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-18 21:12 - 2009-07-14 12:45 - 00019520 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-18 21:12 - 2009-07-14 12:45 - 00019520 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-18 21:10 - 2012-05-01 19:38 - 00003486 _____ () C:\windows\System32\Tasks\AutoKMS
2015-03-18 20:58 - 2011-08-17 15:54 - 00000890 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-18 20:58 - 2009-07-14 13:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-03-18 14:32 - 2014-11-02 23:28 - 00000000 ____D () C:\AdwCleaner
2015-03-18 14:29 - 2009-07-14 13:13 - 00779266 _____ () C:\windows\system32\PerfStringBackup.INI
2015-03-18 13:38 - 2014-07-12 17:10 - 00000000 ____D () C:\windows\ELAMBKUP
2015-03-17 00:04 - 2010-12-29 14:55 - 00000000 ___RD () C:\Users\Ivan\Desktop\rename
2015-03-17 00:04 - 2010-12-27 14:10 - 00000059 _____ () C:\Users\Ivan\Desktop\rename.bat
2015-03-16 17:26 - 2010-12-29 15:39 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-16 17:25 - 2013-05-21 23:32 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\Cogniview
2015-03-16 17:25 - 2011-12-29 17:54 - 00000000 ____D () C:\Program Files (x86)\eRightSoft
2015-03-16 01:29 - 2014-01-28 23:10 - 00000000 ____D () C:\Users\Ivan\Desktop\wanimal
2015-03-16 00:11 - 2011-08-29 00:59 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\Skype
2015-03-15 21:47 - 2015-01-17 15:43 - 00000000 ____D () C:\ProgramData\BlueStacksSetup
2015-03-15 21:47 - 2010-10-28 11:35 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\Vso
2015-03-15 21:41 - 2014-07-13 23:17 - 00000000 ____D () C:\Users\Ivan\AppData\Roaming\Free Download Manager
2015-03-15 21:41 - 2010-04-12 20:26 - 00000000 ____D () C:\Users\Ivan\Tracing
2015-03-15 21:35 - 2010-04-14 17:11 - 00000000 ___RD () C:\Users\Ivan\Desktop\Utilities
2015-03-14 17:01 - 2010-04-25 21:09 - 00000000 ____D () C:\Users\Ivan\dwhelper
2015-03-11 22:28 - 2013-08-19 23:50 - 00000000 ____D () C:\Users\Ivan\Desktop\New folder (6)
2015-03-08 23:18 - 2009-07-14 11:20 - 00000000 ____D () C:\windows\system32\NDF
2015-03-07 18:01 - 2010-06-26 17:52 - 00000000 ____D () C:\Users\Ivan\AppData\Local\Paint.NET
2015-03-07 15:34 - 2012-05-03 20:04 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-22 21:48 - 2010-04-13 12:52 - 00051496 _____ () C:\Users\Ivan\Desktop\New Text Document.txt
2015-02-16 21:55 - 2014-09-27 16:53 - 00000721 _____ () C:\Users\Ivan\Desktop\New Text Document (2).txt

==================== Files in the root of some directories =======

2010-06-21 15:00 - 2014-11-04 22:32 - 0001042 _____ () C:\Users\Ivan\AppData\Roaming\coreavc.ini
2011-02-28 11:32 - 2011-02-28 11:32 - 0099384 _____ () C:\Users\Ivan\AppData\Roaming\inst.exe
2013-05-21 23:33 - 2013-05-21 23:33 - 0000288 _____ () C:\Users\Ivan\AppData\Roaming\MSMtch.dat
2011-02-28 11:32 - 2011-02-28 11:32 - 0007859 _____ () C:\Users\Ivan\AppData\Roaming\pcouffin.cat
2011-02-28 11:32 - 2011-02-28 11:32 - 0001167 _____ () C:\Users\Ivan\AppData\Roaming\pcouffin.inf
2011-02-28 11:32 - 2011-02-28 11:32 - 0000055 _____ () C:\Users\Ivan\AppData\Roaming\pcouffin.log
2011-02-28 11:32 - 2011-02-28 11:32 - 0082816 _____ (VSO Software) C:\Users\Ivan\AppData\Roaming\pcouffin.sys
2010-10-28 11:35 - 2012-11-23 14:04 - 0027985 _____ () C:\Users\Ivan\AppData\Roaming\vso_ts_preview.xml
2010-04-26 16:30 - 2010-04-26 16:30 - 0003584 _____ () C:\Users\Ivan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-03 21:35 - 2012-08-03 21:35 - 0000840 _____ () C:\Users\Ivan\AppData\Local\recently-used.xbel
2010-05-20 17:00 - 2010-10-14 17:43 - 0007597 _____ () C:\Users\Ivan\AppData\Local\Resmon.ResmonCfg
2011-08-26 22:19 - 2011-08-26 22:19 - 0000000 _____ () C:\Users\Ivan\AppData\Local\{CB8A8353-C841-4666-A16B-E0BB4E5B4965}
2011-01-05 00:09 - 2011-01-05 00:16 - 0000193 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc
2013-05-21 23:33 - 2013-05-21 23:33 - 0000288 _____ () C:\ProgramData\PDF2XL-5-0.TrialData
2003-10-06 16:21 - 2003-10-06 16:21 - 0000000 ____H () C:\ProgramData\sdpsenv.dat

Files to move or delete:
====================
C:\ProgramData\sdpsenv.dat


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-01 14:57

==================== End Of Log ============================


Edited by synz, 18 March 2015 - 09:02 AM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 22 March 2015 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

ShellIconOverlayIdentifiers: [0_sxBZOverlayIcon] -> {6457FB0A-5C02-4393-909C-2139A5D5571F} =>  No File
ShellIconOverlayIdentifiers: [0_sxConfidentialOIcon] -> {871FE18B-B68D-4437-BC76-6634996CDB97} =>  No File
ShellIconOverlayIdentifiers: [0_sxForbiddenOIcon] -> {1F03249C-6AB2-4E31-8C10-86F7E31E3B4E} =>  No File
HKU\S-1-5-21-2510227323-1821458481-1787021517-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=utf8kb_oem_dg
BHO: No Name -> {311BA51F-64F2-439D-9A4A-772373D77312} ->  No File
Toolbar: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-2510227323-1821458481-1787021517-1000 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin-x32: @xigua.com/npxgax -> C:\Program Files (x86)\xigua\2.11.0.37\npxgax.dll No File
FF user.js: detected! => C:\Users\Ivan\AppData\Roaming\Mozilla\Firefox\Profiles\nobshlds.default\user.js [2014-07-12]
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
U3 BcmSqlStartupSvc; No ImagePath
S3 GarenaPEngine; \??\C:\Users\Ivan\AppData\Local\Temp\DGNA026.tmp [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\plugins\UI\safedrv.sys [X]
U2 IviRegMgr; No ImagePath
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
S1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [X]
U3 SQLWriter; No ImagePath
S3 wdmirror; system32\DRIVERS\WDMirror.sys [X]

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:34 AM

Posted 27 March 2015 - 09:12 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users