Combo fix log


  • This topic is locked
11 replies to this topic

#1 joyfulpixiegirl
  • Members
  • 6 posts

Posted 18 April 2015 - 09:58 AM

I followed the directions for installing and running ComboFix and now it is asking that an expert look at the log to analyze it. My sister works on computers and told me to run it to get rid of any virus after I used Malwarebytes, Spybot and Microsoft Essentials. None of these helped. So I do not know what virus I had. Thank you ahead of time for taking the time and your expertise to help me. It is much appreciated. Here is the log:

ComboFix 15-04-16.01 - Admin 04/18/2015   8:55.1.2 - x86 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1015.309 [GMT -5:00]
Running from: c:\users\Admin\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2015-03-18 to 2015-04-18  )))))))))))))))))))))))))))))))
.
.
2015-04-18 14:01 . 2015-04-18 14:01    --------    d-----w-    c:\users\User\AppData\Local\temp
2015-04-18 14:01 . 2015-04-18 14:01    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2015-04-18 14:01 . 2015-04-18 14:01    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-04-18 13:34 . 2015-04-18 13:34    --------    d-----w-    c:\users\Admin\AppData\Local\Mozilla
2015-04-18 13:21 . 2015-03-14 08:06    9119072    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1C78AA4-870B-49B8-89E0-0C4C71188DAD}\mpengine.dll
2015-04-17 22:05 . 2015-04-17 22:05    --------    d-----w-    C:\7dfa042dcaa4f622f837d6aa2c67
2015-04-17 22:01 . 2015-04-11 18:18    908832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1DE576B-64A9-4D39-8D48-8A93214A9379}\gapaengine.dll
2015-04-17 21:40 . 2015-04-17 21:42    --------    d-----w-    C:\016da9def16e57da540e
2015-04-11 18:21 . 2015-04-11 18:18    908832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2015-04-11 18:18 . 2015-03-14 08:06    9119072    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-04-11 18:13 . 2015-04-11 18:13    --------    d-----w-    c:\program files\Microsoft Security Client
2015-04-11 16:47 . 2015-04-11 17:52    --------    d-----w-    c:\users\Admin\AppData\Local\Adobe
2015-04-11 16:02 . 2013-09-20 15:49    18968    ----a-w-    c:\windows\system32\sdnclean.exe
2015-04-11 16:02 . 2015-04-11 16:07    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2015-04-11 13:48 . 2015-04-11 13:48    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2015-04-11 13:48 . 2015-03-17 11:15    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-04-11 13:48 . 2015-03-17 11:15    92888    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-04-11 13:48 . 2015-03-17 11:15    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-04-11 08:16 . 2015-04-11 08:16    --------    d-s---w-    c:\windows\system32\GWX
2015-04-10 06:12 . 2015-03-14 10:06    9119072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{77D83E83-4B08-4D3D-8C58-9C29BFCEB665}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-14 22:51 . 2014-01-08 02:51    778416    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-04-14 22:51 . 2014-01-08 02:51    142512    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2015-04-12 00:58 . 2014-01-08 03:01    119512    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2015-03-06 05:15 . 2015-03-17 16:45    137656    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2015-03-06 05:15 . 2015-03-17 16:45    67512    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2015-03-06 05:10 . 2015-03-17 16:44    172032    ----a-w-    c:\windows\system32\wdigest.dll
2015-03-06 05:10 . 2015-03-17 16:44    65536    ----a-w-    c:\windows\system32\TSpkg.dll
2015-03-06 05:10 . 2015-03-17 16:44    15872    ----a-w-    c:\windows\system32\sspisrv.dll
2015-03-06 05:10 . 2015-03-17 16:44    100352    ----a-w-    c:\windows\system32\sspicli.dll
2015-03-06 05:10 . 2015-03-17 16:45    248832    ----a-w-    c:\windows\system32\schannel.dll
2015-03-06 05:10 . 2015-03-17 16:44    22016    ----a-w-    c:\windows\system32\secur32.dll
2015-03-06 05:10 . 2015-03-17 16:44    259584    ----a-w-    c:\windows\system32\msv1_0.dll
2015-03-06 05:10 . 2015-03-17 16:44    221184    ----a-w-    c:\windows\system32\ncrypt.dll
2015-03-06 05:10 . 2015-03-17 16:45    1061376    ----a-w-    c:\windows\system32\lsasrv.dll
2015-03-06 05:10 . 2015-03-17 16:45    550912    ----a-w-    c:\windows\system32\kerberos.dll
2015-03-06 05:10 . 2015-03-17 16:44    17408    ----a-w-    c:\windows\system32\credssp.dll
2015-03-06 05:09 . 2015-03-17 16:44    22528    ----a-w-    c:\windows\system32\lsass.exe
2015-03-06 05:09 . 2015-03-17 16:44    50176    ----a-w-    c:\windows\system32\auditpol.exe
2015-03-06 05:07 . 2015-03-17 16:44    60416    ----a-w-    c:\windows\system32\msobjs.dll
2015-03-06 05:07 . 2015-03-17 16:44    146432    ----a-w-    c:\windows\system32\msaudite.dll
2015-03-06 05:06 . 2015-03-17 16:44    686080    ----a-w-    c:\windows\system32\adtschema.dll
2015-02-26 03:11 . 2015-03-17 16:45    2381312    ----a-w-    c:\windows\system32\win32k.sys
2015-02-24 09:23 . 2014-01-06 03:18    246920    ------w-    c:\windows\system32\MpSigStub.exe
2015-02-20 04:13 . 2015-03-17 16:45    26624    ----a-w-    c:\windows\system32\lpk.dll
2015-02-20 04:13 . 2015-03-17 16:45    70656    ----a-w-    c:\windows\system32\fontsub.dll
2015-02-20 04:13 . 2015-03-17 16:45    10240    ----a-w-    c:\windows\system32\dciman32.dll
2015-02-20 04:13 . 2015-03-17 16:45    34304    ----a-w-    c:\windows\system32\atmlib.dll
2015-02-20 03:09 . 2015-03-17 16:45    299008    ----a-w-    c:\windows\system32\atmfd.dll
2015-02-20 02:22 . 2015-03-17 16:45    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2015-02-20 02:22 . 2015-03-17 16:45    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2015-02-20 02:09 . 2015-03-17 16:45    503296    ----a-w-    c:\windows\system32\vbscript.dll
2015-02-20 02:08 . 2015-03-17 16:45    62464    ----a-w-    c:\windows\system32\iesetup.dll
2015-02-20 02:08 . 2015-03-17 16:45    47616    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2015-02-20 02:06 . 2015-03-17 16:45    64000    ----a-w-    c:\windows\system32\MshtmlDac.dll
2015-02-20 01:56 . 2015-03-17 16:45    115712    ----a-w-    c:\windows\system32\ieUnatt.exe
2015-02-20 01:56 . 2015-03-17 16:45    102912    ----a-w-    c:\windows\system32\ieetwcollector.exe
2015-02-20 01:56 . 2015-03-17 16:45    620032    ----a-w-    c:\windows\system32\jscript9diag.dll
2015-02-20 01:50 . 2015-03-17 16:45    667648    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2015-02-20 01:41 . 2015-03-17 16:45    60416    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2015-02-20 01:30 . 2015-03-17 16:45    4300288    ----a-w-    c:\windows\system32\jscript9.dll
2015-02-20 01:24 . 2015-03-17 16:45    2052608    ----a-w-    c:\windows\system32\inetcpl.cpl
2015-02-20 01:23 . 2015-03-17 16:45    1155072    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2015-02-20 01:01 . 2015-03-17 16:45    1888256    ----a-w-    c:\windows\system32\wininet.dll
2015-02-04 02:54 . 2015-03-17 16:42    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2015-02-03 03:16 . 2015-03-17 16:40    3973048    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2015-02-03 03:16 . 2015-03-17 16:40    3917760    ----a-w-    c:\windows\system32\ntoskrnl.exe
2015-02-03 03:16 . 2015-03-17 16:40    78784    ----a-w-    c:\windows\system32\drivers\mountmgr.sys
2015-02-03 03:12 . 2015-03-17 16:40    617984    ----a-w-    c:\windows\system32\wmdrmsdk.dll
2015-02-03 03:12 . 2015-03-17 16:40    179200    ----a-w-    c:\windows\system32\wintrust.dll
2015-02-03 03:12 . 2015-03-17 16:46    1230848    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2015-02-03 03:12 . 2015-03-17 16:46    171520    ----a-w-    c:\windows\system32\ubpm.dll
2015-02-03 03:12 . 2015-03-17 16:40    400896    ----a-w-    c:\windows\system32\srcore.dll
2015-02-03 03:12 . 2015-03-17 16:40    43008    ----a-w-    c:\windows\system32\srclient.dll
2015-02-03 03:12 . 2015-03-17 16:39    4096    ----a-w-    c:\windows\system32\msdxm.ocx
2015-02-03 03:12 . 2015-03-17 16:39    4096    ----a-w-    c:\windows\system32\dxmasf.dll
2015-02-03 03:12 . 2015-03-17 16:39    50176    ----a-w-    c:\windows\system32\setbcdlocale.dll
2015-02-03 03:12 . 2015-03-17 16:40    1329664    ----a-w-    c:\windows\system32\quartz.dll
2015-02-03 03:12 . 2015-03-17 16:40    519680    ----a-w-    c:\windows\system32\qdvd.dll
2015-02-03 03:12 . 2015-03-17 16:40    442880    ----a-w-    c:\windows\system32\AUDIOKSE.dll
2015-02-03 03:12 . 2015-03-17 16:40    157184    ----a-w-    c:\windows\system32\pcasvc.dll
2015-02-03 03:12 . 2015-03-17 16:40    28160    ----a-w-    c:\windows\system32\pcadm.dll
2015-02-03 03:12 . 2015-03-17 16:39    8192    ----a-w-    c:\windows\system32\spwmp.dll
2015-02-03 03:12 . 2015-03-17 16:40    504320    ----a-w-    c:\windows\system32\msscp.dll
2015-02-03 03:12 . 2015-03-17 16:40    265216    ----a-w-    c:\windows\system32\msnetobj.dll
2015-02-03 03:12 . 2015-03-17 16:39    10752    ----a-w-    c:\windows\system32\msmmsp.dll
2015-02-03 03:12 . 2015-03-17 16:40    3209728    ----a-w-    c:\windows\system32\mf.dll
2015-02-03 03:12 . 2015-03-17 16:40    354816    ----a-w-    c:\windows\system32\mfplat.dll
2015-02-03 03:12 . 2015-03-17 16:40    103424    ----a-w-    c:\windows\system32\mfps.dll
2015-02-03 03:12 . 2015-03-17 16:40    489984    ----a-w-    c:\windows\system32\evr.dll
2015-02-03 03:12 . 2015-03-17 16:39    275968    ----a-w-    c:\windows\system32\EncDump.dll
2015-02-03 03:12 . 2015-03-17 16:40    988160    ----a-w-    c:\windows\system32\drmv2clt.dll
2015-02-03 03:12 . 2015-03-17 16:40    406016    ----a-w-    c:\windows\system32\drmmgrtn.dll
2015-02-03 03:12 . 2015-03-17 16:40    1174528    ----a-w-    c:\windows\system32\crypt32.dll
2015-02-03 03:12 . 2015-03-17 16:40    1005056    ----a-w-    c:\windows\system32\cryptui.dll
2015-02-03 03:12 . 2015-03-17 16:40    81408    ----a-w-    c:\windows\system32\cryptsp.dll
2015-02-03 03:12 . 2015-03-17 16:40    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2015-02-03 03:12 . 2015-03-17 16:40    143872    ----a-w-    c:\windows\system32\cryptsvc.dll
2015-02-03 03:12 . 2015-03-17 16:39    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2015-02-03 03:12 . 2015-03-17 16:40    744960    ----a-w-    c:\windows\system32\blackbox.dll
2015-02-03 03:12 . 2015-03-17 16:40    475136    ----a-w-    c:\windows\system32\audiosrv.dll
2015-02-03 03:12 . 2015-03-17 16:40    27648    ----a-w-    c:\windows\system32\appidsvc.dll
2015-02-03 03:12 . 2015-03-17 16:40    374784    ----a-w-    c:\windows\system32\AudioEng.dll
2015-02-03 03:12 . 2015-03-17 16:40    50688    ----a-w-    c:\windows\system32\appidapi.dll
2015-02-03 03:12 . 2015-03-17 16:40    195584    ----a-w-    c:\windows\system32\AudioSes.dll
2015-02-03 03:12 . 2015-03-17 16:40    69632    ----a-w-    c:\windows\system32\smss.exe
2015-02-03 03:11 . 2015-03-17 16:40    262656    ----a-w-    c:\windows\system32\rstrui.exe
2015-02-03 03:11 . 2015-03-17 16:40    50176    ----a-w-    c:\windows\system32\rrinstaller.exe
2015-02-03 03:11 . 2015-03-17 16:40    9728    ----a-w-    c:\windows\system32\pcawrk.exe
2015-02-03 03:11 . 2015-03-17 16:39    8192    ----a-w-    c:\windows\system32\pcalua.exe
2015-02-03 03:11 . 2015-03-17 16:40    23040    ----a-w-    c:\windows\system32\mfpmp.exe
2015-02-03 03:11 . 2015-03-17 16:40    100864    ----a-w-    c:\windows\system32\audiodg.exe
2015-02-03 03:11 . 2015-03-17 16:40    96768    ----a-w-    c:\windows\system32\appidpolicyconverter.exe
2015-02-03 03:11 . 2015-03-17 16:39    16896    ----a-w-    c:\windows\system32\appidcertstorecheck.exe
2015-02-03 03:11 . 2015-03-17 16:39    12625408    ----a-w-    c:\windows\system32\wmploc.DLL
2015-02-03 03:10 . 2015-03-17 16:39    8704    ----a-w-    c:\windows\system32\pcaevts.dll
2015-02-03 03:09 . 2015-03-17 16:39    2048    ----a-w-    c:\windows\system32\mferror.dll
2015-02-03 03:08 . 2015-03-17 16:39    6656    ----a-w-    c:\windows\system32\apisetschema.dll
2015-02-03 03:00 . 2015-03-17 16:40    593920    ----a-w-    c:\windows\system32\drivers\PEAuth.sys
2015-02-03 02:26 . 2015-03-17 16:40    50176    ----a-w-    c:\windows\system32\drivers\appid.sys
2015-01-31 03:33 . 2015-03-17 16:46    2744320    ----a-w-    c:\windows\system32\rdpcorets.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-18 4431872]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-01-30 978520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2013-04-22 822504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2015-03-17 1871160]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-03-17 1080120]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-11-15 95408]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-06-24 1738168]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-06-27 2088408]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-04-25 171928]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2013-06-27 523944]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2015-02-20 102912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-03-17 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2015-04-12 119512]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-03-17 51928]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2015-01-30 284472]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfswin7.sys [2013-06-27 584872]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaywin7.sys [2013-06-27 197800]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirwin7.sys [2013-06-27 24232]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvolwin7.sys [2013-06-27 20136]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2013-06-27 207528]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [2011-03-15 10112]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2014-01-06 1343400]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 13120]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\DRIVERS\wisdpen.sys [2011-01-04 37232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-06 20:43    1061704    ----a-w-    c:\program files\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-04-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-01-08 22:51]
.
2015-04-11 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2015-04-11 16:52]
.
2015-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-01-08 23:59]
.
2015-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-01-08 23:59]
.
2015-04-11 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2015-04-11 15:41]
.
2015-04-11 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2015-04-11 15:42]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqb7inus.default\
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-04-18  09:03:32
ComboFix-quarantined-files.txt  2015-04-18 14:03
.
Pre-Run: 76,491,214,848 bytes free
Post-Run: 76,233,900,032 bytes free
.
- - End Of File - - 6698F4944CB9BAE83B723850EFC01505
A36C5E4F47E84449FF07ED3517B43A31
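
A small triage helper for the "Reg Loading Points" section of a ComboFix log like the one above. This is an added example, not ComboFix's own code and not something posted by anyone in this thread. It assumes the three line formats ComboFix prints for Run values, services/drivers and BootExecute, and it assumes a fixed list of "expected" binary locations (the Windows and Program Files trees); both are assumptions of this example. It only flags entries for manual verification, it does not decide that anything is malicious. The sample lines are copied from the log above, and the two flags it raises there are explained by the rest of the page: the bare "RtHDVCpl.exe" Run value resolves to C:\Windows\RtHDVCpl.exe in the FRST output later in the thread, and sdnclean.exe was created in the same minute as the Spybot - Search & Destroy 2 directory in the Files Created section. BootExecute is still worth checking every time, because anything appended there runs at boot before the user's session exists.

```python
"""Triage helper for the Run-key, service and BootExecute lines of a ComboFix log.

Added example (not ComboFix's own code). Flags, for manual review only:
  * a Run value given as a bare file name (resolved through PATH, not a full path)
  * a Run value or service binary outside the Windows / Program Files trees
  * any BootExecute entry beyond the default "autocheck autochk *"
"""
import re
from dataclasses import dataclass

# Sample lines copied from the ComboFix log posted above (constructed input for the demo).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-18 4431872]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-03-17 1080120]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [2011-03-15 10112]
'''

# Assumption: binaries under these roots are "expected"; anything else gets a second look.
# This is a coarse heuristic (c:\windows\temp is under c:\windows, for instance).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DEFAULT_BOOTEXECUTE = "autocheck autochk *"

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\S+) (?P<size>\d+)\]$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$')
BOOTEXEC_RE = re.compile(r'^BootExecute\s+REG_MULTI_SZ\s+(?P<value>.+)$')


@dataclass
class Finding:
    kind: str      # "run", "service" or "bootexecute"
    name: str
    path: str
    reason: str


def _outside_trusted(path: str) -> bool:
    p = path.lower()
    return not any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(text: str) -> list:
    """Parse ComboFix 'Reg Loading Points' lines and return entries to verify by hand."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            if "\\" not in path:
                findings.append(Finding("run", name, path, "bare file name, resolved via PATH"))
            elif _outside_trusted(path):
                findings.append(Finding("run", name, path, "binary outside Windows/Program Files"))
            continue
        m = SVC_RE.match(line)
        if m:
            if _outside_trusted(m["path"]):
                findings.append(Finding("service", m["name"], m["path"], "binary outside Windows/Program Files"))
            continue
        m = BOOTEXEC_RE.match(line)
        if m:
            # ComboFix prints the REG_MULTI_SZ separators as a literal backslash-zero.
            parts = [p for p in m["value"].split("\\0") if p]
            for extra in (p for p in parts if p != DEFAULT_BOOTEXECUTE):
                findings.append(Finding("bootexecute", "BootExecute", extra, "non-default BootExecute entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.name}: {f.path}  <- {f.reason}")
```

Run against the sample it reports exactly two items, RtHDVCpl.exe (bare name) and sdnclean.exe (BootExecute); to use it on a full log, pass the whole file's text to triage() and check each hit against the Files Created section and the Installed Programs list before drawing any conclusion.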

#2 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Location: Germany

Posted 18 April 2015 - 10:52 AM

Hi and welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours, please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

    I followed the directions for installing and running the combo fix ...

    Running from: c:\users\Admin\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
    SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
    SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

I don't think so...

Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. (Harm no one; rather, help everyone as much as you can.) Arthur Schopenhauer

#3 joyfulpixiegirl
  • Topic Starter
  • Members
  • 6 posts

Posted 18 April 2015 - 12:17 PM

Here is the Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 18-04-2015 01
Ran by Admin at 2015-04-18 12:10:42
Running from C:\Users\Admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Auslogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: version 3.2 - Auslogics Software Pty Ltd)
CCleaner (HKLM\...\CCleaner) (Version: 3.06 - Piriform)
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.1.4.1018 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.4.1018 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM\...\Office14.Click2Run) (Version: 14.0.6122.5000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.6137.5006 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.7.205.0 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (HKLM\...\Mozilla Firefox 26.0 (x86 en-US)) (Version: 26.0 - Mozilla)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - )
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Wise Disk Cleaner 6.32 (HKLM\...\Wise Disk Cleaner_is1) (Version:  - WiseCleaner.com, Inc.)
Wise Registry Cleaner 5.8.9 (HKLM\...\Wise Registry Cleaner_is1) (Version: 5.8.9 - ZhiQing Soft, Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

07-04-2015 17:08:12 Windows Update
11-04-2015 03:13:57 Windows Update
11-04-2015 12:41:44 Removed Adobe Reader XI (11.0.04).
11-04-2015 18:59:34 Windows Backup
11-04-2015 19:28:47 Removed Adobe Acrobat Reader DC.
14-04-2015 12:44:05 Windows Update
18-04-2015 11:01:05 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2014-01-07 22:22 - 00450660 ____R C:\Windows\system32\Drivers\etc\hosts
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com


Here is the FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-04-2015 01
Ran by Admin (administrator) on USER-PC on 18-04-2015 11:51:44
Running from C:\Users\Admin\Desktop
Loaded Profiles: User & Admin (Available profiles: User & Admin & Guest)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Google Inc.) C:\Program Files\Google\Update\Install\{23492510-6185-4857-978A-559372715440}\42.0.2311.90_chrome_installer.exe
(Google Inc.) C:\Windows\temp\CR_65950.tmp\setup.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(Microsoft Corporation) C:\Windows\System32\sdclt.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4431872 2007-04-18] (Realtek Semiconductor)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [978520 2015-01-30] (Microsoft Corporation)
HKU\S-1-5-21-3445521846-435950582-2971651481-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\ssText3d.scr [293888 2010-11-20] (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3445521846-435950582-2971651481-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3445521846-435950582-2971651481-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKU\S-1-5-21-3445521846-435950582-2971651481-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqb7inus.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL [2011-04-05] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)

Chrome:
=======
CHR DefaultSearchKeyword: Default -> google.com_
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-11]
CHR Extension: (Google Drive) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-11]
CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-11]
CHR Extension: (Google Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-11]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-11]
CHR Extension: (Google Wallet) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-11]
CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-11]
CHR HKLM\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - No Path Or update_url value
CHR HKLM\...\Chrome\Extension: [heoldelcflnigdllmlopiefhkkobendj] - No Path Or update_url value

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-03-17] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22184 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284472 2015-01-30] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [232312 2012-10-30] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-03-17] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2015-04-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-03-17] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [239224 2014-11-15] (Microsoft Corporation)
R1 MpKsl212c74cc; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A1C78AA4-870B-49B8-89E0-0C4C71188DAD}\MpKsl212c74cc.sys [39464 2015-04-18] (Microsoft Corporation)
R3 Sftfs; C:\Windows\System32\DRIVERS\Sftfswin7.sys [584872 2013-06-26] (Microsoft Corporation)
R3 Sftplay; C:\Windows\System32\DRIVERS\Sftplaywin7.sys [197800 2013-06-26] (Microsoft Corporation)
R3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirwin7.sys [24232 2013-06-26] (Microsoft Corporation)
R3 Sftvol; C:\Windows\System32\DRIVERS\Sftvolwin7.sys [20136 2013-06-26] (Microsoft Corporation)
R3 wisdpen; C:\Windows\System32\DRIVERS\wisdpen.sys [37232 2011-01-04] (Wacom Technology)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Admin\AppData\Local\Temp\catchme.sys [X]
U2 TMAgent; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-18 11:44 - 2015-04-18 12:01 - 00011117 _____ () C:\Users\Admin\Desktop\FRST.txt
2015-04-18 11:42 - 2015-04-18 11:52 - 00000000 ____D () C:\FRST
2015-04-18 11:40 - 2015-04-18 11:41 - 01137664 _____ (Farbar) C:\Users\Admin\Desktop\FRST.exe
2015-04-18 11:33 - 2015-04-18 11:33 - 01137664 _____ (Farbar) C:\Users\Admin\Downloads\FRST(1).exe
2015-04-18 11:31 - 2015-04-18 11:32 - 01137664 _____ (Farbar) C:\Users\Admin\Downloads\FRST.exe
2015-04-18 09:03 - 2015-04-18 09:03 - 00018864 _____ () C:\ComboFix.txt
2015-04-18 08:34 - 2015-04-18 08:34 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Mozilla
2015-04-18 08:34 - 2015-04-18 08:34 - 00000000 ____D () C:\Users\Admin\AppData\Local\Mozilla
2015-04-17 17:05 - 2015-04-17 17:05 - 00000000 ____D () C:\7dfa042dcaa4f622f837d6aa2c67
2015-04-17 16:40 - 2015-04-17 16:42 - 00000000 ____D () C:\016da9def16e57da540e
2015-04-11 19:43 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-11 19:43 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-11 19:43 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-11 19:43 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-11 19:43 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-11 19:43 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-11 19:43 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-11 19:43 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2015-04-11 19:42 - 2015-04-18 09:03 - 00000000 ____D () C:\Qoobox
2015-04-11 19:41 - 2015-04-18 09:01 - 00000000 ____D () C:\Windows\erdnt
2015-04-11 19:40 - 2015-04-18 08:35 - 05618696 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe
2015-04-11 19:22 - 2015-04-18 10:01 - 00001320 _____ () C:\Windows\PFRO.log
2015-04-11 13:13 - 2015-04-11 13:13 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-04-11 13:13 - 2015-04-11 13:13 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-04-11 13:08 - 2015-04-11 13:09 - 11530032 _____ (Microsoft Corporation) C:\Users\Admin\Downloads\mseinstall (2).exe
2015-04-11 13:00 - 2015-04-11 13:01 - 14160536 _____ (Microsoft Corporation) C:\Users\Admin\Downloads\MSEInstall (1).exe
2015-04-11 12:50 - 2015-04-11 12:50 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-04-11 12:50 - 2015-04-11 12:50 - 00002017 _____ () C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2015-04-11 12:49 - 2015-04-11 12:49 - 00000000 ____D () C:\Program Files\Adobe
2015-04-11 12:39 - 2015-04-18 12:02 - 00458712 _____ () C:\Windows\WindowsUpdate.log
2015-04-11 12:35 - 2015-04-18 10:01 - 00000560 _____ () C:\Windows\setupact.log
2015-04-11 12:35 - 2015-04-11 12:35 - 00000000 _____ () C:\Windows\setuperr.log
2015-04-11 11:47 - 2015-04-11 12:52 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe
2015-04-11 11:02 - 2015-04-11 11:07 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2015-04-11 11:02 - 2015-04-11 11:02 - 00002131 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-04-11 11:02 - 2015-04-11 11:02 - 00002119 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-04-11 11:02 - 2015-04-11 11:02 - 00000644 _____ () C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2015-04-11 11:02 - 2015-04-11 11:02 - 00000616 _____ () C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2015-04-11 11:02 - 2015-04-11 11:02 - 00000446 _____ () C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2015-04-11 11:02 - 2015-04-11 11:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-04-11 11:02 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-04-11 11:00 - 2015-04-11 11:01 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Admin\Downloads\spybot-2.4.exe
2015-04-11 10:56 - 2015-04-11 10:57 - 11530032 _____ (Microsoft Corporation) C:\Users\Admin\Downloads\mseinstall.exe
2015-04-11 10:45 - 2015-04-11 10:45 - 00001146 _____ () C:\Users\Admin\Desktop\Live PC Help.lnk
2015-04-11 08:48 - 2015-04-11 08:48 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-04-11 08:48 - 2015-04-11 08:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-11 08:48 - 2015-04-11 08:48 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-04-11 08:48 - 2015-03-17 06:15 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-04-11 08:48 - 2015-03-17 06:15 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-04-11 08:48 - 2015-03-17 06:15 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-04-11 08:45 - 2015-04-11 08:45 - 21540440 _____ (Malwarebytes Corporation ) C:\Users\User\Downloads\mbam-setup-2.1.4.1018.exe
2015-04-11 03:16 - 2015-04-11 03:16 - 00000000 ___SD () C:\Windows\system32\GWX

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-18 12:04 - 2014-01-08 18:59 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-18 11:58 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-04-18 11:49 - 2014-01-07 22:01 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2015-04-18 11:37 - 2014-01-07 21:51 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-18 11:29 - 2014-01-08 18:59 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-18 11:21 - 2010-11-20 16:01 - 00774870 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-18 10:54 - 2009-07-13 23:34 - 00028352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-18 10:54 - 2009-07-13 23:34 - 00028352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-18 10:01 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-18 09:33 - 2014-01-08 18:11 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-04-18 09:03 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
2015-04-18 09:01 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2015-04-17 17:07 - 2014-01-07 22:18 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-04-14 17:51 - 2014-01-07 21:51 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-04-14 17:51 - 2014-01-07 21:51 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-04-11 13:19 - 2014-01-07 22:10 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-04-11 12:50 - 2014-01-07 21:54 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2015-04-11 12:49 - 2014-01-07 21:53 - 00000000 ____D () C:\ProgramData\Adobe
2015-04-11 11:47 - 2014-01-09 16:36 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe
2015-04-11 09:46 - 2014-08-11 12:49 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\systweak
2015-04-11 09:46 - 2014-08-11 12:49 - 00000000 ____D () C:\ProgramData\Systweak
2015-04-11 08:48 - 2014-01-07 22:01 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-10 02:14 - 2014-01-08 19:00 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-28 17:58 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2015-03-24 15:31 - 2015-01-23 17:44 - 00000000 ____D () C:\Users\User\AppData\Roaming\Tuneup Pro

==================== Files in the root of some directories =======

2014-03-31 15:16 - 2014-03-31 15:16 - 6000640 _____ () C:\Program Files\GUT8676.tmp
2014-01-25 08:32 - 2014-01-25 08:32 - 0000036 _____ () C:\Users\Admin\AppData\Local\housecall.guid.cache
2014-12-25 18:24 - 2014-12-25 18:24 - 0000000 _____ () C:\Users\Admin\AppData\Local\{CC00B8B9-E1FC-4CFD-AD09-4D0337F70663}

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-10 02:34

==================== End Of Log ============================



#4 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:07:57 AM

Posted 18 April 2015 - 12:28 PM

Hi, the Addition.txt isn't complete. Please re-post this log. Furthermore, is there anything like strange symptoms or alarms from your antivirus program that makes you fear you're infected?
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#5 joyfulpixiegirl

joyfulpixiegirl
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 18 April 2015 - 12:41 PM

Sorry about not getting the whole Addition.txt.  Here it is:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 18-04-2015 01
Ran by Admin at 2015-04-18 12:10:42
Running from C:\Users\Admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Auslogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: version 3.2 - Auslogics Software Pty Ltd)
CCleaner (HKLM\...\CCleaner) (Version: 3.06 - Piriform)
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.1.4.1018 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.4.1018 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM\...\Office14.Click2Run) (Version: 14.0.6122.5000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.6137.5006 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.7.205.0 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (HKLM\...\Mozilla Firefox 26.0 (x86 en-US)) (Version: 26.0 - Mozilla)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - )
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Wise Disk Cleaner 6.32 (HKLM\...\Wise Disk Cleaner_is1) (Version:  - WiseCleaner.com, Inc.)
Wise Registry Cleaner 5.8.9 (HKLM\...\Wise Registry Cleaner_is1) (Version: 5.8.9 - ZhiQing Soft, Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

07-04-2015 17:08:12 Windows Update
11-04-2015 03:13:57 Windows Update
11-04-2015 12:41:44 Removed Adobe Reader XI (11.0.04).
11-04-2015 18:59:34 Windows Backup
11-04-2015 19:28:47 Removed Adobe Acrobat Reader DC.
14-04-2015 12:44:05 Windows Update
18-04-2015 11:01:05 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2014-01-07 22:22 - 00450660 ____R C:\Windows\system32\Drivers\etc\hosts

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {15437C31-1FB3-4803-ACB2-AF1D6238407F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-08] (Google Inc.)
Task: {3E5A324E-2001-4FA4-A58D-82589B4CFB64} - System32\Tasks\TitaniumInstaller => D:\setup.exe
Task: {642AEE5B-E16C-4996-B702-DB645E6E6B29} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-24] (Microsoft Corporation)
Task: {8FD94423-42DF-4431-9B99-D60A8DF7E25C} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {982D6D38-C082-45D4-88AC-550E262826EF} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {9D59373D-2E02-49C4-8684-983D6D938841} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {9DA69851-0352-41B3-A3E9-A35ADE393419} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-14] (Adobe Systems Incorporated)
Task: {AC92527B-3ABF-4C31-8449-367D1B893C1F} - \Advanced-System Protector_startup No Task File <==== ATTENTION
Task: {BFB95AA7-922D-4B48-9771-F9530500893B} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {CF661A58-D99E-4DF6-BC90-328E5C1C0B67} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-08] (Google Inc.)
Task: {E1C53CDB-91F1-445A-A3FC-0215FFB0F923} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-03-07] (Adobe Systems Incorporated)
Task: {F71DD6BB-9DD1-4898-BF39-5E6C5E165779} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe

==================== Loaded Modules (whitelisted) ==============

2015-04-11 11:02 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-04-11 11:02 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2015-04-11 11:02 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-04-11 11:02 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2015-04-11 11:02 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2014-01-08 18:11 - 2013-12-05 14:36 - 03559024 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3445521846-435950582-2971651481-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\User\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-3445521846-435950582-2971651481-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Admin (S-1-5-21-3445521846-435950582-2971651481-1001 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3445521846-435950582-2971651481-500 - Administrator - Disabled)
Guest (S-1-5-21-3445521846-435950582-2971651481-501 - Limited - Enabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-3445521846-435950582-2971651481-1003 - Limited - Enabled)
User (S-1-5-21-3445521846-435950582-2971651481-1000 - Limited - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

Name: Mass Storage Controller
Description: Mass Storage Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/18/2015 11:50:57 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST.exe version 18.4.2015.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 53c

Start Time: 01d079f69f6a9493

Termination Time: 738

Application Path: C:\Users\Admin\Desktop\FRST.exe

Report Id: 981e826e-e5ea-11e4-ae9f-0015b79a9f57

Error: (04/18/2015 10:02:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/18/2015 08:53:20 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).

Error: (04/18/2015 08:53:19 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.


Operation:
   Instantiating VSS server

Error: (04/18/2015 08:53:19 AM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]


Operation:
   Instantiating VSS server

Error: (04/18/2015 08:51:43 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/18/2015 08:51:43 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/18/2015 08:22:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/18/2015 08:05:35 AM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Error: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.
 ErrorCode: 14007(0x36b7).

Error: (04/17/2015 05:05:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/18/2015 10:49:12 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (04/18/2015 10:05:33 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (04/18/2015 09:03:44 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:02:22 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:01:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:01:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:01:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:01:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:01:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (04/18/2015 09:01:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (04/18/2015 11:50:57 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: FRST.exe18.4.2015.153c01d079f69f6a9493738C:\Users\Admin\Desktop\FRST.exe981e826e-e5ea-11e4-ae9f-0015b79a9f57

Error: (04/18/2015 10:02:30 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/18/2015 08:53:20 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\wbem\wmiprvse.exeComboFix created restore point0x8007043c

Error: (04/18/2015 08:53:19 AM) (Source: VSS) (EventID: 8193) (User: )
Description: CoCreateInstance0x8007043c, This service cannot be started in Safe Mode


Operation:
   Instantiating VSS server

Error: (04/18/2015 08:53:19 AM) (Source: VSS) (EventID: 18) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, This service cannot be started in Safe Mode


Operation:
   Instantiating VSS server

Error: (04/18/2015 08:51:43 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\Admin\Downloads\HitmanPro_x64 (1).exe

Error: (04/18/2015 08:51:43 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Users\Admin\Downloads\HitmanPro_x64.exe

Error: (04/18/2015 08:22:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/18/2015 08:05:35 AM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Error: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.
 ErrorCode: 14007(0x36b7).

Error: (04/17/2015 05:05:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of memory in use: 76%
Total physical RAM: 1015.18 MB
Available physical RAM: 236.06 MB
Total Pagefile: 2585.36 MB
Available Pagefile: 782.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1899.19 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:93.06 GB) (Free:69.88 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 93.2 GB) (Disk ID: DC156221)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=93.1 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#6 joyfulpixiegirl

joyfulpixiegirl
  • Topic Starter

  • Members
  • 6 posts

Posted 18 April 2015 - 12:46 PM

I forgot to answer your other questions about my anti-virus. No, I am not getting any alarms or messages that would make me think I was infected. My computer is just running really, really slow. I think there may be hidden programs or something running in the background. I'm really not sure. Thanks so much for your help!



#7 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 18 April 2015 - 01:06 PM

Thanks for letting me know. Total physical RAM: 1015.18 MB; that's the minimum.
 
Let's run ESET to see what it turns up:
 

Step 1

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
    [screenshot of the scan settings]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish.
  • A log file is created at [screenshot of the log file path].
    Copy and paste the content of this log file in your next reply.
    [screenshot of an ESET log]
Note: Do not forget to re-enable your antivirus application after running the above scan!

Edited by deeprybka, 18 April 2015 - 01:06 PM.

regards,
deeprybka
Harm no one; rather, help everyone as much as you can. Arthur Schopenhauer

#8 joyfulpixiegirl

joyfulpixiegirl
  • Topic Starter

  • Members
  • 6 posts

Posted 18 April 2015 - 05:08 PM

This is the log from eset:

 

C:\Users\Admin\Downloads\tall_110805441681235987.exe Win32/Systweak.K potentially unwanted application deleted - quarantined

C:\Users\Admin\Downloads\tall_110805441962026657.exe Win32/Systweak.K potentially unwanted application deleted - quarantined

C:\Users\User\AppData\Roaming\Tuneup Pro\productSetup_Setup_2_25_2015.exe Win32/Systweak.K potentially unwanted application deleted - quarantined

C:\Users\User\AppData\Roaming\Tuneup Pro\productSetup_Setup_3_5_2015.exe Win32/Systweak.K potentially unwanted application deleted - quarantined

 

Do I check the box that says delete quarantined files?



#9 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 19 April 2015 - 04:56 AM

Do I check the box that says delete quarantined files?


No. Could you please post the ESET log as instructed?
regards,
deeprybka

#10 joyfulpixiegirl

joyfulpixiegirl
  • Topic Starter

  • Members
  • 6 posts

Posted 19 April 2015 - 08:25 AM

I can't find the log. I thought I saved it. But I searched my computer and it's not there. I don't remember if I quarantined the files either. I don't think I did. But I did say to uninstall after it was fixed. I couldn't leave the message on the screen since this is my boyfriend's computer and he needed to use it. Should I run the scan again? It only had four items on it and I think most of them had "windows" in them. I know we are in different time zones so it makes it difficult to keep in touch at certain times of the day. I do appreciate your help very much and the computer speed has picked up. So do you want me to run ESET again? Thanks!



#11 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 19 April 2015 - 10:18 AM

Anyway! In my opinion your issue isn't related to malware.
regards,
deeprybka

#12 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 20 April 2015 - 04:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka



