
Virus infection


  • This topic is locked
32 replies to this topic

#1 famori


  • Members
  • 17 posts

Posted 02 June 2015 - 08:43 AM

Hi everyone,

 

First of all, I'm sorry for my not so good English, as my mother language is Italian.

 

A couple of days ago, while surfing, I got a popup message from the police (with logo) which warned me to pay a certain amount of money as the PC had been blocked because of breaking the law, bla bla... I suddenly realized that it was malware or similar and I did a Google search to learn more.

It seems that I got a kind of trojan virus, and actually I can't reboot the PC in Safe Mode as the virus doesn't allow it. Unable to remove it in Safe Mode, I read a guide in Italian that explained how to use ComboFix, which I did; now I have the log.

What's next step?

 

Thanks in advance

 

Fabio





#2 famori

  • Topic Starter

  • Members
  • 17 posts

Posted 04 June 2015 - 12:14 PM

Can anyone help, please?

 

Here I'm posting the ComboFix log file:

 

ComboFix 15-05-31.01 - Fabio 02/06/2015  13.09.37.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.39.1040.18.3066.1558 [GMT 2:00]
Eseguito da: c:\users\Fabio\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\windows\msdownld.tmp
c:\windows\system32\AdobePDF.dll
.
.
(((((((((((((((((((((((((   Files Creati Da 2015-05-02 al 2015-06-02  )))))))))))))))))))))))))))))))))))
.
.
2015-06-02 12:08 . 2015-06-02 12:08 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2015-06-02 12:08 . 2015-06-02 12:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-06-02 08:45 . 2015-05-03 03:42 9265072 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DA223909-C5C9-4EF7-A7E9-85FD3823C418}\mpengine.dll
2015-05-15 02:01 . 2015-04-30 16:03 279040 ----a-w- c:\windows\system32\schannel.dll
2015-05-15 01:51 . 2015-04-19 21:24 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2015-05-15 01:51 . 2015-04-19 21:24 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2015-05-15 01:51 . 2015-04-19 21:24 189952 ----a-w- c:\windows\system32\d3d10core.dll
2015-05-15 01:51 . 2015-04-19 20:18 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2015-05-15 01:51 . 2015-04-19 20:13 682496 ----a-w- c:\windows\system32\d2d1.dll
2015-05-15 01:51 . 2015-04-19 21:24 1029120 ----a-w- c:\windows\system32\d3d10.dll
2015-05-15 01:51 . 2015-04-19 20:19 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2015-05-15 01:50 . 2015-04-19 04:59 2065408 ----a-w- c:\windows\system32\win32k.sys
2015-05-15 01:50 . 2015-04-19 20:12 801792 ----a-w- c:\windows\system32\FntCache.dll
2015-05-15 01:50 . 2015-04-19 20:12 1072640 ----a-w- c:\windows\system32\DWrite.dll
2015-05-15 01:45 . 2015-04-30 13:14 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-15 01:43 . 2015-04-08 01:11 939008 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2015-05-15 01:43 . 2015-04-07 23:35 1850880 ----a-w- c:\program files\Windows Journal\Journal.exe
2015-05-15 01:43 . 2015-04-08 01:11 1219584 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2015-05-15 01:43 . 2015-04-08 01:11 985088 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2015-05-15 01:43 . 2015-04-08 01:11 967168 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2015-05-15 01:11 . 2015-04-10 23:22 279552 ----a-w- c:\windows\system32\services.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-05-02 17:34 . 2014-10-20 18:03 96352 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-04-15 08:20 . 2012-05-26 09:05 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-04-15 08:20 . 2011-06-19 06:29 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-04-14 00:35 . 2015-04-14 00:35 875720 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2015-04-14 00:35 . 2015-04-14 00:35 536776 ----a-w- c:\windows\system32\msvcp120_clr0400.dll
2015-03-14 02:21 . 2015-04-16 01:17 1205168 ----a-w- c:\windows\system32\ntdll.dll
2015-03-13 01:51 . 2015-04-16 01:17 3604920 ----a-w- c:\windows\system32\ntkrnlpa.exe
2015-03-13 01:51 . 2015-04-16 01:17 3552184 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-03-09 01:01 . 2015-04-16 01:49 1249280 ----a-w- c:\windows\system32\msxml3.dll
2015-03-05 02:32 . 2015-04-16 01:19 244152 ----a-w- c:\windows\system32\clfs.sys
2015-03-05 02:24 . 2015-04-16 01:22 297984 ----a-w- c:\windows\system32\gdi32.dll
2015-03-05 02:23 . 2015-04-16 01:19 57344 ----a-w- c:\windows\system32\clfsw32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-10-27 10:05 40496 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]
"Software Suite"="c:\program files\Packard Bell\Software Suite\PBSoftSuite.exe" [2009-10-01 3144736]
"Packard Bell Software Suite"="c:\program files\Packard Bell\Software Suite\PBSoftSuite.exe" [2009-10-01 3144736]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-10-31 59720]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-12-11 30877280]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2014-10-30 4826904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2009-01-20 156968]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2009-01-20 202024]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-27 30192]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-14 6814240]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-14 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-19 866824]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-02-17 248576]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTray.exe" [2009-02-19 707104]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2008-10-27 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2008-10-27 346672]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-12-26 173288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-03-20 60712]
"PosService"="c:\users\Public\Documents\AppData\PoApp\PLauncher.exe" [2011-12-16 218624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-11-16 3117384]
"ataDaemon"="c:\program files\AliceTiAiuta\McciTrayApp.exe" [2007-10-17 1007504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
"ApnTBMon"="c:\program files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" [2015-04-28 2004360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-04-06 157480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-04-30 334896]
.
c:\users\Fabio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitora avvisi inchiostro - HP Officejet 4630 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet 4630 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN46K3B2320628;CONNECTION=USB;MONITOR=1; [2006-11-2 44544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-05-25 18:27 986440 ----a-w- c:\program files\Google\Chrome\Application\43.0.2357.81\Installer\chrmstp.exe
.
Contenuto della cartella 'Scheduled Tasks'
.
2015-06-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-26 08:20]
.
2015-06-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000Core.job
- c:\users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-18 21:31]
.
2015-06-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000UA.job
- c:\users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-18 21:31]
.
2015-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-05-31 10:34]
.
2015-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-05-31 10:34]
.
.
------- Scansione supplementare -------
.
mStart Page = hxxp://search.findeer.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{21FCF16E-41C2-4311-9CDA-660CC06DCB9F}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{3a539854-6a70-11db-887c-806e6f6e6963}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{5EDC29D6-919D-4A83-B530-EFF32CED60EF}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{C50B5E64-FEB9-43A5-8D7F-A5168348F856}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{DCB3032F-3001-4F81-A539-A9BE4A4F84E2}: NameServer = 8.8.8.8,8.8.4.4
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
c:\users\Fabio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk - c:\program files\Convesoft\Orion\Messenger.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Alice Ti Aiuta - c:\program files\AliceTiAiuta\Disinstalla Alice Ti Aiuta
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-06-02 14:08
Windows 6.0.6002 Service Pack 2 NTFS
.
scansione processi nascosti ... 
.
scansione entrate autostart nascoste ... 
.
Scansione files nascosti ... 
.
.
c:\users\Fabio\AppData\Local\Temp\catchme.dll 53248 bytes executable
c:\windows\TEMP\TMP0000008AB4918B313FE1EBAE 524288 bytes
.
Scansione completata con successo
Files nascosti: 2
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-13207523-3163739043-1031859072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ò%7']
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-13207523-3163739043-1031859072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ò%7'\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Ora fine scansione: 2015-06-02  14:13:36
ComboFix-quarantined-files.txt  2015-06-02 12:13
.
Pre-Run: 335.409.065.984 byte disponibili
Post-Run: 334.358.151.168 byte disponibili
.
- - End Of File - - EC5400382F57680CA0FC5DA2D301E937
BEEDF9B7F43A72A91456F7131AFC11B2
 
Thank you,


#3 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,769 posts

Posted 07 June 2015 - 08:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/578171 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 famori

  • Topic Starter

  • Members
  • 17 posts

Posted 07 June 2015 - 11:22 AM

1. A couple of days ago, while surfing, I got a popup message from the police (with logo) which warned me to pay a certain amount of money as the PC had been blocked because of breaking the law, bla bla... I suddenly realized that it was malware or similar and I did a Google search to learn more.

It seems that I got a kind of trojan virus, and actually I can't reboot the PC in Safe Mode as the virus doesn't allow it.

 

2. Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-06-2015

Ran by Fabio (administrator) on PC-FABIO on 07-06-2015 17:15:23
Running from C:\Users\Fabio\Downloads
Loaded Profiles: Fabio (Available Profiles: Fabio)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: Italiano (Italia)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(CyberLink Corp.) C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
(CyberLink) C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
() C:\Windows\PLFSetI.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Agere Systems) C:\Windows\System32\agrsmsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Motive Communications, Inc.) C:\Program Files\Common Files\Motive\McciCMService.exe
(EgisTec Inc.) C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe
(NewTech Infosystems, Inc.) C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
(NewTech Infosystems, Inc.) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
(Packard Bell Services) C:\Program Files\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Realtek Semiconductor Corp.) C:\Users\Fabio\AppData\Local\Temp\RtkBtMnt.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\LManager.exe
(NewTech Infosystems, Inc.) C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
(Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
(EgisTec Inc.) C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe
(EgisTec Inc.) C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
(Acer Corp.) C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Motive Communications, Inc.) C:\Program Files\AliceTiAiuta\McciTrayApp.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Nikon Corporation) C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(PService) C:\Users\Public\Documents\AppData\PoApp\PService.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Software Suite\pbDevDetect.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ArcadeDeluxeAgent] => C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe [156968 2009-01-21] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] => C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe [202024 2009-01-21] (CyberLink)
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-27] (Google)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6814240 2009-02-14] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-02-14] (Realtek Semiconductor Corp.)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1410344 2008-12-05] (Synaptics, Inc.)
HKLM\...\Run: [LManager] => C:\Program Files\Launch Manager\LManager.exe [866824 2009-02-19] (Dritek System Inc.)
HKLM\...\Run: [BackupManagerTray] => C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [248576 2009-02-17] (NewTech Infosystems, Inc.)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe [707104 2009-02-19] (Acer Incorporated)
HKLM\...\Run: [EgisTecLiveUpdate] => C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe [199464 2008-10-27] (EgisTec Inc.)
HKLM\...\Run: [mwlDaemon] => C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [346672 2008-10-27] (EgisTec Inc.)
HKLM\...\Run: [PlayMovie] => C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe [173288 2008-12-26] (Acer Corp.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM\...\Run: [PosService] => C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe [218624 2011-12-16] (PLauncher)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117384 2012-11-16] (ESET)
HKLM\...\Run: [ataDaemon] => C:\Program Files\AliceTiAiuta\McciTrayApp.exe [1007504 2007-10-17] (Motive Communications, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-04-07] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [ProductReg] => C:\Program Files\Acer\WR_PopUp\ProductReg.exe [135168 2008-11-17] (Acer)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [Software Suite] => C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe [3144736 2009-10-01] (Acer Incorporated)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [Packard Bell Software Suite] => C:\Program Files\Packard Bell\Software Suite\PBSoftSuite.exe [3144736 2009-10-01] (Acer Incorporated)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [ISUSPM] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [205480 2007-08-30] (Macrovision Corporation)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [Xvid] => C:\Program Files\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [ApplePhotoStreams] => C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-10-31] (Apple Inc.)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [30877280 2014-12-11] (Skype Technologies S.A.)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-30] (Piriform Ltd)
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-07-27] (Google)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2010-07-25]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk [2010-08-08]
ShortcutTarget: Nikon Monitor.lnk -> C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
Startup: C:\Users\Fabio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitora avvisi inchiostro - HP Officejet 4630 series.lnk [2015-01-02]
ShortcutTarget: Monitora avvisi inchiostro - HP Officejet 4630 series.lnk -> C:\Program Files\HP\HP Officejet 4630 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll [2008-10-27] (EgisTec Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/?pc=UP97&ocid=UP97DHP
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> 5DF4658E8B3F4AA282F81ECA5103FCF1 URL = 
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=101293&mntrId=50e534e50000000000000022fa120a48
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=RQCHeMCo8CVjN151HvfRHkHmgcw?q={searchTerms}
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> {AE45FD87-4074-4F08-83BB-6FACB170F3D8} URL = http://it.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=971163&p={searchTerms}
SearchScopes: HKU\S-1-5-21-13207523-3163739043-1031859072-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://it.search.yahoo.com/search?p={searchTerms}&fr=chr-flv
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-02] (Oracle Corporation)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-02] (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-09] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{21FCF16E-41C2-4311-9CDA-660CC06DCB9F}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{3a539854-6a70-11db-887c-806e6f6e6963}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{5EDC29D6-919D-4A83-B530-EFF32CED60EF}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{C50B5E64-FEB9-43A5-8D7F-A5168348F856}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{DCB3032F-3001-4F81-A539-A9BE4A4F84E2}: [NameServer] 8.8.8.8,8.8.4.4
 
FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-02] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-02] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-20] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-20] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-13207523-3163739043-1031859072-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Fabio\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-07-24]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2013-01-19]
 
Chrome: 
=======
CHR Profile: C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-31]
CHR Extension: (Google Drive) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-31]
CHR Extension: (YouTube) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-31]
CHR Extension: (Google Search) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-31]
CHR Extension: (Bookmark Manager) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-17]
CHR Extension: (Skype Click to Call) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-05-31]
CHR Extension: (Google Wallet) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-31]
CHR Extension: (Gmail) - C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-31]
CHR HKLM\...\Chrome\Extension: [aaaaahlfahldnilidgnlikdckbfehhca] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [75048 2008-12-18] ()
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913184 2012-11-16] (ESET)
R2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [666144 2009-02-19] (Acer Incorporated)
R2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [860160 2008-10-16] (Intel® Corporation) [File not signed]
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-27] (Google)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-03-13] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-03-13] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [303104 2007-09-07] (Motive Communications, Inc.) [File not signed]
R2 MWLService; C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [306736 2008-10-27] (EgisTec Inc.)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NTI IScheduleSvc; C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [44800 2009-02-17] (NewTech Infosystems, Inc.)
R2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [144632 2008-09-23] (NewTech Infosystems, Inc.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S2 PowerOffer Service; C:\Users\Fabio\AppData\Local\PosService\Pos.exe [164352 2011-12-16] (PowerOfferService) [File not signed]
R2 PowerSave; C:\Program Files\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [1002016 2009-04-06] (Packard Bell Services)
R2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [466944 2008-10-16] (Intel® Corporation) [File not signed]
S2 ServUpdater; C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe [156160 2011-12-16] (ServiceUpd) [File not signed]
R3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)
S2 RoxLiveShare9; No ImagePath
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169120 2012-11-16] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [103112 2012-03-14] (ESET)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [19712 2007-10-12] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [18304 2007-10-12] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R2 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [19504 2008-10-09] (Egis Incorporated.)
R2 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16432 2008-10-09] (Egis Incorporated.)
R2 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [59952 2008-10-09] (Egis Incorporated.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-21] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Fabio\AppData\Local\Temp\catchme.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; No ImagePath
S3 hwusbfake; system32\DRIVERS\ewusbfake.sys [X]
S3 IpInIp; No ImagePath
S3 lmimirr; No ImagePath
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 NwlnkFlt; No ImagePath
S3 NwlnkFwd; No ImagePath
S3 RimUsb; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-07 17:14 - 2015-06-07 17:15 - 00000000 ____D C:\FRST
2015-06-07 17:12 - 2015-06-07 17:12 - 01147904 _____ (Farbar) C:\Users\Fabio\Downloads\FRST.exe
2015-06-07 17:10 - 2015-06-07 17:15 - 00024400 _____ C:\Users\Fabio\Downloads\FRST.txt
2015-06-04 20:02 - 2015-06-04 20:02 - 01600288 _____ (NCH Software) C:\Users\Fabio\Downloads\debutpsetup.exe
2015-06-02 14:13 - 2015-06-02 14:13 - 00012941 _____ C:\ComboFix.txt
2015-06-02 13:04 - 2015-06-02 14:13 - 00000000 ____D C:\Qoobox
2015-06-02 13:04 - 2015-06-02 14:13 - 00000000 ____D C:\ComboFix
2015-06-02 13:04 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-02 13:04 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-02 13:04 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-02 13:04 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-02 13:04 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-02 13:04 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-02 13:04 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-02 13:04 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-02 13:03 - 2015-06-02 14:10 - 00000000 ____D C:\Windows\erdnt
2015-06-02 12:37 - 2015-06-02 12:39 - 05628238 ____R (Swearware) C:\Users\Fabio\Downloads\ComboFix.exe
2015-05-31 19:48 - 2015-05-31 19:48 - 00001824 _____ C:\Users\Fabio\Downloads\StartProRealTime (31).jnlp
2015-05-25 19:13 - 2015-05-25 19:13 - 00001825 _____ C:\Users\Fabio\Downloads\StartProRealTime (30).jnlp
2015-05-15 04:20 - 2015-06-02 14:25 - 00006994 _____ C:\Windows\PFRO.log
2015-05-15 04:01 - 2015-04-30 18:03 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-05-15 03:51 - 2015-04-19 23:24 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2015-05-15 03:51 - 2015-04-19 23:24 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2015-05-15 03:51 - 2015-04-19 23:24 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2015-05-15 03:51 - 2015-04-19 23:24 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2015-05-15 03:51 - 2015-04-19 22:19 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-05-15 03:51 - 2015-04-19 22:18 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2015-05-15 03:51 - 2015-04-19 22:13 - 00682496 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-05-15 03:50 - 2015-04-19 22:12 - 01072640 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-15 03:50 - 2015-04-19 22:12 - 00801792 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-15 03:50 - 2015-04-19 06:59 - 02065408 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-15 03:45 - 2015-04-30 15:14 - 00102608 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-15 03:11 - 2015-04-11 01:22 - 00279552 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-14 10:50 - 2015-04-10 17:30 - 12379136 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-05-14 10:50 - 2015-04-10 17:25 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-05-14 10:50 - 2015-04-10 17:25 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-05-14 10:50 - 2015-04-10 17:24 - 09750528 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-14 10:50 - 2015-04-10 17:21 - 01139200 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-14 10:50 - 2015-04-10 17:20 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-14 10:50 - 2015-04-10 17:20 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 00421888 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-05-14 10:50 - 2015-04-10 17:19 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-05-14 10:50 - 2015-04-10 17:19 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-05-14 10:50 - 2015-04-10 17:18 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-05-14 10:50 - 2015-04-10 17:18 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-05-14 10:50 - 2015-04-10 17:18 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-05-14 10:50 - 2015-04-10 17:18 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-05-14 10:50 - 2015-04-10 17:18 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-05-14 10:50 - 2015-04-10 17:18 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-05-14 10:50 - 2015-04-10 17:18 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-07 17:12 - 2006-11-02 14:47 - 00003344 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-07 17:12 - 2006-11-02 14:47 - 00003344 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-07 17:04 - 2014-05-31 12:34 - 00001138 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-07 17:04 - 2012-06-16 08:35 - 00000978 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-07 17:04 - 2012-03-19 00:26 - 00001178 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000UA.job
2015-06-07 17:04 - 2010-07-31 20:29 - 00000000 ____D C:\Users\Fabio\AppData\Roaming\Skype
2015-06-07 17:04 - 2010-07-23 11:56 - 00031871 _____ C:\ProgramData\nvModes.001
2015-06-07 17:04 - 2010-07-23 04:04 - 01263426 _____ C:\Windows\WindowsUpdate.log
2015-06-07 10:50 - 2012-03-19 00:26 - 00001156 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000Core.job
2015-06-06 19:27 - 2014-05-31 12:34 - 00001134 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-06 14:11 - 2010-07-23 11:56 - 00031871 _____ C:\ProgramData\nvModes.dat
2015-06-02 17:12 - 2006-11-02 15:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-02 17:09 - 2006-11-02 15:01 - 00032548 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-06-02 14:13 - 2006-11-02 13:18 - 00000000 __RHD C:\Users\Default
2015-06-02 14:13 - 2006-11-02 13:18 - 00000000 ___RD C:\Users\Public
2015-06-02 14:08 - 2006-11-02 12:23 - 00000215 _____ C:\Windows\system.ini
2015-05-25 20:31 - 2014-05-31 12:37 - 00001933 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-17 11:45 - 2009-02-25 10:42 - 00717898 _____ C:\Windows\system32\perfh010.dat
2015-05-17 11:45 - 2009-02-25 10:42 - 00144366 _____ C:\Windows\system32\perfc010.dat
2015-05-17 11:45 - 2006-11-02 12:33 - 01614048 _____ C:\Windows\system32\PerfStringBackup.INI
2015-05-15 04:43 - 2006-11-02 13:18 - 00000000 ____D C:\Windows\Microsoft.NET
2015-05-15 04:22 - 2006-11-02 14:47 - 00397664 _____ C:\Windows\system32\FNTCACHE.DAT
2015-05-15 04:20 - 2010-07-30 14:26 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-05-15 04:18 - 2006-11-02 14:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2015-05-15 04:18 - 2006-11-02 14:37 - 00000000 ____D C:\Program Files\Windows Journal
2015-05-15 04:00 - 2009-02-25 03:05 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-05-15 03:43 - 2013-07-18 03:01 - 00000000 ____D C:\Windows\system32\MRT
2015-05-15 03:15 - 2006-11-02 12:24 - 137310008 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-05-15 03:09 - 2010-07-30 14:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
 
==================== Files in the root of some directories =======
 
2010-08-08 22:53 - 2010-08-08 22:53 - 0000268 ___RH () C:\Users\Fabio\AppData\Roaming\Chorus
2011-10-17 08:01 - 2011-10-17 08:15 - 0000053 _____ () C:\Users\Fabio\AppData\Roaming\mainhst.zgh
2010-07-31 20:40 - 2014-10-11 20:10 - 0000274 _____ () C:\Users\Fabio\AppData\Roaming\wklnhst.dat
2010-07-23 12:49 - 2014-10-13 21:03 - 0008268 _____ () C:\Users\Fabio\AppData\Local\d3d9caps.dat
2010-07-31 10:54 - 2015-04-11 11:12 - 0082944 _____ () C:\Users\Fabio\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-12 10:10 - 2014-08-12 10:10 - 0000000 _____ () C:\Users\Fabio\AppData\Local\{3A95B3F7-441D-4368-9C13-584502262501}
2015-01-02 20:01 - 2015-01-02 20:01 - 0000057 _____ () C:\ProgramData\Ament.ini
2010-08-08 22:53 - 2010-08-08 22:53 - 0000268 ___RH () C:\ProgramData\Clips
2010-08-08 22:53 - 2010-08-08 22:53 - 0000012 ___RH () C:\ProgramData\Command Line Utility
2010-07-31 20:31 - 2010-07-31 20:31 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2013-11-06 21:02 - 2014-12-09 10:21 - 0001510 _____ () C:\ProgramData\hpzinstall.log
2010-07-23 11:56 - 2015-06-07 17:04 - 0031871 _____ () C:\ProgramData\nvModes.001
2010-07-23 11:56 - 2015-06-06 14:11 - 0031871 _____ () C:\ProgramData\nvModes.dat
2010-08-08 22:53 - 2013-07-17 19:23 - 0000020 ____H () C:\ProgramData\PKP_DLdu.DAT
 
Some files in TEMP:
====================
C:\Users\Fabio\AppData\Local\Temp\RtkBtMnt.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-02 17:18
 
==================== End of log ============================
 
3. I do not have a Windows CD/DVD available.
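As an added illustration of how a malware responder reads a Services/Drivers section like the one above (this is example code written for this page, not part of the thread and not an FRST or BleepingComputer tool), the script below parses FRST service and driver lines and applies three simple heuristics: an unsigned binary registered from a user-writable location (AppData, Temp, ProgramData) is the first thing to look at; a service whose ImagePath is empty or whose file is gone ("No ImagePath", "[X]") is a leftover, not running code; an unsigned binary in a normal install location is low priority because old OEM software is often unsigned. The sample lines are copied from the FRST.txt posted above. The severity labels, the `USER_WRITABLE` directory list and the regular expressions are this example's own assumptions, and a HIGH result is a reason to investigate, not a verdict that the software is malicious.

```python
import re
from typing import Dict, Optional, Tuple

# Sample input: lines copied verbatim from the Services and Drivers sections of the
# FRST.txt posted in this thread (a subset of that log, not a constructed one).
SAMPLE_LOG = r"""
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913184 2012-11-16] (ESET)
R2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [860160 2008-10-16] (Intel® Corporation) [File not signed]
S2 PowerOffer Service; C:\Users\Fabio\AppData\Local\PosService\Pos.exe [164352 2011-12-16] (PowerOfferService) [File not signed]
S2 ServUpdater; C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe [156160 2011-12-16] (ServiceUpd) [File not signed]
R3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)
S2 RoxLiveShare9; No ImagePath
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169120 2012-11-16] (ESET)
S3 catchme; \??\C:\Users\Fabio\AppData\Local\Temp\catchme.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 IpInIp; No ImagePath
"""

# "R2 name; details": state letter, start-type digit, service name, rest of the line.
ENTRY_RE = re.compile(r"^([RSU])(\d)\s+([^;]+);\s*(.*)$")
# "path [size date] (signer) [File not signed]": signer and the unsigned marker are optional.
DETAIL_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]"
    r"\s*(?:\((?P<signer>[^)]*)\))?\s*(?P<unsigned>\[File not signed\])?\s*$"
)
# "path [X]": FRST's marker for an ImagePath whose file is no longer on disk.
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+\[X\]$")

# Assumed heuristic: directories a legitimate installer almost never uses for a service binary.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def parse_line(line: str) -> Optional[dict]:
    """Parse one FRST service/driver line into a dict; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"state": m.group(1), "start": int(m.group(2)), "name": m.group(3).strip(),
             "path": None, "signer": None, "signed": False, "missing": False}
    rest = m.group(4)
    if rest == "No ImagePath":
        entry["missing"] = True
        return entry
    mm = MISSING_RE.match(rest)
    if mm:
        # Strip the NT object-manager prefix (\??\) so path heuristics see a plain drive path.
        entry.update(path=mm.group("path").replace("\\??\\", "", 1), missing=True)
        return entry
    d = DETAIL_RE.match(rest)
    if not d:
        return entry  # unknown layout: keep the name so the entry is not silently dropped
    entry.update(path=d.group("path"), signer=d.group("signer"),
                 signed=d.group("unsigned") is None)
    return entry


def triage(entry: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for entries worth a responder's attention, else None."""
    if entry["missing"]:
        return ("INFO", "orphaned entry: no ImagePath or file not on disk; leftover, not active code")
    path = (entry["path"] or "").lower()
    in_user_dir = any(marker in path for marker in USER_WRITABLE)
    if in_user_dir and not entry["signed"]:
        return ("HIGH", "unsigned service/driver binary under a user-writable path")
    if in_user_dir:
        return ("MEDIUM", "service/driver binary under a user-writable path")
    if not entry["signed"]:
        return ("LOW", "unsigned binary in a normal install location (common for old OEM software)")
    return None


def triage_log(text: str) -> Dict[str, Tuple[str, str]]:
    """Run triage over every entry line of an FRST log excerpt; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = triage(entry)
        if verdict:
            findings[entry["name"]] = verdict
    return findings


if __name__ == "__main__":
    for name, (sev, why) in sorted(triage_log(SAMPLE_LOG).items(), key=lambda kv: RANK[kv[1][0]]):
        print(f"{sev:6} {name}: {why}")
```

Run against the sample, the two entries it ranks HIGH are PowerOffer Service and ServUpdater: both unsigned, both registered from C:\Users\Fabio\AppData\Local, both dated 2011-12-16, which is exactly why a responder would ask about them before anything else in the list. The [X] and "No ImagePath" drivers (catchme, hwdatacard, IpInIp, RoxLiveShare9) are reported as INFO only, since there is no file behind them to execute. The same approach extends naturally to the IE Start Page and SearchScopes lines earlier in the log (for example a host allow-list that would surface search.findeer.com and search.babylon.com), but that check is not implemented here.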


#5 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender: Male
  • Location: BC, Canada
  • Local time: 11:47 AM

Posted 08 June 2015 - 01:39 AM

When you ran FRST, it should also have made an Addition.txt log file. Can you post that file, please?


Please do not ask for Malware help via PM (Private Messages). Please post in the forum boards instead. Thanks.


#6 famori
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time: 08:47 PM

Posted 08 June 2015 - 02:47 AM

Hello DB,

Thanks for helping. Here is the Addition.txt file:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 07-06-2015
Ran by Fabio at 2015-06-07 17:17:14
Running from C:\Users\Fabio\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-13207523-3163739043-1031859072-500 - Administrator - Disabled)
Fabio (S-1-5-21-13207523-3163739043-1031859072-1000 - Administrator - Enabled) => C:\Users\Fabio
Guest (S-1-5-21-13207523-3163739043-1031859072-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET NOD32 Antivirus 5.2 (Enabled - Up to date) {77DEAFED-8149-104B-25A1-21771CA47CD1}
AS: ESET NOD32 Antivirus 5.2 (Enabled - Up to date) {CCBF4E09-A773-1FC5-1F11-1A056723366C}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
5600 (Version: 82.0.242.000 - Hewlett-Packard) Hidden
5600_Help (Version: 82.0.242.000 - Hewlett-Packard) Hidden
5600Trb (Version: 82.0.242.000 - Hewlett-Packard) Hidden
Acer Arcade Deluxe (HKLM\...\InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}) (Version: 2.5.6121 - CyberLink Corp.)
Acer Arcade Deluxe (Version: 2.5.6121 - CyberLink Corp.) Hidden
Acer eRecovery Management (HKLM\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.00.3005 - Acer Incorporated)
Acer GridVista (HKLM\...\GridVista) (Version: 2.72.317 - )
Acer PowerSmart Manager (HKLM\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 4.01.3004 - Acer Incorporated)
Acer Product Registration (HKLM\...\{DA20E1A8-07CB-4EE7-9B72-A7E28C953F0E}) (Version: 3.0.0.10 - Acer Incorporated)
Acer ScreenSaver (HKLM\...\Acer Screensaver) (Version: 1.0.0.0226 - Acer)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 15.0.0.249 - Adobe Systems Incorporated)
Adobe Download Assistant (HKLM\...\com.adobe.downloadassistant.AdobeDownloadAssistant) (Version: 1.2.9 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 - Italiano (HKLM\...\{AC76BA86-7AD7-1040-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated\0)
AIO_CDB_ProductContext (Version: 82.0.242.000 - Hewlett-Packard) Hidden
AIO_CDB_Software (Version: 82.0.242.000 - Hewlett-Packard) Hidden
AIO_Scan (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Airport Mania First Flight (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11505173}) (Version:  - Oberon Media)
Alice Messenger (HKLM\...\Alice Messenger) (Version: 3.1.0.1 - Telecom Italia S.p.A.)
Apple Mobile Device Support (HKLM\...\{E1DB0812-2D60-43DB-AE09-6C7027D93B28}) (Version: 8.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVS Screen Capture version 2.0.1 (HKLM\...\AVS Screen Capture_is1) (Version:  - Online Media Technologies Ltd.)
AVS Update Manager 1.0 (HKLM\...\AVS Update Manager_is1) (Version:  - Online Media Technologies Ltd.)
AVS Video Converter 8 (HKLM\...\AVS4YOU Video Converter 7_is1) (Version:  - Online Media Technologies Ltd.)
AVS Video Editor 6 (HKLM\...\AVS Video Editor_is1) (Version:  - Online Media Technologies Ltd.)
AVS Video Recorder 2.5 (HKLM\...\AVS Video Recorder_is1) (Version:  - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.4 (HKLM\...\AVS4YOU Software Navigator_is1) (Version:  - Online Media Technologies Ltd.)
Backup Manager Basic (Version: 1.0.0.26 - NewTech Infosystems) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit NetLink Controller (HKLM\...\{9AF0B106-56F1-461B-A270-95BC1682E282}) (Version: 11.34.02 - Broadcom Corporation)
BufferChm (Version: 82.0.173.000 - Hewlett-Packard) Hidden
C:\Program Files\Acer GameZone\GameConsole (HKLM\...\{71C2828F-2678-4675-BDEC-895424861262}_is1) (Version: 2.0.1.5 - Oberon Media, Inc.)
Cake Mania 2 (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113297350}) (Version:  - Oberon Media)
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
Cooking Dash (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115443300}) (Version:  - Oberon Media)
Copy (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Cradle of Rome (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11219217}) (Version:  - Oberon Media)
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Dairy Dash (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115053100}) (Version:  - Oberon Media)
Danea Easyfatt 2006 (HKLM\...\Danea Easyfatt 2006) (Version: 21 - Danea Soft)
Destinations (Version: 82.0.173.000 - Hewlett-Packard) Hidden
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DocProc (Version: 8.1.0.0 - Hewlett-Packard) Hidden
DocProcQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Documatic (HKLM\...\{F958DA2E-388B-4DD9-96B2-237FCA6D8732}) (Version: 7.04.0001 - SoftWorks2000)
Dream Day Honeymoon (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113056167}) (Version:  - Oberon Media)
Dream Day Wedding (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112270203}) (Version:  - Oberon Media)
ESET NOD32 Antivirus (HKLM\...\{51D30FAC-95DC-4E28-A5F7-8D662608564C}) (Version: 5.2.15.1 - ESET, spol s r. o.)
eSobi v2 (Version: 2.0.3.000223 - esobi Inc.) Hidden
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Facebook Video Calling 3.1.0.521 (HKLM\...\{2091F234-EB58-4B80-8C96-8EB78C808CF7}) (Version: 3.1.521 - Skype Limited)
Fax (Version: 82.0.188.000 - Hewlett-Packard) Hidden
FLV Player 2.0 (build 25) (HKLM\...\FLV Player) (Version: 2.0 (build 25) - Martijn de Visser)
Galapago (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}) (Version:  - Oberon Media)
Google Chrome (HKLM\...\Google Chrome) (Version: 43.0.2357.81 - Google Inc.)
Google Desktop (HKLM\...\Google Desktop) (Version: 5.9.1005.12335 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP FWUpdateEDO2 (HKLM\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Imaging Device Functions 8.0 (HKLM\...\HP Imaging Device Functions) (Version: 8.0 - HP)
HP OCR Software 8.0 (HKLM\...\HPOCR) (Version: 8.0 - HP)
HP Officejet 4630 series Aiuto (HKLM\...\{8E307C4D-9499-4F2E-B031-ADFD0E9BA45E}) (Version: 31.0.0 - Hewlett Packard)
HP Officejet 4630 series Software di base dispositivo (HKLM\...\{A52731F3-4768-48B0-9C8D-6E81B889A682}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Solution Center 8.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 8.0 - HP)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (Version: 1.00.0001 - Microsoft) Hidden
HPProductAssistant (Version: 82.0.173.000 - Hewlett-Packard) Hidden
HPSSupply (HKLM\...\{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}) (Version: 2.1.3.0000 - Nome società)
I.R.I.S. OCR (HKLM\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
iCloud (HKLM\...\{79BD66B2-4DAE-4C3B-B08E-DC72E507C163}) (Version: 2.1.3.25 - Apple Inc.)
Installazione Guidata (HKLM\...\{83FAD26C-3CEA-4C41-B700-D916DA3943F4}) (Version:  - )
iTunes (HKLM\...\{CE1F04C7-79BC-4219-BE6A-BA490224D4B5}) (Version: 12.1.2.27 - Apple Inc.)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Jewel Quest Solitaire (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}) (Version:  - Oberon Media)
Launch Manager (HKLM\...\LManager) (Version: 2.0.02 - Acer Inc.)
Luxor 2 (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11170417}) (Version:  - Oberon Media)
Mahjong Escape Ancient China (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}) (Version:  - Oberon Media)
MarketResearch (Version: 82.0.174.000 - Hewlett-Packard) Hidden
MetaTrader - ActivTrades (HKLM\...\MetaTrader - ActivTrades) (Version: 4.00 - MetaQuotes Software Corp.)
MetaTrader 4.00 (HKLM\...\{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A}) (Version: 4.00 - MetaQuotes Software Corp.)
Microsoft .NET Framework 3.5 - Language Pack SP1 (italiano) (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - ita) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Italiano) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1040) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95140000-007A-0410-0000-0000000FF1CE}) (Version: 14.0.5118.5000 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (Italian) (HKLM\...\{95120000-00AF-0410-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Suite Activation Assistant (HKLM\...\{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}) (Version: 2.9 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual FoxPro 9.0 Professional - English (HKLM\...\Visual FoxPro 9.0 Professional - English) (Version:  - Microsoft)
Microsoft Works (HKLM\...\{34A08914-7A33-4040-A959-1577BF5AFF8A}) (Version: 9.7.0621 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyWinLocker (HKLM\...\{68301905-2DEA-41CE-A4D4-E8B443B099BA}) (Version: 3.1.36.0 - EgisTec)
Nikon Transfer (HKLM\...\{E9757890-7EC5-46C8-99AB-B00F07B6525C}) (Version: 1.0.2 - Nikon)
NTI Backup Now Standard (Version: 5.1.2.616 - NewTech Infosystems) Hidden
NTI Media Maker 8 (Version: 8.0.2.6509 - NewTech Infosystems) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - NVIDIA Corporation)
Ocean Express (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111232687}) (Version:  - Oberon Media)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Pacchetto di compatibilità per Office System 2007 (HKLM\...\{90120000-0020-0410-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Packard Bell Software Suite (HKLM\...\Packard Bell Software Suite) (Version: 2.01.3002 - Packard Bell)
Parking Dash (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11551977}) (Version:  - Oberon Media)
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 0.9.8 - Frank Heindörfer, Philip Chinery)
pdfforge Toolbar v4.7 (HKLM\...\{22CFB202-3D2D-44E2-BB7C-6F703B99919B}) (Version: 4.7 - Spigot, Inc.) <==== ATTENTION
PowerOffer 2.0 (HKLM\...\{0B500125-92A7-40BF-ACF0-45A9221ADE21}_is1) (Version: 2.0 - ) <==== ATTENTION
Puzzle Express (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110184263}) (Version:  - Oberon Media)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5791 - Realtek Semiconductor Corp.)
RTC Client API v1.3 msm (HKLM\...\{DF487E0B-8B2F-430B-A7F9-94DEF592555D}) (Version: 1.3 - Microsoft)
Safari (HKLM\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.13.13771 - Skype Technologies S.A.)
Skype™ 7.0 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Software Intel® PROSet/Wireless WiFi  (HKLM\...\{35C0A1E4-D02A-412C-841F-266DBB116ABB}) (Version: 12.02.0000 - Intel® Corporation)
SolutionCenter (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Splash Lite (HKLM\...\Mirillis Splash Lite) (Version: 1.8.0 - Mirillis)
Status (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Studio per il miglioramento dei prodotti HP Officejet 4630 series (HKLM\...\{3DEFDF6F-A6FE-49CA-81C6-2929A2ECF062}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
Supporto applicazioni Apple (32 bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Toolbox (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Tradewinds 2 (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11037623}) (Version:  - Oberon Media)
TrayApp (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Tri-Peaks Solitaire To Go (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111205743}) (Version:  - Oberon Media)
Turbo Pizza (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113009953}) (Version:  - Oberon Media)
UnloadSupport (Version: 1.00.0000 - Hewlett-Packard) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Uranium Backup (HKLM\...\Uranium Backup) (Version:  - )
Vlc versione 1.1.8 (HKLM\...\{3E70F8B2-2ADE-4F83-8AD8-BDB602985E98}_is1) (Version: 1.1.8 - VideoLan Player)
WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Wedding Dash (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113494430}) (Version:  - Oberon Media)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{C63A1E60-B6A4-440B-89A5-1FC6E4AC1C94}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{290F0D57-2D8C-4A17-8230-F12263173812}) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
WinRAR 4.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)
Xvid Video Codec (HKLM\...\Xvid Video Codec 1.3.2) (Version: 1.3.2 - Xvid Team)
Zuma Deluxe (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}) (Version:  - Oberon Media)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-13207523-3163739043-1031859072-1000_Classes\CLSID\{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}\localserver32 -> C:\Users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
CustomCLSID: HKU\S-1-5-21-13207523-3163739043-1031859072-1000_Classes\CLSID\{4052D303-74C5-49EA-BC6B-66099C8D4007}\InprocServer32 -> C:\Program Files\Google\Google Desktop Search\GoogleDesktopAPI2.dll (Google)
CustomCLSID: HKU\S-1-5-21-13207523-3163739043-1031859072-1000_Classes\CLSID\{49BBAA3C-C574-419E-8378-783C362E9C15}\InprocServer32 -> C:\Program Files\HP\Common\FWUpdateEDO2.dll (Hewlett-Packard Co.)
CustomCLSID: HKU\S-1-5-21-13207523-3163739043-1031859072-1000_Classes\CLSID\{5E71E4F3-E8C7-4906-9626-973E418762B6}\InprocServer32 -> C:\Users\Fabio\AppData\Local\Facebook\Update\1.2.205.0\goopdate.dll (Facebook Inc.)
CustomCLSID: HKU\S-1-5-21-13207523-3163739043-1031859072-1000_Classes\CLSID\{8B9F5BF4-0407-4BB2-9FED-4C0372DABD00}\localserver32 -> C:\Users\Fabio\AppData\Local\Facebook\Video\Skype\FacebookVideoCallingProxy.exe (Skype Limited)
CustomCLSID: HKU\S-1-5-21-13207523-3163739043-1031859072-1000_Classes\CLSID\{CBE9C57E-FFA9-4123-8354-AD360D6DD3CC}\InprocServer32 -> C:\Users\Fabio\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
 
==================== Restore Points =========================
 
26-05-2015 10:04:09 Windows Update
29-05-2015 21:40:54 Punto di controllo pianificato
30-05-2015 12:11:40 Punto di controllo pianificato
31-05-2015 20:47:29 Punto di controllo pianificato
02-06-2015 10:42:47 Windows Update
02-06-2015 17:04:14 Removed Shopping App by Ask
02-06-2015 17:06:00 Removed Search App by Ask
03-06-2015 12:08:52 Punto di controllo pianificato
05-06-2015 11:44:41 Punto di controllo pianificato
06-06-2015 12:01:33 Punto di controllo pianificato
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 12:23 - 2015-06-02 14:08 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {01B153A3-0DC7-4644-98DE-A98292E84409} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000Core => C:\Users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-11] (Facebook Inc.)
Task: {145E910A-D97A-4AD2-B232-5758FF0BB0BE} - System32\Tasks\HPCustParticipation HP Officejet 4630 series => C:\Program Files\HP\HP Officejet 4630 series\Bin\HPCustPartic.exe [2014-03-06] (Hewlett-Packard Co.)
Task: {3C3E8475-0031-441A-89BB-FBBF02476214} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {3DC89C35-5D9A-4D15-92C4-7DDDBD17CA7A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-05-31] (Google Inc.)
Task: {525A3240-20BD-4C43-AA8B-29F5C6EE9D69} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000UA => C:\Users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-11] (Facebook Inc.)
Task: {5441E1AB-8060-4EB0-A405-3D4B6CECEBAA} - System32\Tasks\Acer\Burn Notification => C:\Program Files\Acer\Acer eRecovery Management\NotificationCenter\Notification.exe [2009-02-05] (Acer)
Task: {78B70375-F855-4144-A12B-647572074A5E} - System32\Tasks\Apple Diagnostics => C:\Program Files\Common Files\Apple\Internet Services\EReporter.exe [2013-10-31] (Apple Inc.)
Task: {96F1CC9F-00C7-4A39-93BA-E4C3DBCAA37B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {A5B35A65-7EB7-4A48-88A6-012761475627} - System32\Tasks\{37412EC5-F1A5-4DDA-8291-ED9A9B78C52D} => Chrome.exe http://ui.skype.com/ui/0/6.6.0.106/it/abandoninstall?page=tsBing
Task: {AF943F8A-D862-4DA8-B7BE-D0D765EB305C} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-21] (Microsoft Corporation)
Task: {B37A092E-A3D7-4929-9813-28AF61E27CB6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-05-31] (Google Inc.)
Task: {C47942ED-971E-421F-9FD0-10B6F2CCE272} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-15] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000Core.job => C:\Users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-13207523-3163739043-1031859072-1000UA.job => C:\Users\Fabio\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2011-10-17 11:30 - 2011-05-28 22:04 - 00140288 _____ () C:\Program Files\WinRAR\rarext.dll
2010-10-25 10:54 - 2001-10-28 17:42 - 00116224 _____ () C:\Windows\System32\pdfcmnnt.dll
2008-10-16 16:57 - 2008-10-16 16:57 - 00200704 _____ () C:\Program Files\Intel\WiFi\bin\IWMSPROV.DLL
2009-01-21 01:41 - 2009-01-21 01:41 - 00872448 _____ () C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMediaLibrary.dll
2009-01-21 01:41 - 2009-01-21 01:41 - 00007680 _____ () C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvcPS.dll
2010-07-23 04:15 - 2010-07-27 09:32 - 00034816 _____ () C:\Program Files\Google\Google Desktop Search\gzlib.dll
2010-07-23 04:18 - 2008-07-29 19:29 - 00200704 _____ () C:\Windows\PLFSetI.exe
2014-01-20 14:17 - 2014-01-20 14:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-01-20 23:35 - 2015-01-20 23:35 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2009-02-25 03:19 - 2008-12-18 14:51 - 00075048 _____ () C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
2009-02-01 21:28 - 2009-02-01 21:28 - 00460199 _____ () C:\Program Files\NewTech Infosystems\Acer Backup Manager\sqlite3.dll
2009-02-05 19:28 - 2009-02-05 19:28 - 01076224 _____ () C:\Program Files\NewTech Infosystems\Acer Backup Manager\ACE.dll
2010-07-23 08:51 - 2003-06-07 23:30 - 00057344 _____ () C:\Program Files\Launch Manager\PowerUtl.dll
2008-06-05 08:01 - 2008-06-05 08:01 - 00344064 _____ () C:\Program Files\Packard Bell\Software Suite\sqlite3.dll
2014-10-23 21:19 - 2014-10-23 21:19 - 00047104 _____ () C:\Program Files\CCleaner\lang\lang-1040.dll
2006-12-10 21:51 - 2006-12-10 21:51 - 00065536 ____R () C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll
2006-12-10 21:51 - 2006-12-10 21:51 - 00077824 ____R () C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll
2014-05-31 12:53 - 2014-02-10 13:44 - 04592128 _____ () C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2014-05-31 12:53 - 2014-02-10 13:44 - 00112128 _____ () C:\Users\Fabio\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\Temp:3064D21D
AlternateDataStreams: C:\ProgramData\Temp:3B3A35EC
AlternateDataStreams: C:\ProgramData\Temp:41099CE9
AlternateDataStreams: C:\ProgramData\Temp:4F636E25
AlternateDataStreams: C:\ProgramData\Temp:ABE89FFE
AlternateDataStreams: C:\ProgramData\Temp:ADE16379
AlternateDataStreams: C:\ProgramData\Temp:B623B5B8
AlternateDataStreams: C:\ProgramData\Temp:CDFF58FE
AlternateDataStreams: C:\ProgramData\Temp:CE0A077E
AlternateDataStreams: C:\ProgramData\Temp:DCAF903C
AlternateDataStreams: C:\ProgramData\Temp:E1982A23
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-13207523-3163739043-1031859072-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\img1.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [{A958759E-E774-456E-BC2E-5E41C50BB48F}] => (Allow) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
FirewallRules: [{2C61F446-81B1-4E57-AE8F-F92BD9539287}] => (Allow) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
FirewallRules: [{A5706B44-9F5F-4945-8C9B-25CEEF239277}] => (Allow) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
FirewallRules: [{804B2F45-2B83-4E6F-B311-2BF777A97FB3}] => (Allow) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
FirewallRules: [{377FC928-2449-4FF0-8E40-92087E479DD4}] => (Allow) C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe
FirewallRules: [{2453951E-126D-41A7-AD50-CC62FF3D39FB}] => (Allow) C:\Program Files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe
FirewallRules: [{50C64C4B-18A6-4103-9BC1-04E30C1AC339}] => (Allow) C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [{0F88D4C3-C977-4D4E-9084-D906D28CF992}] => (Allow) C:\Program Files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe
FirewallRules: [{5AA1B5A1-AA19-4A25-A6BD-A021A1EF978C}] => (Allow) C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
FirewallRules: [{57536B6B-52E6-49A2-B87D-EC0086618B1F}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{8A2ECBE3-AB60-4B6C-BFFD-8D37FC513DB0}] => (Allow) LPort=80
FirewallRules: [{78E8C2E1-2340-4868-A5C1-CE83D4D0C869}] => (Allow) LPort=80
FirewallRules: [{FBE000C3-702F-446C-B086-AE1F33946CED}] => (Allow) LPort=80
FirewallRules: [TCP Query User{747035B9-941F-4E65-A31F-DFE752EB3896}C:\users\fabio\temp\teamviewer3\teamviewer.exe] => (Allow) C:\users\fabio\temp\teamviewer3\teamviewer.exe
FirewallRules: [UDP Query User{CEA9944D-48C2-4700-A856-2320F4B2AAE0}C:\users\fabio\temp\teamviewer3\teamviewer.exe] => (Allow) C:\users\fabio\temp\teamviewer3\teamviewer.exe
FirewallRules: [TCP Query User{63FC06F0-63B6-4AF2-BEB7-5B889344E787}C:\program files\metatrader - activtrades\terminal.exe] => (Allow) C:\program files\metatrader - activtrades\terminal.exe
FirewallRules: [UDP Query User{E10FEF42-45C7-430E-A156-3B8EE6E9CB81}C:\program files\metatrader - activtrades\terminal.exe] => (Allow) C:\program files\metatrader - activtrades\terminal.exe
FirewallRules: [{2C38400B-9FF3-462C-8CA4-547F6B1A53D7}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{6DC8304A-90F0-43B8-BDF0-C9435FFE63CC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{39F84BC2-4537-4554-94C5-D04AE84D1820}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{3F26B135-DA52-4BE7-8C8E-7E70418CEBE3}] => (Allow) C:\Users\Fabio\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe
FirewallRules: [{358D4B69-D5E4-4414-99E0-5FF79AD15601}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\bin\FaxApplications.exe
FirewallRules: [{D3B400CC-3A63-4B9E-9972-D3A8C21903A4}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\bin\DigitalWizards.exe
FirewallRules: [{A720ADB5-CA31-4936-920E-BA081B741FF0}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\bin\SendAFax.exe
FirewallRules: [{FCFC4BD1-7970-4F7B-866E-0D76C4612866}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\Bin\DeviceSetup.exe
FirewallRules: [{7059A205-9062-40D7-8EDA-633E88DEB7F1}] => (Allow) LPort=5357
FirewallRules: [{F3E9CF49-78B9-4C9A-A17D-E1F508180F00}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{3051C059-FB2C-41E9-BB06-714F34676444}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{F673A9D7-8F6C-47A3-B56A-6B8CA9D177F0}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/07/2015 05:04:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12643272
 
Error: (06/07/2015 05:04:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12643272
 
Error: (06/07/2015 05:04:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (06/07/2015 05:03:59 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12641541
 
Error: (06/07/2015 05:03:59 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12641541
 
Error: (06/07/2015 05:03:59 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (06/07/2015 05:03:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12640542
 
Error: (06/07/2015 05:03:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12640542
 
Error: (06/07/2015 05:03:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (06/07/2015 05:03:57 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12639528
 
 
System errors:
=============
Error: (06/04/2015 09:57:09 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000wscsvc
 
Error: (06/03/2015 08:28:41 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: Il lease 192.168.1.138 dell'indirizzo IP della scheda di rete con indirizzo 0022FA120A48 è stato negato dal server DHCP 0.0.0.0. Il server DHCP ha inviato un messaggio DHCPNACK.
 
Error: (06/02/2015 05:12:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058
 
Error: (06/02/2015 05:12:32 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: Il lease 192.168.1.138 dell'indirizzo IP della scheda di rete con indirizzo 0022FA120A48 è stato negato dal server DHCP 0.0.0.0. Il server DHCP ha inviato un messaggio DHCPNACK.
 
Error: (06/02/2015 02:58:56 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: Il lease 192.168.1.138 dell'indirizzo IP della scheda di rete con indirizzo 0022FA120A48 è stato negato dal server DHCP 0.0.0.0. Il server DHCP ha inviato un messaggio DHCPNACK.
 
Error: (06/02/2015 02:56:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058
 
Error: (06/02/2015 02:42:29 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: Il lease 192.168.1.138 dell'indirizzo IP della scheda di rete con indirizzo 0022FA120A48 è stato negato dal server DHCP 0.0.0.0. Il server DHCP ha inviato un messaggio DHCPNACK.
 
Error: (06/02/2015 02:26:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058
 
Error: (06/02/2015 02:08:38 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart
 
Error: (06/02/2015 01:28:15 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: Il lease 192.168.1.138 dell'indirizzo IP della scheda di rete con indirizzo 0022FA120A48 è stato negato dal server DHCP 0.0.0.0. Il server DHCP ha inviato un messaggio DHCPNACK.
 
 
Microsoft Office:
=========================
Error: (03/14/2013 00:13:52 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2106 seconds with 2100 seconds of active time.  This session ended with a crash.
 
Error: (05/14/2011 08:49:47 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 9 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (05/04/2011 09:16:59 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4490 seconds with 1080 seconds of active time.  This session ended with a crash.
 
 
CodeIntegrity Errors:
===================================
  Date: 2013-11-21 10:14:18.076
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-21 10:14:17.495
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-21 09:37:14.531
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-21 09:37:13.923
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-04 18:01:39.771
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-04 18:01:39.030
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-04 17:57:08.643
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-11-04 17:57:08.082
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-08-16 20:20:48.250
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
  Date: 2013-08-16 20:20:48.054
  Description: Controllo dell'integrità del codice: impossibile verificare l'integrità dell'immagine del file \Device\HarddiskVolume2\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll. Impossibile trovare l'insieme di hash dell'immagine per pagina nel sistema.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU P7450 @ 2.13GHz
Percentage of memory in use: 61%
Total physical RAM: 3065.9 MB
Available physical RAM: 1195.37 MB
Total Pagefile: 6334.62 MB
Available Pagefile: 4060.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1891.53 MB
 
==================== Drives ================================
 
Drive c: (ACER) (Fixed) (Total:455.99 GB) (Free:296.69 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 39D9FDDD)
Partition 1: (Not Active) - (Size=9.8 GB) - (Type=27)
Partition 2: (Active) - (Size=456 GB) - (Type=07 NTFS)
 
==================== End of log ============================


#7 dbrisendine


  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:47 AM

Posted 08 June 2015 - 10:43 AM

Thank you for the log file.  Please run the following and post the log here.

  • Download  RogueKiller (by tigzy) on to your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished ...  (the Scan button will be enabled only after the Prescan is finished)
  • Click on Scan. Once finished, click on Report

Please post the contents of the RKreport.txt in your next Reply.


 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> btn_donate_LG.gif


#8 famori

  • Topic Starter

  • Members
  • 17 posts
  • Local time:08:47 PM

Posted 08 June 2015 - 11:41 AM

Hello DB,

here is the content of the RKreport.txt:

 

RogueKiller V10.8.1.0 [Jun  3 2015] di Adlice Software
Discussione : http://www.adlice.com
 
Sistema Operativo : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Iniziato in : Modalità Normale
Utente : Fabio [Amministratore]
Iniziato da : c:\Users\Fabio\Downloads\RogueKiller.exe
Modalità : Scansione -- Data : 06/08/2015  18:31:10
 
¤¤¤ Processi : 2 ¤¤¤
[Suspicious.Path] RtkBtMnt.exe(3948) -- C:\Users\Fabio\AppData\Local\Temp\RtkBtMnt.exe[-] VT(1) -> Eliminato [TermProc]
[Suspicious.Path|VT.not-a-virus:AdWare.MSIL.PowerOfr.ev] PService.exe(552) -- C:\Users\Public\Documents\AppData\PoApp\PService.exe[-] VT(14) -> Eliminato [TermProc]
 
¤¤¤ Registro : 9 ¤¤¤
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Trovato
[Suspicious.Path|VT.not-a-virus:AdWare.MSIL.PowerOfr.a] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PosService : C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe [-] -> Trovato
[Suspicious.Path|VT.Adware.Adpopup] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PowerOffer Service ("C:\Users\Fabio\AppData\Local\PosService\Pos.exe") -> Trovato
[PUP|Suspicious.Path|VT.not-a-virus:AdWare.MSIL.PowerOfr.a] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServUpdater ("C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe") -> Trovato
[Suspicious.Path|VT.Adware.Adpopup] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerOffer Service ("C:\Users\Fabio\AppData\Local\PosService\Pos.exe") -> Trovato
[PUP|Suspicious.Path|VT.not-a-virus:AdWare.MSIL.PowerOfr.a] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServUpdater ("C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe") -> Trovato
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.findeer.com  -> Trovato
[PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.findeer.com  -> Trovato
[PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.findeer.com  -> Trovato
 
¤¤¤ Attività : 0 ¤¤¤
 
¤¤¤ Archivi : 0 ¤¤¤
 
¤¤¤ Archivio Hosts : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Caricato) ¤¤¤
 
¤¤¤ Web Browser : 0 ¤¤¤
 
¤¤¤ Controllo MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BEVT-00ZAT0 ATA Device +++++
--- User ---
[MBR] 2ffb4db5173ad374e1bed1abc4a7c1d6
[BSP] 200292096050c85de33b91ce804dbef7 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 10001 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 20482875 | Size: 466936 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
Thank you
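
The findings in the RogueKiller report above all share one trait: a Run value, a service, or a browser helper object launching from a directory an unprivileged user can write to (`C:\Users\Public\Documents\...`, `C:\Users\<name>\AppData\Local\...`). The Python below is an added example, not RogueKiller's own code nor anything posted in the thread: it parses report lines of the form `[tags] location -> status`, pulls out the executable path, and flags autostart entries that live in user-writable directories. The sample lines are copied from the report posted above; the list of user-writable directories and of autostart registry locations is my assumption, not something the tool documents.

```python
"""Triage helper for RogueKiller-style report lines.

Added example, not part of RogueKiller or of this thread's tools: it parses
the "[tags] location -> status" lines the report prints and flags autostart
entries whose executable lives in a directory an unprivileged user can write
to, which is the pattern the Run and Services findings in the thread share.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the RogueKiller report posted in the thread
# (the section marker and hosts line are included to show they are skipped).
SAMPLE_REPORT = r"""
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Trovato
[Suspicious.Path|VT.not-a-virus:AdWare.MSIL.PowerOfr.a] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PosService : C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe [-] -> Trovato
[Suspicious.Path|VT.Adware.Adpopup] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PowerOffer Service ("C:\Users\Fabio\AppData\Local\PosService\Pos.exe") -> Trovato
[PUP|Suspicious.Path|VT.not-a-virus:AdWare.MSIL.PowerOfr.a] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServUpdater ("C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe") -> Trovato
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.findeer.com  -> Trovato
¤¤¤ Archivio Hosts : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
"""

# One finding per line: "[tag|tag|...] <registry location> -> <status>".
LINE_RE = re.compile(r"^\[(?P<tags>[^\]]+)\]\s+(?P<body>.+?)\s+->\s+(?P<status>\S+)\s*$")
# First drive-letter path ending in .exe inside the location text.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)
# Assumed list of directories an unprivileged user can write to; a service
# or Run entry starting from one of these is what "Suspicious.Path" hints at.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Documents|Downloads)\\"
    r"|\\Users\\Public\\|\\ProgramData\\|\\Temp\\",
    re.IGNORECASE,
)
# Assumed set of registry locations that run code at boot, at logon or in the browser.
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\Run|\\Services\\|Browser Helper Objects", re.IGNORECASE
)


@dataclass
class Finding:
    tags: List[str]            # e.g. ["PUP", "Suspicious.Path", "VT.<label>"]
    location: str              # registry key / value text as printed
    status: str                # "Trovato" in the Italian report (= Found)
    exe_path: Optional[str]    # executable referenced by the entry, if any

    @property
    def category(self) -> str:
        # The first tag is the detection family (PUP, PUM.HomePage, Suspicious.Path).
        return self.tags[0]

    @property
    def vt_labels(self) -> List[str]:
        # "VT.x" tags carry an antivirus-style label; strip the prefix.
        return [t[3:] for t in self.tags if t.startswith("VT.")]

    @property
    def is_autostart(self) -> bool:
        return AUTOSTART_RE.search(self.location) is not None

    @property
    def in_user_writable_path(self) -> bool:
        return bool(self.exe_path and USER_WRITABLE_RE.search(self.exe_path))


def parse_report(text: str) -> List[Finding]:
    """Parse every '[tags] ... -> status' line; other report lines are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section markers, hosts dump, MBR section, blank lines
        body = m.group("body")
        exe = EXE_RE.search(body)
        findings.append(Finding(
            tags=m.group("tags").split("|"),
            location=body,
            status=m.group("status"),
            exe_path=exe.group(0) if exe else None,
        ))
    return findings


def risky_autostarts(findings: List[Finding]) -> List[Finding]:
    """Autostart entries whose executable sits in a user-writable directory."""
    return [f for f in findings if f.is_autostart and f.in_user_writable_path]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per detection family."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("findings by category:", summarize(found))
    for f in risky_autostarts(found):
        print(f"[{f.category}] {f.exe_path}\n    from: {f.location}")
```

Run against the sample, the three entries flagged by `risky_autostarts` are exactly the Run value and the two services from the report; the BHO is an autostart location but carries no path, and the start-page change is a settings modification rather than code that runs, so neither is flagged. The same parser can be pointed at a saved RKreport.txt to get the list of paths worth checking before the Delete step.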


#9 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:47 AM

Posted 09 June 2015 - 03:07 AM

Thank you for the report.  Now to let RogueKiller clean what it found...

  • Download RogueKiller (by tigzy) on to your desktop (if you need to)
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished ...
  • Click on Scan. Wait for the scan to finish.
  • In the registry tab, make sure everything is checked.
  • Click on Delete.
  • Click on Report and copy/paste the content of the notepad

Please post the contents of the new RKreport.txt in your next Reply.


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> [Donate]


#10 famori

famori
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:47 PM

Posted 09 June 2015 - 04:45 AM

Dear DB,

 

please find in attachment the file requested.

 

Thank you

Attached Files



#11 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:47 AM

Posted 09 June 2015 - 02:30 PM

How is your system running now?
 

FIRST >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.

  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


SECOND >>>>


Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from here .

Double Click on the mbam-setup.exe file to install the application.

Do not check the Trial of the Professional version.  Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.

Once updated, please select Settings > Detection and Protection.  Please ensure that "Scan for Rootkits" is selected, and that under Non-Malware Protection both PUP and PUM are set to "Treat detections as malware".

Once the program has loaded and updated, select "Scan Now >>" to start the scan.

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

Make sure that everything is checked, and click Remove Selected.  When the removal is completed, a summary screen will be presented.

At the bottom of this screen, click on Save Results and then on Text file (*.txt).  Save the file to your desktop and click OK.  Click Finish to return to the main screen and then close Malwarebytes.

Double click on the log file you saved to your desktop; the log file will be opened in your default text file viewer (usually Notepad). Select the whole text (Ctrl + A) and copy (Ctrl + C) it to paste here in a reply.

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




#12 famori

famori
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:47 PM

Posted 10 June 2015 - 01:17 AM

Dear DB,

 

the system is running better, it seems more stable and a little bit faster while surfing the net.

I'm gonna do the next step and I will post the log file as you instructed.

 

Thanks



#13 famori

famori
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:47 PM

Posted 10 June 2015 - 01:26 PM

Hello DB,

good news! I could reboot the pc and start it in Safe Mode, but the system still seems not completely stable.

 

Anyway I'm posting the files you told me.

 

Thanks

Attached Files



#14 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:47 AM

Posted 10 June 2015 - 08:59 PM

Hello DB,
good news! I could reboot the pc and start it in Safe Mode ......


Did you mean Normal boot mode (just checking; Normal boot is great; Safe Mode boot is OK also)?

Let's get a fresh set of FRST logs and see what is left so far ...

  • If you still have the Addition.txt file on your desktop, please delete it now.
  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it to do this please. Otherwise, just wait for the "The tool is ready to use." message.
  • Please check the Addition.txt in the Option Scan section of FRST.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The tool will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



#15 famori

famori
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:47 PM

Posted 11 June 2015 - 01:22 PM

Dear DB,

I meant that I could restart the pc in Safe Mode (which I couldn't do before your help). Then I tried again to reboot in Safe Mode, but this time the pc started in Normal Mode, so I am a little confused right now ...

As you requested, I am posting the new set of FRST files.

 

Thanks

Attached Files





