
Computer infected with WinOptimizer


This topic is locked
18 replies to this topic

#1 sweb (Members, 221 posts)

Posted 26 March 2015 - 03:18 PM

Upon startup of my machine today, Microsoft Security Essentials detected a virus called WinOptimizer.

Running Windows Vista
screenshot attached

https://www.sendspace.com/file/w7hj5x

#2 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 26 March 2015 - 03:44 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours, please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. (Harm no one; rather, help everyone as much as you can.) Arthur Schopenhauer
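In this thread the FRST output requested in Step 1 is read by hand. The following is an added example, my own code and not FRST's, the forum's or the helper's: a small Python triage pass over the Services/Drivers line shape that FRST prints (`R2 Name; C:\path\file.exe [size yyyy-mm-dd] (Vendor) [File not signed]`). The parenthesised vendor is the CompanyName from the file's version resource, which is self-declared by whoever built the file; `[File not signed]` means the Authenticode check did not pass, so nothing vouches for that claim. The heuristics, the reason names and the 30-day "recent" window are my assumptions; a hit means "look at this entry first", not "malicious". The sample lines are copied from the FRST.txt posted later in this thread.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# One FRST service/driver line (see the Services and Drivers sections of
# the log in this thread):
#   R2 Name; C:\path\file.exe [size yyyy-mm-dd] (Vendor) [File not signed]
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]"
    r"\s+\((?P<vendor>[^)]*)\)"
    r"(?P<flags>(?:\s+\[[^\]]+\])*)\s*$"
)


@dataclass
class Entry:
    state: str        # R = running, S = stopped, U = unknown, plus start type
    name: str
    path: str
    size: int
    file_date: date   # the file date FRST prints in the brackets
    vendor: str       # CompanyName from the version resource (self-declared)
    signed: bool      # False when FRST appended "[File not signed]"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST service/driver line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        state=m["state"],
        name=m["name"].strip(),
        path=m["path"],
        size=int(m["size"]),
        file_date=date.fromisoformat(m["date"]),
        vendor=m["vendor"].strip(),
        signed="[File not signed]" not in m["flags"],
    )


def triage(lines: List[str], scan_date: date, recent_days: int = 30) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for every entry that trips a heuristic.

    Heuristics (my assumptions, not FRST's):
      unsigned                  no valid Authenticode signature
      unverified-vendor-claim   a vendor string on an unsigned file is just text
                                in the PE header; anyone can write "Microsoft" there
      no-version-info           empty vendor field, i.e. no version resource at all
      recent                    file date within recent_days of the scan
    """
    findings: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons: List[str] = []
        if not e.signed:
            reasons.append("unsigned")
            if e.vendor:
                reasons.append("unverified-vendor-claim")
        if not e.vendor:
            reasons.append("no-version-info")
        if (scan_date - e.file_date).days <= recent_days:
            reasons.append("recent")
        if reasons:
            findings[e.name] = reasons
    return findings


# Lines copied from the FRST.txt posted in this thread (Services and Drivers).
SAMPLE_LINES = r"""
S2 Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [282624 2003-06-02] ()
S2 ATI Smart; C:\Windows\System32\ati2sgag.exe [114688 2003-06-05] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
""".strip().splitlines()

# "Ran by sw13 (administrator) on SW13-PC on 26-03-2015" in the log header.
SCAN_DATE = date(2015, 3, 26)

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES, SCAN_DATE).items():
        print(f"{name}: {', '.join(reasons)}")
```

The same regex tail (`path [size date] (vendor) flags`) also applies to the `HKLM\...\Run:` entries, so the triage can be extended to autoruns by adding a second head pattern. Signed Microsoft binaries in the sample (MsMpSvc, MpFilter) produce no finding; the two legacy ATI entries trip only the version-info heuristic, which is why a hit is a queue ordering and not a verdict.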

#3 sweb (Topic Starter)

Posted 26 March 2015 - 04:53 PM

Hello Jürgen,

Here are the logs

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by sw13 (administrator) on SW13-PC on 26-03-2015 14:50:44
Running from C:\Users\sw13\Desktop\Bleepingcomputer-march2015
Loaded Profiles: sw13 (Available profiles: sw13)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Windows Network Accelerater\v5\winvxm.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [335872 2003-06-05] (ATI Technologies, Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Real\RealPlayer\update\realsched.exe [295512 2013-06-05] (RealNetworks, Inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2015-03-03] (Apple Inc.)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-30] (Piriform Ltd)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\RunOnce: [Adobe Speed Launcher] => 1427400031
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2014-12-03] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-04-16] (RealDownloader)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.apple.com/qtactivex/qtplugin.cab
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11

FireFox:
========
FF ProfilePath: C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\hkbly0m1.default-1421351852135
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: yahoo.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2013-06-05] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll [2013-06-05] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-04-16] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\hkbly0m1.default-1421351852135\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-02-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-05-14]
FF HKLM\...\Firefox\Extensions: [{FCE04E1F-9378-4f39-96F6-5689A9159E45}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-06-05]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.yahoo.com/"
CHR Profile: C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-04-16]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [282624 2003-06-02] ()
S2 ATI Smart; C:\Windows\System32\ati2sgag.exe [114688 2003-06-05] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-26 14:49 - 2015-03-26 14:50 - 00000000 ____D () C:\Users\sw13\Desktop\Bleepingcomputer-march2015
2015-03-26 12:38 - 2015-03-26 12:38 - 00005680 _____ () C:\Users\sw13\Desktop\winoptimizer.txt
2015-03-26 11:49 - 2015-03-26 11:49 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-04 10:33 - 2015-03-04 10:33 - 00000000 ____D () C:\Users\sw13\AppData\Roaming\Apple Computer
2015-03-03 14:39 - 2015-03-03 14:39 - 01055952 _____ (Adobe) C:\Users\sw13\Downloads\install_reader10_en_mssa_aaa_aih.exe
2015-03-03 14:34 - 2015-03-03 14:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-03-03 14:33 - 2015-03-03 14:33 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-03 14:32 - 2015-03-03 14:32 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-03 14:30 - 2015-03-03 14:34 - 00000000 ____D () C:\Program Files\QuickTime

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-26 14:50 - 2015-01-03 18:53 - 00000000 ____D () C:\FRST
2015-03-26 14:23 - 2008-01-20 18:35 - 01090191 _____ () C:\Windows\WindowsUpdate.log
2015-03-26 14:20 - 2014-01-31 15:14 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-26 14:01 - 2013-05-20 13:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-26 13:04 - 2006-11-02 03:33 - 00780920 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-26 13:00 - 2014-10-28 09:05 - 00000000 ____D () C:\Program Files\Windows Network Accelerater
2015-03-26 13:00 - 2014-01-31 15:14 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-26 12:59 - 2014-11-19 15:30 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-26 12:59 - 2013-05-14 20:11 - 00000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2015-03-26 12:59 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-26 12:59 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-26 12:59 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-26 12:40 - 2006-11-02 06:01 - 00032588 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-26 11:44 - 2014-01-31 15:14 - 00001927 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-26 11:23 - 2013-05-20 13:19 - 00000000 ____D () C:\Users\sw13\AppData\Local\Deployment
2015-03-03 16:27 - 1999-11-22 13:41 - 00006319 _____ () C:\Windows\Eclipse.ini
2015-03-03 06:16 - 2013-05-14 21:39 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-26 12:29 - 2013-07-31 14:39 - 00000000 ____D () C:\HT

==================== Files in the root of some directories =======

2013-06-05 14:03 - 2013-06-05 14:03 - 0000552 _____ () C:\Users\sw13\AppData\Local\d3d8caps.dat
2013-05-14 20:11 - 2015-03-26 12:59 - 0000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2013-05-22 11:25 - 2015-02-09 10:14 - 0007168 _____ () C:\Users\sw13\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-09-05 09:04 - 2014-09-05 09:04 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-12-04 12:37 - 2014-12-04 12:37 - 0001687 _____ () C:\ProgramData\tempimage.bmp

Some content of TEMP:
====================
C:\Users\sw13\AppData\Local\temp\Quarantine.exe
C:\Users\sw13\AppData\Local\temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-26 13:05

==================== End Of Log ============================


Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by sw13 at 2015-03-26 14:51:26
Running from C:\Users\sw13\Desktop\Bleepingcomputer-march2015
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version:  - )
Celsus - Production (HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\4e8983d9705245fb) (Version: 1.1.16492.1114 - Capital IQ)
Eclipse VoX 4.2 (HKLM\...\{27067C64-3491-439F-BC38-59E0E45B12B4}) (Version: 4.2.1.10 - Singularity Software, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.101 - Google Inc.)
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mozilla Firefox 36.0.4 (x86 en-US) (HKLM\...\Mozilla Firefox 36.0.4 (x86 en-US)) (Version: 36.0.4 - Mozilla)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

05-02-2015 11:18:29 Scheduled Checkpoint
06-02-2015 12:52:29 Scheduled Checkpoint
09-02-2015 09:57:36 Windows Update
10-02-2015 09:47:53 Scheduled Checkpoint
11-02-2015 11:41:20 Scheduled Checkpoint
12-02-2015 10:58:08 Windows Update
13-02-2015 09:56:02 Scheduled Checkpoint
14-02-2015 04:00:21 Scheduled Checkpoint
14-02-2015 04:00:22 Windows Update
18-02-2015 09:37:28 Windows Update
19-02-2015 14:29:01 Scheduled Checkpoint
23-02-2015 09:07:02 Windows Update
24-02-2015 13:10:29 Scheduled Checkpoint
25-02-2015 13:55:23 Scheduled Checkpoint
26-02-2015 14:10:43 Scheduled Checkpoint
27-02-2015 09:57:48 Windows Update
02-03-2015 10:22:15 Windows Update
03-03-2015 14:07:01 Scheduled Checkpoint
03-03-2015 14:32:53 Installed QuickTime 7
04-03-2015 09:43:33 Scheduled Checkpoint
26-03-2015 11:17:30 Windows Update
26-03-2015 12:35:04 Microsoft Antimalware Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 03:23 - 2015-01-19 15:20 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {09B0509B-9915-4A66-94C5-3688343897EA} - System32\Tasks\NCH Software\ScribeReminder => C:\Program Files\NCH Software\Scribe\Scribe.exe
Task: {6620F5B8-D7BF-4D42-BF66-81D24737679D} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {87138C53-6EB3-4B80-B6D7-4E8F3120EA1E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {9B59B993-1AD7-43FE-8F71-51898785FDE5} - System32\Tasks\HPCustParticipation HP Officejet 4630 series => C:\Program Files\HP\HP Officejet 4630 series\Bin\HPCustPartic.exe [2014-03-06] (Hewlett-Packard Co.)
Task: {9D3BA9F9-8AEF-4C47-B598-8418D692D36C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-31] (Google Inc.)
Task: {B2956309-8D7D-4A3C-AC53-641626864A0E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-31] (Google Inc.)
Task: {DE48EF34-E6BE-4E79-A0D2-7887E758C9EE} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-05] (Adobe Systems Incorporated)
Task: {E892C798-ACCE-476E-85AC-439DA86A16D0} - System32\Tasks\{D45827CD-A16D-4C01-91FA-8847798699AC} => pcalua.exe -a "C:\Users\sw13\AppData\Local\Temp\Temp1_ATI VGA Driver.ZIP\ATI\Setup.exe"
Task: {FBBF2A1C-0DD7-4973-B91E-7665D071A9F8} - System32\Tasks\{F0548D54-1B27-4926-9FE4-1E586EBCC1D2} => pcalua.exe -a "E:\CAPITALIQ\Training\02 Software\Eclipse Installer\ecldevup.exe" -d "E:\CAPITALIQ\Training\02 Software\Eclipse Installer"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2013-05-21 09:31 - 2012-10-04 19:50 - 00088688 _____ () C:\Windows\System32\cpwmon2k.dll
2013-04-16 03:07 - 2013-04-16 03:07 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
2015-02-05 16:01 - 2015-02-05 16:01 - 16852144 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\Wallpaper\img23.jpg
DNS Servers: 68.105.28.12 - 68.105.29.12

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: DPS => 2
MSCONFIG\Services: RasAuto => 3
MSCONFIG\Services: RasMan => 3
MSCONFIG\Services: SessionEnv => 3
MSCONFIG\Services: TermService => 2
MSCONFIG\Services: WdiServiceHost => 3
MSCONFIG\Services: WdiSystemHost => 3
MSCONFIG\Services: WerSvc => 2
MSCONFIG\Services: WPCSvc => 3

==================== Accounts: =============================

Administrator (S-1-5-21-3318673867-2705152334-234800118-500 - Administrator - Disabled)
Guest (S-1-5-21-3318673867-2705152334-234800118-501 - Limited - Enabled)
sw13 (S-1-5-21-3318673867-2705152334-234800118-1000 - Administrator - Enabled) => C:\Users\sw13

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/26/2015 01:01:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/26/2015 01:00:28 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/26/2015 01:00:27 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/26/2015 00:44:41 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/26/2015 00:44:41 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/26/2015 00:44:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/26/2015 00:44:12 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (03/26/2015 00:35:03 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {9190fbdd-386b-4e8e-852d-d50aff11bdb3}

Error: (03/26/2015 11:08:23 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/04/2015 10:33:55 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (03/26/2015 01:01:24 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Windows Virtual Network (WVN5)

Error: (03/26/2015 01:01:24 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Internet Connection Sharing (ICS)Remote Access Connection Manager%%1058

Error: (03/26/2015 00:44:37 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: MpFilter
spldr
Wanarpv6

Error: (03/26/2015 00:44:37 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Internet Connection Sharing (ICS)Remote Access Connection Manager%%1058

Error: (03/26/2015 00:44:37 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Microsoft Network Inspection SystemMicrosoft Malware Protection Driver%%31

Error: (03/26/2015 00:44:37 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Computer BrowserServer%%1068

Error: (03/26/2015 00:44:19 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (03/26/2015 00:44:13 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (03/26/2015 00:44:12 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/26/2015 00:44:05 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-01-19 14:13:28.221
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:27.847
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:27.426
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:26.989
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:26.318
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:25.835
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:25.367
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 14:13:24.961
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:10.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:09.912
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz
Percentage of memory in use: 52%
Total physical RAM: 2036.24 MB
Available physical RAM: 964.09 MB
Total Pagefile: 5037.52 MB
Available Pagefile: 3965.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1909.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.05 GB) (Free:95.79 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149.1 GB) (Disk ID: 2369B484)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Edited by sweb, 26 March 2015 - 04:57 PM.


#4 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 26 March 2015 - 05:01 PM

Hello :)

Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]
    C:\Program Files\Windows Network Accelerater
    EmptyTemp:
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

After the Reboot:


Step 2

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the settings shown in the screenshot.
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at the location shown in the screenshot.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

Can you please tell me which problems still persist now?
How is the computer running?

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#5 sweb (Topic Starter, Members, 221 posts)

Posted 26 March 2015 - 05:14 PM

fixlog

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by sw13 (administrator) on SW13-PC on 26-03-2015 14:50:44
Running from C:\Users\sw13\Desktop\Bleepingcomputer-march2015
Loaded Profiles: sw13 (Available profiles: sw13)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Windows Network Accelerater\v5\winvxm.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [335872 2003-06-05] (ATI Technologies, Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Real\RealPlayer\update\realsched.exe [295512 2013-06-05] (RealNetworks, Inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2015-03-03] (Apple Inc.)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-30] (Piriform Ltd)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\RunOnce: [Adobe Speed Launcher] => 1427400031
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2014-12-03] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-04-16] (RealDownloader)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.apple.com/qtactivex/qtplugin.cab
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11

FireFox:
========
FF ProfilePath: C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\hkbly0m1.default-1421351852135
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: yahoo.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2013-06-05] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll [2013-06-05] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-04-16] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\hkbly0m1.default-1421351852135\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-02-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-05-14]
FF HKLM\...\Firefox\Extensions: [{FCE04E1F-9378-4f39-96F6-5689A9159E45}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-06-05]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.yahoo.com/"
CHR Profile: C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-04-16]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [282624 2003-06-02] ()
S2 ATI Smart; C:\Windows\System32\ati2sgag.exe [114688 2003-06-05] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-26 14:49 - 2015-03-26 14:50 - 00000000 ____D () C:\Users\sw13\Desktop\Bleepingcomputer-march2015
2015-03-26 12:38 - 2015-03-26 12:38 - 00005680 _____ () C:\Users\sw13\Desktop\winoptimizer.txt
2015-03-26 11:49 - 2015-03-26 11:49 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-04 10:33 - 2015-03-04 10:33 - 00000000 ____D () C:\Users\sw13\AppData\Roaming\Apple Computer
2015-03-03 14:39 - 2015-03-03 14:39 - 01055952 _____ (Adobe) C:\Users\sw13\Downloads\install_reader10_en_mssa_aaa_aih.exe
2015-03-03 14:34 - 2015-03-03 14:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-03-03 14:33 - 2015-03-03 14:33 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-03 14:32 - 2015-03-03 14:32 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-03 14:30 - 2015-03-03 14:34 - 00000000 ____D () C:\Program Files\QuickTime

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-26 14:50 - 2015-01-03 18:53 - 00000000 ____D () C:\FRST
2015-03-26 14:23 - 2008-01-20 18:35 - 01090191 _____ () C:\Windows\WindowsUpdate.log
2015-03-26 14:20 - 2014-01-31 15:14 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-26 14:01 - 2013-05-20 13:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-26 13:04 - 2006-11-02 03:33 - 00780920 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-26 13:00 - 2014-10-28 09:05 - 00000000 ____D () C:\Program Files\Windows Network Accelerater
2015-03-26 13:00 - 2014-01-31 15:14 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-26 12:59 - 2014-11-19 15:30 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-26 12:59 - 2013-05-14 20:11 - 00000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2015-03-26 12:59 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-26 12:59 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-26 12:59 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-26 12:40 - 2006-11-02 06:01 - 00032588 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-26 11:44 - 2014-01-31 15:14 - 00001927 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-26 11:23 - 2013-05-20 13:19 - 00000000 ____D () C:\Users\sw13\AppData\Local\Deployment
2015-03-03 16:27 - 1999-11-22 13:41 - 00006319 _____ () C:\Windows\Eclipse.ini
2015-03-03 06:16 - 2013-05-14 21:39 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-26 12:29 - 2013-07-31 14:39 - 00000000 ____D () C:\HT

==================== Files in the root of some directories =======

2013-06-05 14:03 - 2013-06-05 14:03 - 0000552 _____ () C:\Users\sw13\AppData\Local\d3d8caps.dat
2013-05-14 20:11 - 2015-03-26 12:59 - 0000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2013-05-22 11:25 - 2015-02-09 10:14 - 0007168 _____ () C:\Users\sw13\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-09-05 09:04 - 2014-09-05 09:04 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-12-04 12:37 - 2014-12-04 12:37 - 0001687 _____ () C:\ProgramData\tempimage.bmp

Some content of TEMP:
====================
C:\Users\sw13\AppData\Local\temp\Quarantine.exe
C:\Users\sw13\AppData\Local\temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-03-26 13:05

==================== End Of Log ============================
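The entry deeprybka put in the fixlist can be picked out of a log like the one above mechanically. What follows is an added example, not code from this thread, from FRST or from its author: a small Python parser that reads the "Services (Whitelisted)" section of an FRST.txt (the sample is a constructed string holding lines copied from the log above) and flags what a responder looks for by eye: a service whose file claims Microsoft as publisher but carries no signature, a binary dated within a few days of the scan, and an unsigned file with no publisher at all. The function names, the seven-day window and the wording of the findings are my own choices, not anything FRST defines.

```python
import re
from datetime import date

# Constructed sample input: lines copied from the FRST.txt posted above
# (Processes and Services sections); backslashes are kept exactly as logged.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Network Accelerater\v5\winvxm.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
========================== Services (Whitelisted) =================
S2 ATI Smart; C:\Windows\System32\ati2sgag.exe [114688 2003-06-05] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]
"""

# One FRST service line: "<state> <name>; <path> [<size> <date>] (<company>)[ [File not signed]]"
SERVICE_RE = re.compile(
    r"^[RSU]\d\s+(?P<name>.+?);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<company>.*?)\)(?P<tail>.*)$"
)


def parse_services(text):
    """Return one dict per entry in the 'Services (Whitelisted)' section."""
    entries = []
    in_services = False
    for line in text.splitlines():
        if line.startswith("="):            # section banner
            in_services = "Services" in line
            continue
        m = SERVICE_RE.match(line) if in_services else None
        if m:
            entries.append({
                "name": m.group("name"),
                "path": m.group("path"),
                "date": date.fromisoformat(m.group("date")),
                "company": m.group("company"),
                "signed": "[File not signed]" not in m.group("tail"),
            })
    return entries


def triage(entries, scan_date, recent_days=7):
    """Flag entries the way a responder reads them by eye.

    scan_date is the ISO date the log was produced; recent_days is an
    assumed window (my choice, not an FRST setting).
    Returns {service name: [reasons]} for flagged entries only.
    """
    scan = date.fromisoformat(scan_date)
    findings = {}
    for e in entries:
        reasons = []
        if "microsoft" in e["company"].lower() and not e["signed"]:
            reasons.append("claims Microsoft as publisher but the file is not signed")
        if 0 <= (scan - e["date"]).days <= recent_days:
            reasons.append("binary dated within %d days of the scan" % recent_days)
        if not e["company"] and not e["signed"]:
            reasons.append("no publisher and not signed (verify by hand)")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_services(SAMPLE_FRST), "2015-03-26").items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the sample, WindowsVNT_R5 is the only entry that collects two findings (unsigned while naming Microsoft, and a file date two days before the scan), MsMpSvc collects none, and the old unsigned ATI Smart service is reported only as something to verify by hand, which matches what the fixlist above removed and what it left alone.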



#6 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 26 March 2015 - 05:17 PM

:)

No, that's not the fixlog.txt
regards,
deeprybka

#7 sweb (Topic Starter, Members, 221 posts)

Posted 26 March 2015 - 05:28 PM

running the ESET now



#8 sweb (Topic Starter, Members, 221 posts)

Posted 26 March 2015 - 05:29 PM

sorry about that

try this one

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by sw13 at 2015-03-26 15:09:35 Run:4
Running from C:\Users\sw13\Desktop\Bleepingcomputer-march2015
Loaded Profiles: sw13 (Available profiles: sw13)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CloseProcesses:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]
C:\Program Files\Windows Network Accelerater
EmptyTemp:
*****************

Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
WindowsVNT_R5 => Service deleted successfully.
C:\Program Files\Windows Network Accelerater => Moved successfully.
EmptyTemp: => Removed 498.1 MB temporary data.

The system needed a reboot.

==== End of Fixlog 15:10:07 ====
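The check a responder makes on a Fixlog is that every line of the fixlist produced a matching success line. As an added example (not from this thread, from FRST or from its author), the Python below makes that check explicit: it splits a Fixlog body (the sample is a constructed string holding the Fixlog posted above) into the echoed fixlist and the result lines FRST printed after it, derives from each directive the success message it should have produced, and reports any directive without one. The mapping covers only the five directive kinds seen in this thread (CloseProcesses:, SearchScopes:, a service line, a bare path, EmptyTemp:) and returns None for anything else; the function names are mine.

```python
import re

# Constructed sample input: the Fixlog.txt posted above, from the fixlist
# block onward, with backslashes kept exactly as logged.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
CloseProcesses:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
R2 WindowsVNT_R5; C:\Program Files\Windows Network Accelerater\v5\winvxm.exe [2976880 2015-03-24] (Microsoft Corporation) [File not signed]
C:\Program Files\Windows Network Accelerater
EmptyTemp:
*****************

Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
WindowsVNT_R5 => Service deleted successfully.
C:\Program Files\Windows Network Accelerater => Moved successfully.
EmptyTemp: => Removed 498.1 MB temporary data.

The system needed a reboot.
==== End of Fixlog 15:10:07 ====
"""


def split_fixlog(text):
    """Return (directives, result_lines): the fixlist echoed between the
    two '*****' markers, and everything FRST printed after it."""
    lines = text.splitlines()
    marks = [i for i, l in enumerate(lines) if l.startswith("*****")]
    if len(marks) < 2:
        raise ValueError("no 'Content of fixlist' block found")
    directives = [l.strip() for l in lines[marks[0] + 1:marks[1]] if l.strip()]
    results = [l.strip() for l in lines[marks[1] + 1:] if l.strip()]
    return directives, results


def expected_prefix(directive):
    """Map one directive to the start of the line FRST prints on success.
    Derived from the five directive kinds in this log; anything else -> None."""
    if directive == "CloseProcesses:":
        return "Processes closed successfully"
    if directive == "EmptyTemp:":
        return "EmptyTemp: => Removed"
    m = re.match(r"^SearchScopes:\s+(HKU\\\S+)\s+->", directive)
    if m:                                     # result line names the full key under that hive
        return m.group(1) + "\\"
    m = re.match(r"^[RSU]\d\s+(.+?);", directive)
    if m:                                     # service line -> service deleted
        return m.group(1) + " => Service deleted successfully"
    if re.match(r"^[A-Za-z]:\\", directive):  # bare path -> moved to quarantine
        return directive.rstrip("\\") + " => Moved successfully"
    return None


def verify_fixlog(text):
    """Return {directive: True/False/None}: True when a matching success
    line exists, False when it does not, None for directive kinds this
    example does not know how to check."""
    directives, results = split_fixlog(text)
    status = {}
    for d in directives:
        prefix = expected_prefix(d)
        if prefix is None:
            status[d] = None
            continue
        status[d] = any(
            r.startswith(prefix) and ("successfully" in r or prefix.startswith("EmptyTemp"))
            for r in results
        )
    return status


def needed_reboot(text):
    """True when FRST reported that the fix required a restart."""
    return any(r.startswith("The system needed a reboot") for r in split_fixlog(text)[1])


if __name__ == "__main__":
    for directive, ok in verify_fixlog(SAMPLE_FIXLOG).items():
        print({True: "OK  ", False: "FAIL", None: "?   "}[ok], directive)
    print("reboot required:", needed_reboot(SAMPLE_FIXLOG))
```

On the sample all seven directives come back True and the reboot flag is set. The trailing backslash is stripped from bare paths because FRST reports a folder directive such as C:\ProgramData\Cerber AntiVirus\ without it, as the later Fixlog in this thread shows.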



#9 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 26 March 2015 - 05:30 PM

OK :thumbup2:


Edited by deeprybka, 26 March 2015 - 05:30 PM.

regards,
deeprybka

#10 sweb (Topic Starter, Members, 221 posts)

Posted 26 March 2015 - 06:17 PM

here is ESET log

C:\ProgramData\Cerber AntiVirus\Installers\cerberav_setup.msi     a variant of Win32/Packed.Themida potentially unwanted application
C:\Users\All Users\Cerber AntiVirus\Installers\cerberav_setup.msi a variant of Win32/Packed.Themida potentially unwanted application
C:\Users\sw13\Downloads\ccsetup401.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows\Installer\687b3.msi      a variant of MSIL/Toolbar.Linkury.G potentially unwanted application



#11 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 26 March 2015 - 06:24 PM

Are there any problems left?
regards,
deeprybka

#12 sweb (Topic Starter, Members, 221 posts)

Posted 26 March 2015 - 06:26 PM

I don't know

Do you think the virus is removed now?



#13 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 26 March 2015 - 06:34 PM

:)

I think so... :lol:

Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    C:\ProgramData\Cerber AntiVirus\
    C:\Windows\Installer\687b3.msi  
    C:\Users\sw13\Downloads\ccsetup401.exe
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.


Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

Edited by deeprybka, 26 March 2015 - 06:35 PM.

regards,
deeprybka

#14 sweb (Topic Starter, Members, 221 posts)

Posted 27 March 2015 - 12:01 PM

ok

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by sw13 at 2015-03-27 10:00:29 Run:5
Running from C:\Users\sw13\Desktop\Bleepingcomputer-march2015
Loaded Profiles: sw13 (Available profiles: sw13)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
C:\ProgramData\Cerber AntiVirus\
C:\Windows\Installer\687b3.msi  
C:\Users\sw13\Downloads\ccsetup401.exe
*****************

C:\ProgramData\Cerber AntiVirus => Moved successfully.
C:\Windows\Installer\687b3.msi => Moved successfully.
C:\Users\sw13\Downloads\ccsetup401.exe => Moved successfully.

==== End of Fixlog 10:00:29 ====



#15 sweb (Topic Starter, Members, 221 posts)

Posted 27 March 2015 - 12:08 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by sw13 (administrator) on SW13-PC on 27-03-2015 10:01:37
Running from C:\Users\sw13\Desktop\Bleepingcomputer-march2015
Loaded Profiles: sw13 (Available profiles: sw13)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [335872 2003-06-05] (ATI Technologies, Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Real\RealPlayer\update\realsched.exe [295512 2013-06-05] (RealNetworks, Inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2015-03-03] (Apple Inc.)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-30] (Piriform Ltd)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\RunOnce: [Adobe Speed Launcher] => 1427475488
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2014-12-03] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-04-16] (RealDownloader)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.apple.com/qtactivex/qtplugin.cab
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11

FireFox:
========
FF ProfilePath: C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\hkbly0m1.default-1421351852135
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: yahoo.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2013-06-05] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-04-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll [2013-06-05] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-04-16] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\hkbly0m1.default-1421351852135\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-02-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-05-14]
FF HKLM\...\Firefox\Extensions: [{FCE04E1F-9378-4f39-96F6-5689A9159E45}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-06-05]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://yahoo.com/"
CHR Profile: C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-04-16]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [282624 2003-06-02] ()
S2 ATI Smart; C:\Windows\System32\ati2sgag.exe [114688 2003-06-05] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-26 14:49 - 2015-03-27 10:01 - 00000000 ____D () C:\Users\sw13\Desktop\Bleepingcomputer-march2015
2015-03-26 11:49 - 2015-03-26 11:49 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-04 10:33 - 2015-03-04 10:33 - 00000000 ____D () C:\Users\sw13\AppData\Roaming\Apple Computer
2015-03-03 14:39 - 2015-03-03 14:39 - 01055952 _____ (Adobe) C:\Users\sw13\Downloads\install_reader10_en_mssa_aaa_aih.exe
2015-03-03 14:34 - 2015-03-03 14:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-03-03 14:33 - 2015-03-03 14:33 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-03 14:32 - 2015-03-03 14:32 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-03 14:30 - 2015-03-03 14:34 - 00000000 ____D () C:\Program Files\QuickTime

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-27 10:05 - 2013-05-15 18:23 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-27 10:04 - 2006-11-02 03:33 - 00780920 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-27 10:01 - 2015-01-03 18:53 - 00000000 ____D () C:\FRST
2015-03-27 10:01 - 2013-05-20 13:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-27 10:01 - 2008-01-20 18:35 - 01120376 _____ () C:\Windows\WindowsUpdate.log
2015-03-27 09:57 - 2014-01-31 15:14 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-27 09:57 - 2013-05-14 20:11 - 00000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2015-03-27 09:57 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-27 09:57 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-27 09:57 - 2006-11-02 05:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-26 16:32 - 2006-11-02 06:01 - 00032588 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-26 16:20 - 2014-01-31 15:14 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-26 12:59 - 2014-11-19 15:30 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-26 11:44 - 2014-01-31 15:14 - 00001927 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-26 11:23 - 2013-05-20 13:19 - 00000000 ____D () C:\Users\sw13\AppData\Local\Deployment
2015-03-03 16:27 - 1999-11-22 13:41 - 00006319 _____ () C:\Windows\Eclipse.ini
2015-03-03 06:16 - 2013-05-14 21:39 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-26 12:29 - 2013-07-31 14:39 - 00000000 ____D () C:\HT

==================== Files in the root of some directories =======

2013-06-05 14:03 - 2013-06-05 14:03 - 0000552 _____ () C:\Users\sw13\AppData\Local\d3d8caps.dat
2013-05-14 20:11 - 2015-03-27 09:57 - 0000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2013-05-22 11:25 - 2015-02-09 10:14 - 0007168 _____ () C:\Users\sw13\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-09-05 09:04 - 2014-09-05 09:04 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-12-04 12:37 - 2014-12-04 12:37 - 0001687 _____ () C:\ProgramData\tempimage.bmp

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-27 10:04

==================== End Of Log ============================
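
The "Bamital & volsnap Check" above only reports whether each core binary carries a valid signature. As an added example, not part of the FRST log or of anything posted in this thread, the PowerShell below re-checks the same nine files on the machine and adds the two ATI service executables from the Services section, which FRST listed with an empty publisher field and, for ati2sgag.exe, "[File not signed]". Paths are assumed to sit under %SystemRoot% as shown in the log; the SHA-1 column is there so a hash can be compared against a known-good copy or a VirusTotal lookup. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the FRST log or the thread): re-check Authenticode
# status of the binaries FRST verified, plus the two ATI service binaries that
# FRST listed without a publisher. Windows PowerShell 2.0 or later, no modules.

$targets = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\Drivers\volsnap.sys",
    "$env:SystemRoot\System32\Ati2evxx.exe",   # S2 Ati HotKey Poller: publisher empty in the log
    "$env:SystemRoot\System32\ati2sgag.exe"    # S2 ATI Smart: "[File not signed]" in the log
)

$results = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing file is worth knowing about too; FRST would simply not list it.
        New-Object PSObject -Property @{ Path = $path; Status = 'Missing'; Signer = ''; SHA1 = '' }
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path

    # SHA-1 of the file on disk, for comparison with a clean install or an online lookup.
    $hashBytes = [Security.Cryptography.SHA1]::Create().ComputeHash([IO.File]::ReadAllBytes($path))
    $sha1 = ([BitConverter]::ToString($hashBytes)) -replace '-', ''

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    New-Object PSObject -Property @{
        Path   = $path
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $signer
        SHA1   = $sha1
    }
}

# Full table first, then only the entries that need a second look.
$results | Format-Table -AutoSize Status, Signer, SHA1, Path
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize Status, SHA1, Path
```

One caveat before reading NotSigned as a sign of tampering: most Windows system binaries are signed through security catalogs (under %SystemRoot%\System32\CatRoot) rather than with an embedded signature, and Get-AuthenticodeSignature did not consult catalogs until PowerShell 5.1, so on a Vista-era system the nine OS files may report NotSigned even when they are intact. HashMismatch, by contrast, means an embedded signature is present but no longer matches the file, which is the result that actually warrants concern. For a catalog-aware check on older Windows, Sysinternals sigcheck (with -i to show the catalog and signing chain) or signtool verify /a /pa are the usual tools. The ATI binaries dated 2003 are a separate question: a vendor file with no signature is common for drivers of that age and is not by itself evidence of infection.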