
Is my Windows 7 computer infected?


8 replies to this topic

#1 BobTroll


Posted 19 May 2015 - 07:50 AM

I operate several different email accounts and I use Windows Live Mail to access all of my emails.  I opened an email that had been sent by a friend to one of my Hotmail accounts.  I attach the suspect email - and have also sent a copy to Avast.
 
I clicked on a link in the email and Avast Free Antivirus did not detect any problem.  However, the malware stole my password and sent identical emails to most of the contacts in the sent folder for that account.  Microsoft detected malicious activity and blocked the account.  I followed their instructions to recover the account and changed the password.  I also deleted cookies and sent warnings to those contacts who might have received spurious emails.  Then, I used the following programs to scan my computer:
 
Avast Free Antivirus
ESET on-line scanner
SUPERAntiSpyware
Malwarebytes Anti-Malware
CCleaner
Temporary Files Cleaner
AdwCleaner
Junkware Removal Tool
Secunia Personal Software Inspector
 
None of these programs detected major problems, apart from a few PUPs.
 
However, I am concerned that the malware might have installed a key logger on my computer.  Consequently, I should be grateful if one of the experts on this forum could advise me whether I need to take any further action. 
 
Thank you.

Edited by Queen-Evie, 19 May 2015 - 08:09 AM.
moved from Windows 7 to Am I Infected. Also removed suspected malicious email attachment, which included email addresses that could be harvested by spammers



#2 dc3


Posted 19 May 2015 - 08:24 AM

Please post the Malwarebytes log in your topic.
 

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.
 
==========
 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.
 
The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
3.  Click Start Scan and allow the scan process to run.
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!
 
Click on Continue.
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.
 
Note:  The log may be very long.  You may need to break it into parts to post the whole log.
 
==========
 

Please download and install Emsisoft.
 
1.  When Emsisoft opens click on Update.
 
2.  Click on Full Scan.
 
3.  After the scan has completed the results will be displayed.  Make sure there is a check in the box of each item found, then click on Quarantine.
 
4.  After the items have been quarantined click on OK.
 
5.  After the quarantine has been completed click on Logs.
 
6.  Click on Export and save the log to a location which you will be able to find and open.  Open the log, copy and then paste the log in your topic.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
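
The question in the opening post (did the phishing link leave a keylogger behind?) and the checks dc3's tool list performs (TDSSKiller's "Verify Driver Digital Signature" pass, mbam-check's dump of the Run keys and PendingFileRenameOperations) can be covered in one pass from an elevated PowerShell prompt. The script below is an added example for this thread; it is not code from the thread, from Malwarebytes, Kaspersky or Emsisoft, and it does not replace the tool logs the helpers ask for. It assumes Windows 7 with PowerShell 2.0 or later, administrator rights, and an English locale (the schtasks CSV column names are locale-dependent). The function names (Add-Finding, Get-TriageFindings and the rest) and the triage.csv output path are this example's own.

```powershell
# Added example (not from the thread or any tool it names): persistence and
# driver-signature triage for a Windows 7 box after a phishing link was clicked.
# Run from an elevated PowerShell 2.0+ prompt. Function and variable names are
# this example's own. Output: a table on screen and triage.csv on the Desktop.

$Findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Area, [string]$Detail) {
    [void]$Findings.Add((New-Object PSObject -Property @{ Area = $Area; Detail = $Detail }))
}

function Get-RunKeyEntries {
    # The same autostart keys mbam-check lists: machine and user, 64-bit and WOW64 views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                Add-Finding 'Run key' ('{0} : {1} = {2}' -f $key, $p.Name, "$($p.Value)")
            }
        }
    }
}

function Get-WinlogonHooks {
    # Shell/Userinit replacement and AppInit_DLLs are classic keylogger footholds.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon' ('Shell = ' + $wl.Shell) }
    if ($wl.Userinit -notmatch '^[A-Z]:\\Windows\\system32\\userinit\.exe,?$') {
        Add-Finding 'Winlogon' ('Userinit = ' + $wl.Userinit)
    }
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        if ((Test-Path $k) -and (Get-ItemProperty $k).AppInit_DLLs) {
            Add-Finding 'AppInit_DLLs' ('{0} = {1}' -f $k, (Get-ItemProperty $k).AppInit_DLLs)
        }
    }
}

function Get-PendingRenames {
    # The value is a flat list of source/destination pairs; an empty destination
    # means "delete on reboot". Review anything that is not an installer or
    # Windows Update artefact before the next restart erases the evidence.
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @($sm.PendingFileRenameOperations)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        if (-not $ops[$i]) { continue }
        $dst = '<delete on reboot>'
        if (($i + 1) -lt $ops.Count -and $ops[$i + 1]) { $dst = $ops[$i + 1] }
        Add-Finding 'PendingFileRename' ('{0} -> {1}' -f $ops[$i], $dst)
    }
}

function Get-NonWindowsTasks {
    # Windows 7 has no Get-ScheduledTask cmdlet, so parse the verbose CSV from schtasks.
    # schtasks repeats its header row per task folder; those rows are skipped.
    $rows = schtasks /query /fo CSV /v | ConvertFrom-Csv
    foreach ($t in $rows) {
        $cmd = $t.'Task To Run'
        if ($t.TaskName -eq 'TaskName' -or -not $cmd -or $cmd -eq 'COM handler') { continue }
        # Anything not launched from the Windows directory goes on the review list
        # (legitimate third-party updaters will appear here too; that is expected).
        if ($cmd -notmatch '^"?(%windir%|%SystemRoot%|[A-Z]:\\Windows)\\') {
            Add-Finding 'Scheduled task' ('{0} : {1}' -f $t.TaskName, $cmd)
        }
    }
}

function Get-DriverSignatureIssues {
    # Rough equivalent of TDSSKiller's "Verify Driver Digital Signature" pass.
    # Caveat: on Windows 7 Get-AuthenticodeSignature checks embedded signatures only,
    # so catalog-signed inbox Microsoft drivers report NotSigned. Those are filtered
    # by CompanyName (forgeable, which is why TDSSKiller's own check is still worth
    # running); HashMismatch or NotTrusted on any driver is the real alarm.
    Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys | ForEach-Object {
        $status = (Get-AuthenticodeSignature -FilePath $_.FullName).Status.ToString()
        if ($status -eq 'Valid') { return }
        if ($status -eq 'NotSigned') {
            if ($_.VersionInfo.CompanyName -notmatch 'Microsoft') {
                Add-Finding 'Driver (review)' ('{0}: no embedded signature' -f $_.Name)
            }
        } else {
            Add-Finding 'Driver (ALERT)' ('{0}: {1}' -f $_.Name, $status)
        }
    }
}

function Get-TriageFindings {
    $Findings.Clear()
    Get-RunKeyEntries; Get-WinlogonHooks; Get-PendingRenames
    Get-NonWindowsTasks; Get-DriverSignatureIssues
    return $Findings.ToArray()
}

$results = Get-TriageFindings | Sort-Object Area
$results | Format-Table Area, Detail -AutoSize
$results | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\triage.csv') -NoTypeInformation
```

The output is a review list, not a verdict: Run-key and scheduled-task entries from Program Files are usually legitimate, and a driver flagged "review" only means it carries no embedded signature. A driver reported as HashMismatch or NotTrusted, a Winlogon Shell or Userinit value that is not the Windows default, or a pending rename of an executable nobody installed deliberately are the findings worth posting back in the thread alongside the TDSSKiller and Emsisoft logs.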

#3 BobTroll


Posted 20 May 2015 - 04:58 AM

Thank you.  I have tried to follow your instructions.

Malwarebytes produced the following log file:

mbam-check result log version:     2.1.1.1001
========================================

User Account type:                 Administrator
OS:                                Windows 7 Service Pack 1 Service Pack 1 64 bit Operating System
Current Version and Build:         6.1.7601.0
Malwarebytes Anti-Malware:         2.1.6.1022
Installed On:                      2015/04/27
Malware Database:                  0000.00.00.00
Rootkit Database:                  0000.00.00.00
Remediation Database:              0000.00.00.00
IP Database:                       0000.00.00.00
Domain Database:                   0000.00.00.00
License:                           Free
Malware Protection:                4 (The service is running.)
Malicious Website Protection:      1 (The service is not running.)
Chameleon:                         0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon
Log Created:                       2015/05/19 16:07:04
Compatibility Flag Settings:
=================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
 SIGN.IE=01128760 AdobeAIRInstaller.exeREG_SZ  VISTARTM
 C:\Users\Bob Lucas\Downloads\Adobe Air\AdobeAIRInstaller.exeREG_SZ  VISTARTM
 C:\Users\Bob Lucas\Downloads\Cute Writer (PDF)\converter.exeREG_SZ  WINXPSP2
 C:\Program Files (x86)\OLYMPUS\CAMEDIA Master Pro\CAMEDIA Master.exeREG_SZ  WINXPSP3 RUNASADMIN
 SIGN.IE=010E6C18 AdobeAIRInstaller.exeREG_SZ  VISTARTM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
 C:\Program Files (x86)\Xirrus\Xirrus Wi-Fi Inspector\Xirrus Wi-Fi Inspector.exeREG_SZ  # WINXPSP2

Malwarebytes Anti-Malware Shell Extension Block Check:
======================================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked:

MBAM Startup Entries:
=====================
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Malwarebytes Anti-Malware Service and Driver Status:
=======================================================

--------------Driver File Info:--------------
C:\windows\system32\drivers\mbam.sys
File Size: 25816     BYTES FileVersion: 0.1.15.0 MD5: [1e9e32aec3e1eb1b31b8169f33168b56]
C:\windows\system32\drivers\mwac.sys
File Size: 63704     BYTES FileVersion: 1.0.6.0 MD5: [f49fb3c88e263ae9a246593b0bb29294]
C:\windows\system32\drivers\mbamswissarmy.sys
File Size: 136408    BYTES FileVersion: 0.2.21.0 MD5: [e9cd058c79ea15b4aa93e259fa713b07]
C:\windows\system32\drivers\mbamchameleon.sys
File Size: 107736    BYTES FileVersion: 1.1.13.0 MD5: [54d70409de6932e9efa117779611e7a9]

--------------MBAMProtector:--------------
Type:                   2
State:                  4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0

--------------MBAMService:--------------
Type:                   16
State:                  1 (The service is not running.) (State is stopped)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0

--------------MBAMScheduler:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMScheduler
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A

--------------MBAMChameleon:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A

--------------MBAMWebAccessControl:--------------
Type:                   2
State:                  1 (The service is not running.) (State is stopped)
WIN32_EXIT_CODE:        1077
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0

Required Dependencies:
======================

--------------BFE:--------------
Type:                   32
State:                  4 (The service is running.)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
 DisplayName                   REG_SZ  @%SystemRoot%\system32\bfe.dll,-1001
 Group                         REG_SZ  NetworkProvider
 ImagePath                     REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
 Description                   REG_SZ  @%SystemRoot%\system32\bfe.dll,-1002
 ObjectName                    REG_SZ  NT AUTHORITY\LocalService
 ErrorControl                  REG_DWORD  1
 Start                         REG_DWORD  2
 Type                          REG_DWORD  32
 DependOnService               REG_MULTI_SZ RpcSs

 ServiceSidType                REG_DWORD  3
 RequiredPrivileges            REG_MULTI_SZ SeAuditPrivilege

 FailureActions                REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters
 ServiceDll                    REG_EXPAND_SZ %SystemRoot%\System32\bfe.dll
 ServiceDllUnloadOnStop        REG_DWORD  1
 ServiceMain                   REG_SZ  BfeServiceMain
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\BootTime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\BootTime\Filter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\Persistent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\Persistent\Callout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\Persistent\Filter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\Persistent\Provider
 {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}REG_BINARY Binary Data

 {4b153735-1049-4480-aab4-d1b9bdc03710}REG_BINARY Binary Data

 {1bebc969-61a5-4732-a177-847a0817862a}REG_BINARY Binary Data

 {aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3}REG_BINARY Binary Data

 {d4bd4a0f-7591-4da2-ae67-3aa97c3c34c2}REG_BINARY Binary Data

 {91842344-b99c-4dcb-afce-fb6f7462f55b}REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy\Persistent\SubLayer
 {b3cdd441-af90-41ba-a745-7c6008ff2300}REG_BINARY Binary Data

 {b3cdd441-af90-41ba-a745-7c6008ff2301}REG_BINARY Binary Data

 {b3cdd441-af90-41ba-a745-7c6008ff2302}REG_BINARY Binary Data

 {9ba30013-c84e-47e5-ac6e-1e1aed72fa69}REG_BINARY Binary Data

--------------fltmgr:--------------
Type:                   2
State:                  4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr
 AttachWhenLoaded              REG_DWORD  1
 DisplayName                   REG_SZ  @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
 Group                         REG_SZ  FSFilter Infrastructure
 ImagePath                     REG_EXPAND_SZ system32\drivers\fltmgr.sys
 Description                   REG_SZ  @%SystemRoot%\system32\drivers\fltmgr.sys,-10000
 ErrorControl                  REG_DWORD  3
 Start                         REG_DWORD  0
 Tag                           REG_DWORD  1
 Type                          REG_DWORD  2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Enum
 0                             REG_SZ  Root\LEGACY_FLTMGR\0000
 Count                         REG_DWORD  1
 NextInstance                  REG_DWORD  1

C:\windows\system32\drivers\fltmgr.sys
File Size: 289664    BYTES FileVersion: 6.1.7601.17514 MD5: [da6b67270fd9db3697b20fce94950741]
C:\windows\SysWOW64\olepro32.dll
File Size: 90112     BYTES FileVersion: 6.1.7601.17514 MD5: [703ffd301ab900b047337c5d40fd6f96]

MBAM Registry Settings and License Info:
========================================
--------------Settings:--------------
Advanced:
    AutomaticQuarantine:                                       true
    AutostartProtection:                                       true
    LimitedMode:                                               false
    StartSilentMode:                                           false
    StartupDelay:                                              -15
ApplicationState:
    First-Run-After-Installation:                              false
General:
    DaysUntilNotifyExpiration:                                 5
    Language:                                                  en
    RightClickAccess:                                          true
    SilentErrors:                                              false
Logging:
    ExportLog:                                                 true
Marketing:
    LastPostScanMarketingIndex:                                3
Notification:
ProtectionTray:
    DisplayMilliseconds:                                       3000
ScanHistory:
    Duration_Complete:                                         902629
    Duration_Driver:                                           20927
    Duration_Filesystem:                                       2879
    Duration_Heuristics:                                       1109597
    Duration_Loading:                                          0
    Duration_MasterBootRecord:                                 19
    Duration_Memory:                                           40000
    Duration_PreScan:                                          36008
    Duration_Registry:                                         19772
    Duration_Sector:                                           0
    Duration_Startup:                                          35260
    ItemCount_Complete:                                        323365
    ItemCount_Driver:                                          396
    ItemCount_Filesystem:                                      66211
    ItemCount_Heuristics:                                      15869
    ItemCount_Loading:                                         0
    ItemCount_MasterBootRecord:                                1
    ItemCount_Memory:                                          2797
    ItemCount_PreScan:                                         36000
    ItemCount_Registry:                                        658
    ItemCount_Sector:                                          0
    ItemCount_Startup:                                         1988
    LastScanDateEpoch:                                         1431873427490
    LastScanType:                                              1 (Threat Scan)
Update:
    LastUpdate:                                                2015-05-17T14:35:53
    NotifyInstallReady:                                        true
    NotifyOutdatedDatabase:                                    7
    ProxyPassword:                                            
    ProxyPort:                                                 0
    ProxyServer:                                              
    ProxyUsername:                                            
    UseProxy:                                                  false
    UseProxyAuthentication:                                    false
--------------Account:--------------
  Account Status:                                              Free
  Expiration Time:                                            
  Activation Time:                                            
  Trial Used:                                                  false
--------------Access Policies:--------------

Scheduler Queue:
================

Pending File Rename Operations:
================================
If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.
Pending File Rename Operations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
 PendingFileRenameOperations REG_MULTI_SZ \??\C:\ProgramData\cis88B2.exe

MBAMProtector Registry Values:
==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector
 Type                          REG_DWORD  2
 Start                         REG_DWORD  3
 ErrorControl                  REG_DWORD  1
 ImagePath                     REG_EXPAND_SZ \??\C:\windows\system32\drivers\mbam.sys
 Group                         REG_SZ  FSFilter Anti-Virus
 DependOnService               REG_MULTI_SZ FltMgr

 WOW64                         REG_DWORD  1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances
 DefaultInstance               REG_SZ  MBAMProtector Instance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance
 Altitude                      REG_SZ  328800
 Flags                         REG_DWORD  0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Parameters
 PassThruFile                  REG_SZ  mbampt.exe
 ProductPath                   REG_SZ  C:\Program Files (x86)\Malwarebytes Anti-Malware
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Enum
 0                             REG_SZ  Root\LEGACY_MBAMPROTECTOR\0000
 Count                         REG_DWORD  1
 NextInstance                  REG_DWORD  1

MBAMService Registry Values:
============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService
 Type                          REG_DWORD  16
 Start                         REG_DWORD  2
 ErrorControl                  REG_DWORD  1
 ImagePath                     REG_EXPAND_SZ "C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe"
 DependOnService               REG_MULTI_SZ MBAMProtector

 WOW64                         REG_DWORD  1
 ObjectName                    REG_SZ  LocalSystem
 Description                   REG_SZ  Malwarebytes Anti-Malware service
 DelayedAutostart              REG_DWORD  0

MBAMScheduler Registry Values:
==============================

Terminal Services Status for (null) entries in PM logs and GetUserToken errors:
===============================================================================

--------------TERMService:--------------
Type:                   32
State:                  1 (The service is not running.) (State is stopped)
WIN32_EXIT_CODE:        1077
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0

TermService Start is set to: 3 (Manual Startup)

Proxy Status: No proxy is Set

LAN Settings:
=============

No Settings are Set  <--NOT DETECTING SETTING AUTOMATICALLY

SystemPartition:
================

HKEY_LOCAL_MACHINE\SYSTEM\Setup\
 SystemPartition REG_SZ  \Device\HarddiskVolume1

Balloon Tips Status:
====================

Enabled

Time Format Settings:
=====================

Should be:
  h:mm:ss tt
  AM
  PM
  :

Currently:
REG_SZ  HH:mm:ss
REG_SZ  AM
REG_SZ  PM
REG_SZ  :

Language and Regional Settings:
===============================

ACP:  Language is English (United States)
MACCP:  Language is English (United States)
OEMCP: 850 Please refer to this link for details: Here

Startup Folders for Error_Expanding_Variables Check:
====================================================

All Users Startup Folder Exists.
Current User's Startup Folder Exists.

Context Menu Entries:
=====================

HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt
 (Default):                    REG_SZ  {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt
 (Default):                    REG_SZ  {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt
 (Default):                    REG_SZ  MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID
 (Default):                    REG_SZ  {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer
 (Default):                    REG_SZ  MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1
 (Default):                    REG_SZ  MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID
 (Default):                    REG_SZ  {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}
 (Default):                    REG_SZ  IMBAMShlExt
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32
 (Default):                    REG_SZ  {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib
 (Default):                    REG_SZ  {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
 Version                       REG_SZ  1.0
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
 (Default):                    REG_SZ  MBAMShlExt Class
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32
 (Default):                    REG_SZ  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll
 ThreadingModel                REG_SZ  Apartment
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID
 (Default):                    REG_SZ  MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib
 (Default):                    REG_SZ  {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID
 (Default):                    REG_SZ  MBAMExt.MBAMShlExt

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
 (Default):                    REG_SZ  MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32
 (Default):                    REG_SZ  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
 (Default):                    REG_SZ  0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
 (Default):                    REG_SZ  C:\Program Files (x86)\Malwarebytes Anti-Malware
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
 (Default):                    REG_SZ  MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32
 (Default):                    REG_SZ  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
 (Default):                    REG_SZ  0
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
 (Default):                    REG_SZ  C:\Program Files (x86)\Malwarebytes Anti-Malware

List of MBAM Related Directories:
=================================

C:\Program Files (x86)\Malwarebytes Anti-Malware\
7z.dll                                   File Size: 920888    BYTES FileVersion:  9.20.0.0       MD5: [3c88cad475b8b4b30b62199e40b2498c]
changes.txt                              File Size: 577       BYTES FileVersion:  N/A            MD5: [58354dbb59bc2955d070559338f970a4]
license.rtf                              File Size: 42936     BYTES FileVersion:  N/A            MD5: [b22cb49aa8d1359b08eb9e4a4e13899b]
master.conf                              File Size: 1258      BYTES FileVersion:  N/A            MD5: [9702ca5e82d3756c6d8af34a2ababaea]
mbam.dll                                 File Size: 602936    BYTES FileVersion:  1.0.35.0       MD5: [296e2ee79be1a6cf197ad38ae3bd58d9]
mbam.exe                                 File Size: 6212920   BYTES FileVersion:  1.0.2.929      MD5: [7e212e742bf06bf678ae35e9c1b74b8f]
mbamcore.dll                             File Size: 1971000   BYTES FileVersion:  1.2.0.0        MD5: [043835a4a31239fe57b891ec960e6075]
mbamdor.exe                              File Size: 54072     BYTES FileVersion:  1.0.1.0        MD5: [b83bd7a2c8c2c03d06859c9c46358de7]
mbamext.dll                              File Size: 310584    BYTES FileVersion:  3.0.6.0        MD5: [2f3e8b9ee709180e01b197929b3dd4eb]
mbampt.exe                               File Size: 39736     BYTES FileVersion:  1.0.0.0        MD5: [416c41110833b3e1c14c7188b71ae70f]
mbamscheduler.exe                        File Size: 1871160   BYTES FileVersion:  3.1.2.0        MD5: [516e29ad03bdf610cc36a95ae692fe42]
mbamservice.exe                          File Size: 1080120   BYTES FileVersion:  3.1.0.0        MD5: [2b983f067aee3f9eb4df5e97f45d21d1]
mbamsrv.dll                              File Size: 3847992   BYTES FileVersion:  1.2.7.0        MD5: [22c7bd320a5c2ae3ae24c529768702f9]
msvcp100.dll                             File Size: 421688    BYTES FileVersion:  10.0.40219.325 MD5: [83c628fb6b293d61f7bfbbc3d8f88ac9]
msvcr100.dll                             File Size: 774456    BYTES FileVersion:  10.0.40219.325 MD5: [e8115316a914da20529e984f0c52828d]
QtCore4.dll                              File Size: 2582840   BYTES FileVersion:  4.8.5.0        MD5: [f8e05dc5365f07d0337ef56be17b3e04]
QtGui4.dll                               File Size: 8420152   BYTES FileVersion:  4.8.5.0        MD5: [fd1d67dd57309ffe4ae508c14b71b561]
QtNetwork4.dll                           File Size: 909112    BYTES FileVersion:  4.8.5.0        MD5: [d966279de7fa2193eb84cfb859e704a6]
unins000.dat                             File Size: 126225    BYTES FileVersion:  N/A            MD5: [3a4296843070cadb62a8b40acaffeca3]
unins000.exe                             File Size: 718037    BYTES FileVersion:  51.52.0.0      MD5: [d2796ecf50731e696f0c065d24c0827a]

C:\Program Files (x86)\Malwarebytes Anti-Malware\\accessible
qtaccessiblewidgets4.dll                 File Size: 198968    BYTES FileVersion:  4.8.4.0        MD5: [9ba27dab5412b71cb8238740d6619d1d]

C:\Program Files (x86)\Malwarebytes Anti-Malware\\Chameleon

C:\Program Files (x86)\Malwarebytes Anti-Malware\\Chameleon\Windows
chameleon.chm                            File Size: 235882    BYTES FileVersion:  N/A            MD5: [c4190b71f037714aa77aba294434ba5b]
firefox.com                              File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
firefox.exe                              File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
firefox.pif                              File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
firefox.scr                              File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
iexplore.exe                             File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
mbam-chameleon.com                       File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
mbam-chameleon.exe                       File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
mbam-chameleon.pif                       File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
mbam-chameleon.scr                       File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
mbam-killer.exe                          File Size: 1445176   BYTES FileVersion:  3.0.9.0        MD5: [99345356e450a5a403488280d3520550]
rundll32.exe                             File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
svchost.exe                              File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
windows.exe                              File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]
winlogon.exe                             File Size: 878392    BYTES FileVersion:  3.1.16.0       MD5: [4518dd9a09b4fef7db3b13f0ddddd36e]

C:\Program Files (x86)\Malwarebytes Anti-Malware\\imageformats
Malware Exclusions:
===================
Unable to access exclusion information: Error code 20001
Web Exclusions:
================
Unable to access exclusion information: Error code 20001
Quarantined Items:
===================
Unable to access quarantine information: Error code 20001
===============================================================
END OF FILE

There were no quarantined items.

 

__________________________________________________________________________________________________________________________

 

I experienced a few problems with TDSSKiller, because the Kaspersky site was under maintenance.  However, I was able to download the program from www.bleepingcomputer.com/download/tdsskiller/.

The first time I ran the program and changed the parameters to include scanning for loaded modules, it instructed me to reboot my computer.  Following the reboot, it tried to run a program, which I assume was the Extended Monitoring Driver.  The program failed and the error message stated that it had been blocked by Group Policy.  I suspect that occurred because my registry includes entries at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\paths, which are intended to block the installation of the Cryptolocker virus.

I deleted these policy entries (temporarily) and ran TDSSKiller again.  This time, it did not instruct me to reboot my computer.

The program did not detect any threats and produced two log files.  The second log file ended with Detected object count: 0 and Actual detected object count: 0.  Consequently, I have truncated the log file.

TDSSKiller.3.0.0.44_19.05.2015_15.39.41_log

 

15:39:41.0721 0x2508  TDSS rootkit removing tool 3.0.0.44 Jan 22 2015 08:27:04
15:39:49.0951 0x2508  ============================================================
15:39:49.0951 0x2508  Current date / time: 2015/05/19 15:39:49.0951
15:39:49.0951 0x2508  SystemInfo:
15:39:49.0951 0x2508
15:39:49.0951 0x2508  OS Version: 6.1.7601 ServicePack: 1.0
15:39:49.0951 0x2508  Product type: Workstation
15:39:49.0951 0x2508  ComputerName: SAMSUNG-LAPTOP
15:39:49.0951 0x2508  UserName: Bob Lucas
15:39:49.0951 0x2508  Windows directory: C:\windows
15:39:49.0951 0x2508  System windows directory: C:\windows
15:39:49.0951 0x2508  Running under WOW64
15:39:49.0951 0x2508  Processor architecture: Intel x64
15:39:49.0951 0x2508  Number of processors: 4
15:39:49.0951 0x2508  Page size: 0x1000
15:39:49.0951 0x2508  Boot type: Normal boot
15:39:49.0951 0x2508  ============================================================
15:39:50.0801 0x2508  KLMD registered as C:\windows\system32\drivers\21917688.sys
15:39:51.0601 0x2508  System UUID: {D010987F-AE6A-94AE-D4EE-54445BC27D02}
15:39:52.0481 0x2508  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 ( 465.76 Gb ), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
15:39:52.0491 0x2508  ============================================================
15:39:52.0491 0x2508  \Device\Harddisk0\DR0:
15:39:52.0491 0x2508  MBR partitions:
15:39:52.0491 0x2508  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:39:52.0491 0x2508  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x37398800
15:39:52.0491 0x2508  ============================================================
15:39:52.0521 0x2508  C: <-> \Device\Harddisk0\DR0\Partition2
15:39:52.0541 0x2508  E: <-> \Device\Harddisk0\DR0\Partition1
15:39:52.0541 0x2508  ============================================================
15:39:52.0541 0x2508  Initialize success
15:39:52.0541 0x2508  ============================================================
15:40:53.0671 0x12c8  KLMD registered as C:\windows\system32\drivers\75498802.sys
15:40:54.0291 0x12c8  Deinitialize success

__________________________________________________________________________________________________________________________

 

TDSSKiller.3.0.0.44_19.05.2015_15.52.19_log

15:52:20.0014 0x1768  TDSS rootkit removing tool 3.0.0.44 Jan 22 2015 08:27:04
15:52:26.0904 0x1768  ============================================================
15:52:26.0904 0x1768  Current date / time: 2015/05/19 15:52:26.0904
15:52:26.0904 0x1768  SystemInfo:
15:52:26.0904 0x1768
15:52:26.0904 0x1768  OS Version: 6.1.7601 ServicePack: 1.0
15:52:26.0904 0x1768  Product type: Workstation
15:52:26.0904 0x1768  ComputerName: SAMSUNG-LAPTOP
15:52:26.0904 0x1768  UserName: Bob Lucas
15:52:26.0904 0x1768  Windows directory: C:\windows
15:52:26.0904 0x1768  System windows directory: C:\windows
15:52:26.0904 0x1768  Running under WOW64
15:52:26.0904 0x1768  Processor architecture: Intel x64
15:52:26.0904 0x1768  Number of processors: 4
15:52:26.0904 0x1768  Page size: 0x1000
15:52:26.0904 0x1768  Boot type: Normal boot
15:52:26.0904 0x1768  ============================================================
15:52:26.0944 0x1768  BG loaded
15:52:27.0894 0x1768  System UUID: {D010987F-AE6A-94AE-D4EE-54445BC27D02}
15:52:28.0944 0x1768  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 ( 465.76 Gb ), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
15:52:28.0984 0x1768  ============================================================
15:52:28.0984 0x1768  \Device\Harddisk0\DR0:
15:52:28.0984 0x1768  MBR partitions:
15:52:28.0984 0x1768  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:52:28.0984 0x1768  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x37398800
15:52:28.0984 0x1768  ============================================================
15:52:29.0024 0x1768  C: <-> \Device\Harddisk0\DR0\Partition2
15:52:29.0054 0x1768  E: <-> \Device\Harddisk0\DR0\Partition1
15:52:29.0054 0x1768  ============================================================
15:52:29.0054 0x1768  Initialize success
15:52:29.0054 0x1768  ============================================================
15:52:48.0644 0x0b48  ============================================================
15:52:48.0644 0x0b48  Scan started
15:52:48.0644 0x0b48  Mode: Manual; SigCheck; TDLFS;
15:52:48.0644 0x0b48  ============================================================
15:52:48.0644 0x0b48  KSN ping started
15:52:51.0534 0x0b48  KSN ping finished: true
15:52:58.0114 0x0b48  ================ Scan system memory ========================

<snip>

15:54:39.0604 0x0b48  ============================================================
15:54:39.0604 0x0b48  Scan finished
15:54:39.0604 0x0b48  ============================================================
15:54:39.0614 0x137c  Detected object count: 0
15:54:39.0614 0x137c  Actual detected object count: 0
15:56:27.0074 0x19d0  Deinitialize success

__________________________________________________________________________________________________________________________

I also ran the Emsisoft Emergency Kit program, which detected and quarantined one file - C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe, which it identified as Application.Win32.InstallTool (A).  This file appears to be related to the Zone Alarm Free Firewall.

The program interface did not seem to generate a log and the export function was not available.  However, I found the following log file in the C:\EEK\bin\Reports folder:

a2scan_150519-161831.txt

Emsisoft Emergency Kit - Version 9.0
Last update: 19/05/2015 16:17:03
User account: SAMSUNG-LAPTOP\Bob Lucas

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, E:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 19/05/2015 16:18:31
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe  detected: Application.Win32.InstallTool (A)

Scanned 285005
Found 1

Scan end: 19/05/2015 18:11:10
Scan time: 1:52:39

C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe Quarantined Application.Win32.InstallTool (A)

Quarantined 1
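The post above suspects that the Software Restriction Policy (SRP) path rules kept under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers (added to block CryptoLocker) were what blocked the TDSSKiller driver. Rather than deleting the rules to find out, a defender can list them and see which one matches the blocked executable. The PowerShell below is an added example, not code from the thread, from Kaspersky or from Microsoft; it assumes the standard SRP registry layout, and the candidate path it tests is a constructed stand-in for the blocked tool.

```powershell
# Added example: enumerate SRP path rules and report which ones would match a given path.
# SRP stores rules under CodeIdentifiers\<security level>\Paths\<GUID>, with the pattern
# in ItemData. Level values are the SAFER_LEVELID_* constants from winsafer.h.
$SrpLevels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}
$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpPathRule {
    # Returns one object per path rule, across every security level that has rules.
    foreach ($level in $SrpLevels.Keys) {
        $pathsKey = Join-Path $SrpBase "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $props = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = $SrpLevels[$level]
                Pattern     = [string]$props.ItemData
                Description = [string]$props.Description
                RuleKey     = $rule.PSChildName
            }
        }
    }
}

function Test-SrpPathMatch {
    param([string]$Pattern, [string]$Path)
    # Expand %AppData%-style variables the way SRP does, then apply the rule as a
    # wildcard. A folder rule (no * or ?) covers everything beneath that folder.
    # Approximation: PowerShell's * also crosses directory separators, so a rule
    # such as %AppData%\*.exe is matched slightly more broadly than SRP itself would.
    $expanded = [Environment]::ExpandEnvironmentVariables($Pattern)
    if ($expanded -notmatch '[\*\?]') { $expanded = $expanded.TrimEnd('\') + '*' }
    return ($Path -like $expanded)
}

# Constructed example: an executable unpacked into the user's temp folder, which is
# where CryptoLocker-era SRP rules typically disallow *.exe.
$candidate = Join-Path $env:TEMP 'example-tool.exe'

Write-Host "SRP path rules that would apply to $candidate"
Get-SrpPathRule |
    Where-Object { Test-SrpPathMatch -Pattern $_.Pattern -Path $candidate } |
    Format-Table Level, Pattern, Description -AutoSize
```

If the matching rule is in the Disallowed level, adding an Unrestricted path rule (or a hash or certificate rule) for the specific tool is the narrower fix; the blanket rules can then stay in place.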

 



#4 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,713 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:02:25 PM

Posted 20 May 2015 - 11:02 AM

Please run AdwCleaner
 
Please download AdwCleaner and install it.
 
When AdwCleaner opens you will see an image like the one below.
 
[image: AdwCleaner window]
 
Click on Scan to start the scan.
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.  
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.

Edited by dc3, 20 May 2015 - 11:07 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#5 BobTroll

BobTroll
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, UK
  • Local time:10:25 PM

Posted 20 May 2015 - 11:52 AM

AdwCleaner found nothing.  This is the log:

 

# AdwCleaner v4.204 - Logfile created 20/05/2015 at 17:43:22
# Updated 12/05/2015 by Xplode
# Database : 2015-05-20.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Bob Lucas - SAMSUNG-LAPTOP
# Running from : C:\Users\Bob Lucas\Downloads\AdwCleaner\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17801

-\\ Mozilla Firefox v38.0.1 (x86 en-US)

-\\ Google Chrome v43.0.2357.65

*************************

AdwCleaner[R0].txt - [1499 bytes] - [07/12/2013 13:00:34]
AdwCleaner[R10].txt - [2110 bytes] - [16/07/2014 17:35:05]
AdwCleaner[R11].txt - [2127 bytes] - [20/10/2014 19:18:06]
AdwCleaner[R12].txt - [3083 bytes] - [17/11/2014 15:27:18]
AdwCleaner[R13].txt - [3256 bytes] - [22/12/2014 16:13:59]
AdwCleaner[R14].txt - [3378 bytes] - [18/01/2015 14:14:27]
AdwCleaner[R15].txt - [3541 bytes] - [25/01/2015 09:49:49]
AdwCleaner[R16].txt - [3389 bytes] - [18/02/2015 10:24:58]
AdwCleaner[R17].txt - [20592 bytes] - [20/04/2015 16:40:42]
AdwCleaner[R18].txt - [20653 bytes] - [20/04/2015 17:03:09]
AdwCleaner[R19].txt - [3678 bytes] - [17/05/2015 19:01:53]
AdwCleaner[R1].txt - [1069 bytes] - [10/12/2013 11:32:56]
AdwCleaner[R20].txt - [2903 bytes] - [20/05/2015 17:37:34]
AdwCleaner[R2].txt - [1130 bytes] - [10/12/2013 11:52:05]
AdwCleaner[R3].txt - [1090 bytes] - [10/12/2013 12:42:10]
AdwCleaner[R4].txt - [1210 bytes] - [10/12/2013 12:51:45]
AdwCleaner[R5].txt - [1272 bytes] - [17/12/2013 21:57:57]
AdwCleaner[R6].txt - [1333 bytes] - [17/01/2014 10:47:46]
AdwCleaner[R7].txt - [1608 bytes] - [18/03/2014 16:59:15]
AdwCleaner[R8].txt - [1668 bytes] - [18/03/2014 17:05:16]
AdwCleaner[R9].txt - [2093 bytes] - [17/05/2014 09:44:39]
AdwCleaner[S0].txt - [1545 bytes] - [07/12/2013 13:01:44]
AdwCleaner[S10].txt - [3450 bytes] - [18/01/2015 14:18:06]
AdwCleaner[S11].txt - [3615 bytes] - [25/01/2015 09:56:56]
AdwCleaner[S12].txt - [3464 bytes] - [18/02/2015 10:28:34]
AdwCleaner[S13].txt - [4263 bytes] - [20/04/2015 17:05:39]
AdwCleaner[S14].txt - [3751 bytes] - [17/05/2015 19:05:35]
AdwCleaner[S15].txt - [2296 bytes] - [20/05/2015 17:43:22]
AdwCleaner[S1].txt - [1196 bytes] - [10/12/2013 11:56:31]
AdwCleaner[S2].txt - [1152 bytes] - [10/12/2013 12:43:56]
AdwCleaner[S3].txt - [1394 bytes] - [17/01/2014 10:49:12]
AdwCleaner[S4].txt - [1692 bytes] - [18/03/2014 17:06:40]
AdwCleaner[S5].txt - [2162 bytes] - [17/05/2014 09:45:58]
AdwCleaner[S6].txt - [2176 bytes] - [16/07/2014 17:37:15]
AdwCleaner[S7].txt - [1986 bytes] - [20/10/2014 19:21:37]
AdwCleaner[S8].txt - [3153 bytes] - [17/11/2014 15:30:59]
AdwCleaner[S9].txt - [3326 bytes] - [22/12/2014 16:18:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S15].txt - [2887  bytes] ##########



#6 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,713 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:02:25 PM

Posted 20 May 2015 - 12:10 PM

How is the computer running?



#7 BobTroll

BobTroll
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, UK
  • Local time:10:25 PM

Posted 20 May 2015 - 01:20 PM

Everything seems to be working OK, with no unusual or excessive hard drive activity.

 

I am hoping the virus did nothing worse than harvesting the account details and password for one Hotmail account.  None of my other email accounts show any unauthorised activity.



#8 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,713 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:02:25 PM

Posted 20 May 2015 - 02:30 PM

Sounds good.  Let me know if you experience any other problems.



#9 BobTroll

BobTroll
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, UK
  • Local time:10:25 PM

Posted 21 May 2015 - 06:06 AM

Thank you very much.  I am relieved that none of your programs has detected any problems on my computer.





