
Went to Malicious Site; System Slows Down Afterwards


This topic is locked
28 replies to this topic

#1 techgnosis

Posted 16 April 2015 - 09:57 PM

Here's what's been happening. Back in February, I was led by a Twitter message to access a malicious site. I went there and I was hijacked for a few minutes, but my Kaspersky fought it off, I thought. Well, I believe after that incident, my system started slowing down immensely. It's very hard to open multiple Web sites using Explorer; when the memory runs out, the website just freezes and black streaks run through the Web. Same thing with Chrome, pretty much.

What I'm noticing is that "Host Process for Setting Synchronization" is hogging my CPU, Disk and Memory in Task Manager. This is a Microsoft process. Is this supposed to be constantly running in the background like this? My Kaspersky Total Security says that "Host Process for Setting Synchronization" is a trusted system, but I see that its digital signature is missing.

 

What happens is after a while I get this message from Internet Explorer Security consistently:  dw20.exe.  This is the message:

 

=========================

A website wants to open web content using this program on your computer

 

This program will open outside of Protected mode.  Internet Explorer's Protected mode helps protect your computer.  If you do not trust this website, do not open this program.

 

Name:  dw20.exe.

Publisher Microsoft Corporation

=======================


When you push either "allow" or "don't allow," the response is the same.  The website goes offline.  After that, another message comes on from IEXPLORE.EXE - Application Error

========================

Process ID=0x158c (5516), Thread ID=0x369c (13980).

Click OK to terminate the application.

Click Cancel to debug the application.

========================

Is there a possibility that I've been hacked and am being monitored? I've upgraded to 2015 Kaspersky Total Security (from just Antivirus) and got rid of Comodo Firewall (which previously may have caused conflict issues with Kaspersky). I have 12GB installed RAM and my hard drive isn't even 25% full. It's ridiculously slowing down. I've run Kaspersky, Malwarebytes, SuperAntiSpyware and many other malware/spyware software but found nothing. Nothing at all.

But always in the back of my mind is what happened back around February, because all this started happening right around then. Here's the FRST.txt:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-04-2015 04

Ran by Dolby (administrator) on TRIMESTER on 16-04-2015 21:53:59

Running from C:\Users\Dolby\Downloads\anti-spyware\ran

Loaded Profiles: UpdatusUser & Dolby (Available profiles: UpdatusUser & Dolby & dooda_000)

Platform: Windows 8.1 (X64) OS Language: English (United States)

Internet Explorer Version 11 (Default browser: Chrome)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe

(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe

(Microsoft Corporation) C:\Windows\System32\dasHost.exe

(Seagate Technology LLC) C:\Program Files (x86)\Seagate\DriveSettings\Sync\SeagateDriveSettingsService.exe

(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe

() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\avpui.exe

(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(Qualcomm Atheros) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtTray.exe

(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe

(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe

() C:\Program Files (x86)\Multimedia Card Reader(9106)\Shwicon9106.exe

(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Microsoft Corporation) C:\Windows\System32\InputMethod\KOR\KorIME.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe

(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

(Microsoft Corporation) C:\Windows\splwow64.exe

(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1212560 2012-06-13] (Realtek Semiconductor)

HKLM\...\Run: [BtTray] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtTray.exe [757888 2012-07-02] (Qualcomm Atheros)

HKLM\...\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [127104 2012-07-02] (Qualcomm Atheros Commnucations)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)

HKLM\...\Run: [CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}] => "C:\ProgramData\cis51E2.exe" --PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}

HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [285240 2012-09-01] (Intel Corporation)

HKLM-x32\...\Run: [Shwicon9106] => C:\Program Files (x86)\Multimedia Card Reader(9106)\Shwicon9106.exe [262144 2012-06-28] ()

HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [102928 2012-10-23] (CyberLink Corp.)

HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-02-13] (Apple Inc.)

HKLM-x32\...\Run: [Memeo Instant Backup] => C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe [136416 2010-07-08] (Memeo Inc.)

HKLM-x32\...\Run: [Memeo AutoSync] => C:\Program Files (x86)\Memeo\AutoSync\MemeoLauncher2.exe [144608 2010-04-16] (Memeo Inc.)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2015-02-08] (Oracle Corporation)

HKU\S-1-5-21-2767479305-1133554152-2264245223-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2015-03-04] (Microsoft Corporation)

HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\ssText3d.scr [217088 2015-03-04] (Microsoft Corporation)

Startup: C:\Users\Dolby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\Dolby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File

ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File

ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File

ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File

ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File

ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/

HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com

URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION ==> Default URLSearchHook is missing.

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1002 -> {E20512F9-5C1E-448F-915C-7AB81B06BA55} URL =

BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-02-10] (Microsoft Corporation)

BHO: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)

BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-02-08] (Oracle Corporation)

BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2012-07-02] (Qualcomm Atheros Commnucations)

BHO: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)

BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll No File

BHO: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)

BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)

BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-02-10] (Microsoft Corporation)

BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-08] (Oracle Corporation)

BHO-x32: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)

BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-14] (Oracle Corporation)

BHO-x32: IEExtension.VDownloaderBHO -> {7b523e7c-f096-4e36-a0cb-7efeb5c675c1} -> C:\WINDOWS\SysWOW64\mscoree.dll [2013-08-21] (Microsoft Corporation)

BHO-x32: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)

BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll No File

BHO-x32: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)

BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)

BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-14] (Oracle Corporation)

DPF: HKLM-x32 {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB

DPF: HKLM-x32 {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.oracle.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab

DPF: HKLM-x32 {8E2A904F-FDD7-4086-A49C-834F1C47DC39}

DPF: HKLM-x32 {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} https://cert.vno.co.kr/common/keyprotect/kdfense8.cab

DPF: HKLM-x32 {BD8667B7-38D8-4C77-B580-18C3E146372C} http://ak.imgag.com/imgag/cp/install/Crusher.cab

Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1


FireFox:

========

FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-08] (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-08] (Oracle Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)

FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)

FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-14] (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-14] (Oracle Corporation)

FF Plugin-x32: @kaspersky.com/content_blocker_663BE84DBCC949E88C7600F63CA7F098 -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\content_blocker@kaspersky.com [2015-03-29] ()

FF Plugin-x32: @kaspersky.com/online_banking_08806E753BE44495B44E90AA2513BDC5 -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\online_banking@kaspersky.com [2015-03-29] ()

FF Plugin-x32: @kaspersky.com/virtual_keyboard_07402848C2F6470194F131B0F3DE025E -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2015-03-29] ()

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-09] (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)

FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-08-09] (NVIDIA Corporation)

FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-08-09] (NVIDIA Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

FF Plugin HKU\S-1-5-21-2767479305-1133554152-2264245223-1002: @citrixonline.com/appdetectorplugin -> C:\Users\Dolby\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-03-25] (Citrix Online)

FF Plugin HKU\S-1-5-21-2767479305-1133554152-2264245223-1002: vitzo.com/VDownloader -> C:\Program Files\VDownloader\Addons\npVDownloader.dll No File

FF HKLM\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files\VDownloader\Addons\FireFox

FF HKLM-x32\...\Firefox\Extensions: [content_blocker_663BE84DBCC949E88C7600F63CA7F098@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\content_blocker@kaspersky.com

FF Extension: Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\content_blocker@kaspersky.com [2015-03-29]

FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard_07402848C2F6470194F131B0F3DE025E@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com

FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2015-03-29]

FF HKLM-x32\...\Firefox\Extensions: [online_banking_08806E753BE44495B44E90AA2513BDC5@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\online_banking@kaspersky.com

FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\online_banking@kaspersky.com [2015-03-29]


Chrome:

=======

CHR HomePage: Default -> hxxp://start.mysearchdial.com/?f=1&a=irmsd1202&cd=2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0AyByBtA0CtBzy0D0ByCyCtN0D0Tzu0SyBtAtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=249668639&ir=

CHR StartupUrls: Default -> "hxxp://www.google.com/"

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.90\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.90\ppGoogleNaClPluginChrome.dll No File

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.90\pdf.dll No File

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File

CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

CHR Plugin: (Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL No File

CHR Profile: C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Docs) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-06-02]

CHR Extension: (Google Drive) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-06-02]

CHR Extension: (YouTube) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-06-02]

CHR Extension: (Google Search) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-06-02]

CHR Extension: (Kaspersky Protection) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho [2014-11-16]

CHR Extension: (Bookmark Manager) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-16]

CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]

CHR Extension: (Google Wallet) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-28]

CHR Extension: (Gmail) - C:\Users\Dolby\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-06-02]

CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho

CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx [Not Found]

CHR HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lcgnmdipgajofmpanhpdinhkgmeifmdo] - C:\Users\Dolby\AppData\Local\CRE\lcgnmdipgajofmpanhpdinhkgmeifmdo.crx [Not Found]

CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho

CHR HKLM-x32\...\Chrome\Extension: [lcgnmdipgajofmpanhpdinhkgmeifmdo] - C:\Users\Dolby\AppData\Local\CRE\lcgnmdipgajofmpanhpdinhkgmeifmdo.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-08-16] (SUPERAntiSpyware.com)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)

R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [128640 2012-07-02] (Qualcomm Atheros Commnucations) [File not signed]

R2 AVP15.0.2; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\avp.exe [193400 2014-12-23] (Kaspersky Lab ZAO)

S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2015-03-04] (Microsoft Corporation)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2714800 2015-03-16] (Microsoft Corporation)

S2 DellDigitalDelivery; c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [173056 2012-06-19] (Dell Products, LP.) [File not signed]

R2 FreeAgentGoFlex Service; C:\Program Files (x86)\Seagate\DriveSettings\Sync\SeagateDriveSettingsService.exe [91432 2011-02-10] (Seagate Technology LLC)

R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)

R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [254512 2012-04-24] ()

R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1914728 2012-11-26] (SoftThinks SAS)

S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [77824 2012-06-19] (Atheros) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)

R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)

R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [238288 2013-01-14] (Kaspersky Lab UK Ltd)

S3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-02-26] (Dell Computer Corporation)

S3 DellProf; C:\Windows\system32\drivers\DellProf.sys [23312 2015-02-26] (Dell Computer Corporation)

S3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)

R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [468576 2014-03-31] (Kaspersky Lab ZAO)

R2 kldisk; C:\Windows\system32\DRIVERS\kldisk.sys [56008 2015-03-29] (Kaspersky Lab ZAO)

S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29616 2012-07-27] (Kaspersky Lab)

R3 klflt; C:\Windows\system32\DRIVERS\klflt.sys [151240 2014-11-28] (Kaspersky Lab ZAO)

R1 klhk; C:\Windows\system32\DRIVERS\klhk.sys [247496 2014-10-22] (Kaspersky Lab ZAO)

R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [824008 2015-03-29] (Kaspersky Lab ZAO)

R1 KLIM6; C:\Windows\system32\DRIVERS\klim6.sys [30920 2014-10-10] (Kaspersky Lab ZAO)

R3 klkbdflt; C:\Windows\system32\DRIVERS\klkbdflt.sys [31432 2014-10-30] (Kaspersky Lab ZAO)

R3 klmouflt; C:\Windows\system32\DRIVERS\klmouflt.sys [29280 2013-08-08] (Kaspersky Lab ZAO)

R1 klpd; C:\Windows\system32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO)

R1 klwfp; C:\Windows\system32\DRIVERS\klwfp.sys [69320 2014-11-20] (Kaspersky Lab ZAO)

R1 Klwtp; C:\Windows\system32\DRIVERS\klwtp.sys [77000 2014-11-22] (Kaspersky Lab ZAO)

R1 kneps; C:\Windows\system32\DRIVERS\kneps.sys [181960 2014-11-10] (Kaspersky Lab ZAO)

S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2014-03-30] ()

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

S0 tljkva; No ImagePath

U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-03-15] ()

S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)

S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]

U4 CmdAgent; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-16 20:34 - 2015-04-16 20:34 - 00000000 ___RD () C:\Users\Dolby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices

2015-04-15 19:48 - 2015-03-23 17:59 - 07476032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe

2015-04-15 19:48 - 2015-03-23 17:59 - 01733952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll

2015-04-15 19:48 - 2015-03-23 17:59 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\system32\sechost.dll

2015-04-15 19:48 - 2015-03-23 17:58 - 01498872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll

2015-04-15 19:48 - 2015-03-23 17:45 - 00257216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sechost.dll

2015-04-15 19:48 - 2015-03-20 00:12 - 00246272 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll

2015-04-15 19:48 - 2015-03-20 00:10 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll

2015-04-15 19:48 - 2015-03-20 00:10 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll

2015-04-15 19:48 - 2015-03-19 23:17 - 00411648 _____ (Microsoft Corporation) C:\WINDOWS\system32\tracerpt.exe

2015-04-15 19:48 - 2015-03-19 22:41 - 00369152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tracerpt.exe

2015-04-15 19:48 - 2015-03-19 22:40 - 00950784 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll

2015-04-15 19:48 - 2015-03-19 22:16 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll

2015-04-15 19:48 - 2015-03-14 04:20 - 01385256 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll

2015-04-15 19:48 - 2015-03-14 04:13 - 01124352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll

2015-04-15 19:47 - 2015-03-22 18:45 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll

2015-04-15 19:47 - 2015-03-22 18:09 - 01111552 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll

2015-04-15 19:47 - 2015-03-22 18:09 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll

2015-04-15 19:47 - 2015-03-22 18:09 - 00769024 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll

2015-04-15 19:47 - 2015-03-22 18:09 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll

2015-04-15 19:47 - 2015-03-22 18:09 - 00419328 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll

2015-04-15 19:47 - 2015-03-22 18:09 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll

2015-04-15 19:47 - 2015-03-14 04:54 - 00133256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe

2015-04-15 19:47 - 2015-03-13 21:56 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll

2015-04-15 19:47 - 2015-03-13 21:56 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll

2015-04-15 19:47 - 2015-03-13 21:51 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll

2015-04-15 19:47 - 2015-03-13 21:37 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll

2015-04-15 19:47 - 2015-03-13 21:14 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll

2015-04-15 19:47 - 2015-03-13 20:22 - 03678720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll

2015-04-15 19:47 - 2015-03-13 20:12 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll

2015-04-15 19:47 - 2015-03-13 20:12 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe

2015-04-15 19:47 - 2015-03-13 20:09 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll

2015-04-15 19:47 - 2015-03-13 20:08 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll

2015-04-15 19:47 - 2015-03-13 20:08 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll

2015-04-15 19:47 - 2015-03-13 20:06 - 02373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll

2015-04-15 19:47 - 2015-03-13 20:06 - 00891392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll

2015-04-15 19:47 - 2015-03-13 20:02 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll

2015-04-15 19:47 - 2015-03-13 20:02 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe

2015-04-15 19:47 - 2015-03-13 19:59 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll

2015-04-15 19:47 - 2015-03-13 19:59 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll

2015-04-15 19:47 - 2015-03-13 00:32 - 24980480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll

2015-04-15 19:47 - 2015-03-13 00:08 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll

2015-04-15 19:47 - 2015-03-13 00:07 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll

2015-04-15 19:47 - 2015-03-12 23:53 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll

2015-04-15 19:47 - 2015-03-12 23:50 - 06025216 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll

2015-04-15 19:47 - 2015-03-12 23:42 - 19695616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll

2015-04-15 19:47 - 2015-03-12 23:28 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll

2015-04-15 19:47 - 2015-03-12 23:26 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll

2015-04-15 19:47 - 2015-03-12 23:22 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll

2015-04-15 19:47 - 2015-03-12 23:17 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll

2015-04-15 19:47 - 2015-03-12 23:16 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll

2015-04-15 19:47 - 2015-03-12 23:08 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe

2015-04-15 19:47 - 2015-03-12 23:07 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll

2015-04-15 19:47 - 2015-03-12 23:00 - 14397440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll

2015-04-15 19:47 - 2015-03-12 22:58 - 00259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\pku2u.dll

2015-04-15 19:47 - 2015-03-12 22:50 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll

2015-04-15 19:47 - 2015-03-12 22:49 - 04305408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll

2015-04-15 19:47 - 2015-03-12 22:45 - 02358784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll

2015-04-15 19:47 - 2015-03-12 22:44 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll

2015-04-15 19:47 - 2015-03-12 22:37 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pku2u.dll

2015-04-15 19:47 - 2015-03-12 22:34 - 12825600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll

2015-04-15 19:47 - 2015-03-12 22:33 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll

2015-04-15 19:47 - 2015-03-12 22:22 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll

2015-04-15 19:47 - 2015-03-12 22:20 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll

2015-04-15 19:47 - 2015-03-12 22:16 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll

2015-04-15 19:47 - 2015-03-12 22:14 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll

2015-04-15 19:47 - 2015-03-04 06:25 - 00377152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys

2015-04-15 19:47 - 2015-03-03 23:04 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll

2015-04-15 19:47 - 2015-03-03 22:19 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll

2015-04-15 19:47 - 2015-02-24 04:32 - 00991552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys

2015-04-15 19:47 - 2015-02-20 19:49 - 00780800 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsm.dll

2015-04-12 10:41 - 2015-04-12 10:41 - 01074344 _____ () C:\WINDOWS\Minidump\041215-161421-01.dmp

2015-04-12 10:39 - 2015-04-12 10:39 - 722626446 _____ () C:\WINDOWS\MEMORY.DMP

2015-04-11 00:07 - 2015-04-11 00:07 - 00026624 ___SH () C:\Users\Dolby\Desktop\Thumbs.db

2015-04-09 22:16 - 2015-04-16 20:58 - 01192451 _____ () C:\WINDOWS\WindowsUpdate.log

2015-04-06 13:44 - 2015-04-16 20:21 - 00000308 _____ () C:\WINDOWS\setupact.log

2015-04-06 13:44 - 2015-04-09 22:07 - 00000000 _____ () C:\WINDOWS\setuperr.log

2015-04-05 12:50 - 2015-04-05 12:50 - 00001789 _____ () C:\Users\Dolby\Desktop\Kaspersky Vault 1.lnk

2015-04-05 12:44 - 2015-04-05 12:48 - 00000000 ____D () C:\Encryption

2015-04-03 23:56 - 2015-04-03 23:56 - 00000000 ___SD () C:\WINDOWS\SysWOW64\GWX

2015-04-03 23:56 - 2015-04-03 23:56 - 00000000 ___SD () C:\WINDOWS\system32\GWX

2015-04-03 00:48 - 2015-04-03 00:50 - 00000000 ____D () C:\!!!!!!!!!!!!!!!!!!!Reading Folder

2015-03-31 13:45 - 2015-03-31 13:45 - 13986809 _____ () C:\Users\Dolby\Downloads\State-of-Nev-Presentation (1).pptx

2015-03-29 16:25 - 2015-03-29 16:25 - 00002325 _____ () C:\Users\Dolby\Desktop\Safe Money.lnk

2015-03-29 16:20 - 2015-03-29 16:20 - 00002071 _____ () C:\Users\Public\Desktop\Kaspersky Total Security.lnk

2015-03-29 16:20 - 2015-03-29 16:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Total Security

2015-03-29 16:19 - 2015-03-29 16:35 - 00824008 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\klif.sys

2015-03-29 16:19 - 2015-03-29 16:19 - 00000000 ____D () C:\Program Files (x86)\Kaspersky Lab

2015-03-29 16:19 - 2014-10-22 21:13 - 00247496 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\klhk.sys

2015-03-29 16:19 - 2013-05-06 08:13 - 00110176 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\klfphc.dll

2015-03-29 16:06 - 2015-03-29 16:07 - 196444992 _____ (Kaspersky Lab) C:\Users\Dolby\Downloads\kts15.0.2.361en_7225.exe

2015-03-28 18:58 - 2015-03-28 18:58 - 13986941 _____ () C:\Users\Dolby\Downloads\State-of-Nev-Presentation.pptx

2015-03-27 01:23 - 2015-03-27 01:23 - 00273754 _____ ()

2015-03-25 23:59 - 2015-03-25 23:59 - 00000000 ____D () C:\WINDOWS\%LOCALAPPDATA%

2015-03-25 23:43 - 2015-03-25 23:43 - 03480040 _____ (McAfee, Inc.) C:\Users\Dolby\Desktop\MCPR.exe

2015-03-25 23:36 - 2015-03-25 23:36 - 00000155 _____ () C:\Users\Dolby\Desktop\dell.txt

2015-03-25 23:19 - 2015-03-27 02:07 - 00000000 ____D () C:\Users\Dolby\AppData\Local\Citrix

2015-03-25 23:19 - 2015-03-25 23:19 - 00000000 ____D () C:\ProgramData\Citrix

2015-03-25 23:19 - 2015-03-25 23:19 - 00000000 ____D () C:\Program Files (x86)\Citrix

2015-03-25 20:30 - 2015-03-25 20:30 - 00000046 _____ () C:\WINDOWS\wininit.ini

2015-03-25 20:16 - 2015-03-25 20:17 - 195153520 _____ (Kaspersky Lab) C:\Users\Dolby\Downloads\kav15.0.2.361en.exe

2015-03-24 13:02 - 2015-03-24 13:02 - 00033188 _____ () C:\Users\Dolby\Documents\Result.txt

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2015-04-16 21:54 - 2015-02-19 00:33 - 00000000 ____D () C:\FRST

2015-04-16 21:48 - 2013-06-02 11:40 - 00000930 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

2015-04-16 21:17 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppCompat

2015-04-16 21:02 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\sru

2015-04-16 20:53 - 2013-06-29 22:05 - 00000000 ____D () C:\Users\Dolby\AppData\Local\CrashDumps

2015-04-16 20:48 - 2013-06-02 11:40 - 00000926 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

2015-04-16 20:38 - 2013-11-12 02:56 - 00003934 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{AC4BC4C1-70C0-4853-823B-C615611A9348}

2015-04-16 20:37 - 2013-05-14 02:00 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery

2015-04-16 20:36 - 2013-12-04 19:01 - 00000000 ____D () C:\ProgramData\Kaspersky Lab

2015-04-16 20:32 - 2014-03-31 09:15 - 00000000 ___DO () C:\Users\Dolby\SkyDrive

2015-04-16 20:21 - 2014-03-31 05:17 - 00000000 ____D () C:\ProgramData\NVIDIA

2015-04-16 20:21 - 2013-08-22 10:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT

2015-04-16 01:09 - 2014-12-13 03:56 - 00000000 ____D () C:\WINDOWS\system32\appraiser

2015-04-16 01:09 - 2014-07-09 13:56 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel

2015-04-15 20:15 - 2013-08-13 20:42 - 00000000 ____D () C:\WINDOWS\system32\MRT

2015-04-15 20:15 - 2013-06-27 00:42 - 00000000 ____D () C:\ProgramData\Microsoft Help

2015-04-15 20:10 - 2013-05-29 05:14 - 128913832 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

2015-04-15 20:10 - 2012-07-26 03:59 - 00000000 ____D () C:\WINDOWS\CbsTemp

2015-04-15 19:47 - 2014-11-11 19:37 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaext.dll

2015-04-14 19:19 - 2013-05-28 13:20 - 00003600 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2767479305-1133554152-2264245223-1002

2015-04-13 19:24 - 2013-08-22 11:38 - 00792056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe

2015-04-13 19:24 - 2013-08-22 11:38 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

2015-04-12 16:07 - 2013-11-14 03:28 - 01983102 _____ () C:\WINDOWS\system32\PerfStringBackup.INI

2015-04-12 16:07 - 2013-05-29 02:00 - 00646142 _____ () C:\WINDOWS\system32\perfh012.dat

2015-04-12 16:07 - 2013-05-29 02:00 - 00175914 _____ () C:\WINDOWS\system32\perfc012.dat

2015-04-12 10:41 - 2014-10-18 14:15 - 00000000 ____D () C:\WINDOWS\Minidump

2015-04-11 23:40 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\NDF

2015-04-09 22:06 - 2015-02-15 14:52 - 00000000 ____D () C:\Program Files\Dell

2015-04-09 22:06 - 2013-06-26 23:56 - 00000000 ____D () C:\Users\Dolby\Documents\Outlook Files

2015-04-09 22:06 - 2013-06-26 23:12 - 00000000 ____D () C:\Program Files (x86)\Dell

2015-04-09 22:06 - 2013-05-29 23:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell

2015-04-07 19:11 - 2014-07-25 19:56 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys

2015-04-07 19:11 - 2013-06-02 11:40 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware

2015-04-04 19:21 - 2013-08-22 09:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI

2015-04-03 00:41 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppReadiness

2015-03-30 19:09 - 2015-02-19 23:19 - 00000000 ____D () C:\Users\Dolby\AppData\Roaming\PCDr

2015-03-29 16:35 - 2014-08-19 12:31 - 00056008 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\kldisk.sys

2015-03-29 16:20 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM

2015-03-29 16:19 - 2012-07-26 04:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP

2015-03-29 16:16 - 2013-11-14 03:20 - 00061414 _____ () C:\WINDOWS\PFRO.log

2015-03-27 01:55 - 2014-06-08 02:14 - 00000000 ____D ()

2015-03-27 01:26 - 2013-05-28 13:12 - 00000000 ____D () C:\Users\Dolby\AppData\Local\Packages

2015-03-25 20:30 - 2013-11-28 15:15 - 00000000 ____D () C:\Program Files\COMODO

 

==================== Files in the root of some directories =======

 

2013-07-28 00:48 - 2008-10-09 22:34 - 20660296 _____ () C:\Program Files (x86)\DeductionPro2006.exe

2013-07-28 00:48 - 2009-04-15 12:59 - 21038400 _____ () C:\Program Files (x86)\DeductionPro2008.exe

2013-07-28 00:48 - 2010-04-15 21:06 - 21513576 _____ () C:\Program Files (x86)\DeductionPro2009.exe

2013-07-28 00:48 - 2010-04-23 17:01 - 21034344 _____ () C:\Program Files (x86)\HRBlock_DeluxeSE_2009_Update_H.exe

2013-07-28 00:48 - 2010-04-15 21:02 - 33690984 _____ () C:\Program Files (x86)\HRB_At_Home_2009DESH2.exe

2013-07-28 00:48 - 2009-10-27 21:44 - 58139344 _____ (Kaspersky Lab) C:\Program Files (x86)\kav9.0.0.463en.exe

2013-07-28 00:47 - 2011-05-19 19:57 - 101164432 _____ (Intuit Inc.                                                 ) C:\Program Files (x86)\Quicken_Premier_2011.exe

2013-07-28 00:47 - 2011-05-19 20:16 - 29764000 _____ (Intuit                                                      ) C:\Program Files (x86)\QW11R8Patch.exe

2013-07-28 00:48 - 2008-10-10 00:41 - 36881736 _____ () C:\Program Files (x86)\TaxCut2007PA.exe

2013-07-28 00:48 - 2009-04-15 13:00 - 37942592 _____ () C:\Program Files (x86)\TaxCut2008PSEI.exe

2013-07-28 00:48 - 2008-01-03 02:14 - 1011784 _____ () C:\Program Files (x86)\TaxCut_2005_New_Jersey_UpdaterC.exe

2013-07-28 00:47 - 2008-01-03 02:10 - 3301960 _____ () C:\Program Files (x86)\TaxCut_2005_New_York_InstallerD.exe

2013-07-28 00:48 - 2008-01-03 02:14 - 1900104 _____ () C:\Program Files (x86)\TaxCut_2005_New_York_UpdaterD.exe

2013-07-28 00:48 - 2008-10-09 22:35 - 44441160 _____ () C:\Program Files (x86)\TaxCut_2006_Federal_InstallerPSF.exe

2013-07-28 00:48 - 2008-10-09 23:18 - 0733768 _____ () C:\Program Files (x86)\TaxCut_2006_New_Jersey_UpdaterC.exe

2013-07-28 00:48 - 2009-04-15 09:51 - 0733768 _____ () C:\Program Files (x86)\TaxCut_2006_New_Jersey_UpdaterC2 dupe.exe

2013-07-28 00:48 - 2008-10-09 23:18 - 0861256 _____ () C:\Program Files (x86)\TaxCut_2006_New_York_UpdaterA.exe

2013-07-28 00:48 - 2009-04-15 09:51 - 0861256 _____ () C:\Program Files (x86)\TaxCut_2006_New_York_UpdaterA2 dupe.exe

2013-07-28 00:48 - 2009-04-15 09:51 - 4207944 _____ () C:\Program Files (x86)\TaxCut_2007_New_York_UpdaterA.exe

2013-07-28 00:48 - 2010-05-27 12:37 - 2164032 _____ () C:\Program Files (x86)\TaxCut_2008_New_Jersey_Updater.exe

2013-07-28 00:48 - 2010-05-27 12:36 - 26711360 _____ () C:\Program Files (x86)\TaxCut_PremiumSE_2008_Update_I.exe

2013-07-28 00:48 - 2010-05-27 12:44 - 33895752 _____ () C:\Program Files (x86)\TaxCut_PremiumS_2007_Update_F.exe

2013-07-28 00:48 - 2008-01-03 02:14 - 9328712 _____ () C:\Program Files (x86)\TaxCut_Premium_2005_UpdateD.exe

2013-07-28 00:48 - 2008-10-09 23:18 - 11392072 _____ () C:\Program Files (x86)\TaxCut_Premium_2006_Update_F.exe

2013-07-28 00:48 - 2009-04-15 09:38 - 11392072 _____ () C:\Program Files (x86)\TaxCut_Premium_2006_Update_F2.exe

2013-07-28 00:48 - 2010-05-27 12:44 - 33674568 _____ () C:\Program Files (x86)\TaxCut_Premium_2007_Update_F.exe

2013-07-28 00:48 - 2010-05-29 10:55 - 4331944 _____ () C:\Program Files (x86)\w_new_jersey_ind_2008.03a.0001.exe

2013-07-28 00:47 - 2011-04-18 21:05 - 6622808 _____ () C:\Program Files (x86)\w_new_jersey_ind_2010.12c.0100.exe

2013-07-28 00:48 - 2010-04-23 17:28 - 76485272 _____ () C:\Program Files (x86)\w_perrelsuperpatch_ttax_2008.exe

2013-07-28 00:47 - 2011-04-17 23:27 - 78777616 _____ () C:\Program Files (x86)\w_perrelsuperpatch_ttax_2009.15c.0101.exe

2013-07-28 00:47 - 2011-04-18 21:17 - 108842800 _____ () C:\Program Files (x86)\w_perrelsuperpatch_ttax_2010.16a.0100.exe

2013-07-28 00:47 - 2010-05-29 10:56 - 111048960 _____ () C:\Program Files (x86)\w_turbotax_1040_prm_2008.14d.0100.exe

2013-07-28 00:47 - 2011-04-17 23:26 - 84588608 _____ () C:\Program Files (x86)\w_turbotax_1040_prm_2009.15c.0101.exe

2013-07-28 00:47 - 2011-04-18 21:23 - 116481640 _____ () C:\Program Files (x86)\w_turbotax_1040_prm_2010.16a.0100.exe

2014-03-04 21:42 - 2014-03-04 21:56 - 0000130 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

2013-05-14 02:00 - 2013-05-14 02:00 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log

2013-05-14 01:57 - 2013-05-14 01:58 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log

2013-05-14 01:58 - 2013-05-14 01:59 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log

2013-05-14 01:57 - 2013-05-14 01:57 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

2013-05-14 01:59 - 2013-05-14 02:00 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2015-04-16 20:32

 

==================== End Of Log ============================

 

 

 

=============================

My Specs:

 

(1) Dell XPS 8500; 3.4 GHz; 12 Gb RAM; 64-bit OS; 2 Tb HD

(2) Windows 8.1 2013; Kaspersky Total Security 2015 15.0.1.415©.  

(3) Have run free versions of:  Malwarebytes; Super AntiSpyware; HitmanPro; JRT; FRST64; FSS; MiniToolBox; rkill; tdsskiller


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:22 AM

Posted 20 April 2015 - 09:01 PM

Greetings techgnosis and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please cut and paste FRST.exe onto your Desktop.

Running from C:\Users\Dolby\Downloads\anti-spyware\ran


===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKLM\...\Run: [CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}] => "C:\ProgramData\cis51E2.exe" --PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}
C:\ProgramData\cis51E2.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1002 -> {E20512F9-5C1E-448F-915C-7AB81B06BA55} URL = 
DPF: HKLM-x32 {8E2A904F-FDD7-4086-A49C-834F1C47DC39} 
FF Plugin HKU\S-1-5-21-2767479305-1133554152-2264245223-1002: vitzo.com/VDownloader -> C:\Program Files\VDownloader\Addons\npVDownloader.dll No File
S0 tljkva; No ImagePath
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
U4 CmdAgent; No ImagePath
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
Folder: C:\WINDOWS\%LOCALAPPDATA%
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 techgnosis

techgnosis
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York City Area
  • Local time:08:22 AM

Posted 23 April 2015 - 12:54 AM

Hi, Oh My, thank you so much for focusing on my issue.  Unfortunately, since I didn't receive any reply for a while, I started tinkering with my system and changed some configurations.  So I should probably repost my scans.  And now I'm not so sure if it's a malware/virus issue.  I think it could be but it should also be considered a Windows 8.1 issue. 

 

Could I cross-post in both places? 



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:22 AM

Posted 23 April 2015 - 08:15 AM

Greetings,

If you have an open Topic in the Malware Forum other Forums will not assist until the Malware topic is resolved. Since we have connected here go ahead and run the fix I posted, rescan with FRST, including Addition.txt, and post the new logs. We will figure things from there.
Gary
 

#5 techgnosis

techgnosis
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York City Area
  • Local time:08:22 AM

Posted 24 April 2015 - 12:32 AM

Ok, thanks, can I do it over the weekend? I'm just bogged down with work now and won't have free time until about Sat/Sun. 



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:22 AM

Posted 24 April 2015 - 07:58 AM

No problem at all. See you in a day or 2.
Gary
 

#7 techgnosis

techgnosis
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York City Area
  • Local time:08:22 AM

Posted 26 April 2015 - 02:00 PM

Ok, here's the FRST scan and the system info is zipped and attached.  Thanks again.  Wow, just noticed a whole bunch of Windows Error Reporting in that Summary file attached going back to February, which was when the problem started.

===========================

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-04-2015
Ran by Sung at 2015-04-26 14:51:49 Run:6
Running from C:\Users\Sung\Desktop
Loaded Profiles: UpdatusUser & Sung & Dolby (Available profiles: UpdatusUser & Sung & dooda_000 & Dolby)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}] => "C:\ProgramData\cis51E2.exe" --PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}
C:\ProgramData\cis51E2.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1002 -> {E20512F9-5C1E-448F-915C-7AB81B06BA55} URL =
DPF: HKLM-x32 {8E2A904F-FDD7-4086-A49C-834F1C47DC39}
FF Plugin HKU\S-1-5-21-2767479305-1133554152-2264245223-1002: vitzo.com/VDownloader -> C:\Program Files\VDownloader\Addons\npVDownloader.dll No File
S0 tljkva; No ImagePath
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
U4 CmdAgent; No ImagePath
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
Folder: C:\WINDOWS\%LOCALAPPDATA%
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82} => Value not found.
"C:\ProgramData\cis51E2.exe" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 => Key not found.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 => Key not found.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 => Key not found.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 => Key not found.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 => Key not found.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 => Key not found.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
HKLM\SOFTWARE\Policies\Google => Key not found.
Error setting Default URLSearchHook.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-21-2767479305-1133554152-2264245223-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E20512F9-5C1E-448F-915C-7AB81B06BA55} => Key not found.
HKCR\CLSID\{E20512F9-5C1E-448F-915C-7AB81B06BA55} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{8E2A904F-FDD7-4086-A49C-834F1C47DC39} => Key not found.
HKCR\Wow6432Node\CLSID\{8E2A904F-FDD7-4086-A49C-834F1C47DC39} => Key not found.
HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\Software\MozillaPlugins\vitzo.com/VDownloader => Key not found.
C:\Program Files\VDownloader\Addons\npVDownloader.dll not found.
tljkva => Service not found.
BTATH_LWFLT => Service not found.
CmdAgent => Service not found.
"C:\ProgramData\Temp" => ":5C321E34" ADS not found.

========================= Folder: C:\WINDOWS\%LOCALAPPDATA% ========================

2015-03-25 23:59 - 2015-03-25 23:59 - 0000000 ____D () C:\WINDOWS\%LOCALAPPDATA%\CrashDumps

====== End of Folder: ======

==== End of Fixlog 14:51:49 ====

Edited by techgnosis, 26 April 2015 - 02:14 PM.


#8 Oh My!
Malware Response Instructor

Posted 26 April 2015 - 02:17 PM

Greetings,

 

Did you happen to run that fix twice?


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 techgnosis
Topic Starter

Posted 26 April 2015 - 02:25 PM

Yes, I did. Should that not have been done?



#10 Oh My!
Malware Response Instructor

Posted 26 April 2015 - 02:28 PM

Not a problem, I just needed to be sure because the Fixlog report you posted shows nothing was found.

 

Can you provide an update regarding your computer performance?


Gary
 

#11 techgnosis
Topic Starter

Posted 26 April 2015 - 02:34 PM

Hold on, then, let me rerun it again.  Is that gonna change anything?  Because that fixlist.txt disappears from Desktop after you run it.



#12 Oh My!
Malware Response Instructor

Posted 26 April 2015 - 02:38 PM

That is correct, it will disappear. The fix ran correctly.


Gary
 

#13 techgnosis
Topic Starter

Posted 26 April 2015 - 02:58 PM

I think this is the very first run that I did.  I reran Farbar and they come out exactly the same:  Value not found, key not found.

 

I made some changes to my computer since I made this post originally on 4/16/2015. What I did was mainly to disable, via Kaspersky, the OneDrive access feature. When I did that, the "Host Process for Setting Synchronization" did not come on as much and there was some improvement. However, the dw20.exe error message still comes on and the system is still pretty slow.

 

=============

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-04-2015
Ran by Sung at 2015-04-26 10:58:02 Run:1
Running from C:\Users\Sung\Desktop
Loaded Profiles: UpdatusUser & Sung (Available profiles: UpdatusUser & Sung & dooda_000)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}] => "C:\ProgramData\cis51E2.exe" --PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}
C:\ProgramData\cis51E2.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2767479305-1133554152-2264245223-1002 -> {E20512F9-5C1E-448F-915C-7AB81B06BA55} URL =
DPF: HKLM-x32 {8E2A904F-FDD7-4086-A49C-834F1C47DC39}
FF Plugin HKU\S-1-5-21-2767479305-1133554152-2264245223-1002: vitzo.com/VDownloader -> C:\Program Files\VDownloader\Addons\npVDownloader.dll No File
S0 tljkva; No ImagePath
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
U4 CmdAgent; No ImagePath
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
Folder: C:\WINDOWS\%LOCALAPPDATA%
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82} => value deleted successfully.
"C:\ProgramData\cis51E2.exe" => File/Directory not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
Error setting Default URLSearchHook.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-2767479305-1133554152-2264245223-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E20512F9-5C1E-448F-915C-7AB81B06BA55}" => Key deleted successfully.
HKCR\CLSID\{E20512F9-5C1E-448F-915C-7AB81B06BA55} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{8E2A904F-FDD7-4086-A49C-834F1C47DC39}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{8E2A904F-FDD7-4086-A49C-834F1C47DC39}" => Key deleted successfully.
"HKU\S-1-5-21-2767479305-1133554152-2264245223-1002\Software\MozillaPlugins\vitzo.com/VDownloader" => Key deleted successfully.
C:\Program Files\VDownloader\Addons\npVDownloader.dll not found.
tljkva => Service deleted successfully.
BTATH_LWFLT => Service deleted successfully.
CmdAgent => Service deleted successfully.
C:\ProgramData\Temp => ":5C321E34" ADS removed successfully.

========================= Folder: C:\WINDOWS\%LOCALAPPDATA% ========================

2015-03-25 23:59 - 2015-03-25 23:59 - 0000000 ____D () C:\WINDOWS\%LOCALAPPDATA%\CrashDumps

====== End of Folder: ======

==== End of Fixlog 10:58:03 ====
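
A way to confirm that result without FRST, added here as an example (it is not part of the thread and not FRST's own logic): the Run:1 Fixlog above shows the CIS_ Run value, the six SkyDrive overlay keys, the three service entries (tljkva, BTATH_LWFLT, CmdAgent) and the alternate data stream on C:\ProgramData\Temp being deleted, so a later run reporting "not found" for all of them is the expected outcome. The PowerShell below re-reads the same locations independently, taking every registry path, service name, CLSID and the ADS host from the fixlist, and generalizes the service check to every entry under CurrentControlSet\Services rather than only the three named. Step 5 assumes that "Host Process for Setting Synchronization" is C:\Windows\System32\SettingSyncHost.exe and looks up dw20.exe only if it happens to be running; those file names are my assumptions, not something the thread states. The script only reads; run it from an elevated PowerShell on the affected machine.

```powershell
# Added example, not part of the thread or of FRST: re-read, with built-in
# PowerShell only, the locations the fixlist above targeted. Registry paths,
# service names, CLSIDs and the ADS host come from the fixlist; the file name
# in step 5 (SettingSyncHost.exe) is an assumption. Read-only; run elevated.

$findings = New-Object System.Collections.Generic.List[string]

# Turn a raw ImagePath / InprocServer32 value into a plain filesystem path.
function Resolve-BinaryPath([string]$raw) {
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''                                       # \??\C:\x.sys   -> C:\x.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                      # \SystemRoot\.. -> C:\WINDOWS\..
    if ($p -match '^"([^"]+)"')                      { $p = $Matches[1] }  # "C:\a b.exe" /x -> C:\a b.exe
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }  # C:\a.exe -k x   -> C:\a.exe
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }     # relative driver paths
    return $p
}

# 1. Leftover post-uninstall Run value whose target executable no longer exists.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}'
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) {
    $exe   = Resolve-BinaryPath $run.$runName
    $state = if ($exe -and (Test-Path -LiteralPath $exe)) { 'exists' } else { 'MISSING' }
    $findings.Add("Run value '$runName' still present -> $exe ($state)")
}

# 2. Every registered service/driver: flag a missing ImagePath or a binary not on disk.
#    A 'Start' value marks a real service entry; keys without one are configuration containers.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $null -eq $svc.Start) { return }
    $bin = Resolve-BinaryPath $svc.ImagePath
    if (-not $bin) {
        $findings.Add("Service '$($_.PSChildName)' has no ImagePath (Start=$($svc.Start))")
    } elseif (-not (Test-Path -LiteralPath $bin)) {
        $findings.Add("Service '$($_.PSChildName)' ImagePath not on disk: $bin")
    }
}

# 3. Alternate data streams on the directory FRST reported one on.
$adsHost = 'C:\ProgramData\Temp'
if (Test-Path -LiteralPath $adsHost) {
    Get-Item -LiteralPath $adsHost -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS still present: ${adsHost}:$($_.Stream) ($($_.Length) bytes)") }
}

# 4. Icon-overlay handlers whose CLSID no longer resolves to a DLL on disk (the SkyDrive1..3 case).
$overlayRoots = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'             = 'CLSID'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' = 'Wow6432Node\CLSID'
}
foreach ($root in $overlayRoots.Keys) {
    if (-not (Test-Path $root)) { continue }
    foreach ($h in Get-ChildItem $root) {
        $clsid = (Get-ItemProperty -Path $h.PSPath).'(default)'
        $srv   = "Registry::HKEY_CLASSES_ROOT\$($overlayRoots[$root])\$clsid\InprocServer32"
        $dll   = Resolve-BinaryPath ((Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)')
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            $findings.Add("Overlay handler '$($h.PSChildName.Trim())' -> $clsid has no DLL on disk")
        }
    }
}

# 5. Signature check for the two processes named in the thread. A Windows binary with no
#    embedded signature is normally catalog-signed; on Windows 8 and later
#    Get-AuthenticodeSignature consults the catalogs, so Status 'Valid' with
#    SignatureType 'Catalog' is the normal result even though Explorer's Properties
#    dialog shows no Digital Signatures tab for such a file.
$bins  = @("$env:SystemRoot\System32\SettingSyncHost.exe")   # assumed file name for the "Host Process for Setting Synchronization"
$bins += Get-Process -Name dw20 -ErrorAction SilentlyContinue | ForEach-Object { $_.Path }  # only if dw20.exe is running now
foreach ($b in ($bins | Where-Object { $_ } | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $b)) { $findings.Add("Not found: $b"); continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $b
    $findings.Add("$b : $($sig.Status) / $($sig.SignatureType) ($($sig.SignerCertificate.Subject))")
}

if ($findings.Count -eq 0) { 'No remnants found.' } else { $findings }
```

Whatever it prints is a list to review, not to delete blindly: a service whose binary is missing is often a harmless uninstall leftover, and a driver whose ImagePath uses a layout the resolver's patterns do not cover will show up as "not on disk" even though it is fine. The signature line is the check that matters for the process the thread is worried about: a 'Valid' catalog signature on an OS binary means the file is Microsoft's, and the absence of an embedded signature on its own says nothing.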



#14 Oh My!
Malware Response Instructor

Posted 26 April 2015 - 03:08 PM

Thank you,

 

Can you confirm you have Microsoft Office 2013?


Gary
 

#15 Oh My!
Malware Response Instructor

Posted 26 April 2015 - 03:11 PM

Or is it Office 365?


Gary
 



