Gambali.exe Rootkit Trojan - Can't get rid of it


This topic is locked
6 replies to this topic

#1 morandaminds
Posted 13 April 2015 - 11:21 AM

I would greatly appreciate some help getting rid of this bug. You guys have helped me in the past to remove some bad malware. Awaiting instructions.

#2 morandaminds
Posted 13 April 2015 - 11:42 AM

My apologies, just read the prep guide. Here is the FRST log and Addition.txt.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-04-2015
Ran by Terry (administrator) on TERRY-PC on 13-04-2015 09:35:54
Running from C:\Users\Terry\Downloads
Loaded Profiles: Terry (Available profiles: Terry)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(WebEx Communications, Inc.) C:\Windows\SysWOW64\atashost.exe
(Gambali OEM Software) C:\ProgramData\FlashBeat\Gambali.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
(Foolish IT LLC) C:\Users\Terry\Desktop\D7\d7.exe
(CYREN Inc.) C:\Program Files\Common Files\Commtouch\AntiVirus5\vsedsps.exe
(CYREN Inc.) C:\Program Files\Common Files\Commtouch\AntiVirus5\vseamps.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\WscRmd.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [] => [X]
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1482080 2009-08-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ioloLiveBoost] => C:\Program Files (x86)\iolo\System Mechanic Professional\LiveBoost.exe [5482104 2015-02-12] (iolo technologies, LLC)
HKLM\...\RunOnce: [*D7] => C:\Users\Terry\Desktop\D7\d7.exe [7883904 2014-05-13] (Foolish IT LLC)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\822\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-138331719-1066997510-682906465-1000\...\MountPoints2: {0cf423fa-522e-11df-a89a-806e6f6e6963} - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.ultimatebootcd.com/
HKU\S-1-5-21-138331719-1066997510-682906465-1000\...\MountPoints2: {65cb0db4-7f1f-11df-8e30-00266c6d03d9} - E:\VZAccess_Manager.exe /z detect
HKU\S-1-5-21-138331719-1066997510-682906465-1000\...\MountPoints2: {9032de19-8bbe-11df-8865-00266c6d03d9} - E:\VZAccess_Manager.exe /z detect
HKU\S-1-5-21-138331719-1066997510-682906465-1000\...\MountPoints2: {9032de37-8bbe-11df-8865-00266c6d03d9} - E:\VZAccess_Manager.exe /z detect
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-138331719-1066997510-682906465-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-138331719-1066997510-682906465-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
URLSearchHook: HKU\S-1-5-21-138331719-1066997510-682906465-1000 - (No Name) - {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - No File
URLSearchHook: HKU\S-1-5-21-138331719-1066997510-682906465-1000 - (No Name) - {5fdeb94c-c7bf-4da6-93ea-2f03a243fa10} - No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> {03541204-1047-4947-8CC9-AF2675D4A01C} URL = http://www.bing.com/search?FORM=U220DF&PC=U220&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> {263E3722-0A69-44EA-92D9-DE7BF9DE95BC} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US400D20130705&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> {43A71F5B-FC75-4115-92F3-DC8595029F4A} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA_enUS384
SearchScopes: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> {652960BD-CA47-4DF5-AFE4-AFD4D26B8BEA} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> {967061DA-B38A-484B-8629-71A1762C5DFE} URL = 
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll [2012-02-28] (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM-x32 - No Name - {e0c22e6b-a7bd-43f6-b5cc-020e06d11a45} -  No File
Toolbar: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> No Name - {76A747B4-EDC6-46FF-8A5D-9AE61A889D5B} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://lpt.webex.com/client/T27LC/nbr/ieatgpc1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\windows\syswow64\urlmon.dll [2015-02-19] (Microsoft Corporation)
Winsock: Catalog9 01 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 02 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 03 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 04 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 15 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll [2012-02-28] (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @Motive.com/NpMotive,version=1.0 -> C:\Program Files (x86)\Common Files\Motive\npMotive.dll [2010-11-08] (Alcatel-Lucent)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
FF Extension: Healthcare Gov Tool - C:\Program Files (x86)\Mozilla Firefox\extensions\healthcare@healthcaregovtool.com.xpi [2015-04-07]
FF Extension: Healthcare Gov Tool - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\healthcare@healthcaregovtool.com.xpi [2015-04-07]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn
FF HKLM-x32\...\Firefox\Extensions: [{4C0766D3-67A7-45a3-85A2-752F77312F32}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn
FF HKU\S-1-5-21-138331719-1066997510-682906465-1000\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12099.xpi
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-17]
CHR Extension: (Google Drive) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-17]
CHR Extension: (Hot Virtual Keyboard Extension) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdejgojmfhngmomodldpdppfbhoajadl [2015-04-08]
CHR Extension: (YouTube) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-17]
CHR Extension: (MediaPlayerVid2.1) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\jecgbfoconhopjngaaijjgffhokohlac [2015-04-08]
CHR Extension: (Google Wallet) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-17]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 atashost; C:\windows\SysWOW64\atashost.exe [20376 2010-06-16] (WebEx Communications, Inc.)
S2 consumerinput_update; C:\Program Files (x86)\Consumer Input\Update\ConsumerInputUpdate.exe [106296 2015-04-10] (ConsumerInput)
S3 consumerinput_updatem; C:\Program Files (x86)\Consumer Input\Update\ConsumerInputUpdate.exe [106296 2015-04-10] (ConsumerInput)
S2 ETSTempService; C:\Users\Terry\Desktop\D7\Modules\ets.exe [134272 2014-07-31] (Foolish IT, LLC)
S2 FlashBeat; C:\ProgramData\FlashBeat\FlashBeat.exe [358400 2015-04-10] () [File not signed]
R2 Gambali; C:\ProgramData\FlashBeat\Gambali.exe [1916456 2015-03-31] (Gambali OEM Software) [File not signed]
S2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [4702920 2015-02-12] (iolo technologies, LLC)
S2 McciCMService; C:\Program Files (x86)\Common Files\Motive\McciCMService.exe [319488 2010-11-08] (Alcatel-Lucent) [File not signed]
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-11-08] (Alcatel-Lucent) [File not signed]
S2 McciServiceHost; C:\Program Files (x86)\Common Files\Motive\McciServiceHost.exe [315392 2011-09-09] (Alcatel-Lucent) [File not signed]
S2 MSSQL$XACTWARE; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Samsung Network Fax Server; C:\windows\system32\spool\drivers\x64\3\NetFaxServer64.exe [229376 2010-11-17] (Samsung Electronics Co., Ltd.) [File not signed]
R2 vseamps; C:\Program Files\Common Files\Commtouch\AntiVirus5\vseamps.exe [122120 2014-03-25] (CYREN Inc.)
R2 vsedsps; C:\Program Files\Common Files\Commtouch\AntiVirus5\vsedsps.exe [119560 2014-03-25] (CYREN Inc.)
S3 vseqrts; C:\Program Files\Common Files\Commtouch\AntiVirus5\vseqrts.exe [181512 2014-03-25] (CYREN Inc.)
S2 WinAudioSrv_R1; C:\Program Files (x86)\Windows Audio\R1\AudioSrv.exe [4024920 2015-04-07] (Hefei Hejunzhengce Info Tech Co., Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 HitmanPro37CrusaderBoot; "E:\Temp\D7\3rd Party Tools\kheRPwAv.com" /crusader:boot [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AMP; C:\windows\system32\Drivers\amp.sys [174856 2014-03-25] (CYREN Inc.)
S2 AMPSE; C:\windows\system32\Drivers\ampse.sys [1728776 2014-03-25] (CYREN Inc.)
S1 ElRawDisk; C:\windows\system32\drivers\ElRawDsk.sys [30752 2013-03-17] (EldoS Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2011-09-09] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MREMP50a64; C:\Program Files\Common Files\Motive\MREMP50a64.SYS [43008 2011-09-09] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2011-09-09] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50a64; C:\Program Files\Common Files\Motive\MRESP50a64.SYS [40960 2011-09-09] (Printing Communications Assoc., Inc. (PCAUSA))
S1 RawDisk3; C:\windows\system32\drivers\rawdsk3.sys [32912 2014-07-16] (EldoS Corporation)
R3 RTL8187Se; C:\Windows\System32\DRIVERS\RTL8187Se.sys [403968 2008-08-22] (Realtek Semiconductor Corporation                           )
S3 ssmirrdr; C:\Windows\System32\DRIVERS\ssmirrdr.sys [10112 2010-05-14] (support.com, Inc)
S1 innfd_1_10_0_13; system32\drivers\innfd_1_10_0_13.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-13 09:35 - 2015-04-13 09:37 - 00018732 _____ () C:\Users\Terry\Downloads\FRST.txt
2015-04-13 09:33 - 2015-04-13 09:35 - 00000000 ____D () C:\FRST
2015-04-13 09:28 - 2015-04-13 09:28 - 02096640 _____ (Farbar) C:\Users\Terry\Downloads\FRST64.exe
2015-04-13 09:25 - 2015-04-13 09:25 - 00000408 _____ () C:\windows\SysWOW64\iolo.ini
2015-04-13 09:25 - 2015-04-13 09:25 - 00000408 _____ () C:\windows\system32\iolo.ini
2015-04-13 09:23 - 2015-04-13 09:23 - 00005814 _____ () C:\Users\Terry\Desktop\MBRCheck_04.13.15_09.23.31.txt
2015-04-13 09:10 - 2015-04-13 09:10 - 00012872 _____ (SurfRight B.V.) C:\windows\system32\bootdelete.exe
2015-04-13 09:10 - 2015-04-13 09:10 - 00000000 ____D () C:\Users\Terry\AppData\Local\gmsd_us_426
2015-04-13 09:08 - 2015-04-13 09:10 - 00000000 ____D () C:\Program Files (x86)\gmsd_us_426
2015-04-10 17:49 - 2015-04-10 17:49 - 00000000 ____D () C:\ProgramData\e7ad4612000048ea
2015-04-10 17:47 - 2015-04-10 17:47 - 00003984 _____ () C:\windows\System32\Tasks\LaunchPreSignup
2015-04-10 14:40 - 2015-04-13 09:21 - 00009080 _____ () C:\windows\SysWOW64\GambaliOff.ini
2015-04-10 14:40 - 2015-04-13 09:21 - 00009080 _____ () C:\windows\system32\GambaliOff.ini
2015-04-10 14:40 - 2015-04-10 14:40 - 00003558 _____ () C:\windows\System32\Tasks\IOQGEM
2015-04-10 14:39 - 2015-04-10 17:19 - 00000000 ____D () C:\ProgramData\FlashBeat
2015-04-10 14:39 - 2015-04-10 14:39 - 00000000 ____D () C:\ProgramData\8811dc1280674d76a0f99384d242a792
2015-04-10 14:39 - 2015-04-10 14:39 - 00000000 ____D () C:\ProgramData\1e663b080feb4f97819bd9c56fb5612b
2015-04-10 14:39 - 2015-03-31 15:18 - 00408424 _____ () C:\windows\system32\Gambali64.dll
2015-04-10 14:39 - 2015-03-31 15:18 - 00340944 _____ (Gambali OEM Software) C:\windows\SysWOW64\Gambali.dll
2015-04-10 14:32 - 2015-04-10 17:49 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro 3.79
2015-04-10 14:28 - 2015-04-10 14:29 - 00000000 ____D () C:\ProgramData\{60fc7e17-709b-cccb-60fc-c7e17709f85d}
2015-04-10 14:24 - 2015-04-13 09:10 - 00000000 ____D () C:\Users\Terry\AppData\Local\40FD0F17-1428675892-DF11-9C5D-00266C6D03D9
2015-04-10 14:24 - 2015-04-13 09:10 - 00000000 ____D () C:\Users\Terry\AppData\Local\40FD0F17-1428675874-DF11-9C5D-00266C6D03D9
2015-04-10 14:10 - 2015-04-13 08:37 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-04-10 14:10 - 2015-04-10 14:11 - 00000000 ____D () C:\Users\Terry\AppData\Local\40FD0F17-1428675030-DF11-9C5D-00266C6D03D9
2015-04-10 14:10 - 2015-04-10 14:10 - 00136408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-10 14:10 - 2015-04-10 14:10 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-10 14:09 - 2015-04-13 09:15 - 00000968 _____ () C:\windows\Tasks\ConsumerInputUpdateTaskMachineUA.job
2015-04-10 14:09 - 2015-04-13 09:13 - 00000964 _____ () C:\windows\Tasks\ConsumerInputUpdateTaskMachineCore.job
2015-04-10 14:09 - 2015-04-10 14:11 - 00000000 ____D () C:\Program Files (x86)\Consumer Input
2015-04-10 14:09 - 2015-04-10 14:09 - 00003964 _____ () C:\windows\System32\Tasks\ConsumerInputUpdateTaskMachineUA
2015-04-10 14:09 - 2015-04-10 14:09 - 00003712 _____ () C:\windows\System32\Tasks\ConsumerInputUpdateTaskMachineCore
2015-04-10 14:09 - 2015-04-10 14:09 - 00000000 ____D () C:\Users\Terry\AppData\Local\Consumer Input
2015-04-10 14:07 - 2015-04-13 09:10 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\40FD0F17-1428700022-DF11-9C5D-00266C6D03D9
2015-04-10 14:07 - 2015-04-10 14:07 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\Eppink
2015-04-10 14:06 - 2015-04-10 14:06 - 00107736 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-04-10 12:16 - 2015-04-13 09:13 - 00000392 _____ () C:\windows\setupact.log
2015-04-10 12:16 - 2015-04-13 08:37 - 00012582 _____ () C:\windows\PFRO.log
2015-04-10 12:16 - 2015-04-10 12:16 - 00000000 _____ () C:\windows\setuperr.log
2015-04-10 12:16 - 2015-04-10 12:16 - 00000000 _____ () C:\windows\ativpsrm.bin
2015-04-10 10:53 - 2015-04-10 10:53 - 00000073 _____ () C:\windows\zerobyte_files_deleted.txt
2015-04-10 10:53 - 2015-04-10 10:53 - 00000029 _____ () C:\windows\system32\zerobyte_files_deleted.txt
2015-04-10 10:14 - 2015-04-13 09:25 - 00000000 ____D () C:\Users\Terry\Desktop\D7
2015-04-09 15:00 - 2015-04-09 15:00 - 00000000 ____D () C:\SUPERDelete
2015-04-09 14:59 - 2015-04-09 14:59 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-04-09 14:46 - 2015-04-13 09:10 - 00005756 _____ () C:\windows\system32\.crusader
2015-04-09 14:14 - 2015-04-09 14:45 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-04-09 13:45 - 2015-04-10 13:57 - 00000000 ____D () C:\AdwCleaner
2015-04-09 13:44 - 2015-04-09 13:44 - 02217984 _____ () C:\Users\Terry\Downloads\adwcleaner_4.201.exe
2015-04-09 13:31 - 2015-04-09 13:32 - 00078467 _____ () C:\Users\Terry\Downloads\C2AD.tmp
2015-04-09 11:52 - 2015-04-09 12:37 - 00000000 ____D () C:\ProgramData\Optimizer
2015-04-09 11:52 - 2015-04-09 11:52 - 00000000 ____D () C:\Users\Terry\Documents\DreamVideoSoft
2015-04-09 11:51 - 2015-04-09 11:51 - 00000000 ____D () C:\Program Files (x86)\Windows Audio
2015-04-09 11:50 - 2015-04-09 11:50 - 00000000 ____D () C:\ProgramData\PastaLeadsAgent
2015-04-09 11:21 - 2015-04-09 14:05 - 00003558 _____ () C:\windows\System32\Tasks\EXNAHX
2015-04-09 11:20 - 2015-04-09 14:03 - 00000000 ____D () C:\ProgramData\494a008f6b824e7395312f7b560cde6a
2015-04-09 11:19 - 2015-04-09 11:19 - 00000000 ____D () C:\ProgramData\7af1e159f7e34401b8e02e750b3004d5
2015-04-09 11:08 - 2015-04-09 11:08 - 00000000 _____ () C:\Users\Terry\AppData\Local\{B3B0EA6C-78FF-42CF-AA7A-12C8B7F5E7B6}
2015-04-09 11:08 - 2015-04-09 11:08 - 00000000 _____ () C:\Users\Terry\AppData\Local\{9739C001-6A3C-484D-BB48-31975AC60F34}
2015-04-08 20:41 - 2015-04-08 20:44 - 00004234 _____ () C:\windows\System32\Tasks\SPBIW_UpdateTask_Time_333739373835303634322d3437415a556c2a3223346c41
2015-04-08 20:39 - 2015-04-08 20:39 - 00000000 ____D () C:\Users\Public\Documents\ShopperPro
2015-04-08 19:00 - 2015-04-08 19:00 - 00000000 ____D () C:\Users\Terry\.cache
2015-04-08 17:51 - 2015-04-09 10:44 - 01858052 _____ () C:\windows\system32\details.dll.xml
2015-04-08 17:33 - 2015-04-08 17:33 - 00000000 ____D () C:\ProgramData\InstallSightSDK
2015-04-08 17:32 - 2015-04-08 17:32 - 00003560 _____ () C:\windows\System32\Tasks\SysHealthcare_Controller
2015-04-08 17:26 - 2015-04-08 17:26 - 00000000 ____D () C:\ProgramData\03dff548327b4f6eaa97fdee45bb8790
2015-04-08 17:25 - 2015-04-08 17:25 - 00000000 ____D () C:\ProgramData\dad90bd9067c4d8c9d9ce6bf2a8c0389
2015-04-08 17:15 - 2015-04-09 14:45 - 00000000 ____D () C:\Program Files (x86)\9d6ec578-1ed5-4715-908a-808f41adcf9e
2015-04-08 17:13 - 2015-04-08 17:13 - 00000000 ____D () C:\Users\Terry\AppData\Local\Zeoinsight
2015-04-08 17:12 - 2015-04-08 17:12 - 00004240 _____ () C:\windows\System32\Tasks\SMW_UpdateTask_Time_333739373835303634322d3437415a556c2a3223346c41
2015-04-08 17:11 - 2015-04-10 17:14 - 00000000 ____D () C:\Program Files (x86)\Hot Virtual Keyboard Extension
2015-04-08 17:11 - 2015-04-08 17:11 - 00003592 _____ () C:\windows\System32\Tasks\SMWUpd
2015-04-08 17:09 - 2015-04-08 17:09 - 00000000 ____D () C:\Users\Terry\AppData\Local\CrashRpt
2015-04-08 17:09 - 2015-04-08 17:09 - 00000000 ____D () C:\ProgramData\15794066317726514482
2015-04-08 17:08 - 2015-04-08 17:08 - 00000000 ____D () C:\ProgramData\ncbfipkjdacdfcepidabkcgccoddejjn
2015-04-08 17:07 - 2015-04-09 11:16 - 00000000 ____D () C:\ProgramData\{bda2a74e-3d78-552f-bda2-2a74e3d79d38}
2015-04-08 17:03 - 2015-04-09 14:45 - 00000000 ____D () C:\Program Files (x86)\da3a1695-e1a3-4b57-bb5c-552c892a5f17
2015-04-08 16:55 - 2015-04-09 11:11 - 00000004 _____ () C:\windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-04-08 16:36 - 2015-04-10 17:14 - 00000000 ____D () C:\Users\Terry\AppData\Local\40FD0F17-1428510994-DF11-9C5D-00266C6D03D9
2015-04-08 16:36 - 2015-04-10 17:14 - 00000000 ____D () C:\Users\Terry\AppData\Local\40FD0F17-1428510972-DF11-9C5D-00266C6D03D9
2015-04-08 16:33 - 2015-04-08 16:35 - 00000000 ____D () C:\Users\Terry\AppData\Local\40FD0F17-1428510837-DF11-9C5D-00266C6D03D9
2015-04-08 16:32 - 2015-04-08 16:32 - 00000000 ____D () C:\Program Files (x86)\Setup Support for Consumer Input
2015-04-08 16:30 - 2015-04-13 09:20 - 00000360 _____ () C:\windows\Tasks\CIMT_S-1-5-21-138331719-1066997510-682906465-1000.job
2015-04-08 16:30 - 2015-04-11 16:30 - 00000394 _____ () C:\windows\Tasks\CIMT_daily_S-1-5-21-138331719-1066997510-682906465-1000.job
2015-04-08 16:30 - 2015-04-08 16:30 - 00003396 _____ () C:\windows\System32\Tasks\CIMT_daily_S-1-5-21-138331719-1066997510-682906465-1000
2015-04-08 16:30 - 2015-04-08 16:30 - 00003274 _____ () C:\windows\System32\Tasks\CIMT_S-1-5-21-138331719-1066997510-682906465-1000
2015-04-08 16:30 - 2015-04-08 16:30 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\40FD0F17-1428535839-DF11-9C5D-00266C6D03D9
2015-04-08 16:28 - 2015-04-08 16:28 - 00000000 ____D () C:\Users\Terry\AppData\Local\Skype
2015-04-08 16:27 - 2015-04-10 17:14 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\40FD0F17-1428535655-DF11-9C5D-00266C6D03D9
2015-04-08 16:27 - 2015-04-09 12:12 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\Skype
2015-04-08 16:24 - 2015-04-09 12:14 - 00000000 ____D () C:\ProgramData\Skype
2015-04-08 16:23 - 2015-04-09 14:45 - 00000000 ____D () C:\ProgramData\{d95a0b16-fdd5-9919-d95a-a0b16fdd2c5b}
2015-04-08 16:22 - 2015-04-08 16:22 - 00000045 _____ () C:\user.js
2015-04-08 16:21 - 2015-04-08 16:21 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\Ebon
2015-04-08 16:21 - 2015-04-08 16:21 - 00000000 ____D () C:\Users\Terry\AppData\Local\Ebon
2015-04-08 16:20 - 2015-04-08 16:20 - 00000000 ____D () C:\Users\Terry\AppData\Local\com
2015-04-08 16:20 - 2015-04-08 16:20 - 00000000 ____D () C:\ProgramData\T122078ED
2015-04-08 16:20 - 2015-04-08 16:20 - 00000000 ____D () C:\ProgramData\Ebon
2015-04-08 16:19 - 2015-04-09 14:45 - 00000000 ____D () C:\Program Files (x86)\fb98e037-def6-42ad-abb1-3354e8d86ddb
2015-04-08 16:19 - 2015-04-09 14:45 - 00000000 ____D () C:\Program Files (x86)\647c91cd-1230-484b-afad-9de3dedd04ee
2015-04-08 16:19 - 2015-04-08 16:51 - 00000000 ____D () C:\Program Files (x86)\Ebon
2015-04-08 16:18 - 2015-04-08 16:18 - 00004086 _____ () C:\windows\System32\Tasks\SysHealth_Controller_Mon
2015-04-08 16:16 - 2015-04-08 16:18 - 00000000 ____D () C:\Program Files (x86)\SysFiles
2015-04-08 16:16 - 2015-04-08 16:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-04-08 16:16 - 2015-04-07 16:56 - 00415272 _____ (WebWatcher) C:\windows\system32\WebWatcherLSP64.dll
2015-04-08 16:14 - 2015-04-08 16:14 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Local Temperature
2015-04-05 15:10 - 2015-04-05 15:10 - 00000000 ___SD () C:\windows\SysWOW64\GWX
2015-04-05 15:10 - 2015-04-05 15:10 - 00000000 ___SD () C:\windows\system32\GWX
2015-04-01 11:10 - 2015-04-01 11:10 - 00000000 ____D () C:\Users\Terry\AppData\Local\{33AB386E-6837-4627-AF01-07D365211789}
2015-04-01 10:26 - 2015-04-01 16:15 - 00339968 _____ () C:\Users\Terry\Documents\Coffey, 8 Lot - Boronda.xls
2015-03-31 16:15 - 2015-03-31 17:26 - 00014695 _____ () C:\Users\Terry\Documents\CC,   Initial Project Questionairre.xlsx
2015-03-31 16:07 - 2015-03-31 16:11 - 00050176 _____ () C:\Users\Terry\Documents\CC, Earthwork checklist.xls
2015-03-31 16:02 - 2015-03-31 16:02 - 00079360 _____ () C:\Users\Terry\Documents\CC, - Earthwork SBI 060509 check list.xls
2015-03-29 18:27 - 2015-03-29 18:27 - 00000000 ____D () C:\Users\Terry\AppData\Local\{B7445849-EA0E-4B78-82C6-E069A0E8704B}
2015-03-29 15:49 - 2015-04-11 15:49 - 00000366 _____ () C:\windows\Tasks\SlimCleaner Plus (Scheduled Scan - Terry).job
2015-03-29 15:49 - 2015-03-29 15:49 - 00003024 _____ () C:\windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Terry)
2015-03-29 14:23 - 2015-03-29 15:49 - 00000000 ____D () C:\Users\Terry\AppData\Local\SlimWare Utilities Inc
2015-03-29 14:23 - 2015-03-29 14:23 - 00000000 ____D () C:\Users\Public\Documents\Downloaded Installers
2015-03-27 15:28 - 2015-03-27 15:28 - 00140288 _____ () C:\Users\Terry\Documents\Bileci Law,  Jane Doe, rm options.rpt
2015-03-27 15:21 - 2015-03-27 15:21 - 00145408 _____ () C:\Users\Terry\Documents\Bileci Law, RM Jane Doe Options.rpt
2015-03-27 13:44 - 2015-03-27 13:44 - 00000282 _____ () C:\Users\Terry\Desktop\ReverseVision.appref-ms
2015-03-26 12:14 - 2015-03-26 12:14 - 00005542 _____ () C:\Users\Terry\AppData\Roaming\WUHE
2015-03-26 12:14 - 2015-03-26 12:14 - 00005542 _____ () C:\Users\Terry\AppData\Roaming\NDIANVIC
2015-03-26 12:14 - 2015-03-26 12:14 - 00005542 _____ () C:\Users\Terry\AppData\Roaming\FKRMVN
2015-03-25 13:45 - 2015-03-10 21:06 - 00943616 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2015-03-25 13:45 - 2015-03-10 21:06 - 00760832 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2015-03-25 13:45 - 2015-03-10 21:06 - 00677888 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2015-03-25 13:45 - 2015-03-10 21:06 - 00414720 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2015-03-25 13:45 - 2015-03-10 21:05 - 00227328 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2015-03-25 13:45 - 2015-03-10 21:05 - 00192000 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2015-03-25 13:45 - 2015-03-10 21:05 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2015-03-25 13:45 - 2015-03-10 21:02 - 01107456 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2015-03-23 13:14 - 2015-03-23 13:14 - 00064125 _____ () C:\Users\Terry\Documents\Coffey, 325 - Salinas.html
2015-03-19 18:42 - 2015-03-19 18:42 - 00001448 _____ () C:\Users\Public\Desktop\System Mechanic Professional.lnk
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-13 09:25 - 2014-10-19 15:48 - 00000392 _____ () C:\windows\SysWOW64\iolo.ini.txt
2015-04-13 09:20 - 2010-04-27 11:58 - 01120868 _____ () C:\windows\WindowsUpdate.log
2015-04-13 09:20 - 2009-07-13 21:45 - 00018736 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-13 09:20 - 2009-07-13 21:45 - 00018736 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-13 09:15 - 2010-06-15 14:17 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-13 09:14 - 2010-06-15 14:17 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-13 09:13 - 2009-07-13 22:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-04-13 08:56 - 2012-07-10 09:11 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-04-13 08:55 - 2009-07-13 22:08 - 00032578 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2015-04-13 08:46 - 2009-11-12 19:47 - 00000000 ____D () C:\Program Files (x86)\TOSHIBA
2015-04-13 08:46 - 2009-11-12 19:46 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-04-12 14:31 - 2014-02-20 11:55 - 00000562 _____ () C:\windows\Tasks\G2MUpdateTask-S-1-5-21-138331719-1066997510-682906465-1000.job
2015-04-12 04:25 - 2011-02-02 10:42 - 00000366 _____ () C:\windows\Tasks\Driver Robot.job
2015-04-10 17:47 - 2010-06-15 12:20 - 00000000 ____D () C:\Users\Terry
2015-04-10 16:56 - 2013-09-21 11:32 - 00047616 ___SH () C:\Users\Terry\Desktop\Thumbs.db
2015-04-10 14:42 - 2012-08-02 12:07 - 00000000 ____D () C:\windows\pss
2015-04-10 14:01 - 2011-04-26 12:45 - 00000000 ____D () C:\Program Files (x86)\Google
2015-04-10 14:01 - 2009-11-12 20:00 - 00000000 ____D () C:\Program Files\Google
2015-04-10 13:53 - 2011-04-26 12:45 - 00000000 ____D () C:\ProgramData\Google
2015-04-10 13:53 - 2010-06-15 13:30 - 00000000 ____D () C:\Users\Terry\AppData\Local\Google
2015-04-10 13:02 - 2013-01-16 18:22 - 00000000 ____D () C:\Users\Terry\Desktop\201 Laurel Photos
2015-04-10 11:27 - 2010-06-16 11:26 - 00000000 ____D () C:\Users\Terry\Tracing
2015-04-10 11:26 - 2013-01-16 11:06 - 00000000 ____D () C:\Users\Terry\AppData\Local\CrashDumps
2015-04-10 11:26 - 2009-11-13 11:12 - 00000000 ____D () C:\windows\Panther
2015-04-10 11:19 - 2012-04-09 07:29 - 00000000 ____D () C:\windows\Minidump
2015-04-10 10:57 - 2009-07-13 20:20 - 00000000 __RHD () C:\Users\Default
2015-04-10 10:53 - 2010-06-15 15:21 - 00000000 ____D () C:\temp
2015-04-09 14:45 - 2012-10-06 13:11 - 00000000 ____D () C:\Program Files (x86)\Apple Software Update
2015-04-09 14:45 - 2009-11-12 19:49 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-04-09 13:40 - 2009-07-13 22:13 - 00848194 _____ () C:\windows\system32\PerfStringBackup.INI
2015-04-09 12:13 - 2010-04-27 12:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-04-08 17:14 - 2009-07-13 20:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-04-08 16:04 - 2009-07-13 20:20 - 00000000 ____D () C:\windows\system32\NDF
2015-04-07 11:31 - 2014-02-20 11:55 - 00003588 _____ () C:\windows\System32\Tasks\G2MUpdateTask-S-1-5-21-138331719-1066997510-682906465-1000
2015-04-05 14:33 - 2009-07-13 22:09 - 00000000 ____D () C:\windows\System32\Tasks\WPD
2015-04-03 15:37 - 2014-05-18 09:30 - 00002023 _____ () C:\Users\Public\Desktop\Check Designer.lnk
2015-04-03 12:25 - 2014-06-11 14:16 - 00002154 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-02 10:12 - 2010-06-17 10:19 - 00000000 ____D () C:\Users\Terry\AppData\Local\Deployment
2015-04-01 12:46 - 2010-07-14 12:45 - 00000400 _____ () C:\windows\Tasks\EasyShare Registration Task.job
2015-03-31 17:26 - 2015-03-06 16:26 - 00014694 _____ () C:\Users\Terry\Documents\Sabal Financial,   Initial Project Questionairre.xlsx
2015-03-31 16:55 - 2011-12-01 10:06 - 00336384 _____ () C:\Users\Terry\Documents\Copy of Template_9_5phase_4plans_cost_breakdown.xls
2015-03-27 16:04 - 2012-05-07 09:20 - 00000000 ____D () C:\Users\Terry\AppData\Local\ReverseVision
2015-03-27 13:44 - 2010-06-17 10:19 - 00000000 ____D () C:\Users\Terry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ReverseVision
2015-03-26 11:29 - 2014-12-11 04:32 - 00000000 ____D () C:\windows\system32\appraiser
2015-03-26 11:29 - 2014-05-07 03:00 - 00000000 ___SD () C:\windows\system32\CompatTel
2015-03-19 18:45 - 2014-10-19 15:04 - 00000000 ____D () C:\ProgramData\iolo
2015-03-19 18:42 - 2014-10-19 15:42 - 00003144 _____ () C:\windows\System32\Tasks\iolo Process Governor
2015-03-19 18:42 - 2014-10-19 15:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Mechanic Professional
2015-03-19 18:42 - 2014-10-19 15:42 - 00000000 ____D () C:\ProgramData\ioloGovernor
2015-03-19 18:42 - 2009-07-13 20:20 - 00000000 __RSD () C:\windows\Media
2015-03-19 11:45 - 2012-04-16 08:36 - 00000000 ____D () C:\ProgramData\Samsung
2015-03-19 11:11 - 2012-04-16 08:39 - 00000099 _____ () C:\Users\Public\LMDebug.log
2015-03-18 18:38 - 2014-06-11 14:33 - 00000000 ____D () C:\Users\Terry\AppData\Local\Adobe
2015-03-18 18:38 - 2012-07-10 09:11 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2015-03-18 18:37 - 2012-07-10 09:11 - 00778928 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-03-18 18:37 - 2011-08-04 19:43 - 00142512 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-03-17 09:16 - 2010-04-27 12:04 - 00000000 ____D () C:\ProgramData\Microsoft Help
 
==================== Files in the root of some directories =======
 
2010-09-25 18:04 - 2010-09-25 18:04 - 0069632 _____ (Elibrium, LLC) C:\Program Files (x86)\Common Files\ClacAdv.dll
2010-09-25 18:04 - 2010-09-25 18:04 - 0126976 _____ (Elibrium, LLC) C:\Program Files (x86)\Common Files\ClacStmp.dll
2010-09-25 18:04 - 2010-09-25 18:04 - 0028672 _____ (Elibrium, Inc) C:\Program Files (x86)\Common Files\MYSWHelpComp.dll
2010-09-25 18:04 - 2010-09-25 18:04 - 0094208 _____ (Avanquest Publishing USA Inc.) C:\Program Files (x86)\Common Files\regdll.dll
2015-03-26 12:14 - 2015-03-26 12:14 - 0005542 _____ () C:\Users\Terry\AppData\Roaming\FKRMVN
2015-03-26 12:14 - 2015-03-26 12:14 - 0005542 _____ () C:\Users\Terry\AppData\Roaming\NDIANVIC
2015-03-26 12:14 - 2015-03-26 12:14 - 0005542 _____ () C:\Users\Terry\AppData\Roaming\WUHE
2015-04-08 17:31 - 2015-04-08 17:31 - 0011754 _____ () C:\Users\Terry\AppData\Local\Temp-log.txt
2015-04-09 11:08 - 2015-04-09 11:08 - 0000000 _____ () C:\Users\Terry\AppData\Local\{9739C001-6A3C-484D-BB48-31975AC60F34}
2015-04-09 11:08 - 2015-04-09 11:08 - 0000000 _____ () C:\Users\Terry\AppData\Local\{B3B0EA6C-78FF-42CF-AA7A-12C8B7F5E7B6}
2013-09-07 16:59 - 2013-09-07 16:59 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-02-02 10:07 - 2011-02-07 15:32 - 0000671 _____ () C:\ProgramData\hpzinstall.log
2014-09-30 09:12 - 2014-09-30 09:20 - 10052260 _____ () C:\ProgramData\log.txt
2011-02-16 13:37 - 2011-02-16 13:37 - 0000058 _____ () C:\ProgramData\mchguid.ini
2011-08-25 15:17 - 2013-10-11 16:26 - 0004143 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc
2013-09-15 13:26 - 2013-09-15 13:26 - 7455944 _____ () C:\ProgramData\SamPCFax000017D40001
2013-10-23 08:55 - 2013-10-23 08:55 - 3730356 _____ () C:\ProgramData\SamPCFax00005E1C0001
 
Some content of TEMP:
====================
C:\Users\Terry\AppData\Local\Temp\Uninstall.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-06 13:26
 
==================== End Of Log ============================


#3 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 15 April 2015 - 09:39 AM

Hello morandaminds and welcome to BleepingComputer! :)

My name is Sirawit and I'm here to help you.

Please note that I'm currently in training and my fixes need to be approved first; that may delay our fix a bit, but I will normally reply back within 24 hours.

If I don't reply after 3 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

Looks like your addition.txt is missing. Please copy/paste it in your next reply.

Thank you.

If I don't reply back to you in 2 days, feel free to send me a PM.

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#4 nasdaq

  • Malware Response Team
  • 39,909 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 April 2015 - 10:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

(Gambali OEM Software) C:\ProgramData\FlashBeat\Gambali.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-138331719-1066997510-682906465-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-138331719-1066997510-682906465-1000 - (No Name) - {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - No File
URLSearchHook: HKU\S-1-5-21-138331719-1066997510-682906465-1000 - (No Name) - {5fdeb94c-c7bf-4da6-93ea-2f03a243fa10} - No File
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM-x32 - No Name - {e0c22e6b-a7bd-43f6-b5cc-020e06d11a45} -  No File
Toolbar: HKU\S-1-5-21-138331719-1066997510-682906465-1000 -> No Name - {76A747B4-EDC6-46FF-8A5D-9AE61A889D5B} -  No File
Winsock: Catalog9 01 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 02 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 03 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 04 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 15 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: Healthcare Gov Tool - C:\Program Files (x86)\Mozilla Firefox\extensions\healthcare@healthcaregovtool.com.xpi [2015-04-07]
FF Extension: Healthcare Gov Tool - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\healthcare@healthcaregovtool.com.xpi [2015-04-07]
FF HKU\S-1-5-21-138331719-1066997510-682906465-1000\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12099.xpi
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Extension: (MediaPlayerVid2.1) - C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\jecgbfoconhopjngaaijjgffhokohlac [2015-04-08]
S2 consumerinput_update; C:\Program Files (x86)\Consumer Input\Update\ConsumerInputUpdate.exe [106296 2015-04-10] (ConsumerInput)
S3 consumerinput_updatem; C:\Program Files (x86)\Consumer Input\Update\ConsumerInputUpdate.exe [106296 2015-04-10] (ConsumerInput)
R2 Gambali; C:\ProgramData\FlashBeat\Gambali.exe [1916456 2015-03-31] (Gambali OEM Software) [File not signed]
S2 HitmanPro37CrusaderBoot; "E:\Temp\D7\3rd Party Tools\kheRPwAv.com" /crusader:boot [X]
S1 innfd_1_10_0_13; system32\drivers\innfd_1_10_0_13.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
C:\ProgramData\FlashBeat
C:\windows\SysWOW64\Gambali.dll
C:\Program Files (x86)\Mozilla Firefox\extensions\healthcare@healthcaregovtool.com.xpi
C:\Program Files (x86)\Mozilla Firefox\browser\extensions\healthcare@healthcaregovtool.com.xpi
C:\Program Files (x86)\Consumer Input
C:\Users\Terry\AppData\Local\Google\Chrome\User Data\Default\Extensions\jecgbfoconhopjngaaijjgffhokohlac

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
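
nasdaq's fixlist above tells FRST which entries to close, delete or unregister. As an added example for this thread (not code from FRST, BleepingComputer or either poster), the Python script below parses the three FRST entry formats that appear in the log and flags the patterns the fixlist targets: a Winsock LSP DLL from a non-Microsoft vendor, a service running unsigned from C:\ProgramData, and several extension-less files in AppData\Roaming that share one size and creation time. SAMPLE_LOG is constructed for the example: the suspicious lines are modelled on the thread's log, while the Microsoft control lines (mswsock.dll, spoolsv.exe) and their sizes are made up.

```python
# FRST log triage helper. Added example for this thread; it is not code
# from FRST, BleepingComputer or the posters. It parses three FRST entry
# shapes seen in the log above and flags the patterns nasdaq's fixlist
# targets. SAMPLE_LOG is constructed for the example: the suspicious lines
# are modelled on the thread's log, the benign control lines are made up.
import re
from collections import defaultdict
from dataclasses import dataclass

# "created - modified - size attrs (company) path"  (file/folder sections)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# "R2 name; path [size date] (company) [flags]"      (services and drivers)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)(?P<flags>.*)$"
)
# "Winsock: Catalog9 01 path [size] (company)"       (layered service providers)
WINSOCK_RE = re.compile(
    r"^Winsock: Catalog(?P<catalog>\d+) (?P<index>\d+) (?P<path>.+?) "
    r"\[\d+\] \((?P<company>[^)]*)\)$"
)

# Constructed sample: Gambali/Roaming lines follow the thread's log, the
# Microsoft control lines and their sizes are placeholders.
SAMPLE_LOG = r"""
Winsock: Catalog9 01 C:\windows\SysWOW64\Gambali.dll [340944] (Gambali OEM Software)
Winsock: Catalog9 05 C:\windows\SysWOW64\mswsock.dll [100000] (Microsoft Corporation)
R2 Gambali; C:\ProgramData\FlashBeat\Gambali.exe [1916456 2015-03-31] (Gambali OEM Software) [File not signed]
R2 Spooler; C:\windows\System32\spoolsv.exe [100000 2009-07-13] (Microsoft Corporation)
2015-03-26 12:14 - 2015-03-26 12:14 - 00005542 _____ () C:\Users\Terry\AppData\Roaming\WUHE
2015-03-26 12:14 - 2015-03-26 12:14 - 00005542 _____ () C:\Users\Terry\AppData\Roaming\NDIANVIC
2015-03-26 12:14 - 2015-03-26 12:14 - 00005542 _____ () C:\Users\Terry\AppData\Roaming\FKRMVN
2015-03-27 13:44 - 2015-03-27 13:44 - 00000282 _____ () C:\Users\Terry\Desktop\ReverseVision.appref-ms
2015-03-18 18:37 - 2012-07-10 09:11 - 00778928 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
"""


@dataclass
class Finding:
    rule: str      # which triage rule fired
    paths: list    # file paths involved
    why: str       # human-readable reason


def triage(log_text: str) -> list:
    """Return Findings for the suspicious patterns above, in log order
    (the Roaming cluster finding is appended after the per-line ones)."""
    findings = []
    clusters = defaultdict(list)  # (size, created) -> extension-less Roaming files
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINSOCK_RE.match(line)
        if m:
            # An LSP DLL is loaded into every process that uses Winsock, so a
            # non-Microsoft provider deserves a look.
            if "microsoft" not in m["company"].lower():
                findings.append(Finding("winsock_lsp", [m["path"]],
                                        "LSP DLL from %r sees all socket traffic" % m["company"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            why = []
            if "[File not signed]" in m["flags"]:
                why.append("unsigned binary")
            if "\\programdata\\" in m["path"].lower():
                why.append("service runs from ProgramData")
            if why:
                findings.append(Finding("service", [m["path"]], "; ".join(why)))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            name = path.rsplit("\\", 1)[-1]
            # Several same-size, same-minute files with no extension under
            # Roaming is the drop pattern seen in the log (WUHE/NDIANVIC/FKRMVN).
            if "\\appdata\\roaming\\" in path.lower() and "." not in name:
                clusters[(int(m["size"]), m["created"])].append(path)
    for (size, created), paths in clusters.items():
        if len(paths) >= 2:
            findings.append(Finding("roaming_cluster", paths,
                                    "%d extension-less files of %d bytes created %s"
                                    % (len(paths), size, created)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.rule, "-", f.why)
        for p in f.paths:
            print("    ", p)
```

The three rules are deliberately narrow: they reproduce what a helper reads off an FRST log by eye (unsigned service in a data directory, third-party LSP, a batch of look-alike droppings in Roaming) rather than guessing at the purpose of any file, and the control lines show that signed Microsoft entries in the same sections pass through untouched.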

#5 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand

Posted 15 April 2015 - 10:04 AM

Nasdaq, I replied.

Thank you.




#6 morandaminds
  • Topic Starter
  • Members
  • 14 posts

Posted 15 April 2015 - 12:36 PM

I apologize, I no longer have access to this system. The client decided to move to a new system.

Please close this thread, I apologize for wasting time with this.

Thank you again for the reply.



#7 nasdaq

  • Malware Response Team
  • 39,909 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 April 2015 - 12:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
