Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

S3 Amazonaws / Alarabeyes browser Hijack


  • Please log in to reply
2 replies to this topic

#1 jslegers

jslegers

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:02 AM

Posted 17 April 2015 - 10:33 AM

Hello,
 
A user of us is having an annoying problem with his pc. If the users starts IE It first goes to this website :
 
hxxttps://s3.amazonaws.com/amazo/rnnd as I can see and then opens hxxttp://www.alarabeyes.com
 
If I change the startpage it is automatically changed to the from above.
 
I have ran FRTS for the log files :
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-04-2015 04
Ran by USER at 2015-04-17 16:10:48
Running from E:\Malware CleanUp
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Symantec Endpoint Protection (Enabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Enabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.176 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) - Nederlands (HKLM-x32\...\{AC76BA86-7AD7-1043-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.4.634 - Adobe Systems, Inc.)
Alarabeyes (HKU\S-1-5-21-796845957-1303643608-1801674531-18866\...\ARHome) (Version: 2.1 - NoVooIT)
AMD Catalyst Install Manager (HKLM\...\{426B43EC-284B-8DAB-5419-D8418C7C3D26}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
Avaya Microsoft Lync Integration (HKLM-x32\...\{3110CD25-2EB2-468B-9F24-E506C1CBEAB4}) (Version: 6.2.0.0 - Avaya)
Avaya Office 2010 Add-in (x86) (HKLM-x32\...\{71BF5D1B-4035-47C9-9821-588E7F8DA9EE}) (Version: 6.2.1 - Avaya)
Citrix online plug-in (HKLM-x32\...\CitrixOnlinePluginFull) (Version: 12.3.0.8 - Citrix Systems, Inc.)
HP Hotkey Support (HKLM-x32\...\{C97CC14E-4789-4FC5-BC75-79191F7CE009}) (Version: 4.6.10.1 - Hewlett-Packard Company)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6435.0 - IDT)
Java 7 Update 55 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417055FF}) (Version: 7.0.550 - Oracle)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Lync 2010 (HKLM\...\{11849FBC-C416-4742-8279-17C3A2C85F72}) (Version: 4.0.7577.4446 - Microsoft Corporation)
Microsoft Lync 2010 SDK Runtime (HKLM-x32\...\{8AF10E19-4330-4077-A1B5-491ACDC24B08}) (Version: 4.0.7577.124 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32\...\{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Opera Stable 28.0.1750.48 (HKLM-x32\...\Opera 28.0.1750.48) (Version: 28.0.1750.48 - Opera Software ASA)
Quest One Secure Password Extension x64 (HKLM\...\{DDAC1F11-AD21-4E79-B63C-7D6A745ADD61}) (Version: 5.0.3.5564 - Quest Software, Inc.)
SAP GUI for Windows 7.30 (Patch 9) (HKLM-x32\...\SAPGUI710) (Version: 7.30 Compilation 3 - SAP AG)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Skype™ 7.1 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.1.105 - Skype Technologies S.A.)
Snow Inventory Client 3.7.00 (HKLM-x32\...\{A83ABEEB-0B46-4291-ABC2-08BCF974125D}) (Version: 3.7.11069 - Snow Software AB)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{B53661DC-CD94-4B14-B15F-D9DDCFF72558}) (Version: 12.1.4013.4013 - Symantec Corporation)
Symantec Enterprise Vault HTTP-only Outlook Add-In (HKLM-x32\...\{8B78A1C2-8916-4351-AE81-6423C346A452}) (Version: 9.0.5169 - Symantec Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.8.9 - Synaptics Incorporated)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WinPdf Writer (HKLM\...\WinPdf Writer) (Version:  - )
WinPDF Writer (HKLM-x32\...\{16E72583-459E-428C-B4E7-C2CC4538FFED}) (Version: 1.0.0 - TopByteLabs Ltd.)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
23-02-2015 12:10:01 Windows Update
02-03-2015 12:45:01 Scheduled Checkpoint
09-03-2015 14:33:10 Scheduled Checkpoint
11-03-2015 17:29:02 Windows Update
12-03-2015 16:46:34 Windows Update
20-03-2015 16:26:29 Scheduled Checkpoint
03-04-2015 09:42:28 Scheduled Checkpoint
13-04-2015 13:11:24 Scheduled Checkpoint
15-04-2015 16:20:44 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0870B411-825C-4E67-A0F6-A506AE22CBEA} - System32\Tasks\9A5A8340-6B15 => C:\Users\USER\AppData\Roaming\htcon\Updater.exe
Task: {2E373856-7949-4E43-8D43-DB0F02F698E1} - System32\Tasks\ScheduledScan => C:\Users\USER\AppData\Roaming\Flasher\c32s.exe [2015-03-19] ()
Task: {47A6E7CA-5C5A-4095-881D-4D7B02F51700} - System32\Tasks\Virt-Device => C:\Users\USER\AppData\Roaming\Craft\Updater.exe
Task: {68C33496-5808-4000-B087-7B277802512C} - System32\Tasks\Newsfeed => C:\Users\USER\AppData\Roaming\Flasher\c32s.exe [2015-03-19] ()
Task: {6C18E5EC-1F62-4B09-95C5-C4178A2F6457} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {90A663F2-5EC0-48C3-8A65-AB128C0A8FFE} - System32\Tasks\Drv Update => C:\ProgramData\Drv\Drv.exe
Task: {B9F12428-E8AE-438D-A1E7-F213072CB187} - System32\Tasks\Opera scheduled Autoupdate 1427724832 => C:\Program Files (x86)\Opera\launcher.exe [2015-03-16] (Opera Software)
Task: {CFA20085-5315-45BA-9D98-1097C7157C32} - System32\Tasks\Mistl => C:\ProgramData\Mistl\Mistl.exe
Task: {F9C2D64A-60F8-48FE-B881-8D1C7E6A408E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-08] (Adobe Systems Incorporated)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2013-10-03 13:59 - 2006-11-30 16:41 - 00087040 _____ () C:\windows\System32\custmon64.dll
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2013-06-05 16:51 - 2013-06-05 16:51 - 00098304 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\BrandingNet4.dll
2013-06-05 16:51 - 2013-06-05 16:51 - 00024576 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\BrandingResourcesNet4.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-796845957-1303643608-1801674531-18866\Control Panel\Desktop\\Wallpaper -> C:\Users\USER\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.128.128.128
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2198343187-204490053-3806889315-500 - Administrator - Enabled) => C:\Users\Administrator.COMPUTER
Guest (S-1-5-21-2198343187-204490053-3806889315-501 - Limited - Disabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/17/2015 04:06:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/17/2015 09:16:15 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/16/2015 10:10:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/16/2015 09:09:17 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/15/2015 08:34:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/14/2015 09:24:40 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/13/2015 01:06:21 PM) (Source: Software Protection Platform Service) (EventID: 8208) (User: )
Description: Acquisition of genuine ticket failed (hr=0x8004FE33) for template Id 66c92734-d682-4d71-983e-d6ec3f16059f
 
Error: (04/13/2015 01:06:21 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. 
hr=0x8004FE33
 
Error: (04/13/2015 09:12:15 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen in File: C:\PROGRAMDATA\Kirin\Kirin.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.
 
Error: (04/13/2015 09:11:07 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen in File: C:\Users\USER\AppData\Roaming\htcon\Updater.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.
 
 
System errors:
=============
Error: (04/17/2015 04:08:04 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (04/17/2015 04:06:16 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: domaincontroller)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (04/17/2015 04:05:56 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
 
Error: (04/17/2015 04:05:55 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain domaincontroller due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (04/17/2015 11:46:41 AM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (04/17/2015 11:44:08 AM) (Source: MEIx64) (EventID: 3) (User: )
Description: Intel® Management Engine Interface driver has failed to perform handshake with the Firmware.
 
Error: (04/17/2015 10:55:03 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (04/17/2015 09:18:47 AM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (04/17/2015 09:16:22 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: domaincontroller)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (04/17/2015 09:15:59 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
 
 
Microsoft Office Sessions:
=========================
Error: (04/17/2015 04:06:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/17/2015 09:16:15 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/16/2015 10:10:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/16/2015 09:09:17 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/15/2015 08:34:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/14/2015 09:24:40 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (04/13/2015 01:06:21 PM) (Source: Software Protection Platform Service) (EventID: 8208) (User: )
Description: hr=0x8004FE3366c92734-d682-4d71-983e-d6ec3f16059f
 
Error: (04/13/2015 01:06:21 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: hr=0x8004FE3300010001(0x00000000, 13:06:21:733 - http://go.microsoft.com/fwlink/?LinkId=151642)
00020001(0x00000000, 13:06:21:733)
00030001(0x00000000, 13:06:21:733 - http://go.microsoft.com)
00030002(0x00000000, 13:06:21:733 - 0)
00040001(0x00000000, 13:06:21:733 - http://go.microsoft.com)
00040002(0x00000000, 13:06:21:733 - 1, <NULL>, <NULL>, <NULL>)
00040004(0x00000000, 13:06:21:733 - http://proxy:80/wpad.dat)
00040005(0x00000001, 13:06:21:748 - 1, http://go.microsoft.com, 192.168.254.12:8080, <NULL>)
00040006(0x00000000, 13:06:21:748 - 1, http://go.microsoft.com, 192.168.254.12:8080, <local>)
00020005(0x00000000, 13:06:21:748 - 1)
0002000C(0x00000000, 13:06:21:748 - 407)
00010002(0x8004FE33, 13:06:21:748 - <NULL>)
00010003(0x8004FE33, 13:06:21:748)
 
Error: (04/13/2015 09:12:15 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen in File: C:\PROGRAMDATA\Kirin\Kirin.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.
 
Error: (04/13/2015 09:11:07 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen in File: C:\Users\USER\AppData\Roaming\htcon\Updater.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.
 
 
CodeIntegrity Errors:
===================================
  Date: 2013-10-03 21:08:21.265
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:08:21.250
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:07:56.836
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:07:56.820
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:06:58.663
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:06:58.663
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:06:58.507
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbehci.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:06:58.507
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbehci.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:06:58.460
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbehci.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-03 21:06:58.445
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbehci.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 35%
Total physical RAM: 4043.56 MB
Available physical RAM: 2612.66 MB
Total Pagefile: 8085.31 MB
Available Pagefile: 6592.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: (OSDisk) (Fixed) (Total:465.27 GB) (Free:401.65 GB) NTFS
Drive e: (ICT Stick) (Removable) (Total:14.92 GB) (Free:10.86 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: A876A6D9)
Partition 1: (Active) - (Size=499 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.9 GB) (Disk ID: 01931AF7)
Partition 1: (Not Active) - (Size=14.9 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-04-2015 04
Ran by USER (administrator) on COMPUTER on 17-04-2015 16:10:01
Running from E:\Malware CleanUp
Loaded Profiles: USER (Available profiles: Administrator & USER)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe
(Avaya Inc.) C:\Program Files (x86)\Avaya\Avaya one-X Communicator\QosServM.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Snow Software AB) C:\Program Files (x86)\Snow\InventoryClient\client64.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Quest Software, Inc.) C:\Windows\System32\SPEnroll.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Lync\communicator.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\pnamain.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SPEnroll] => C:\windows\system32\SPEnroll.exe [3226960 2013-10-28] (Quest Software, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-09-04] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-11-12] (IDT, Inc.)
HKLM-x32\...\Run: [BCSSync] => c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [309184 2012-03-28] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [QLBController] => C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe [334240 2012-08-28] (Hewlett-Packard Company)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Communicator] => C:\Program Files (x86)\Microsoft Lync\communicator.exe [12117312 2014-05-01] (Microsoft Corporation)
HKLM-x32\...\Run: [LyncAddin] => C:\Program Files (x86)\Avaya\Avaya Microsoft Lync Integration\LyncAddin.exe [1935872 2013-03-06] (Microsoft)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-11] (Advanced Micro Devices, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Online plug-in.lnk
ShortcutTarget: Online plug-in.lnk -> C:\Windows\Installer\{913778D3-E1D8-4B55-9246-3308C54D3162}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.arabyonline.com/?src=1000
HKU\S-1-5-21-796845957-1303643608-1801674531-18866\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alarabeyes.com/
BHO: DigiAd Class -> {2ED35963-FCC9-4698-B619-787FE1C75079} -> C:\Users\USER\AppData\Roaming\VolIE\IE\AdSafe_64.dll [2015-03-30] ()
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-09-08] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-09-08] (Oracle Corporation)
BHO-x32: DigiAd Class -> {2ED35963-FCC9-4698-B619-787FE1C75079} -> C:\Users\USER\AppData\Roaming\VolIE\IE\AdSafe_32.dll [2015-03-30] ()
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Lync\OCHelper.dll [2010-10-22] (Microsoft Corporation)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL [2015-02-10] (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-09-24] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-09-24] (Oracle Corporation)
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2014-05-15] (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2014-05-15] (SAP, Walldorf)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-03-28] (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.128.128.128
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-09-08] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-09-08] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> c:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-09-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-09-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> c:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2014-05-01] ()
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFFPlgn
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [523680 2012-08-28] (Hewlett-Packard Company)
R2 iClarityQoSService; C:\Program Files (x86)\Avaya\Avaya one-X Communicator\QosServM.exe [1650688 2012-12-10] (Avaya Inc.) [File not signed]
R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2015-02-10] (Symantec Corporation)
R3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe [2377984 2015-02-10] (Symantec Corporation)
S3 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\snac64.exe [334736 2015-02-10] (Symantec Corporation)
R2 SnowInventoryClient; C:\Program Files (x86)\Snow\InventoryClient\client64.exe [4775424 2014-02-10] (Snow Software AB) [File not signed]
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [327680 2012-11-12] (IDT, Inc.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-02] (Broadcom Corporation.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150309.013\BHDrvx64.sys [1622744 2015-02-17] (Symantec Corporation)
R1 ccSettings_{2FF4FBED-F03A-4EE2-AC58-C985811A4FBE}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\ccSetx64.sys [169048 2015-02-10] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2015-03-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2015-02-10] (Symantec Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150416.011\IDSvia64.sys [637656 2015-03-30] (Symantec Corporation)
R3 johci; C:\Windows\System32\DRIVERS\johci.sys [26208 2012-07-16] (JMicron Technology Corp.)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-07-26] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150416.001\ENG64.SYS [129752 2015-04-13] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150416.001\EX64.SYS [2137304 2015-04-13] (Symantec Corporation)
R3 SnowSoftwareDnsMonDriver; C:\Program Files (x86)\Snow\InventoryClient\swpcap64.sys [18072 2015-04-17] (Snow Software AB)
S3 SPUVCbv; C:\Windows\System32\Drivers\SPUVCbv_x64.sys [1064184 2012-09-23] (Sunplus)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SRTSP64.SYS [797272 2015-02-10] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SRTSPX64.SYS [36952 2015-02-10] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\SyDvCtrl64.sys [34800 2015-02-10] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMDS64.SYS [493656 2015-02-10] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMEFA64.SYS [1147480 2015-02-10] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2015-02-10] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\Ironx64.SYS [224856 2015-02-10] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMNETS.SYS [437336 2015-02-10] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [155352 2015-02-10] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [92456 2015-02-10] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-17 16:09 - 2015-04-17 16:10 - 00000000 ____D () C:\FRST
2015-04-16 09:56 - 2015-04-16 09:56 - 19546112 _____ () C:\Users\USER\Desktop\Presentation Chewing Gum Trek.ppt
2015-04-15 16:26 - 2015-03-25 05:24 - 03298816 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 02553856 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 00696320 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 00191488 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 00098304 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\WinSetupUI.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 00037376 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll
2015-04-15 16:26 - 2015-03-25 05:24 - 00035328 _____ (Microsoft Corporation) C:\windows\system32\wups.dll
2015-04-15 16:26 - 2015-03-25 05:23 - 00135168 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2015-04-15 16:26 - 2015-03-25 05:23 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
2015-04-15 16:26 - 2015-03-25 05:23 - 00012288 _____ (Microsoft Corporation) C:\windows\system32\wu.upgrade.ps.dll
2015-04-15 16:26 - 2015-03-25 05:00 - 00566784 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
2015-04-15 16:26 - 2015-03-25 05:00 - 00173056 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
2015-04-15 16:26 - 2015-03-25 05:00 - 00092672 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
2015-04-15 16:26 - 2015-03-25 05:00 - 00033792 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
2015-04-15 16:26 - 2015-03-25 05:00 - 00029696 _____ (Microsoft Corporation) C:\windows\SysWOW64\wups.dll
2015-04-15 16:25 - 2015-03-05 07:12 - 00404480 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2015-04-15 16:25 - 2015-03-05 06:05 - 00311808 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2015-04-15 16:24 - 2015-03-10 05:25 - 01882624 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2015-04-15 16:24 - 2015-03-10 05:21 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\msxml3r.dll
2015-04-15 16:24 - 2015-03-10 05:08 - 01237504 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2015-04-15 16:24 - 2015-03-10 05:05 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3r.dll
2015-04-15 16:23 - 2015-03-17 07:22 - 05557696 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-04-15 16:23 - 2015-03-17 07:22 - 00155576 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2015-04-15 16:23 - 2015-03-17 07:22 - 00095672 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2015-04-15 16:23 - 2015-03-17 07:19 - 01727904 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2015-04-15 16:23 - 2015-03-17 07:17 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2015-04-15 16:23 - 2015-03-17 07:17 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2015-04-15 16:23 - 2015-03-17 07:17 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 01461760 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 01163264 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00341504 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00309760 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-04-15 16:23 - 2015-03-17 07:16 - 00215040 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00136192 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2015-04-15 16:23 - 2015-03-17 07:16 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00029184 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2015-04-15 16:23 - 2015-03-17 07:16 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2015-04-15 16:23 - 2015-03-17 07:15 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2015-04-15 16:23 - 2015-03-17 07:15 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2015-04-15 16:23 - 2015-03-17 07:15 - 00031232 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2015-04-15 16:23 - 2015-03-17 07:13 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2015-04-15 16:23 - 2015-03-17 07:13 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00686080 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 07:01 - 03976632 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-04-15 16:23 - 2015-03-17 07:01 - 03920824 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-04-15 16:23 - 2015-03-17 06:59 - 01309696 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00221184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2015-04-15 16:23 - 2015-03-17 06:57 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2015-04-15 16:23 - 2015-03-17 06:56 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2015-04-15 16:23 - 2015-03-17 06:56 - 00274944 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2015-04-15 16:23 - 2015-03-17 06:56 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2015-04-15 16:23 - 2015-03-17 06:56 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2015-04-15 16:23 - 2015-03-17 06:56 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2015-04-15 16:23 - 2015-03-17 06:56 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2015-04-15 16:23 - 2015-03-17 06:56 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2015-04-15 16:23 - 2015-03-17 06:53 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2015-04-15 16:23 - 2015-03-17 06:53 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00686080 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 05:45 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2015-04-15 16:23 - 2015-03-17 05:45 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2015-04-15 16:23 - 2015-03-17 05:43 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 05:43 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 05:43 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-04-15 16:23 - 2015-03-17 05:43 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-04-15 16:22 - 2015-02-25 05:18 - 00754688 _____ (Microsoft Corporation) C:\windows\system32\Drivers\http.sys
2015-04-15 16:21 - 2015-04-02 02:17 - 00389808 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-04-15 16:21 - 2015-04-02 01:49 - 00342704 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-04-15 16:21 - 2015-03-13 06:32 - 24980480 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-04-15 16:21 - 2015-03-13 06:25 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2015-04-15 16:21 - 2015-03-13 06:25 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2015-04-15 16:21 - 2015-03-13 06:09 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2015-04-15 16:21 - 2015-03-13 06:08 - 00584192 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-04-15 16:21 - 2015-03-13 06:08 - 00417280 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2015-04-15 16:21 - 2015-03-13 06:08 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2015-04-15 16:21 - 2015-03-13 06:07 - 02886144 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-04-15 16:21 - 2015-03-13 06:06 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2015-04-15 16:21 - 2015-03-13 06:00 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2015-04-15 16:21 - 2015-03-13 05:59 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2015-04-15 16:21 - 2015-03-13 05:55 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-04-15 16:21 - 2015-03-13 05:54 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2015-04-15 16:21 - 2015-03-13 05:54 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2015-04-15 16:21 - 2015-03-13 05:53 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2015-04-15 16:21 - 2015-03-13 05:50 - 06025216 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-04-15 16:21 - 2015-03-13 05:44 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2015-04-15 16:21 - 2015-03-13 05:42 - 19695616 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-04-15 16:21 - 2015-03-13 05:42 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2015-04-15 16:21 - 2015-03-13 05:40 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2015-04-15 16:21 - 2015-03-13 05:32 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2015-04-15 16:21 - 2015-03-13 05:28 - 00503296 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-04-15 16:21 - 2015-03-13 05:28 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2015-04-15 16:21 - 2015-03-13 05:27 - 00340992 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2015-04-15 16:21 - 2015-03-13 05:27 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2015-04-15 16:21 - 2015-03-13 05:27 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2015-04-15 16:21 - 2015-03-13 05:26 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2015-04-15 16:21 - 2015-03-13 05:26 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2015-04-15 16:21 - 2015-03-13 05:23 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2015-04-15 16:21 - 2015-03-13 05:22 - 02278400 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-04-15 16:21 - 2015-03-13 05:20 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2015-04-15 16:21 - 2015-03-13 05:20 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2015-04-15 16:21 - 2015-03-13 05:17 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-04-15 16:21 - 2015-03-13 05:16 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2015-04-15 16:21 - 2015-03-13 05:15 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2015-04-15 16:21 - 2015-03-13 05:08 - 00720384 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-04-15 16:21 - 2015-03-13 05:07 - 00801280 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-04-15 16:21 - 2015-03-13 05:06 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2015-04-15 16:21 - 2015-03-13 05:05 - 02125824 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-04-15 16:21 - 2015-03-13 05:05 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2015-04-15 16:21 - 2015-03-13 05:01 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-04-15 16:21 - 2015-03-13 05:00 - 14397440 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-04-15 16:21 - 2015-03-13 04:57 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2015-04-15 16:21 - 2015-03-13 04:56 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2015-04-15 16:21 - 2015-03-13 04:54 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2015-04-15 16:21 - 2015-03-13 04:49 - 04305408 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-04-15 16:21 - 2015-03-13 04:45 - 02358784 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-04-15 16:21 - 2015-03-13 04:44 - 00689152 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-04-15 16:21 - 2015-03-13 04:43 - 02052608 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-04-15 16:21 - 2015-03-13 04:42 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2015-04-15 16:21 - 2015-03-13 04:34 - 12825600 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-04-15 16:21 - 2015-03-13 04:33 - 01548288 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-04-15 16:21 - 2015-03-13 04:22 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-04-15 16:21 - 2015-03-13 04:20 - 01888256 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-04-15 16:21 - 2015-03-13 04:16 - 01311232 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-04-15 16:21 - 2015-03-13 04:14 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-04-15 16:21 - 2015-03-04 06:55 - 00367552 _____ (Microsoft Corporation) C:\windows\system32\clfs.sys
2015-04-15 16:21 - 2015-03-04 06:41 - 00079360 _____ (Microsoft Corporation) C:\windows\system32\clfsw32.dll
2015-04-15 16:21 - 2015-03-04 06:10 - 00058880 _____ (Microsoft Corporation) C:\windows\SysWOW64\clfsw32.dll
2015-04-13 09:00 - 2015-04-13 09:00 - 00003770 _____ () C:\windows\System32\Tasks\Newsfeed
2015-04-13 09:00 - 2015-04-13 09:00 - 00003246 _____ () C:\windows\System32\Tasks\ScheduledScan
2015-04-13 09:00 - 2015-04-13 09:00 - 00000000 ____D () C:\Users\USER\AppData\Roaming\Flasher
2015-04-13 08:59 - 2015-04-13 08:59 - 00003242 _____ () C:\windows\System32\Tasks\Virt-Device
2015-04-13 08:59 - 2015-04-13 08:59 - 00000066 _____ () C:\windows\SysWOW64\sn.txt
2015-04-13 08:59 - 2015-04-13 08:59 - 00000000 ____D () C:\Users\USER\AppData\Roaming\VolIE
2015-04-13 08:59 - 2015-04-13 08:59 - 00000000 ____D () C:\Users\USER\AppData\Roaming\Craft
2015-04-13 08:59 - 2015-04-13 08:59 - 00000000 ____D () C:\ProgramData\Mistl
2015-04-08 22:12 - 2015-04-08 22:12 - 00012261 _____ () C:\Users\USER\Desktop\Condensed TP Ivonne Ramirez vs 02.xlsx
2015-04-07 10:29 - 2015-04-07 10:29 - 00131090 _____ () C:\Users\USER\Desktop\outlook print screen.pptx
2015-03-30 16:14 - 2015-03-30 16:14 - 00000000 ____D () C:\Users\USER\AppData\Roaming\Opera Software
2015-03-30 16:14 - 2015-03-30 16:14 - 00000000 ____D () C:\Users\USER\AppData\Local\Opera Software
2015-03-30 16:13 - 2015-04-13 09:12 - 00000000 ____D () C:\ProgramData\Kirin
2015-03-30 16:13 - 2015-04-13 09:10 - 00000000 ____D () C:\Users\USER\AppData\Roaming\htcon
2015-03-30 16:13 - 2015-04-13 09:09 - 00000000 ____D () C:\ProgramData\Drv
2015-03-30 16:13 - 2015-04-13 09:00 - 00003828 _____ () C:\windows\System32\Tasks\Opera scheduled Autoupdate 1427724832
2015-03-30 16:13 - 2015-04-13 09:00 - 00001229 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2015-03-30 16:13 - 2015-04-13 09:00 - 00001219 _____ () C:\Users\Public\Desktop\Opera.lnk
2015-03-30 16:13 - 2015-04-13 09:00 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-03-30 16:13 - 2015-04-13 08:59 - 00003732 _____ () C:\windows\System32\Tasks\Mistl
2015-03-30 16:13 - 2015-03-30 16:13 - 00784840 _____ (Google Inc.) C:\Users\USER\Downloads\google-chrome.exe
2015-03-30 16:13 - 2015-03-30 16:13 - 00003252 _____ () C:\windows\System32\Tasks\Drv Update
2015-03-30 16:13 - 2015-03-30 16:13 - 00003242 _____ () C:\windows\System32\Tasks\9A5A8340-6B15
2015-03-30 16:13 - 2015-03-30 16:13 - 00000000 ____D () C:\Users\USER\AppData\Roaming\Fixs
2015-03-30 16:13 - 2015-03-30 16:13 - 00000000 ____D () C:\Users\USER\AppData\Roaming\Crown
2015-03-24 11:02 - 2015-03-24 11:02 - 00000000 ____D () C:\Users\USER\AppData\Local\CUSTPDF Writer
2015-03-18 19:36 - 2015-03-18 19:36 - 03087360 _____ () C:\Users\USER\Desktop\I2M Overview Training - Status 13.07.11 (2).ppt
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-17 16:09 - 2009-07-14 07:13 - 00786558 _____ () C:\windows\system32\PerfStringBackup.INI
2015-04-17 16:08 - 2015-02-09 11:27 - 01934856 _____ () C:\windows\WindowsUpdate.log
2015-04-17 16:06 - 2015-02-10 15:00 - 00000000 ____D () C:\Users\USER\Tracing
2015-04-17 16:05 - 2009-07-14 07:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-04-17 16:05 - 2009-07-14 06:51 - 65000818 _____ () C:\windows\setupact.log
2015-04-17 15:50 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\system32\spool
2015-04-17 15:40 - 2015-03-12 10:22 - 00000000 ____D () C:\Users\USER\Documents\Perso
2015-04-17 15:14 - 2013-10-16 14:49 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-04-17 14:16 - 2013-10-03 12:09 - 00000248 _____ () C:\windows\system32\config\netlogon.ftl
2015-04-17 12:39 - 2013-10-03 14:03 - 00000000 ____D () C:\ProgramData\Symantec
2015-04-17 09:23 - 2009-07-14 06:45 - 00029696 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-17 09:23 - 2009-07-14 06:45 - 00029696 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-16 17:20 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\rescache
2015-04-16 10:10 - 2013-10-03 12:11 - 00014640 __RSH () C:\ProgramData\ntuser.pol
2015-04-16 09:09 - 2009-07-14 07:08 - 00032540 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2015-04-15 16:28 - 2013-10-03 13:53 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-04-15 16:28 - 2013-10-03 13:44 - 00770868 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2015-04-15 16:25 - 2009-07-14 04:34 - 00000478 _____ () C:\windows\win.ini
2015-04-13 08:59 - 2009-07-14 05:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2015-04-13 08:59 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\SysWOW64\GroupPolicy
2015-04-07 17:14 - 2015-02-25 18:25 - 00000000 ____D () C:\Users\USER\AppData\Roaming\Skype
2015-03-31 08:55 - 2010-11-21 05:47 - 00314142 _____ () C:\windows\PFRO.log
2015-03-20 16:18 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\LiveKernelReports
 
Some content of TEMP:
====================
C:\Users\USER\AppData\Local\Temp\SkypeSetup.exe
C:\Users\blx-jhss\AppData\Local\Temp\AtpTimerInfo.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-14 11:50
 
==================== End Of Log ============================
 
I have tried to uninstall the alarabeys but it doesn't work.
 
Is this a new Browser HiJacker ?

Edited by nasdaq, 21 April 2015 - 08:33 AM.
Bad links obfuscated.


BC AdBot (Login to Remove)

 


m

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 PM

Posted 21 April 2015 - 08:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.arabyonline.com/?src=1000
HKU\S-1-5-21-796845957-1303643608-1801674531-18866\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alarabeyes.com/
BHO: DigiAd Class -> {2ED35963-FCC9-4698-B619-787FE1C75079} -> C:\Users\USER\AppData\Roaming\VolIE\IE\AdSafe_64.dll [2015-03-30] ()
BHO-x32: DigiAd Class -> {2ED35963-FCC9-4698-B619-787FE1C75079} -> C:\Users\USER\AppData\Roaming\VolIE\IE\AdSafe_32.dll [2015-03-30] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
C:\Users\USER\AppData\Roaming\VolIE
C:\Users\blx-jhss\AppData\Local\Temp\AtpTimerInfo.dll

End
Save the files as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.



Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

#3 jslegers

jslegers
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:02 AM

Posted 23 April 2015 - 03:31 AM

Hello,

 

Thanks for the reply. The user will be back in May so it will have to wait. I will give a report on how it works. 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users