
Started with Omiga.plus, now also pop-ups, sideads and redirects (ActiveCoupon)

5 replies to this topic

#1 Swayze

  • Members
  • 3 posts

Posted 07 May 2015 - 12:41 PM

Hello there! At first, my laptop caught Omiga.plus, and I suspect the internet guide which I used to remove it might be shady and brought even more malware to my system. Right now, Omiga seems to be gone (not sure though), but now I have tons of side-ads, pop-ups and redirects on every site except FB, YT, gmail and similar (happening on Google Chrome and Firefox. Didn't use IE, but I suspect the same thing). Not sure what the specific names of those malwares are; maybe the names ActiveCoupon and Ads by Lyric appearing on the redirect will help with identifying the issue.

Attached File: Addition.txt

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2015 01
Ran by Michał (administrator) on YOSSARIAN on 07-05-2015 19:10:46
Running from C:\Users\Michał\Downloads
Loaded Profiles: Michał (Available profiles: UpdatusUser & Michał & Michal)
Platform: Windows 8.1 (X64) OS Language: Polski (Polska)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\InputMethod\JPN\JpnIME.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files\Realtek\Audio\HDA\FMAPP.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Akamai Technologies, Inc.) C:\Users\Michał\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\Michał\AppData\Local\Akamai\netsession_win.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12921488 2012-09-14] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1214608 2012-09-14] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] => C:\WINDOWS\system32\hkcmd.exe
HKLM\...\Run: [Persistence] => C:\WINDOWS\system32\igfxpers.exe
HKLM\...\Run: [SynLenovoGestureMgr] => C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe [656896 2012-09-20] (Synaptics)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe [4196432 2012-08-10] (Lenovo)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17080376 2013-01-16] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [191544 2013-01-16] (Lenovo(beijing) Limited)
HKLM\...\Run: [Nvtmru] => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1012000 2013-05-16] (NVIDIA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2874168 2012-09-17] (Synaptics Incorporated)
HKLM-x32\...\Run: [331BigDog] => C:\Program Files (x86)\USB Camera\VM331STI.EXE [548864 2012-05-02] (Vimicro)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [277504 2012-08-16] (Intel Corporation)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [508656 2012-07-25] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2012-07-27] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167024 2012-07-27] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [217088 2012-04-18] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ComodoFSChrome] => "C:\Program Files (x86)\AdTrustMedia\PrivDog\FinalizeSetup.exe" /c
HKLM-x32\...\Run: [PrivDogService] => C:\Program Files (x86)\AdTrustMedia\PrivDog\2.2.0.14\trustedadssvc.exe [662184 2014-06-17] (AdTrustMedia)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2015-02-10] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-743600532-1301776689-3942748706-1002\...\Run: [Steam] => C:\Gry\Steam\Steam.exe [2889408 2015-05-01] (Valve Corporation)
HKU\S-1-5-21-743600532-1301776689-3942748706-1002\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3675352 2013-10-28] (Disc Soft Ltd)
HKU\S-1-5-21-743600532-1301776689-3942748706-1002\...\Run: [Akamai NetSession Interface] => C:\Users\Michał\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
HKU\S-1-5-21-743600532-1301776689-3942748706-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-02-10] (Piriform Ltd)
AppInit_DLLs: C:\WINDOWS\system32\nvinitx.dll => C:\WINDOWS\system32\nvinitx.dll [184048 2013-12-26] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\WINDOWS\SysWOW64\nvinit.dll => C:\WINDOWS\SysWOW64\nvinit.dll [156256 2013-12-26] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2013-01-16]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Michał\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\House of Cards 2013 S02 720p BluRay x264-DEMAND.lnk [2015-02-10]
ShortcutTarget: House of Cards 2013 S02 720p BluRay x264-DEMAND.lnk -> C:\ProgramData\{ad0b1f6b-4853-bdff-ad0b-b1f6b4857dad}\House of Cards 2013 S02 720p BluRay x264-DEMAND.exe (No File)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll [2012-05-14] (SugarSync, Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
HKU\S-1-5-21-743600532-1301776689-3942748706-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-743600532-1301776689-3942748706-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\Michał\AppData\Roaming\Mozilla\Firefox\Profiles\1277vvo5.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-14] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-14] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @ngm.nexoneu.com/NxGame -> C:\ProgramData\NexonEU\NGM\npnxgameEU.dll [2014-12-10] (Nexon)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2013-08-14] (Pando Networks)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> C:\Gry\Perfect World Entertainment\Arc\Plugins\npArcPluginFF.dll [2014-10-21] (Perfect World Entertainment Inc)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll [2013-11-24] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll [2013-11-24] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-743600532-1301776689-3942748706-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Michał\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2013-11-09] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-743600532-1301776689-3942748706-1002: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2013-08-14] (Pando Networks)
FF Extension: United States English Spellchecker - C:\Users\Michał\AppData\Roaming\Mozilla\Firefox\Profiles\1277vvo5.default\Extensions\en-US@dictionaries.addons.mozilla.org [2013-09-12]
FF Extension: jid05q424C3HVeyE2T4d9bkO7CpXNjUjetpack - C:\Users\Michał\AppData\Roaming\Mozilla\Firefox\Profiles\1277vvo5.default\Extensions\jid0-5q424C3HVeyE2T4d9bkO7CpXNjU@jetpack [2015-04-01]
FF Extension: jid14vUehhSALFNqCwjetpack - C:\Users\Michał\AppData\Roaming\Mozilla\Firefox\Profiles\1277vvo5.default\Extensions\jid1-4vUehhSALFNqCw@jetpack [2015-04-02]
FF HKU\S-1-5-21-743600532-1301776689-3942748706-1002\...\Firefox\Extensions: [PrivDog@AdTrustMedia.com] - C:\Users\Michał\AppData\Roaming\Mozilla\Firefox\Profiles\1277vvo5.default\extensions
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox\firefox.exe
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Michał\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM-x32\...\Chrome\Extension: [cmaiofennmphjldldcpphcechfnnohja] - C:\Program Files (x86)\AdTrustMedia\PrivDog\PrivDog_chrome.crx [2014-05-23]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ArcService; C:\Gry\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-10-21] (Perfect World Entertainment Inc)
S2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2252504 2013-09-04] (Broadcom Corporation.)
S3 BRSptStub; C:\ProgramData\BitRaider\BRSptStub.exe [363208 2015-05-04] (BitRaider, LLC)
S4 BRSptSvc; C:\ProgramData\BitRaider\BRSptSvc.exe [477960 2014-01-11] (BitRaider, LLC)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2015-03-11] (Microsoft Corporation)
S4 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [957816 2012-10-21] (Broadcom Corporation.)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2015-03-12] (COMODO)
R3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265304 2015-03-12] (COMODO)
R2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2370240 2014-11-27] (Comodo Security Solutions, Inc.)
S4 IAStorDataMgrSvc; C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [7168 2012-08-16] (Intel Corporation) [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S4 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272176 2012-07-18] ()
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2015-02-10] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2015-02-10] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2015-02-10] (Safer-Networking Ltd.)
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1026432 2015-04-21] (Enigma Software Group USA, LLC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-03-11] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-03-11] (Microsoft Corporation)
S4 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2699568 2012-07-18] (Intel® Corporation)
S4 Util WebConnect; "C:\Program Files (x86)\WebConnect\bin\utilWebConnect.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2013-09-04] (Broadcom Corporation.)
S3 BRDriver64; C:\ProgramData\BitRaider\BRDriver64.sys [75048 2013-09-06] (BitRaider)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-09-24] (Microsoft Corporation)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20184 2015-01-30] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [807568 2015-01-30] (COMODO)
R1 cmdhlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [35080 2015-01-30] (COMODO)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2013-11-22] (Disc Soft Ltd)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2015-04-21] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-04-21] ()
R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [126208 2015-01-30] (COMODO)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [136408 2015-05-05] (Malwarebytes Corporation)
R3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3344352 2013-07-08] (Intel Corporation)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-09-17] (Synaptics Incorporated)
R3 usb3Hub; C:\Windows\System32\drivers\usb3Hub.sys [47072 2012-10-09] (Windows ® Win 7 DDK provider)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [975104 2012-08-24] (Vimicro Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-03-11] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
R3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188896 2012-10-09] (Windows ® Win 7 DDK provider)
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 EagleX64; \??\C:\WINDOWS\system32\drivers\EagleX64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-07 19:10 - 2015-05-07 19:11 - 00018730 _____ () C:\Users\Michał\Downloads\FRST.txt
2015-05-07 19:10 - 2015-05-07 19:10 - 00000000 ____D () C:\FRST
2015-05-07 19:09 - 2015-05-07 19:09 - 02102272 _____ (Farbar) C:\Users\Michał\Downloads\FRST64.exe
2015-05-07 18:24 - 2015-05-07 18:24 - 00000020 _____ () C:\Users\Michał\AppData\Roaming\appdataFr3.bin
2015-04-28 19:55 - 2015-04-28 19:55 - 11699712 _____ () C:\Users\Michał\Downloads\Święto 3 Maja.ppt
2015-04-22 00:48 - 2015-05-05 00:48 - 00136408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-04-22 00:47 - 2015-04-22 23:17 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-04-22 00:47 - 2015-04-22 23:17 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-04-22 00:47 - 2015-04-22 23:17 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-04-22 00:47 - 2015-04-22 23:17 - 00001125 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-04-22 00:47 - 2015-04-22 23:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-22 00:47 - 2015-04-22 23:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-04-22 00:47 - 2015-04-22 00:47 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-22 00:42 - 2015-04-22 00:43 - 21540440 _____ (Malwarebytes Corporation ) C:\Users\Michał\Downloads\mbam-setup-2.1.4.1018.exe
2015-04-21 20:21 - 2015-04-21 20:22 - 02556202 _____ () C:\sh4_service.log
2015-04-21 20:09 - 2015-04-21 18:16 - 00025472 _____ () C:\WINDOWS\system32\sh4native.exe
2015-04-21 18:17 - 2015-04-21 18:17 - 00003332 _____ () C:\WINDOWS\System32\Tasks\SpyHunter4Startup
2015-04-21 18:17 - 2015-04-21 18:17 - 00000000 ____D () C:\Users\Michał\AppData\Roaming\Enigma Software Group
2015-04-21 18:17 - 2015-04-21 18:17 - 00000000 _____ () C:\autoexec.bat
2015-04-21 18:16 - 2015-04-21 18:16 - 03109248 _____ (Enigma Software Group USA, LLC.) C:\Users\Michał\Downloads\sh-remover.exe
2015-04-21 18:16 - 2015-04-21 18:16 - 00022704 _____ () C:\WINDOWS\system32\Drivers\EsgScanner.sys
2015-04-21 18:16 - 2015-04-21 18:16 - 00000000 ____D () C:\sh4ldr
2015-04-21 18:16 - 2015-04-21 18:16 - 00000000 ____D () C:\Program Files\Enigma Software Group
2015-04-21 17:44 - 2015-04-21 17:44 - 00753184 _____ () C:\Users\Michał\Downloads\Adware-Removal-Tool-v3.9.1 (4).exe
2015-04-21 00:17 - 2015-04-21 17:58 - 00002377 _____ () C:\Users\Michał\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2015-04-20 23:53 - 2015-04-20 23:53 - 00753184 _____ () C:\Users\Michał\Downloads\Adware-Removal-Tool-v3.9.1 (3).exe
2015-04-20 23:49 - 2015-04-22 01:35 - 00000000 ____D () C:\Program Files (x86)\Twitch Stream
2015-04-20 23:48 - 2015-04-22 01:35 - 00000000 ____D () C:\Program Files (x86)\QuickuVieewer
2015-04-20 23:48 - 2015-04-20 23:49 - 00000000 ____D () C:\ProgramData\2824009466264387978
2015-04-17 04:34 - 2015-04-16 18:52 - 00792056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-04-17 04:34 - 2015-04-16 18:52 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-17 04:32 - 2015-05-03 13:00 - 00049062 _____ () C:\WINDOWS\PFRO.log
2015-04-17 04:29 - 2015-04-17 04:29 - 00000000 ____D () C:\WINDOWS\system32\appraiser
2015-04-14 22:42 - 2015-04-14 22:42 - 07476032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-04-14 22:42 - 2015-04-14 22:42 - 01733952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 01498872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00950784 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00411648 _____ (Microsoft Corporation) C:\WINDOWS\system32\tracerpt.exe
2015-04-14 22:42 - 2015-04-14 22:42 - 00369152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tracerpt.exe
2015-04-14 22:42 - 2015-04-14 22:42 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\system32\sechost.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00257216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sechost.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00246272 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2015-04-14 22:42 - 2015-04-14 22:42 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 24980480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 19695616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 14397440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 12825600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 06025216 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 04305408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 02358784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 01385256 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 01124352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00991552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2015-04-14 22:41 - 2015-04-14 22:41 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00780800 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsm.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-04-14 22:41 - 2015-04-14 22:41 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00377152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
2015-04-14 22:41 - 2015-04-14 22:41 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll
2015-04-14 22:41 - 2015-04-14 22:41 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 03678720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 02373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00891392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\pku2u.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pku2u.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00133256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-04-14 22:39 - 2015-04-14 22:39 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-04-14 22:39 - 2015-04-14 22:39 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-04-14 22:39 - 2015-04-14 22:39 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2015-04-14 22:39 - 2015-04-14 22:39 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 01111552 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00769024 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00419328 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00192000 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2015-04-14 22:38 - 2015-04-14 22:38 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-04-11 18:14 - 2015-04-11 18:14 - 00000000 ____D () C:\Users\Michał\Documents\efile-backup
2015-04-11 17:32 - 2015-04-11 17:32 - 00003986 _____ () C:\WINDOWS\System32\Tasks\e-pity2015_styczen
2015-04-11 17:32 - 2015-04-11 17:32 - 00003986 _____ () C:\WINDOWS\System32\Tasks\e-pity2015_kwiecien
2015-04-11 17:32 - 2015-04-11 17:32 - 00001208 _____ () C:\Users\Michał\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\e-pity 2014 - program, pity roczne, e-deklaracje.lnk
2015-04-11 17:32 - 2015-04-11 17:32 - 00001178 _____ () C:\Users\Michał\Desktop\e-pity 2014 - program, pity roczne, e-deklaracje.lnk
2015-04-11 17:32 - 2015-04-11 17:32 - 00000000 ____D () C:\Users\Michał\AppData\Roaming\com.efile.epity2014
2015-04-11 17:31 - 2015-04-11 17:31 - 23718648 _____ (e-file sp. z o.o. ) C:\Users\Michał\Downloads\setup_e-pity2014.exe
2015-04-11 12:42 - 2015-04-11 12:42 - 08882669 _____ ( ) C:\Users\Michał\Downloads\DLLEscort_Setup.exe
2015-04-11 12:36 - 2015-04-11 12:37 - 00000000 ____D () C:\Users\Michał\Downloads\boko208
2015-04-10 19:21 - 2015-04-10 19:23 - 00000000 ___SD () C:\WINDOWS\system32\GWX
2015-04-10 19:21 - 2015-04-10 19:21 - 00000000 ___SD () C:\WINDOWS\SysWOW64\GWX
2015-04-10 18:46 - 2015-04-10 19:31 - 433407174 _____ () C:\Users\Michał\Downloads\boko208.zip
2015-04-10 18:42 - 2015-04-10 18:44 - 00000112 _____ () C:\Users\Michał\Downloads\RPGVXAce_RTP.zip
2015-04-10 18:12 - 2015-04-10 18:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RPG MAKER VX Ace Lite
2015-04-10 18:11 - 2015-04-10 18:44 - 00000000 ____D () C:\Program Files (x86)\Enterbrain
2015-04-10 18:06 - 2015-04-10 18:07 - 106966048 _____ (Enterbrain ) C:\Users\Michał\Downloads\RPGMaker_Lite.exe
2015-04-09 20:20 - 2015-04-09 20:27 - 118374782 _____ () C:\Users\Michał\Downloads\20141013 Ultimate Fighting Girl Extra Match - Head Scissors (MMD Mixed Fighting) (1).zip
2015-04-09 02:04 - 2015-04-09 02:20 - 118374782 _____ () C:\Users\Michał\Downloads\20141013 Ultimate Fighting Girl Extra Match - Head Scissors (MMD Mixed Fighting).zip
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-07 19:10 - 2014-05-23 17:40 - 00207634 _____ () C:\WINDOWS\system32\Drivers\fvstore.dat
2015-05-07 19:07 - 2015-02-10 21:19 - 01274587 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-07 19:04 - 2014-01-09 11:37 - 01474832 _____ () C:\WINDOWS\system32\Drivers\sfi.dat
2015-05-07 19:00 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-05-07 18:35 - 2013-10-11 08:20 - 00001068 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-07 18:17 - 2015-02-10 23:06 - 00000930 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-05-07 18:00 - 2014-01-09 11:44 - 00000000 ____D () C:\Comodo Diary
2015-05-07 17:36 - 2013-08-14 19:02 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-743600532-1301776689-3942748706-1002
2015-05-07 17:31 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-05-07 17:03 - 2014-11-08 05:07 - 00000000 ___RD () C:\Users\Michał\OneDrive
2015-05-07 17:02 - 2013-10-11 08:20 - 00001064 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-07 06:36 - 2014-11-07 04:03 - 00000000 ____D () C:\Users\Michał
2015-05-04 20:55 - 2013-09-14 21:12 - 00000000 ____D () C:\Users\Michał\AppData\Roaming\vlc
2015-05-04 20:04 - 2015-02-12 19:03 - 00009403 _____ () C:\WINDOWS\setupact.log
2015-05-04 18:01 - 2013-08-23 16:40 - 00000000 ____D () C:\ProgramData\BitRaider
2015-05-04 17:52 - 2013-09-04 23:28 - 00000000 ____D () C:\Users\Michał\AppData\Roaming\Azureus
2015-05-03 13:05 - 2013-10-11 08:20 - 00002220 ____H () C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-03 13:01 - 2013-08-22 16:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-04-28 19:56 - 2014-09-24 17:08 - 02167336 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-04-28 19:56 - 2014-09-24 16:35 - 01056536 _____ () C:\WINDOWS\system32\perfh015.dat
2015-04-28 19:56 - 2014-09-24 16:35 - 00250142 _____ () C:\WINDOWS\system32\perfc015.dat
2015-04-22 01:37 - 2013-08-22 15:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-04-22 01:02 - 2014-09-09 22:11 - 00000000 ____D () C:\Users\Michał\Desktop\Gierki
2015-04-21 20:21 - 2015-02-10 00:01 - 00000000 ____D () C:\Program Files (x86)\bf5e44bc-23c7-4c44-a8bd-cceb5d547848
2015-04-21 20:21 - 2015-02-09 23:59 - 00000000 ____D () C:\Program Files (x86)\b277c0e7-e685-4428-ac27-1948735e6170
2015-04-21 20:21 - 2014-05-23 17:40 - 00000000 ____D () C:\Program Files (x86)\AdTrustMedia
2015-04-21 20:21 - 2013-12-25 12:58 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-04-21 20:19 - 2015-02-10 04:29 - 00000000 ____D () C:\ProgramData\{ad0b1f6b-4853-bdff-ad0b-b1f6b4857dad}
2015-04-21 19:06 - 2015-04-02 00:06 - 00000004 _____ () C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-04-21 17:45 - 2015-02-11 04:07 - 00290304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\subinacl.exe
2015-04-17 08:04 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\rescache
2015-04-17 07:26 - 2013-08-22 17:36 - 00000000 ____D () C:\WINDOWS\AppCompat
2015-04-17 04:29 - 2014-09-24 18:37 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
2015-04-16 22:59 - 2013-08-15 10:28 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-04-16 22:47 - 2013-08-15 10:28 - 128913832 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-04-16 22:47 - 2012-07-26 09:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-04-14 22:38 - 2014-11-12 13:01 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaext.dll
2015-04-14 19:17 - 2015-02-10 23:06 - 00003818 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-04-11 17:32 - 2014-04-30 19:42 - 00000000 ____D () C:\Users\Michał\Documents\efile
2015-04-11 17:32 - 2014-04-30 19:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\e-pity
2015-04-11 17:32 - 2014-04-30 19:42 - 00000000 ____D () C:\Program Files (x86)\e-file
 
==================== Files in the root of some directories =======
 
2015-05-07 18:24 - 2015-05-07 18:24 - 0000020 _____ () C:\Users\Michał\AppData\Roaming\appdataFr3.bin
2015-03-31 10:14 - 2015-03-31 10:14 - 0005655 _____ () C:\Users\Michał\AppData\Roaming\FJ4MCAUT9jMELX7QTC28
2015-03-31 10:14 - 2015-03-31 10:14 - 0005655 _____ () C:\Users\Michał\AppData\Roaming\ILrqlqx0m2
2015-03-31 10:14 - 2015-03-31 10:14 - 0004387 _____ () C:\Users\Michał\AppData\Roaming\j1fnv8n4PItdxqwfnFm
2015-03-31 10:14 - 2015-03-31 10:14 - 0004387 _____ () C:\Users\Michał\AppData\Roaming\LhzR8BAn
2014-02-05 23:44 - 2014-02-05 23:44 - 0000017 _____ () C:\Users\Michał\AppData\Local\resmon.resmoncfg
2015-04-21 18:14 - 2015-04-21 18:14 - 0011806 _____ () C:\Users\Michał\AppData\Local\Temp-log.txt
2013-01-16 14:08 - 2013-01-16 14:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Files to move or delete:
====================
C:\Users\Michał\mon_que_2-patch.exe
C:\Users\Michał\nscript.dat
 
 
Some content of TEMP:
====================
C:\Users\Michał\AppData\Local\Temp\i4jdel0.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-05-03 16:47
 
==================== End Of Log ============================



 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:09:10 AM

Posted 10 May 2015 - 12:39 PM

Hi Swayze,

 

I am shelf life and will try to help you. I am only online here once or twice per day, more on the weekends. Don't expect a flurry of replies from me.

 

We will get two downloads to start with. Both target adware:

 

    Please download AdwCleaner by Xplode and save it to your Desktop.
 
    http://www.bleepingcomputer.com/download/adwcleaner/
 
    Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users: right-click and select Run As Administrator.
    Click on the Scan button.
    AdwCleaner will begin to scan your computer.
    After the scan has finished, click on the Clean button.
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

    Please download Junkware Removal Tool to your desktop.
 
    http://thisisudax.org/downloads/JRT.exe
 
    Shut down your antivirus to avoid any conflicts.
    Double-click the icon (or right-click for Vista/W7/8 and select Run as administrator).
    The tool will open and start scanning.
    Please be patient as this can take a while to complete.
    On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    Post the contents of JRT.txt into your next message.

 

Post the logs and we will go on from there.


How Can I Reduce My Risk to Malware?


#3 Swayze

Swayze
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 11 May 2015 - 11:35 AM

Hello shelf life, thanks for the reply. I did what you asked for; it removed some files, but the ads and redirects still happen. The logs are below.

 

Note: when I open Google Chrome I get a notification. Since it's in Polish, I'm not sure if the translation will be 100% correct, but it goes something like this:

 

"An unsupported command flag was used: --extensions-on-chrome-urls. It has a negative impact on stability and security".

 

AdwCleaner log:

 

# AdwCleaner v4.203 - Logfile created 11/05/2015 at 17:39:10
# Updated 30/04/2015 by Xplode
# Database : 2015-05-09.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Michał - YOSSARIAN
# Running from : C:\Users\Michał\Downloads\adwcleaner_4.203.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\AdTrustMedia
Folder Deleted : C:\ProgramData\2730e5a5b707818a
Folder Deleted : C:\ProgramData\2824009466264387978
Folder Deleted : C:\ProgramData\{ad0b1f6b-4853-bdff-ad0b-b1f6b4857dad}
Folder Deleted : C:\Program Files (x86)\AdTrustMedia
Folder Deleted : C:\Program Files\AdTrustMedia
Folder Deleted : C:\Users\Michał\AppData\Local\AdTrustMedia
Folder Deleted : C:\Users\Michał\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\cmaiofennmphjldldcpphcechfnnohja
Folder Deleted : C:\Users\Michał\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dfhphepmmghimompopllneamgdbelkdd
File Deleted : C:\Users\Michał\AppData\Local\Comodo\Dragon\User Data\Default\Local Storage\chrome-extension_cmaiofennmphjldldcpphcechfnnohja_0.localstorage
File Deleted : C:\END
File Deleted : C:\Users\Michał\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
File Deleted : C:\Users\Michał\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [PrivDog@AdTrustMedia.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cmaiofennmphjldldcpphcechfnnohja
Key Deleted : HKLM\SOFTWARE\8824f131-1c2d-4c69-a16b-f46002285288
Key Deleted : HKLM\SOFTWARE\97cd813b-5574-4157-9f7d-d5f3ee649cdb
Key Deleted : HKLM\SOFTWARE\d1b24d7f-9147-450c-86b3-4840cbdd22a7
Key Deleted : HKLM\SOFTWARE\ded19b04-085b-4510-bd15-0bc13b956190
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}
Key Deleted : HKCU\Software\BI
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKLM\SOFTWARE\InstalledBrowserExtensions
Key Deleted : HKLM\SOFTWARE\WebConnect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B10BC31B-DBC6-56FE-DD3D-DD4E49A3E6CE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54BFE519-3276-4B64-A747-E89AEF5D9337}_is1
Key Deleted : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v29.0.1 (pl)
 
 
-\\ Google Chrome v32.0.1700.41
 
[C:\Users\Michał\AppData\Local\Google\Chrome\User Data\Default\Preferences] - Deleted [Extension] : cmaiofennmphjldldcpphcechfnnohja
 
-\\ Comodo Dragon v36.1.1.21
 
 
*************************
 
AdwCleaner[R0].txt - [3566 bytes] - [11/05/2015 17:30:32]
AdwCleaner[S0].txt - [3342 bytes] - [11/05/2015 17:39:10]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3401  bytes] ##########
 
Junkware log:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.7.0 (05.09.2015:1)
OS: Windows 8.1 x64
Ran by Micha on 2015-05-11 at 17:46:29,49
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
Successfully stopped: [Service] util webconnect
Successfully deleted: [Service] util webconnect
 
 
 
~~~ Tasks
 
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-743600532-1301776689-3942748706-1002
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-743600532-1301776689-3942748706-1005
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\privdogservice
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Util WebConnect
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\Users\Micha\appdata\local\google\chrome\user data\default\local storage\http_static.audienceinsights.net_0.localstorage
Successfully deleted: [File] C:\Users\Micha\appdata\local\google\chrome\user data\default\local storage\http_static.audienceinsights.net_0.localstorage-journal
Successfully deleted: [File] C:\Users\Micha\appdata\local\google\chrome\user data\default\local storage\https_static.olark.com_0.localstorage
Successfully deleted: [File] C:\Users\Micha\appdata\local\google\chrome\user data\default\local storage\https_static.olark.com_0.localstorage-journal
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\WINDOWS\syswow64\ai_recyclebin
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\Micha\AppData\Roaming\mozilla\firefox\profiles\1277vvo5.default\minidumps [9 files]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2015-05-11 at 18:19:28,11
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
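A small triage pass over the FRST entry format used in the log above, added here as an illustration (it is not a tool from this thread, nor from the authors of FRST or AdwCleaner): it parses the "created - modified - size attrs (publisher) path" lines and flags objects with no publisher whose names are GUIDs, hex blobs or random strings, unsigned executables, and the names AdwCleaner removed in this thread. The regexes, thresholds and the short known-name list are my assumptions; the sample lines are copied from the logs in the thread.

```python
import re

# Constructed sample: lines copied from the FRST "One Month" sections of the log above.
SAMPLE = r"""
2015-04-14 22:38 - 2015-04-14 22:38 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-04-11 12:42 - 2015-04-11 12:42 - 08882669 _____ ( ) C:\Users\Michał\Downloads\DLLEscort_Setup.exe
2015-04-21 20:21 - 2015-02-10 00:01 - 00000000 ____D () C:\Program Files (x86)\bf5e44bc-23c7-4c44-a8bd-cceb5d547848
2015-04-21 20:21 - 2014-05-23 17:40 - 00000000 ____D () C:\Program Files (x86)\AdTrustMedia
2015-04-21 20:19 - 2015-02-10 04:29 - 00000000 ____D () C:\ProgramData\{ad0b1f6b-4853-bdff-ad0b-b1f6b4857dad}
2015-04-21 19:06 - 2015-04-02 00:06 - 00000004 _____ () C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-03-31 10:14 - 2015-03-31 10:14 - 0005655 _____ () C:\Users\Michał\AppData\Roaming\FJ4MCAUT9jMELX7QTC28
2015-05-04 20:55 - 2013-09-14 21:12 - 00000000 ____D () C:\Users\Michał\AppData\Roaming\vlc
"""

# One FRST entry: "created - modified - size attrs (publisher) path".
LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>.*?)\) (?P<path>.+)$"
)
# Name heuristics are my assumptions, not FRST's: the adware on this machine
# dropped folders and files named with GUIDs, hex blobs and random strings.
GUID = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
HEXBLOB = re.compile(r"^[0-9a-f]{16,}$", re.I)
RANDOMISH = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")
# Names AdwCleaner removed in this thread, taken from its log (lower-cased).
KNOWN_ADWARE = {"adtrustmedia", "privdog"}


def parse(text):
    """One dict per well-formed FRST entry; blank and header lines are skipped."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def opaque_name(name):
    """Why a file or folder name looks machine-generated, or None."""
    if GUID.match(name):
        return "GUID-named object"
    if HEXBLOB.match(name):
        return "hex-blob name"
    if RANDOMISH.match(name):
        return "random-looking name"
    return None

def triage(text):
    """Entries with no publisher string that a reviewer should look at first."""
    findings = []
    for row in parse(text):
        path = row["path"]
        name = path.rsplit("\\", 1)[-1]
        if row["company"].strip():
            continue  # carries a publisher string; this simple pass leaves it alone
        reason = opaque_name(name)
        if name.lower() in KNOWN_ADWARE:
            reason = "name matches an AdwCleaner removal in this thread"
        elif reason is None and name.lower().endswith(".exe"):
            reason = "executable with no publisher"
        if reason:
            findings.append((path, reason))
    return findings
```

A publisher string in FRST output is only the file's version resource, not proof of a valid signature, so flagged entries are candidates for review, not verdicts.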
 

 



#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:09:10 AM

Posted 11 May 2015 - 05:16 PM

OK, thanks for the info. It looks like you will have to completely uninstall Chrome, including your user profile, then reinstall it. You can back up your bookmarks first, to reinstall them if you want, before the uninstall:

 

Uninstall Chrome in Windows Vista/ Windows 7/ Windows 8

  1. Close all Chrome windows and tabs.
  2. Go to the Start menu > Control Panel. (Windows 8 users: Learn how to access the Control Panel)
  3. Click Programs and Features.
  4. Double-click Google Chrome.
  5. Click Uninstall from the confirmation dialog. If you want to delete your user profile information, like your browser preferences, bookmarks, and history, select the "Also delete your browsing data" checkbox.

Reinstall source:

https://www.google.com/chrome/




#5 Swayze

Swayze
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 12 May 2015 - 10:17 AM

Hello shelf life!

 

I reinstalled Chrome. It seems to work. I surfed the net for a while, and didn't stumble upon any pop-up or redirect. Thank you a lot.

 

Should I post some more logs, to see if there's something more to get rid of?



#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:09:10 AM

Posted 12 May 2015 - 04:31 PM

hi,

 

Cruise around some more. Give it a day or two. Use IE and Firefox also. Make sure it all looks good then we can call it quits.

 

SpyHunter4: nobody recommends this software as an antimalware app. You would be much better off with the free version of Malwarebytes.






