Still infected after running numerous AV/AM/AS programs

This topic is locked
24 replies to this topic

#1 oculum
  • Members
  • 13 posts

Posted 18 March 2015 - 07:08 PM

Hi everyone, I'm working on a friend's computer, and I do a lot of computer repair (malware/virus removal typically) at work, but this particular infection has me stumped. I've run Avast, AdwCleaner, Malwarebytes, RogueKiller (stalls at cmwf.sys so I can't complete), TDSSKiller, SUPERAntiSpyware, HitmanPro, and probably a couple others that I'm forgetting. Over 2000 traces of malware were found and removed, including about every type of malware and over a dozen trojans as well.

Despite this, I'm still having malware notifications pop up through the antivirus. Below is my FRST.txt log and Addition.txt is attached.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Drake (administrator) on DRAKE-PC on 18-03-2015 20:06:10
Running from C:\Users\Drake\Downloads
Loaded Profiles: Drake (Available profiles: Drake)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(InstallShield Software Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\Drake\Downloads\RogueKillerX64 (1).exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [107816 2011-03-09] (CyberLink)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2012-06-15] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe [234000 2012-06-15] (CyberLink Corp.)
HKLM-x32\...\Run: [LGODDFU] => C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-12] (Bitleader)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [444760 2014-03-07] (Razer Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [69632 2004-04-13] (InstallShield Software Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-02-27] (AVAST Software)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1940160 2014-11-18] (Valve Corporation)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe [37632 2014-02-16] (Overwolf LTD)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [26232152 2015-02-19] (Google)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [30522472 2014-11-28] (Skype Technologies S.A.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2014-10-20] (Apple Inc.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [196608 2004-04-17] (InstallShield Software Corporation)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-22] (SUPERAntiSpyware)
HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "\SearchProtect"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files (x86)\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-04-09] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-02-27] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-04-09] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-02-27] (AVAST Software)
Toolbar: HKU\S-1-5-21-3810231965-2665440232-335968719-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {0D41B8C5-2599-4893-8183-00195EC8D5F9} https://www.asus.com/support/asusTek_sys_ctrl3.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-26] ()
FF Plugin: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\system32\npDeployJava1.dll [2013-04-09] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-04-09] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-26] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 -> C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll No File
FF Plugin-x32: @esn/npbattlelog,version=2.3.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll [2014-03-24] (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=10.21.2 -> C:\WINDOWS\SysWOW64\npDeployJava1.dll [2013-04-04] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-26] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-26] (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-02-27]
FF HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Firefox\Extensions: [{94AC1397-3EEF-85D7-0C32-1BCFC464C5E7}] - C:\Program Files (x86)\ver0BlockAndSurf\185.xpi
 
Chrome: 
=======
CHR Profile: C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Default
CHR Profile: C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Prezi) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\acoonfmhnndodekhecidldfdjgooefpg [2014-09-01]
CHR Extension: (Duolingo Web) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aiahmijlpehemcpleichkcokhegllfjl [2014-09-01]
CHR Extension: (Google Docs) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-29]
CHR Extension: (Google Drive) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-29]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-29]
CHR Extension: (YouTube) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-29]
CHR Extension: (Vafmusic2) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cbjibcbpmbcabnfnohhgjjmkgkimajko [2014-08-29]
CHR Extension: (2048) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\clgddkicplcbgjfobecebadodeggpghp [2014-09-01]
CHR Extension: (Google Search) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-29]
CHR Extension: (Pandora) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fbangkleohkafngihneedemihgfeikcl [2014-09-03]
CHR Extension: (MixiDJ V5) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fdepacjoijebcfaaenjicnejghibmebp [2014-08-29]
CHR Extension: (WhiteSmoke New) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi [2014-08-29]
CHR Extension: (Blogger) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lejliakmhcfhakneflmicaoikhbicggc [2014-09-01]
CHR Extension: (Google Wallet) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-29]
CHR Extension: (PowToon Edu) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ogodblbnhpbcmcjcoopbalconhnloagl [2014-09-01]
CHR Extension: (Gmail) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-29]
CHR Profile: C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4
CHR Extension: (Google Slides) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-07]
CHR Extension: (Google Docs) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-07]
CHR Extension: (Google Drive) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-07]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-07]
CHR Extension: (YouTube) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-07]
CHR Extension: (Adblock Plus) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-02-27]
CHR Extension: (Google Search) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-07]
CHR Extension: (Google Sheets) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-07]
CHR Extension: (Cinemax Plus 1.9cV26.02) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fjfiaeaopgmgbenipljajjipecobmbni [2015-02-26]
CHR Extension: (Avast Online Security) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-02-27]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2015-01-07]
CHR Extension: (Google Wallet) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-07]
CHR Extension: (Gmail) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-07]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-01-07]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-02-27]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-02-27] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2015-02-27] (Avast Software)
S3 EasyAntiCheat; C:\WINDOWS\SysWOW64\EasyAntiCheat.exe [174112 2014-11-03] (EasyAntiCheat Ltd)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S3 OverwolfUpdaterService; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [98560 2014-02-16] (Overwolf LTD)
R2 PnkBstrA; C:\WINDOWS\SysWOW64\PnkBstrA.exe [76888 2014-03-25] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2013-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2013-10-30] (Microsoft Corporation)
S2 ba8bdfd1; "C:\WINDOWS\system32\rundll32.exe" "c:\Program Files (x86)\PragmaSystem\PragmaSystem.dll",serv
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 asahci64; C:\Windows\System32\drivers\asahci64.sys [49760 2012-01-06] (Asmedia Technology)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-02-27] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-02-27] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-02-27] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-02-27] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-02-27] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-02-27] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-02-27] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-02-27] ()
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [211456 2013-12-30] () [File not signed]
R3 AU8168; C:\Windows\system32\DRIVERS\au630x64.sys [792648 2013-09-23] (Realtek                                            )
S3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2015-02-27] (Emsisoft GmbH)
R1 cmwf; C:\WINDOWS\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed] <==== ATTENTION
R1 cmwr; C:\WINDOWS\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed] <==== ATTENTION
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-12-14] (Symantec Corporation)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [35328 2013-12-30] () [File not signed]
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-18] (Malwarebytes Corporation)
S3 rt70x64; C:\Windows\system32\DRIVERS\netr7064.sys [308224 2006-12-27] (Ralink Technology Inc.)
S3 RtlWlanu; C:\Windows\system32\DRIVERS\wna3100m.sys [1577760 2012-08-16] (Realtek Semiconductor Corporation                           )
S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [39080 2013-11-15] (Razer Inc)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-03-18] ()
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2012-12-13] (Apple, Inc.) [File not signed]
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [271752 2015-02-27] (Avast Software)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2013-10-30] (Microsoft Corporation)
S2 CMWFP; \??\C:\WINDOWS\system32\Drivers\CMWFP64.sys [X]
S3 IntcAzAudAddService; \SystemRoot\system32\drivers\RTKVHD64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-18 20:06 - 2015-03-18 20:06 - 00021473 _____ () C:\Users\Drake\Downloads\FRST.txt
2015-03-18 20:06 - 2015-03-18 20:06 - 00000000 ____D () C:\FRST
2015-03-18 20:04 - 2015-03-18 20:04 - 02095616 _____ (Farbar) C:\Users\Drake\Downloads\FRST64.exe
2015-03-18 19:56 - 2015-03-18 19:57 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Drake\Downloads\tdsskiller.exe
2015-03-18 19:51 - 2015-03-18 19:53 - 229979832 _____ (COMODO) C:\Users\Drake\Downloads\cispremium_installer_6100_08.exe
2015-03-18 19:43 - 2015-03-18 19:44 - 18816600 _____ () C:\Users\Drake\Downloads\RogueKillerX64 (1).exe
2015-03-18 19:39 - 2015-03-18 19:39 - 00000197 _____ () C:\WINDOWS\system32\2015-03-18-23-39-17.016-AvastVBoxSVC.exe-2236.log
2015-03-18 19:32 - 2015-03-18 19:32 - 02171392 _____ () C:\Users\Drake\Downloads\AdwCleaner.exe
2015-03-18 19:28 - 2015-03-18 19:28 - 00000197 _____ () C:\WINDOWS\system32\2015-03-18-23-28-03.008-AvastVBoxSVC.exe-2460.log
2015-03-18 19:21 - 2015-03-18 19:21 - 00003276 _____ () C:\WINDOWS\System32\Tasks\avastBCLRestartS-1-5-21-3810231965-2665440232-335968719-1001
2015-02-28 01:23 - 2015-02-28 01:23 - 00000247 _____ () C:\WINDOWS\system32\2015-02-28-05-23-32.040-aswFe.exe-3540.log
2015-02-28 01:20 - 2015-02-28 01:23 - 00000247 _____ () C:\WINDOWS\system32\2015-02-28-05-20-39.037-aswFe.exe-3852.log
2015-02-28 01:20 - 2015-02-28 01:20 - 00000197 _____ () C:\WINDOWS\system32\2015-02-28-05-20-33.088-AvastVBoxSVC.exe-2736.log
2015-02-27 21:44 - 2015-02-27 21:44 - 00000197 _____ () C:\WINDOWS\system32\2015-02-28-01-44-22.005-AvastVBoxSVC.exe-4868.log
2015-02-27 21:39 - 2015-02-27 21:39 - 00000000 ____D () C:\Program Files (x86)\Enigma Software Group
2015-02-27 21:38 - 2015-03-18 19:30 - 00000000 ____D () C:\WINDOWS\DB847E94446B49E0AC5DC5627EC8B0C0.TMP
2015-02-27 21:32 - 2015-02-27 21:36 - 00000000 ____D () C:\WINDOWS\SysWOW64\vbox
2015-02-27 21:32 - 2015-02-27 21:36 - 00000000 ____D () C:\WINDOWS\system32\vbox
2015-02-27 21:32 - 2015-02-27 21:32 - 00001980 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-02-27 21:32 - 2015-02-27 21:32 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\AVAST Software
2015-02-27 21:32 - 2015-02-27 21:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-02-27 21:31 - 2015-03-18 19:41 - 00004182 _____ () C:\WINDOWS\System32\Tasks\avast! Emergency Update
2015-02-27 21:31 - 2015-02-27 21:31 - 01050432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsnx.sys
2015-02-27 21:31 - 2015-02-27 21:31 - 00087912 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswmonflt.sys
2015-02-27 21:31 - 2015-02-27 21:30 - 00436624 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2015-02-27 21:31 - 2015-02-27 21:30 - 00267632 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
2015-02-27 21:31 - 2015-02-27 21:30 - 00116728 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2015-02-27 21:31 - 2015-02-27 21:30 - 00093568 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2015-02-27 21:31 - 2015-02-27 21:30 - 00065776 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
2015-02-27 21:31 - 2015-02-27 21:30 - 00029208 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2015-02-27 21:30 - 2015-02-27 21:30 - 00364512 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-02-27 21:30 - 2015-02-27 21:30 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2015-02-27 21:28 - 2015-02-27 21:28 - 00000000 ____D () C:\Program Files\AVAST Software
2015-02-27 21:27 - 2015-02-27 21:28 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-02-27 21:27 - 2015-02-27 21:27 - 00000000 ____D () C:\Program Files\Enigma Software Group
2015-02-27 21:26 - 2015-02-27 21:27 - 04864752 _____ (AVAST Software) C:\Users\Drake\Downloads\avast_free_antivirus_setup_online.exe
2015-02-27 21:24 - 2015-02-27 21:44 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\uTorrent
2015-02-27 21:24 - 2015-02-27 21:24 - 00000839 _____ () C:\Users\Drake\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-02-27 20:49 - 2015-02-27 20:49 - 00000000 ____D () C:\SUPERDelete
2015-02-27 20:48 - 2015-03-18 19:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-02-27 20:48 - 2015-02-27 21:50 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-02-27 20:48 - 2015-02-27 20:48 - 00001820 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-02-27 19:51 - 2015-02-27 19:51 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\SUPERAntiSpyware.com
2015-02-27 19:51 - 2015-02-27 19:51 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-02-27 19:49 - 2015-03-18 19:49 - 00037624 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-02-27 19:49 - 2015-02-27 19:51 - 21320392 _____ (SUPERAntiSpyware) C:\Users\Drake\Downloads\SUPERAntiSpyware.exe
2015-02-27 19:49 - 2015-02-27 19:49 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-27 19:47 - 2015-02-27 19:48 - 18687064 _____ () C:\Users\Drake\Downloads\RogueKillerX64.exe
2015-02-26 23:23 - 2015-02-26 23:24 - 00000000 ____D () C:\EEK
2015-02-26 21:47 - 2015-03-18 19:36 - 00000000 ____D () C:\AdwCleaner
2015-02-26 20:34 - 2015-03-18 19:21 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-26 20:33 - 2015-02-26 20:33 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-26 20:33 - 2015-02-26 20:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-26 20:33 - 2015-02-26 20:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-26 20:33 - 2015-02-26 20:33 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-26 20:33 - 2014-11-21 07:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-26 20:33 - 2014-11-21 07:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-02-26 20:33 - 2014-11-21 07:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-26 20:04 - 2015-03-18 20:06 - 00000020 _____ () C:\Users\Drake\AppData\Roaming\appdataFr3.bin
2015-02-26 20:04 - 2015-02-26 20:26 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-02-26 19:51 - 2015-03-18 19:38 - 00001354 _____ () C:\WINDOWS\Tasks\NSFNE.job
2015-02-26 19:51 - 2015-02-26 21:30 - 00000000 ____D () C:\Program Files (x86)\862a6334-cdc1-4e0c-a4ba-29fd27eb7ca4
2015-02-26 19:51 - 2015-02-26 19:51 - 00004360 _____ () C:\WINDOWS\System32\Tasks\NSFNE
2015-02-26 19:50 - 2015-02-26 21:52 - 00001306 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-26 19:49 - 2015-02-26 19:49 - 00000000 ____D () C:\WINDOWS\LastGood.Tmp
2015-02-26 19:45 - 2015-02-26 19:45 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\Compete
2015-02-26 19:44 - 2015-02-27 19:45 - 00000000 ____D () C:\Program Files (x86)\PragmaSystem
2015-02-20 00:11 - 2015-02-20 00:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RaLink Wireless
2015-02-20 00:08 - 2015-02-20 00:08 - 00002319 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Program Updates.lnk
2015-02-20 00:08 - 2006-12-27 18:41 - 00308224 _____ (Ralink Technology Inc.) C:\WINDOWS\system32\Drivers\netr7064.sys
2015-02-20 00:08 - 2004-04-16 12:24 - 00061440 _____ (InstallShield Software Corporation) C:\WINDOWS\SysWOW64\ISUSPM.cpl
2015-02-20 00:06 - 2015-02-20 00:08 - 00000000 ____D () C:\Program Files (x86)\RALINK
2015-02-20 00:06 - 2015-02-20 00:06 - 00000000 ____D () C:\RALINK
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-18 20:02 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-03-18 19:57 - 2014-01-12 12:13 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-03-18 19:57 - 2013-03-27 10:22 - 00000924 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-18 19:44 - 2013-11-14 03:28 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-03-18 19:43 - 2013-03-26 14:44 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3810231965-2665440232-335968719-1001
2015-03-18 19:42 - 2013-12-14 10:56 - 01835350 _____ () C:\WINDOWS\WindowsUpdate.log
2015-03-18 19:41 - 2014-09-21 18:03 - 00000000 __RDO () C:\Users\Drake\SkyDrive
2015-03-18 19:41 - 2013-03-27 09:37 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-03-18 19:40 - 2014-08-10 13:50 - 00000000 ___RD () C:\Users\Drake\Google Drive
2015-03-18 19:39 - 2014-12-14 14:05 - 00000000 ___RD () C:\Users\Drake\iCloudDrive
2015-03-18 19:38 - 2015-01-07 17:20 - 00001354 _____ () C:\WINDOWS\Tasks\PHLKX.job
2015-03-18 19:38 - 2013-08-22 10:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-03-18 19:38 - 2013-03-27 10:22 - 00000920 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-18 19:37 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-03-18 19:24 - 2015-01-07 17:32 - 00361936 _____ () C:\WINDOWS\PFRO.log
2015-03-18 19:23 - 2014-08-10 13:46 - 00002058 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-03-18 19:23 - 2014-08-10 13:46 - 00002056 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-03-18 19:23 - 2014-08-10 13:46 - 00002046 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-03-18 19:23 - 2014-08-10 13:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-02-27 22:37 - 2014-01-09 14:09 - 00003926 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{85896E68-EEB3-4FE6-8312-A215FE081BC5}
2015-02-27 21:48 - 2013-12-14 10:44 - 00000000 ____D () C:\Users\Drake
2015-02-27 19:46 - 2014-05-30 17:00 - 00000000 ____D () C:\Users\Drake\AppData\Local\SlimWare Utilities Inc
2015-02-27 19:45 - 2015-01-07 17:20 - 00000000 ____D () C:\Program Files (x86)\3788fb5f-595c-4738-84c0-3f1c823bfa5d
2015-02-26 21:52 - 2013-03-27 10:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-02-26 21:40 - 2015-01-07 17:20 - 00000000 ____D () C:\ProgramData\APdVpXpqVGE
2015-02-26 21:31 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\Branding
2015-02-26 21:30 - 2015-01-07 17:24 - 00000000 ____D () C:\Users\Drake\AppData\Local\com
2015-02-26 20:19 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-26 19:57 - 2014-01-12 12:13 - 00003718 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-02-26 19:55 - 2013-03-28 07:26 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-02-26 19:52 - 2013-03-27 10:22 - 00003896 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-26 19:52 - 2013-03-27 10:22 - 00003660 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-26 19:50 - 2015-01-07 17:21 - 00000000 ___HD () C:\Users\Public\Temp
2015-02-20 00:08 - 2013-12-28 08:25 - 00000000 ____D () C:\ProgramData\InstallShield
2015-02-20 00:05 - 2015-01-07 17:40 - 00000793 _____ () C:\WINDOWS\setupact.log
2015-02-19 23:40 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
 
==================== Files in the root of some directories =======
 
2015-02-26 20:04 - 2015-03-18 20:06 - 0000020 _____ () C:\Users\Drake\AppData\Roaming\appdataFr3.bin
 
Some content of TEMP:
====================
C:\Users\Drake\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Drake\AppData\Local\Temp\Quarantine.exe
C:\Users\Drake\AppData\Local\Temp\sqlite3.dll
C:\Users\Drake\AppData\Local\Temp\_is8CF1.exe
C:\Users\Drake\AppData\Local\Temp\_isDF1B.exe
C:\Users\Drake\AppData\Local\Temp\_isED6.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-27 22:06
 
==================== End Of Log ============================


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:02 AM

Posted 18 March 2015 - 08:45 PM

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Attached File: fixlist.txt (7.39KB, 2 downloads)

 

 


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 oculum

oculum
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:02 AM

Posted 18 March 2015 - 09:08 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Drake at 2015-03-18 22:01:06 Run:1
Running from C:\Users\Drake\Downloads
Loaded Profiles: Drake (Available profiles: Drake)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-3810231965-2665440232-335968719-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {0D41B8C5-2599-4893-8183-00195EC8D5F9} https://www.asus.com/support/asusTek_sys_ctrl3.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
CHR Extension: (WhiteSmoke New) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi [2014-08-29]
CHR Extension: (Cinemax Plus 1.9cV26.02) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fjfiaeaopgmgbenipljajjipecobmbni [2015-02-26]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-01-07]
S2 ba8bdfd1; "C:\WINDOWS\system32\rundll32.exe" "c:\Program Files (x86)\PragmaSystem\PragmaSystem.dll",serv
R1 cmwf; C:\WINDOWS\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed] <==== ATTENTION
R1 cmwr; C:\WINDOWS\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed] <==== ATTENTION
C:\WINDOWS\system32\Drivers\cmwf.sys
S2 CMWFP; \??\C:\WINDOWS\system32\Drivers\CMWFP64.sys [X]
S3 IntcAzAudAddService; \SystemRoot\system32\drivers\RTKVHD64.sys [X]
C:\WINDOWS\system32\Drivers\CMWFP64.sys
2015-02-26 19:44 - 2015-02-27 19:45 - 00000000 ____D () C:\Program Files (x86)\PragmaSystem
2015-02-26 21:40 - 2015-01-07 17:20 - 00000000 ____D () C:\ProgramData\APdVpXpqVGE
Task: {19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326} - System32\Tasks\PHLKX => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION
Task: {7212972F-5943-4BB4-B2F4-CF8CEE8B7534} - System32\Tasks\NSFNE => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION
Task: {9FA53575-05B0-4AA7-A9AD-884C31027686} - \Updater19962.exe No Task File <==== ATTENTION
Task: {99AD4B79-E450-4741-BC18-7B693F9732BE} - System32\Tasks\RVHKCSW => C:\ProgramData\489f1cd218ec4591b081a334a119122f\489f1cd218ec4591b081a334a119122f.exe
C:\Users\Drake\AppData\Roaming\NSFNE.exe
C:\Users\Drake\AppData\Roaming\PHLKX.exe
Task: C:\WINDOWS\Tasks\NSFNE.job => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\PHLKX.job => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Drake\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Drake\SkyDrive (2).old:ms-properties
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CMWFP => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwr.sys => ""="Driver" <==== ATTENTION
C:\WINDOWS\system32\Drivers\cmwr.sys
C:\WINDOWS\system32\Drivers\CMWFP.sys 
 
 
emptytemp:
 
 
 
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => Key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{0D41B8C5-2599-4893-8183-00195EC8D5F9}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{0D41B8C5-2599-4893-8183-00195EC8D5F9}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\livecall" => Key deleted successfully.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => Key not found. 
"HKCR\PROTOCOLS\Handler\msnim" => Key deleted successfully.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => Key not found. 
C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi => Moved successfully.
C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fjfiaeaopgmgbenipljajjipecobmbni => Moved successfully.
"HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf" => Key deleted successfully.
C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx => Moved successfully.
ba8bdfd1 => Service deleted successfully.
cmwf => Unable to stop service
cmwf => Error deleting Service
cmwr => Unable to stop service
cmwr => Error deleting Service
Could not move "C:\WINDOWS\system32\Drivers\cmwf.sys" => Scheduled to move on reboot.
CMWFP => Error deleting Service
IntcAzAudAddService => Service deleted successfully.
"C:\WINDOWS\system32\Drivers\CMWFP64.sys" => File/Directory not found.
C:\Program Files (x86)\PragmaSystem => Moved successfully.
C:\ProgramData\APdVpXpqVGE => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326}" => Key deleted successfully.
C:\Windows\System32\Tasks\PHLKX => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PHLKX" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7212972F-5943-4BB4-B2F4-CF8CEE8B7534}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7212972F-5943-4BB4-B2F4-CF8CEE8B7534}" => Key deleted successfully.
C:\Windows\System32\Tasks\NSFNE => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\NSFNE" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9FA53575-05B0-4AA7-A9AD-884C31027686}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9FA53575-05B0-4AA7-A9AD-884C31027686}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater19962.exe" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{99AD4B79-E450-4741-BC18-7B693F9732BE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{99AD4B79-E450-4741-BC18-7B693F9732BE}" => Key deleted successfully.
C:\Windows\System32\Tasks\RVHKCSW => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RVHKCSW" => Key deleted successfully.
"C:\Users\Drake\AppData\Roaming\NSFNE.exe" => File/Directory not found.
"C:\Users\Drake\AppData\Roaming\PHLKX.exe" => File/Directory not found.
C:\WINDOWS\Tasks\NSFNE.job => Moved successfully.
C:\WINDOWS\Tasks\PHLKX.job => Moved successfully.
C:\ProgramData\Temp => ":373E1720" ADS removed successfully.
"C:\Users\Drake\SkyDrive" => ":ms-properties" ADS not found.
"C:\Users\Drake\SkyDrive (2).old" => ":ms-properties" ADS not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => Key could not be deleted. Access denied.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys => Key could not be deleted. Access denied.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\cmwf.sys => Key could not be deleted. Access denied.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CMWFP" => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\cmwr.sys => Key could not be deleted. Access denied.
Could not move "C:\WINDOWS\system32\Drivers\cmwr.sys" => Scheduled to move on reboot.
"C:\WINDOWS\system32\Drivers\CMWFP.sys" => File/Directory not found.
EmptyTemp: => Removed 4.2 GB temporary data.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-03-18 22:05:14)<=
 
"C:\WINDOWS\system32\Drivers\cmwf.sys" => File could not move.
"C:\WINDOWS\system32\Drivers\cmwr.sys" => File could not move.
 
==== End of Fixlog 22:05:14 ====
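Added example, not part of this thread or of FRST: a small Python triage script over Fixlog result lines like the ones in the post above, which classifies each `target => result` line and lists the items whose final status is failed or deferred. On this machine that is the cmwf driver file, its service and its SafeBoot key, which resisted removal from the running OS; the sample lines are copied from the Fixlog above.

```python
from collections import Counter

# Sample lines copied from the Fixlog posted above, chosen to cover each
# outcome FRST reports (success, already absent, deferred to reboot, failed).
SAMPLE_FIXLOG = r"""
ba8bdfd1 => Service deleted successfully.
cmwf => Unable to stop service
cmwf => Error deleting Service
Could not move "C:\WINDOWS\system32\Drivers\cmwf.sys" => Scheduled to move on reboot.
"C:\WINDOWS\system32\Drivers\CMWFP64.sys" => File/Directory not found.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => Key not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => Key could not be deleted. Access denied.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CMWFP" => Key deleted successfully.
EmptyTemp: => Removed 4.2 GB temporary data.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-03-18 22:05:14)<=
"C:\WINDOWS\system32\Drivers\cmwf.sys" => File could not move.
""".strip()


def classify(result):
    """Map the right-hand side of a Fixlog line to one of four outcome classes."""
    r = result.strip().lower()
    if "successfully" in r or r.startswith("removed"):
        return "ok"          # item deleted/moved, or temp data emptied
    if "not found" in r:
        return "absent"      # nothing left to act on (already gone)
    if "scheduled to move on reboot" in r:
        return "deferred"    # locked file; FRST retries at next boot
    return "failed"          # Unable to stop / Error deleting / Access denied / could not move


def _clean_target(raw):
    """Normalise the left-hand side: drop the 'Could not move' prefix and quotes."""
    raw = raw.strip()
    prefix = "Could not move "
    if raw.startswith(prefix):
        raw = raw[len(prefix):]
    return raw.strip().strip('"')


def parse_fixlog(text):
    """Return a list of (target, status, result) for every action line in the log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, section banners and the '=> Result of Scheduled Files' header.
        if not line or line.startswith(("=>", "====", "****")):
            continue
        if " => " not in line:
            continue
        target, _, result = line.partition(" => ")
        entries.append((_clean_target(target), classify(result), result.strip()))
    return entries


def summarize(text):
    """Count how many actions fell into each outcome class."""
    return Counter(status for _, status, _ in parse_fixlog(text))


def unresolved(text):
    """Targets whose last reported status is still failed or deferred.

    A file may be 'deferred' first and then 'failed' in the post-reboot section,
    so the final status per target is what matters for the next removal step.
    """
    final = {}
    for target, status, _ in parse_fixlog(text):
        final[target] = status
    return sorted(t for t, s in final.items() if s in ("failed", "deferred"))


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_FIXLOG)))
    for item in unresolved(SAMPLE_FIXLOG):
        print("still present:", item)
```

Items left in the unresolved list are the ones that need an offline pass (recovery environment or another boot context) rather than another run from the live system.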


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:02 AM

Posted 19 March 2015 - 09:51 AM

We are going to need to do this a little differently.

 

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


 


#5 oculum

oculum
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:02 AM

Posted 19 March 2015 - 08:24 PM

Since it's running Windows 8.1, the startup procedure is a little bit different than in Win 7. But I used the advanced settings option in the alternate restart menu to reach the command prompt, which I believe will produce the same results. Correct me if I'm wrong :) Anyway, here is the FRST log.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by SYSTEM on MININT-UUATEFD on 19-03-2015 21:20:43
Running from d:\
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [107816 2011-03-09] (CyberLink)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2012-06-14] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe [234000 2012-06-14] (CyberLink Corp.)
HKLM-x32\...\Run: [LGODDFU] => C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-12] (Bitleader)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [444760 2014-03-07] (Razer Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [69632 2004-04-13] (InstallShield Software Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-02-27] (AVAST Software)
HKU\Drake\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1940160 2014-11-18] (Valve Corporation)
HKU\Drake\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe [37632 2014-02-16] (Overwolf LTD)
HKU\Drake\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [26232152 2015-02-19] (Google)
HKU\Drake\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [30522472 2014-11-28] (Skype Technologies S.A.)
HKU\Drake\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\Drake\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-11-21] (Apple Inc.)
HKU\Drake\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2014-10-20] (Apple Inc.)
HKU\Drake\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [196608 2004-04-17] (InstallShield Software Corporation)
HKU\Drake\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-22] (SUPERAntiSpyware)
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-02-27] (AVAST Software)
S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2015-02-27] (Avast Software)
S3 EasyAntiCheat; C:\WINDOWS\SysWOW64\EasyAntiCheat.exe [174112 2014-11-03] (EasyAntiCheat Ltd)
S3 OverwolfUpdaterService; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [98560 2014-02-16] (Overwolf LTD)
S2 PnkBstrA; C:\WINDOWS\SysWOW64\PnkBstrA.exe [76888 2014-03-25] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2013-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2013-10-30] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 asahci64; C:\Windows\System32\drivers\asahci64.sys [49760 2012-01-06] (Asmedia Technology)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-02-27] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-02-27] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-02-27] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-02-27] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-02-27] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-02-27] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-02-27] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-02-27] ()
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [211456 2013-12-30] ()
S3 AU8168; C:\Windows\system32\DRIVERS\au630x64.sys [792648 2013-09-23] (Realtek                                            )
S3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2015-02-26] (Emsisoft GmbH)
S1 cmwf; C:\WINDOWS\system32\Drivers\cmwf.sys [33952 2015-01-07] (CartCrunch Israel Ltd.) <==== ATTENTION
S1 cmwr; C:\WINDOWS\system32\Drivers\cmwr.sys [45216 2015-01-07] (CartCrunch Israel Ltd.) <==== ATTENTION
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-12-14] (Symantec Corporation)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [35328 2013-12-30] ()
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-18] (Malwarebytes Corporation)
S3 rt70x64; C:\Windows\system32\DRIVERS\netr7064.sys [308224 2006-12-27] (Ralink Technology Inc.)
S3 RtlWlanu; C:\Windows\system32\DRIVERS\wna3100m.sys [1577760 2012-08-16] (Realtek Semiconductor Corporation                           )
S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [39080 2013-11-14] (Razer Inc)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-03-18] ()
S2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [271752 2015-02-27] (Avast Software)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2013-10-30] (Microsoft Corporation)
S2 CMWFP; \??\C:\WINDOWS\system32\Drivers\CMWFP64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-19 17:13 - 2015-03-19 17:13 - 00000197 _____ () C:\Windows\System32\2015-03-20-01-13-54.053-AvastVBoxSVC.exe-4332.log
2015-03-18 18:16 - 2015-03-18 18:16 - 00000247 _____ () C:\Windows\System32\2015-03-19-02-16-28.000-aswFe.exe-516.log
2015-03-18 18:11 - 2015-03-18 18:16 - 00000247 _____ () C:\Windows\System32\2015-03-19-02-11-01.083-aswFe.exe-4840.log
2015-03-18 18:10 - 2015-03-18 18:10 - 00000197 _____ () C:\Windows\System32\2015-03-19-02-10-57.071-AvastVBoxSVC.exe-2420.log
2015-03-18 16:06 - 2015-03-18 18:05 - 00000000 ____D () C:\FRST
2015-03-18 16:06 - 2015-03-18 16:07 - 00034441 _____ () C:\Users\Drake\Downloads\FRST.txt
2015-03-18 16:06 - 2015-03-18 16:07 - 00031744 _____ () C:\Users\Drake\Downloads\Addition.txt
2015-03-18 16:04 - 2015-03-18 16:04 - 02095616 _____ (Farbar) C:\Users\Drake\Downloads\FRST64.exe
2015-03-18 15:56 - 2015-03-18 15:57 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Drake\Downloads\tdsskiller.exe
2015-03-18 15:51 - 2015-03-18 15:53 - 229979832 _____ (COMODO) C:\Users\Drake\Downloads\cispremium_installer_6100_08.exe
2015-03-18 15:43 - 2015-03-18 15:44 - 18816600 _____ () C:\Users\Drake\Downloads\RogueKillerX64 (1).exe
2015-03-18 15:39 - 2015-03-18 15:39 - 00000197 _____ () C:\Windows\System32\2015-03-18-23-39-17.016-AvastVBoxSVC.exe-2236.log
2015-03-18 15:32 - 2015-03-18 15:32 - 02171392 _____ () C:\Users\Drake\Downloads\AdwCleaner.exe
2015-03-18 15:28 - 2015-03-18 15:28 - 00000197 _____ () C:\Windows\System32\2015-03-18-23-28-03.008-AvastVBoxSVC.exe-2460.log
2015-03-18 15:21 - 2015-03-18 15:21 - 00003276 _____ () C:\Windows\System32\Tasks\avastBCLRestartS-1-5-21-3810231965-2665440232-335968719-1001
2015-02-27 21:23 - 2015-02-27 21:23 - 00000247 _____ () C:\Windows\System32\2015-02-28-05-23-32.040-aswFe.exe-3540.log
2015-02-27 21:20 - 2015-02-27 21:23 - 00000247 _____ () C:\Windows\System32\2015-02-28-05-20-39.037-aswFe.exe-3852.log
2015-02-27 21:20 - 2015-02-27 21:20 - 00000197 _____ () C:\Windows\System32\2015-02-28-05-20-33.088-AvastVBoxSVC.exe-2736.log
2015-02-27 17:44 - 2015-02-27 17:44 - 00000197 _____ () C:\Windows\System32\2015-02-28-01-44-22.005-AvastVBoxSVC.exe-4868.log
2015-02-27 17:39 - 2015-02-27 17:39 - 00000000 ____D () C:\Program Files (x86)\Enigma Software Group
2015-02-27 17:38 - 2015-03-18 15:30 - 00000000 ____D () C:\Windows\DB847E94446B49E0AC5DC5627EC8B0C0.TMP
2015-02-27 17:32 - 2015-02-27 17:36 - 00000000 ____D () C:\Windows\SysWOW64\vbox
2015-02-27 17:32 - 2015-02-27 17:36 - 00000000 ____D () C:\Windows\System32\vbox
2015-02-27 17:32 - 2015-02-27 17:32 - 00001980 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-02-27 17:32 - 2015-02-27 17:32 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\AVAST Software
2015-02-27 17:31 - 2015-03-19 17:13 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-02-27 17:31 - 2015-02-27 17:31 - 01050432 _____ (AVAST Software) C:\Windows\System32\Drivers\aswsnx.sys
2015-02-27 17:31 - 2015-02-27 17:31 - 00087912 _____ (AVAST Software) C:\Windows\System32\Drivers\aswmonflt.sys
2015-02-27 17:31 - 2015-02-27 17:30 - 00436624 _____ (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2015-02-27 17:31 - 2015-02-27 17:30 - 00267632 _____ () C:\Windows\System32\Drivers\aswVmm.sys
2015-02-27 17:31 - 2015-02-27 17:30 - 00116728 _____ (AVAST Software) C:\Windows\System32\Drivers\aswStm.sys
2015-02-27 17:31 - 2015-02-27 17:30 - 00093568 _____ (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2015-02-27 17:31 - 2015-02-27 17:30 - 00065776 _____ () C:\Windows\System32\Drivers\aswRvrt.sys
2015-02-27 17:31 - 2015-02-27 17:30 - 00029208 _____ () C:\Windows\System32\Drivers\aswHwid.sys
2015-02-27 17:30 - 2015-02-27 17:30 - 00364512 _____ (AVAST Software) C:\Windows\System32\aswBoot.exe
2015-02-27 17:30 - 2015-02-27 17:30 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-02-27 17:28 - 2015-02-27 17:28 - 00000000 ____D () C:\Program Files\AVAST Software
2015-02-27 17:27 - 2015-02-27 17:28 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-02-27 17:27 - 2015-02-27 17:27 - 00000000 ____D () C:\Program Files\Enigma Software Group
2015-02-27 17:26 - 2015-02-27 17:27 - 04864752 _____ (AVAST Software) C:\Users\Drake\Downloads\avast_free_antivirus_setup_online.exe
2015-02-27 17:24 - 2015-02-27 17:44 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\uTorrent
2015-02-27 16:49 - 2015-02-27 16:49 - 00000000 ____D () C:\SUPERDelete
2015-02-27 16:48 - 2015-02-27 17:50 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-02-27 16:48 - 2015-02-27 16:48 - 00001820 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-02-27 15:51 - 2015-02-27 15:51 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\SUPERAntiSpyware.com
2015-02-27 15:51 - 2015-02-27 15:51 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-02-27 15:49 - 2015-03-18 15:49 - 00037624 _____ () C:\Windows\System32\Drivers\TrueSight.sys
2015-02-27 15:49 - 2015-02-27 15:51 - 21320392 _____ (SUPERAntiSpyware) C:\Users\Drake\Downloads\SUPERAntiSpyware.exe
2015-02-27 15:49 - 2015-02-27 15:49 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-27 15:47 - 2015-02-27 15:48 - 18687064 _____ () C:\Users\Drake\Downloads\RogueKillerX64.exe
2015-02-26 19:23 - 2015-02-26 19:24 - 00000000 ____D () C:\EEK
2015-02-26 17:47 - 2015-03-18 15:36 - 00000000 ____D () C:\AdwCleaner
2015-02-26 16:34 - 2015-03-18 15:21 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-02-26 16:33 - 2015-02-26 16:33 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-26 16:33 - 2015-02-26 16:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-26 16:33 - 2015-02-26 16:33 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-26 16:33 - 2014-11-21 03:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2015-02-26 16:33 - 2014-11-21 03:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2015-02-26 16:33 - 2014-11-21 03:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2015-02-26 16:04 - 2015-03-18 16:06 - 00000020 _____ () C:\Users\Drake\AppData\Roaming\appdataFr3.bin
2015-02-26 16:04 - 2015-02-26 16:26 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-02-26 15:51 - 2015-02-26 17:30 - 00000000 ____D () C:\Program Files (x86)\862a6334-cdc1-4e0c-a4ba-29fd27eb7ca4
2015-02-26 15:50 - 2015-02-26 17:52 - 00001306 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-26 15:49 - 2015-02-26 15:49 - 00000000 ____D () C:\Windows\LastGood.Tmp
2015-02-26 15:45 - 2015-02-26 15:45 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\Compete
2015-02-19 20:08 - 2006-12-27 14:41 - 00308224 _____ (Ralink Technology Inc.) C:\Windows\System32\Drivers\netr7064.sys
2015-02-19 20:08 - 2004-04-16 08:24 - 00061440 _____ (InstallShield Software Corporation) C:\Windows\SysWOW64\ISUSPM.cpl
2015-02-19 20:06 - 2015-02-19 20:08 - 00000000 ____D () C:\Program Files (x86)\RALINK
2015-02-19 20:06 - 2015-02-19 20:06 - 00000000 ____D () C:\RALINK
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-19 17:17 - 2013-12-14 06:56 - 01857099 _____ () C:\Windows\WindowsUpdate.log
2015-03-19 17:17 - 2013-11-13 23:28 - 00863592 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-03-19 17:17 - 2013-08-22 06:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-19 17:17 - 2013-08-22 05:25 - 00262144 ___SH () C:\Windows\System32\config\BBI
2015-03-19 17:15 - 2015-01-07 13:40 - 00001589 _____ () C:\Windows\setupact.log
2015-03-19 17:14 - 2014-09-21 14:03 - 00000000 __RDO () C:\Users\Drake\SkyDrive
2015-03-19 17:13 - 2014-12-14 10:05 - 00000000 ___RD () C:\Users\Drake\iCloudDrive
2015-03-19 17:13 - 2014-08-10 09:50 - 00000000 ___RD () C:\Users\Drake\Google Drive
2015-03-19 17:13 - 2013-03-27 06:22 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-19 17:13 - 2013-03-27 05:37 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-03-18 18:03 - 2015-01-07 13:32 - 00362642 _____ () C:\Windows\PFRO.log
2015-03-18 18:00 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\sru
2015-03-18 16:57 - 2014-01-12 08:13 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-18 16:57 - 2013-03-27 06:22 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-18 16:25 - 2013-03-26 10:44 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3810231965-2665440232-335968719-1001
2015-03-18 15:23 - 2014-08-10 09:46 - 00002058 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-03-18 15:23 - 2014-08-10 09:46 - 00002056 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-03-18 15:23 - 2014-08-10 09:46 - 00002046 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-02-27 18:37 - 2014-01-09 10:09 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{85896E68-EEB3-4FE6-8312-A215FE081BC5}
2015-02-27 17:48 - 2013-12-14 06:44 - 00000000 ____D () C:\users\Drake
2015-02-27 15:46 - 2014-05-30 13:00 - 00000000 ____D () C:\Users\Drake\AppData\Local\SlimWare Utilities Inc
2015-02-27 15:45 - 2015-01-07 13:20 - 00000000 ____D () C:\Program Files (x86)\3788fb5f-595c-4738-84c0-3f1c823bfa5d
2015-02-26 17:31 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\Branding
2015-02-26 17:30 - 2015-01-07 13:24 - 00000000 ____D () C:\Users\Drake\AppData\Local\com
2015-02-26 16:19 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-02-26 15:57 - 2014-01-12 08:13 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-26 15:55 - 2013-03-28 03:26 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-02-26 15:52 - 2013-03-27 06:22 - 00003896 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-26 15:52 - 2013-03-27 06:22 - 00003660 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-26 15:50 - 2015-01-07 13:21 - 00000000 ___HD () C:\Users\Public\Temp
2015-02-19 20:08 - 2013-12-28 04:25 - 00000000 ____D () C:\ProgramData\InstallShield
2015-02-19 19:40 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\NDF
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2015-02-27 17:28:32
Restore point made on: 2015-02-27 17:37:29
Restore point made on: 2015-03-18 15:30:40
Restore point made on: 2015-03-18 18:07:17
 
==================== Memory info =========================== 
 
Percentage of memory in use: 18%
Total physical RAM: 4001.16 MB
Available physical RAM: 3250.13 MB
Total Pagefile: 4001.16 MB
Available Pagefile: 3260.89 MB
Total Virtual: 131072 MB
Available Virtual: 131071.88 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.17 GB) (Free:655.74 GB) NTFS
Drive d: (BLAH) (Removable) (Total:0.96 GB) (Free:0.01 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.01 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 9FA1E9FB)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.2 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 983 MB) (Disk ID: D31D984A)
Partition 1: (Not Active) - (Size=983 MB) - (Type=0E)
 
 
LastRegBack: 2015-03-18 18:17
 
==================== End Of Log ============================


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:02 AM

Posted 20 March 2015 - 11:08 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt.

HKLM-x32\...\Run: [] => [X]
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-3810231965-2665440232-335968719-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {0D41B8C5-2599-4893-8183-00195EC8D5F9} https://www.asus.com/support/asusTek_sys_ctrl3.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
CHR Extension: (WhiteSmoke New) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi [2014-08-29]
CHR Extension: (Cinemax Plus 1.9cV26.02) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fjfiaeaopgmgbenipljajjipecobmbni [2015-02-26]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-01-07]
S2 ba8bdfd1; "C:\WINDOWS\system32\rundll32.exe" "c:\Program Files (x86)\PragmaSystem\PragmaSystem.dll",serv
R1 cmwf; C:\WINDOWS\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed] <==== ATTENTION
R1 cmwr; C:\WINDOWS\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed] <==== ATTENTION
C:\WINDOWS\system32\Drivers\cmwf.sys
S2 CMWFP; \??\C:\WINDOWS\system32\Drivers\CMWFP64.sys [X]
S3 IntcAzAudAddService; \SystemRoot\system32\drivers\RTKVHD64.sys [X]
C:\WINDOWS\system32\Drivers\CMWFP64.sys
2015-02-26 19:44 - 2015-02-27 19:45 - 00000000 ____D () C:\Program Files (x86)\PragmaSystem
2015-02-26 21:40 - 2015-01-07 17:20 - 00000000 ____D () C:\ProgramData\APdVpXpqVGE
Task: {19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326} - System32\Tasks\PHLKX => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION
Task: {7212972F-5943-4BB4-B2F4-CF8CEE8B7534} - System32\Tasks\NSFNE => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION
Task: {9FA53575-05B0-4AA7-A9AD-884C31027686} - \Updater19962.exe No Task File <==== ATTENTION
Task: {99AD4B79-E450-4741-BC18-7B693F9732BE} - System32\Tasks\RVHKCSW => C:\ProgramData\489f1cd218ec4591b081a334a119122f\489f1cd218ec4591b081a334a119122f.exe
C:\Users\Drake\AppData\Roaming\NSFNE.exe
C:\Users\Drake\AppData\Roaming\PHLKX.exe
Task: C:\WINDOWS\Tasks\NSFNE.job => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\PHLKX.job => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Drake\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Drake\SkyDrive (2).old:ms-properties
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CMWFP => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwr.sys => ""="Driver" <==== ATTENTION
C:\WINDOWS\system32\Drivers\cmwr.sys
C:\WINDOWS\system32\Drivers\CMWFP.sys 
emptytemp:

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 oculum

oculum
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:02 AM

Posted 21 March 2015 - 10:46 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by SYSTEM at 2015-03-21 11:43:17 Run:2
Running from d:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-3810231965-2665440232-335968719-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {0D41B8C5-2599-4893-8183-00195EC8D5F9} https://www.asus.com/support/asusTek_sys_ctrl3.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
CHR Extension: (WhiteSmoke New) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi [2014-08-29]
CHR Extension: (Cinemax Plus 1.9cV26.02) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fjfiaeaopgmgbenipljajjipecobmbni [2015-02-26]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-01-07]
S2 ba8bdfd1; "C:\WINDOWS\system32\rundll32.exe" "c:\Program Files (x86)\PragmaSystem\PragmaSystem.dll",serv
R1 cmwf; C:\WINDOWS\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed] <==== ATTENTION
R1 cmwr; C:\WINDOWS\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed] <==== ATTENTION
C:\WINDOWS\system32\Drivers\cmwf.sys
S2 CMWFP; \??\C:\WINDOWS\system32\Drivers\CMWFP64.sys [X]
S3 IntcAzAudAddService; \SystemRoot\system32\drivers\RTKVHD64.sys [X]
C:\WINDOWS\system32\Drivers\CMWFP64.sys
2015-02-26 19:44 - 2015-02-27 19:45 - 00000000 ____D () C:\Program Files (x86)\PragmaSystem
2015-02-26 21:40 - 2015-01-07 17:20 - 00000000 ____D () C:\ProgramData\APdVpXpqVGE
Task: {19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326} - System32\Tasks\PHLKX => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION
Task: {7212972F-5943-4BB4-B2F4-CF8CEE8B7534} - System32\Tasks\NSFNE => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION
Task: {9FA53575-05B0-4AA7-A9AD-884C31027686} - \Updater19962.exe No Task File <==== ATTENTION
Task: {99AD4B79-E450-4741-BC18-7B693F9732BE} - System32\Tasks\RVHKCSW => C:\ProgramData\489f1cd218ec4591b081a334a119122f\489f1cd218ec4591b081a334a119122f.exe
C:\Users\Drake\AppData\Roaming\NSFNE.exe
C:\Users\Drake\AppData\Roaming\PHLKX.exe
Task: C:\WINDOWS\Tasks\NSFNE.job => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\PHLKX.job => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Drake\SkyDrive:ms-properties
AlternateDataStreams: C:\Users\Drake\SkyDrive (2).old:ms-properties
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwf.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CMWFP => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwr.sys => ""="Driver" <==== ATTENTION
C:\WINDOWS\system32\Drivers\cmwr.sys
C:\WINDOWS\system32\Drivers\CMWFP.sys 
emptytemp:
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled. => Error: The entry should be fixed outside recovery mode.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574 => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: The entry should be fixed outside recovery mode.
Toolbar: HKU\S-1-5-21-3810231965-2665440232-335968719-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File => Error: The entry should be fixed outside recovery mode.
DPF: HKLM-x32 {0D41B8C5-2599-4893-8183-00195EC8D5F9} https://www.asus.com/support/asusTek_sys_ctrl3.cab => Error: The entry should be fixed outside recovery mode.
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File => Error: The entry should be fixed outside recovery mode.
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File => Error: The entry should be fixed outside recovery mode.
CHR Extension: (WhiteSmoke New) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi [2014-08-29] => Error: The entry should be fixed outside recovery mode.
CHR Extension: (Cinemax Plus 1.9cV26.02) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fjfiaeaopgmgbenipljajjipecobmbni [2015-02-26] => Error: The entry should be fixed outside recovery mode.
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-01-07] => Error: The entry should be fixed outside recovery mode.
ba8bdfd1 => Service not found.
cmwf => Service deleted successfully.
cmwr => Service deleted successfully.
C:\WINDOWS\system32\Drivers\cmwf.sys => Moved successfully.
CMWFP => Service deleted successfully.
IntcAzAudAddService => Service not found.
"C:\WINDOWS\system32\Drivers\CMWFP64.sys" => File/Directory not found.
"C:\Program Files (x86)\PragmaSystem" => File/Directory not found.
"C:\ProgramData\APdVpXpqVGE" => File/Directory not found.
Task: {19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326} - System32\Tasks\PHLKX => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: {7212972F-5943-4BB4-B2F4-CF8CEE8B7534} - System32\Tasks\NSFNE => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: {9FA53575-05B0-4AA7-A9AD-884C31027686} - \Updater19962.exe No Task File <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: {99AD4B79-E450-4741-BC18-7B693F9732BE} - System32\Tasks\RVHKCSW => C:\ProgramData\489f1cd218ec4591b081a334a119122f\489f1cd218ec4591b081a334a119122f.exe => Error: The entry should be fixed outside recovery mode.
"C:\Users\Drake\AppData\Roaming\NSFNE.exe" => File/Directory not found.
"C:\Users\Drake\AppData\Roaming\PHLKX.exe" => File/Directory not found.
Task: C:\WINDOWS\Tasks\NSFNE.job => C:\Users\Drake\AppData\Roaming\NSFNE.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\WINDOWS\Tasks\PHLKX.job => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
"C:\ProgramData\Temp" => ":373E1720" ADS not found.
"C:\Users\Drake\SkyDrive" => ":ms-properties" ADS not found.
"C:\Users\Drake\SkyDrive (2).old" => ":ms-properties" ADS not found.
"HKLM\System\ControlSet001\Control\SafeBoot\Minimal\cmwf.sys" => Key deleted successfully.
"HKLM\System\ControlSet001\Control\SafeBoot\Minimal\cmwr.sys" => Key deleted successfully.
"HKLM\System\ControlSet001\Control\SafeBoot\Network\cmwf.sys" => Key deleted successfully.
HKLM\System\ControlSet001\Control\SafeBoot\Network\CMWFP => Key not found. 
"HKLM\System\ControlSet001\Control\SafeBoot\Network\cmwr.sys" => Key deleted successfully.
C:\WINDOWS\system32\Drivers\cmwr.sys => Moved successfully.
"C:\WINDOWS\system32\Drivers\CMWFP.sys" => File/Directory not found.
emptytemp: => Error: This directive works only outside recovery mode.
 
==== End of Fixlog 11:43:17 ====
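The Fixlog above shows two kinds of result: directives FRST could act on from the recovery environment (services deleted, driver files moved, SafeBoot registry keys removed) and directives it explicitly refused with "should be fixed outside recovery mode" (the Run value, the 127.0.0.1:47574 proxy, the scheduled tasks, emptytemp:). The following is an added Python example, not part of this thread and not FRST's own tooling, that parses Fixlog lines of the shape "<directive> => <outcome>" and lists what still needs a second pass from a normal boot; the sample lines are constructed from the log posted above.

```python
"""Classify each line of an FRST Fixlog by outcome.

Added example (not FRST's own code). It assumes the line shape seen in the
thread: "<directive or target> => <outcome text>", where the outcome is
whatever follows the LAST " => " on the line.
"""
from collections import Counter
from typing import List, NamedTuple


class FixResult(NamedTuple):
    target: str      # the fixlist directive FRST acted on
    outcome: str     # FRST's reported result text
    category: str    # fixed / not_found / deferred / other
    flagged: bool    # FRST's "<==== ATTENTION" marker was present


# Constructed sample, modelled on the recovery-mode Fixlog posted above.
SAMPLE_FIXLOG = r"""
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574 => Error: The entry should be fixed outside recovery mode.
cmwf => Service deleted successfully.
C:\WINDOWS\system32\Drivers\cmwf.sys => Moved successfully.
"C:\WINDOWS\system32\Drivers\CMWFP64.sys" => File/Directory not found.
Task: {19DA1CDD-7A1A-4EBC-8ADD-3CFD1BC3C326} - System32\Tasks\PHLKX => C:\Users\Drake\AppData\Roaming\PHLKX.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
"HKLM\System\ControlSet001\Control\SafeBoot\Minimal\cmwf.sys" => Key deleted successfully.
emptytemp: => Error: This directive works only outside recovery mode.
"""

ATTENTION = "<==== ATTENTION"


def classify(outcome: str) -> str:
    """Map FRST's outcome text onto a small set of triage categories."""
    o = outcome.lower()
    if "outside recovery mode" in o:
        return "deferred"          # FRST refused; needs a normal-mode run
    if o.endswith("successfully."):
        return "fixed"             # deleted / moved / key removed
    if "not found" in o:
        return "not_found"         # already gone or never existed
    return "other"


def parse_fixlog(text: str) -> List[FixResult]:
    """Parse every result line; lines without " => " are headers and skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " => " not in line:
            continue
        # Split on the LAST arrow: earlier arrows belong to the directive
        # itself, e.g. "Task: {...} - System32\Tasks\PHLKX => <path>".
        target, outcome = line.rsplit(" => ", 1)
        flagged = ATTENTION in target
        results.append(FixResult(target.replace(ATTENTION, "").strip(),
                                 outcome.strip(), classify(outcome), flagged))
    return results


def summarize(results: List[FixResult]) -> Counter:
    """Count results per category for a quick overview."""
    return Counter(r.category for r in results)


def remaining_for_normal_mode(results: List[FixResult]) -> List[str]:
    """Directives FRST deferred in recovery mode; they need a second pass
    from a normal boot before the machine can be considered cleaned."""
    return [r.target for r in results if r.category == "deferred"]


if __name__ == "__main__":
    res = parse_fixlog(SAMPLE_FIXLOG)
    print(dict(summarize(res)))
    for t in remaining_for_normal_mode(res):
        print("  still to fix in normal mode:", t)
```

Splitting on the last " => " matters: Task and ProxyServer directives contain an arrow of their own, so a naive split on the first arrow would misread the directive as the outcome.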


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:02 AM

Posted 22 March 2015 - 03:13 PM

Please run FRST as you did the first time you ran it and post the FRST.txt.


#9 oculum

oculum
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:02 AM

Posted 22 March 2015 - 04:53 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Drake (administrator) on DRAKE-PC on 22-03-2015 17:52:14
Running from E:\
Loaded Profiles: Drake (Available profiles: Drake)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(InstallShield Software Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [107816 2011-03-09] (CyberLink)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2012-06-15] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe [234000 2012-06-15] (CyberLink Corp.)
HKLM-x32\...\Run: [LGODDFU] => C:\Program Files (x86)\lg_fwupdate\lgfw.exe [27760 2012-07-12] (Bitleader)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [444760 2014-03-07] (Razer Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [69632 2004-04-13] (InstallShield Software Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-02-27] (AVAST Software)
HKLM-x32\...\RunOnce: [20150107] => C:\Program Files\AVAST Software\Avast\setup\emupdate\2de08b0e-a28b-4451-9931-15d68d6358f5.exe [183232 2015-03-21] (AVAST Software)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [2874048 2015-02-18] (Valve Corporation)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe [37632 2014-02-16] (Overwolf LTD)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [26232152 2015-02-19] (Google)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [30522472 2014-11-28] (Skype Technologies S.A.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2014-10-20] (Apple Inc.)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [196608 2004-04-17] (InstallShield Software Corporation)
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-22] (SUPERAntiSpyware)
HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "\SearchProtect"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files (x86)\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
HKU\S-1-5-21-3810231965-2665440232-335968719-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-04-09] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-04-09] (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-26] ()
FF Plugin: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\system32\npDeployJava1.dll [2013-04-09] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-04-09] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-26] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 -> C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll No File
FF Plugin-x32: @esn/npbattlelog,version=2.3.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll [2014-03-24] (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=10.21.2 -> C:\WINDOWS\SysWOW64\npDeployJava1.dll [2013-04-04] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-26] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-26] (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-02-27]
FF HKU\S-1-5-21-3810231965-2665440232-335968719-1001\...\Firefox\Extensions: [{94AC1397-3EEF-85D7-0C32-1BCFC464C5E7}] - C:\Program Files (x86)\ver0BlockAndSurf\185.xpi
 
Chrome: 
=======
CHR Profile: C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Default
CHR Profile: C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Prezi) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\acoonfmhnndodekhecidldfdjgooefpg [2014-09-01]
CHR Extension: (Duolingo Web) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aiahmijlpehemcpleichkcokhegllfjl [2014-09-01]
CHR Extension: (Google Docs) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-29]
CHR Extension: (Google Drive) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-29]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-29]
CHR Extension: (YouTube) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-29]
CHR Extension: (Vafmusic2) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cbjibcbpmbcabnfnohhgjjmkgkimajko [2014-08-29]
CHR Extension: (2048) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\clgddkicplcbgjfobecebadodeggpghp [2014-09-01]
CHR Extension: (Google Search) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-29]
CHR Extension: (Pandora) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fbangkleohkafngihneedemihgfeikcl [2014-09-03]
CHR Extension: (MixiDJ V5) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fdepacjoijebcfaaenjicnejghibmebp [2014-08-29]
CHR Extension: (Blogger) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lejliakmhcfhakneflmicaoikhbicggc [2014-09-01]
CHR Extension: (Google Wallet) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-29]
CHR Extension: (PowToon Edu) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ogodblbnhpbcmcjcoopbalconhnloagl [2014-09-01]
CHR Extension: (Gmail) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-29]
CHR Profile: C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4
CHR Extension: (Google Slides) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-07]
CHR Extension: (Google Docs) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-07]
CHR Extension: (Google Drive) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-19]
CHR Extension: (YouTube) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-07]
CHR Extension: (Adblock Plus) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-02-27]
CHR Extension: (Google Search) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-07]
CHR Extension: (Google Sheets) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-07]
CHR Extension: (Avast Online Security) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-02-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-21]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2015-01-07]
CHR Extension: (Google Wallet) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-07]
CHR Extension: (Gmail) - C:\Users\Drake\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-07]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Drake\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-03-18]
CHR HKU\S-1-5-21-3810231965-2665440232-335968719-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-21]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-02-27] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2015-02-27] (Avast Software)
S3 EasyAntiCheat; C:\WINDOWS\SysWOW64\EasyAntiCheat.exe [174112 2014-11-03] (EasyAntiCheat Ltd)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S3 OverwolfUpdaterService; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [98560 2014-02-16] (Overwolf LTD)
R2 PnkBstrA; C:\WINDOWS\SysWOW64\PnkBstrA.exe [76888 2014-03-25] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2013-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2013-10-30] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 asahci64; C:\Windows\System32\drivers\asahci64.sys [49760 2012-01-06] (Asmedia Technology)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-03-21] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [88408 2015-03-21] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-03-21] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-03-21] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-03-21] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [441728 2015-03-21] (Avast Software s.r.o.)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [136752 2015-03-21] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [268640 2015-03-21] ()
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [211456 2013-12-30] () [File not signed]
R3 AU8168; C:\Windows\system32\DRIVERS\au630x64.sys [792648 2013-09-23] (Realtek                                            )
S3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2015-02-27] (Emsisoft GmbH)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-12-14] (Symantec Corporation)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [35328 2013-12-30] () [File not signed]
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-18] (Malwarebytes Corporation)
S3 rt70x64; C:\Windows\system32\DRIVERS\netr7064.sys [308224 2006-12-27] (Ralink Technology Inc.)
S3 RtlWlanu; C:\Windows\system32\DRIVERS\wna3100m.sys [1577760 2012-08-16] (Realtek Semiconductor Corporation                           )
S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [39080 2013-11-15] (Razer Inc)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-03-18] ()
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2012-12-13] (Apple, Inc.) [File not signed]
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [271752 2015-02-27] (Avast Software)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2013-10-30] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 11:48 - 2015-02-27 21:31 - 01050432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswB871.tmp
2015-03-21 11:48 - 2015-02-27 21:31 - 00087912 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswB883.tmp
2015-03-21 11:48 - 2015-02-27 21:30 - 00436624 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswB895.tmp
2015-03-21 11:48 - 2015-02-27 21:30 - 00267632 _____ () C:\WINDOWS\system32\Drivers\aswB8A6.tmp
2015-03-21 11:48 - 2015-02-27 21:30 - 00116728 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswB8A7.tmp
2015-03-21 11:48 - 2015-02-27 21:30 - 00093568 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswB872.tmp
2015-03-21 11:48 - 2015-02-27 21:30 - 00065776 _____ () C:\WINDOWS\system32\Drivers\aswB894.tmp
2015-03-21 11:48 - 2015-02-27 21:30 - 00029208 _____ () C:\WINDOWS\system32\Drivers\aswB882.tmp
2015-03-21 11:47 - 2015-03-21 11:47 - 00364472 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\aswBoot.exe
2015-03-21 11:47 - 2015-03-21 11:47 - 00043112 _____ (Avast Software s.r.o.) C:\WINDOWS\avastSS.scr
2015-03-21 11:45 - 2015-03-21 11:45 - 00000197 _____ () C:\WINDOWS\system32\2015-03-21-15-45-06.015-AvastVBoxSVC.exe-2512.log
2015-03-19 21:25 - 2015-03-19 21:25 - 00000197 _____ () C:\WINDOWS\system32\2015-03-20-01-25-12.050-AvastVBoxSVC.exe-3440.log
2015-03-19 21:24 - 2015-03-19 21:24 - 00000000 ____D () C:\Users\Drake\AppData\Local\Steam
2015-03-19 21:13 - 2015-03-19 21:14 - 00000197 _____ () C:\WINDOWS\system32\2015-03-20-01-13-54.053-AvastVBoxSVC.exe-4332.log
2015-03-18 22:16 - 2015-03-18 22:16 - 00000247 _____ () C:\WINDOWS\system32\2015-03-19-02-16-28.000-aswFe.exe-516.log
2015-03-18 22:11 - 2015-03-18 22:16 - 00000247 _____ () C:\WINDOWS\system32\2015-03-19-02-11-01.083-aswFe.exe-4840.log
2015-03-18 22:10 - 2015-03-18 22:10 - 00000197 _____ () C:\WINDOWS\system32\2015-03-19-02-10-57.071-AvastVBoxSVC.exe-2420.log
2015-03-18 20:06 - 2015-03-22 17:52 - 00000000 ____D () C:\FRST
2015-03-18 20:06 - 2015-03-18 20:07 - 00034441 _____ () C:\Users\Drake\Downloads\FRST.txt
2015-03-18 20:06 - 2015-03-18 20:07 - 00031744 _____ () C:\Users\Drake\Downloads\Addition.txt
2015-03-18 20:04 - 2015-03-18 20:04 - 02095616 _____ (Farbar) C:\Users\Drake\Downloads\FRST64.exe
2015-03-18 19:56 - 2015-03-18 19:57 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Drake\Downloads\tdsskiller.exe
2015-03-18 19:51 - 2015-03-18 19:53 - 229979832 _____ (COMODO) C:\Users\Drake\Downloads\cispremium_installer_6100_08.exe
2015-03-18 19:43 - 2015-03-18 19:44 - 18816600 _____ () C:\Users\Drake\Downloads\RogueKillerX64 (1).exe
2015-03-18 19:39 - 2015-03-18 19:39 - 00000197 _____ () C:\WINDOWS\system32\2015-03-18-23-39-17.016-AvastVBoxSVC.exe-2236.log
2015-03-18 19:32 - 2015-03-18 19:32 - 02171392 _____ () C:\Users\Drake\Downloads\AdwCleaner.exe
2015-03-18 19:28 - 2015-03-18 19:28 - 00000197 _____ () C:\WINDOWS\system32\2015-03-18-23-28-03.008-AvastVBoxSVC.exe-2460.log
2015-03-18 19:21 - 2015-03-18 19:21 - 00003276 _____ () C:\WINDOWS\System32\Tasks\avastBCLRestartS-1-5-21-3810231965-2665440232-335968719-1001
2015-02-28 01:23 - 2015-02-28 01:23 - 00000247 _____ () C:\WINDOWS\system32\2015-02-28-05-23-32.040-aswFe.exe-3540.log
2015-02-28 01:20 - 2015-02-28 01:23 - 00000247 _____ () C:\WINDOWS\system32\2015-02-28-05-20-39.037-aswFe.exe-3852.log
2015-02-28 01:20 - 2015-02-28 01:20 - 00000197 _____ () C:\WINDOWS\system32\2015-02-28-05-20-33.088-AvastVBoxSVC.exe-2736.log
2015-02-27 21:44 - 2015-02-27 21:44 - 00000197 _____ () C:\WINDOWS\system32\2015-02-28-01-44-22.005-AvastVBoxSVC.exe-4868.log
2015-02-27 21:39 - 2015-02-27 21:39 - 00000000 ____D () C:\Program Files (x86)\Enigma Software Group
2015-02-27 21:38 - 2015-03-18 19:30 - 00000000 ____D () C:\WINDOWS\DB847E94446B49E0AC5DC5627EC8B0C0.TMP
2015-02-27 21:32 - 2015-02-27 21:36 - 00000000 ____D () C:\WINDOWS\SysWOW64\vbox
2015-02-27 21:32 - 2015-02-27 21:36 - 00000000 ____D () C:\WINDOWS\system32\vbox
2015-02-27 21:32 - 2015-02-27 21:32 - 00001980 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-02-27 21:32 - 2015-02-27 21:32 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\AVAST Software
2015-02-27 21:32 - 2015-02-27 21:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-02-27 21:31 - 2015-03-21 11:48 - 00003924 _____ () C:\WINDOWS\System32\Tasks\avast! Emergency Update
2015-02-27 21:31 - 2015-03-21 11:47 - 01047320 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswSnx.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00441728 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswSP.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00268640 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00136752 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswStm.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00093528 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00088408 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00065736 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
2015-02-27 21:31 - 2015-03-21 11:47 - 00029168 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2015-02-27 21:28 - 2015-02-27 21:28 - 00000000 ____D () C:\Program Files\AVAST Software
2015-02-27 21:27 - 2015-02-27 21:28 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-02-27 21:27 - 2015-02-27 21:27 - 00000000 ____D () C:\Program Files\Enigma Software Group
2015-02-27 21:26 - 2015-02-27 21:27 - 04864752 _____ (AVAST Software) C:\Users\Drake\Downloads\avast_free_antivirus_setup_online.exe
2015-02-27 21:24 - 2015-02-27 21:44 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\uTorrent
2015-02-27 21:24 - 2015-02-27 21:24 - 00000839 _____ () C:\Users\Drake\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-02-27 20:49 - 2015-02-27 20:49 - 00000000 ____D () C:\SUPERDelete
2015-02-27 20:48 - 2015-03-18 19:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-02-27 20:48 - 2015-02-27 21:50 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-02-27 20:48 - 2015-02-27 20:48 - 00001820 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-02-27 19:51 - 2015-02-27 19:51 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\SUPERAntiSpyware.com
2015-02-27 19:51 - 2015-02-27 19:51 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-02-27 19:49 - 2015-03-18 19:49 - 00037624 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-02-27 19:49 - 2015-02-27 19:51 - 21320392 _____ (SUPERAntiSpyware) C:\Users\Drake\Downloads\SUPERAntiSpyware.exe
2015-02-27 19:49 - 2015-02-27 19:49 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-27 19:47 - 2015-02-27 19:48 - 18687064 _____ () C:\Users\Drake\Downloads\RogueKillerX64.exe
2015-02-26 23:23 - 2015-02-26 23:24 - 00000000 ____D () C:\EEK
2015-02-26 21:47 - 2015-03-18 19:36 - 00000000 ____D () C:\AdwCleaner
2015-02-26 20:34 - 2015-03-18 19:21 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-26 20:33 - 2015-02-26 20:33 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-26 20:33 - 2015-02-26 20:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-26 20:33 - 2015-02-26 20:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-26 20:33 - 2015-02-26 20:33 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-26 20:33 - 2014-11-21 07:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-26 20:33 - 2014-11-21 07:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-02-26 20:33 - 2014-11-21 07:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-26 20:04 - 2015-03-18 20:06 - 00000020 _____ () C:\Users\Drake\AppData\Roaming\appdataFr3.bin
2015-02-26 20:04 - 2015-02-26 20:26 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-02-26 19:51 - 2015-02-26 21:30 - 00000000 ____D () C:\Program Files (x86)\862a6334-cdc1-4e0c-a4ba-29fd27eb7ca4
2015-02-26 19:50 - 2015-03-21 03:58 - 00002203 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-26 19:49 - 2015-02-26 19:49 - 00000000 ____D () C:\WINDOWS\LastGood.Tmp
2015-02-26 19:45 - 2015-02-26 19:45 - 00000000 ____D () C:\Users\Drake\AppData\Roaming\Compete
2015-02-20 00:11 - 2015-02-20 00:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RaLink Wireless
2015-02-20 00:08 - 2015-02-20 00:08 - 00002319 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Program Updates.lnk
2015-02-20 00:08 - 2006-12-27 18:41 - 00308224 _____ (Ralink Technology Inc.) C:\WINDOWS\system32\Drivers\netr7064.sys
2015-02-20 00:08 - 2004-04-16 12:24 - 00061440 _____ (InstallShield Software Corporation) C:\WINDOWS\SysWOW64\ISUSPM.cpl
2015-02-20 00:06 - 2015-02-20 00:08 - 00000000 ____D () C:\Program Files (x86)\RALINK
2015-02-20 00:06 - 2015-02-20 00:06 - 00000000 ____D () C:\RALINK
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-22 07:00 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-03-22 06:58 - 2014-01-09 14:09 - 00003926 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{85896E68-EEB3-4FE6-8312-A215FE081BC5}
2015-03-22 06:58 - 2013-03-27 10:22 - 00000924 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-22 06:57 - 2014-01-12 12:13 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-03-21 11:50 - 2013-11-14 03:28 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-03-21 11:46 - 2014-09-21 18:03 - 00000000 __RDO () C:\Users\Drake\SkyDrive
2015-03-21 11:46 - 2014-08-10 13:50 - 00000000 ___RD () C:\Users\Drake\Google Drive
2015-03-21 11:46 - 2013-12-14 10:56 - 02022276 _____ () C:\WINDOWS\WindowsUpdate.log
2015-03-21 11:45 - 2014-12-14 14:05 - 00000000 ___RD () C:\Users\Drake\iCloudDrive
2015-03-21 11:45 - 2013-03-27 10:22 - 00000920 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-21 11:45 - 2013-03-27 09:37 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-03-21 11:44 - 2013-08-22 10:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-03-21 11:41 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-03-21 09:21 - 2013-03-26 14:44 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3810231965-2665440232-335968719-1001
2015-03-21 04:00 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-03-19 21:15 - 2015-01-07 17:40 - 00001589 _____ () C:\WINDOWS\setupact.log
2015-03-18 22:03 - 2015-01-07 17:32 - 00362642 _____ () C:\WINDOWS\PFRO.log
2015-03-18 19:23 - 2014-08-10 13:46 - 00002058 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-03-18 19:23 - 2014-08-10 13:46 - 00002056 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-03-18 19:23 - 2014-08-10 13:46 - 00002046 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-03-18 19:23 - 2014-08-10 13:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-02-27 21:48 - 2013-12-14 10:44 - 00000000 ____D () C:\Users\Drake
2015-02-27 19:46 - 2014-05-30 17:00 - 00000000 ____D () C:\Users\Drake\AppData\Local\SlimWare Utilities Inc
2015-02-27 19:45 - 2015-01-07 17:20 - 00000000 ____D () C:\Program Files (x86)\3788fb5f-595c-4738-84c0-3f1c823bfa5d
2015-02-26 21:52 - 2013-03-27 10:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-02-26 21:40 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\Branding
2015-02-26 21:30 - 2015-01-07 17:24 - 00000000 ____D () C:\Users\Drake\AppData\Local\com
2015-02-26 19:57 - 2014-01-12 12:13 - 00003718 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-02-26 19:55 - 2013-03-28 07:26 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-02-26 19:52 - 2013-03-27 10:22 - 00003896 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-26 19:52 - 2013-03-27 10:22 - 00003660 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-26 19:50 - 2015-01-07 17:21 - 00000000 ___HD () C:\Users\Public\Temp
2015-02-20 00:08 - 2013-12-28 08:25 - 00000000 ____D () C:\ProgramData\InstallShield
 
==================== Files in the root of some directories =======
 
2015-02-26 20:04 - 2015-03-18 20:06 - 0000020 _____ () C:\Users\Drake\AppData\Roaming\appdataFr3.bin
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-21 11:55
 
==================== End Of Log ============================


#10 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 March 2015 - 05:06 PM

1.

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

 

2.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click on the EmsisoftEmergencyKit.exe icon, click Run, then Extract.
  • Double-click the Start Emsisoft Emergency Kit icon that will appear after extraction.
  • Click Yes to update the program.
  • Once the update is completed, click the Back button.
  • Click on 2. Scan (not Quick Scan or Smart Scan).
  • Click Yes to detect Potentially Unwanted Programs (PUPs).
  • Patiently wait for the thorough scan to complete; this can be a lengthy process.
  • Once completed, click Quarantine selected objects (if the computer is clean you will not have this option), then click OK.
  • Click View Report.
  • Attach the report to your reply.
  • Close the program, then click Close.


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 oculum

  • Topic Starter

  • Members
  • 13 posts

Posted 22 March 2015 - 07:10 PM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/22/2015
Scan Time: 6:16:55 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.03.22.06
Rootkit Database: v2015.02.25.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Drake
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 348055
Time Elapsed: 15 min, 38 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 1
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
 
Files: 9
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_config_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_externalJS_diagnostic_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_externalJS_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_externalJS_serp_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_externalJS_shoppingcart_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_notification_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_privacy_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_voicebox_rules_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
PUP.Optional.ConsumerInput.C, C:\Users\Drake\AppData\Roaming\Compete\Consumer Input\DCA_whitelist_gladiolus000.dat, Quarantined, [7f0f07410e7cec4a15610ea1db287d83], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
=====================
 
 
 
Emsisoft Emergency Kit - Version 9.0
Last update: 3/22/2015 7:01:49 PM
User account: DRAKE-PC\Drake
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 3/22/2015 7:03:01 PM
C:\ProgramData\Windows Media Player\media.dat detected: Gen:Variant.Graftor.178512 (B)
 
Scanned 314645
Found 1
 
Scan end: 3/22/2015 8:00:37 PM
Scan time: 0:57:36
 
C:\ProgramData\Windows Media Player\media.dat Quarantined Gen:Variant.Graftor.178512 (B)
 
Quarantined 1
 


#12 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 March 2015 - 07:17 PM

How is the computer running now?




#13 oculum

  • Topic Starter

  • Members
  • 13 posts

Posted 22 March 2015 - 07:21 PM

edit


Edited by oculum, 22 March 2015 - 07:23 PM.


#14 oculum

  • Topic Starter

  • Members
  • 13 posts

Posted 22 March 2015 - 07:24 PM

I thought it was running great (hence the edit), but it appears that malware is still calling out via the web browser as it was before.

 

edit: It didn't seem to be doing this before the Malwarebytes/Emsisoft scan, oddly enough.


Edited by oculum, 22 March 2015 - 07:29 PM.


#15 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 March 2015 - 07:48 PM

What is it doing exactly?






