Help with Rogue Killer logs please!


  • This topic is locked
11 replies to this topic

#1 user3895

  • Members
  • 17 posts

Posted 07 June 2015 - 05:07 PM

A few weeks ago I brought out my old laptop to retrieve some files from it. I hadn't used it for over a year so decided to run some scans out of curiosity to see if they would find anything that I hadn't known about before. I used to rely solely on Norton NIS and realise now that this was not a good idea and felt compelled to run some other scanners as I was curious to see if I'd had any new malware/RATs/Rootkits on the machine. Nothing came up as malware but the logs show a lot of stuff and I'm not sure if it's anything to be concerned about or not. 
 
I never had much problem with it except for a bit of over-heating (when using graphic intensive software such as The Sims 3 and Autocad etc) in which my fan got really loud, the laptop got incredibly hot to the touch and would occasionally BSOD. Otherwise it was fine. 
 
I would be hugely appreciative if anyone could take a look at my logs to see if there's anything fishy in them? (These are the logs of the latest scans I did)
Thanks
:)
 
 
MALWAREBYTES:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 21/05/2015
Scan Time: 18:26:15
Logfile: malwarebytes log 21 05 15.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.21.03
Rootkit Database: v2015.05.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Aer
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 407701
Time Elapsed: 52 min, 25 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 2
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\LEMILGPBNFOECFJHPFCHANNNNKEEFJMJ, , [4304643256347fb7951574671ee503fd], 
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-583470079-4115952942-3311931298-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\LEMILGPBNFOECFJHPFCHANNNNKEEFJMJ, , [50f7cbcb3f4b0c2a9a1194470ff4ee12], 
 
Registry Values: 2
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\lemilgpbnfoecfjhpfchannnnkeefjmj|path, C:\Users\Aer\AppData\Local\CRE\lemilgpbnfoecfjhpfchannnnkeefjmj.crx, , [4304643256347fb7951574671ee503fd]
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-583470079-4115952942-3311931298-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\lemilgpbnfoecfjhpfchannnnkeefjmj|path, C:\Users\Aer\AppData\Local\CRE\lemilgpbnfoecfjhpfchannnnkeefjmj.crx, , [50f7cbcb3f4b0c2a9a1194470ff4ee12]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
ROGUEKILLER
RogueKiller V10.5.9.0 (x64) [Apr  7 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Aer [Administrator]
Started from : C:\Users\Aer\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 05/20/2015  13:22:23
 
¤¤¤ Processes : 3 ¤¤¤
[Suspicious.Path] Password 2.exe(5084) -- C:\Windows\Temp\Password 2.exe[-] -> Killed [TermProc]
[Suspicious.Path] GoogleCrashHandler64.exe(4432) -- C:\Users\Aer\AppData\Local\Google\Update\1.3.26.9\GoogleCrashHandler64.exe[7] -> Killed [TermProc]
[Suspicious.Path] Password.exe(5284) -- C:\Windows\Temp\Password.exe[-] -> Killed [TermProc]
 
¤¤¤ Registry : 33 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Run | Google+ Auto Backup : "C:\Users\Aer\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Run | Google+ Auto Backup : "C:\Users\Aer\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart  -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run | Google+ Auto Backup : "C:\Users\Aer\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run | Google+ Auto Backup : "C:\Users\Aer\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SessionLauncher (c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61BF1EC8-D6D3-4991-B396-979A03E0499F} | DhcpNameServer : 194.168.4.100 194.168.8.100 [X][X]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADE99382-A0E6-454E-87B3-A99BEB97F13A} | DhcpNameServer : 161.73.0.42 [X]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61BF1EC8-D6D3-4991-B396-979A03E0499F} | DhcpNameServer : 194.168.4.100 194.168.8.100 [X][X]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ADE99382-A0E6-454E-87B3-A99BEB97F13A} | DhcpNameServer : 161.73.0.42 [X]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{61BF1EC8-D6D3-4991-B396-979A03E0499F} | DhcpNameServer : 194.168.4.100 194.168.8.100 [X][X]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ADE99382-A0E6-454E-87B3-A99BEB97F13A} | DhcpNameServer : 161.73.0.42 [X]  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-583470079-4115952942-3311931298-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 2 ¤¤¤
[Suspicious.Path][File] Password 2.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password 2.lnk [LNK@] C:\Windows\Temp\PASSWO~2.EXE /s /a -> Found
[Suspicious.Path][File] Password.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password.lnk [LNK@] C:\Windows\Temp\Password.exe /s /a -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BEKT-75KA9T0 ATA Device +++++
--- User ---
[MBR] f3fb51c534366ab7dc3cc5a7645589af
[BSP] 4228735e299fa72e7d4ddb3b38677e5d : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 80325 | Size: 18000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 36944325 | Size: 458899 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_04062015_174443.log - RKreport_SCN_04062015_201534.log - RKreport_SCN_04102015_213029.log - RKreport_SCN_04102015_220923.log
 
ESET ONLINE SCANNER

C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
C:\Program Files (x86)\NCH Software\VideoPad\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\NCH Software\VideoPad\vpsetup_v2.41.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\NCH Software\WavePad\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.10.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Users\Aer\Downloads\ESDPK-MLX5-MoviePlusStarterEdition-EN.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
C:\Users\Aer\Downloads\GraboidVideoSetup-2.03b-Complete.exe Win32/Graboid potentially unsafe application deleted - quarantined
C:\Users\Aer\Downloads\vpsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Users\Aer\Downloads\WiseConvert_2_1.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
 
HITMAN PRO

 
HitmanPro 3.7.9.241
www.hitmanpro.com
 
Computer name . . . . : Aer-PC
Windows . . . . . . . : 6.1.1.7601.X64/4
User name . . . . . . : Aer-PC\Aer
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
 
Scan date . . . . . . : 2015-05-21 17:10:11
Scan mode . . . . . . : Normal
Scan duration . . . . : 12m 40s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
 
Threats . . . . . . . : 0
Traces . . . . . . . : 10
 
Objects scanned . . . : 2,075,545
Files scanned . . . . : 88,108
Remnants scanned . . : 621,153 files / 1,366,284 keys
 
Potential Unwanted Programs _________________________________________________
HKLM\SOFTWARE\Classes\Applications\iLividSetupV1.exe\ (iLivid)
HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ (Yontoo)
HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ (Yontoo)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)
HKLM\SOFTWARE\Wow6432Node\Conduit\ (Conduit)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\conduitinstaller_RASAPI32\ (Conduit)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\conduitinstaller_RASMANCS\ (Conduit)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Conduit\ (Conduit)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ (Yontoo)
 
Cookies _____________________________________________________________________
C:\Users\Aer\AppData\Roaming\Mozilla\Firefox\Profiles\qo12qg9t.default\cookies.sqlite:ads.yahoo.com
 

Edited by Chris Cosgrove, 07 June 2015 - 05:25 PM.
Moved to Virus etc. logs



#2 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 June 2015 - 08:23 AM

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Wait for further instructions.

#3 user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 13 June 2015 - 04:08 AM

Hi nasdaq, 
Thanks for your help. I did the AdwCleaner scan as requested. The only thing I unchecked for cleaning was Norton Safe Web Lite as I assumed it was part of my Norton package and probably shouldn't be deleted. Did I assume correctly?
 
Also, speaking of Norton, when I try and download the farbar recovery tool, it marks it as highly malicious, quarantines/deletes it and never gives me the option to open it.
Are you sure that link/file is 100% safe? If so, how do I get around this Norton trouble?
 
Oh and one more thing: 'Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local;127.0.0.1:9421;<local>' from the Adwcleaner scan. What does the proxy override bit mean? Should I be concerned?
 
Thanks :)
 
 
# AdwCleaner v4.206 - Logfile created 13/06/2015 at 09:52:51
# Updated 01/06/2015 by Xplode
# Database : 2015-06-09.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Aer - Aer-PC
# Running from : C:\Users\Aer\Downloads\adwcleaner_4.206.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Tarma Installer
[x] Not Deleted : C:\Program Files (x86)\Norton Safe Web Lite
Folder Deleted : C:\Users\Aer\AppData\Local\PackageAware
Folder Deleted : C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
File Deleted : C:\Users\Aer\AppData\Roaming\Mozilla\Firefox\Profiles\qo12qg9t.default\user.js
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NST
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local;127.0.0.1:9421;<local>
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Mozilla Firefox v14.0.1 (en-US)
 
 
-\\ Google Chrome v
 
 
*************************
 
AdwCleaner[R0].txt - [2666 bytes] - [13/06/2015 09:44:57]
AdwCleaner[S0].txt - [2298 bytes] - [13/06/2015 09:52:51]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2357  bytes] ##########


#4 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 June 2015 - 08:55 AM



The only thing I unchecked for cleaning was Norton Safe Web Lite as I assumed it was part of my Norton package and probably shouldn't be deleted. Did I assume correctly?

It's an optional Browser Object. No problems if you want to keep it.
===

The Farbar tool is safe. I get the same protection with my Norton.

De-quarantine the file.

===

Oh and one more thing: 'Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local;127.0.0.1:9421;<local>' from the Adwcleaner scan. What does the proxy override bit mean? Should I be concerned?

If you did not set the proxy then it was bad and not required.

Submit the FRST log from the Farbar tool and I will take it from there.
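For readers wondering how to answer the ProxyOverride question themselves, here is an added example (editor's addition, not code from the thread or from nasdaq): a PowerShell check that reads the current user's WinINET proxy values and reports the ones an analyst would want explained. ProxyOverride is the bypass list (hosts that skip the proxy, with `<local>` meaning any name without a dot); the proxy itself lives in ProxyEnable/ProxyServer, and AutoConfigURL names a PAC script if one is set. The script assumes it is run in a normal PowerShell session as the affected user; the registry path and value names are the standard Internet Settings ones, and the port 9421 loopback entry from the AdwCleaner log is used only as the kind of entry it looks for.

```powershell
# Added example, not from the thread: inspect the current user's WinINET proxy settings.
# ProxyOverride is the *bypass* list; the proxy itself is ProxyEnable/ProxyServer,
# and AutoConfigURL points at a PAC script when one is configured.
$path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s = Get-ItemProperty -Path $path

foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    $value = $s.$name
    if ($null -eq $value) { $value = '<not set>' }
    '{0,-14}: {1}' -f $name, $value
}

$findings = @()

if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) {
    $findings += "Proxy enabled: $($s.ProxyServer)"
    # Both "http=127.0.0.1:9421;https=..." and a bare "127.0.0.1:9421" mean a local
    # process sits between the browser and the network; that needs a named owner.
    if ($s.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost):\d+') {
        $findings += 'Proxy points at this machine: a local process is intercepting browser traffic'
    }
}
if ($s.AutoConfigURL) { $findings += "PAC script configured: $($s.AutoConfigURL)" }

# A loopback entry with a port in the bypass list (127.0.0.1:9421 in the log above) is
# normally written by the same installer that set a local proxy. Report it, and see
# whether anything still listens on that port (netstat works on Windows 7 as well).
$bypass = @()
if ($s.ProxyOverride) { $bypass = $s.ProxyOverride -split ';' | Where-Object { $_ -ne '' } }
foreach ($entry in $bypass) {
    if ($entry -match '^(127\.0\.0\.1|localhost):(\d+)$') {
        $port = $Matches[2]
        $findings += "Bypass entry for a local port: $entry"
        $listeners = netstat -ano -p tcp |
            Select-String -Pattern "(127\.0\.0\.1|0\.0\.0\.0):$port\s+\S+\s+LISTENING\s+(\d+)"
        foreach ($l in $listeners) {
            $pid = $l.Matches[0].Groups[2].Value
            $findings += "PID $pid is listening on port ${port}: $($l.Line.Trim())"
        }
    }
}

if ($findings.Count -eq 0) { 'No proxy is configured for this user.' } else { $findings }
```

On the machine in this thread AdwCleaner has already removed the value, so ProxyOverride now prints as `<not set>`; the check is for confirming that nothing else (ProxyServer or a PAC URL) was left behind. The settings are per user, so run it as each account that uses the browser, or read the same path under `HKU:\<SID>` for profiles that are loaded but not logged in.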

#5 user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 13 June 2015 - 10:03 AM

A quick question: So in terms of the proxy override, have you any idea how it could have got there? Malware perhaps? I have no recollection of ever having found malware on this laptop, especially since I got Norton in 2012 (there are no incidences of malware - just PUPs and tracking cookies - in the logs) though I cannot be sure for before that (when I used McAfee). 

Once again, thanks.

Here's the FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015
Ran by Aer (administrator) on Aer-PC on 13-06-2015 15:37:53
Running from C:\Users\Aer\Desktop
Loaded Profiles: Aer (Available Profiles: Aer)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\stacsv64.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchService.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
(DSGi) C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
() C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
() C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
(Akamai Technologies, Inc.) C:\Users\Aer\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\Aer\AppData\Local\Akamai\netsession_win.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Update\1.3.27.5\GoogleCrashHandler.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DellDock.exe
(Dropbox, Inc.) C:\Users\Aer\AppData\Roaming\Dropbox\bin\Dropbox.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
() C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
() C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\conathst.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\43.0.2357.124\nacl64.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\43.0.2357.124\nacl64.exe
(Google Inc.) C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1822504 2009-08-24] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-01-20] (IDT, Inc.)
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [3217056 2010-04-02] (Dell Inc.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe [2384896 2009-07-22] ()
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5470208 2009-12-16] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-11-18] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] => C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-12-29] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Desktop Disc Tool] => c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [494064 2009-06-19] ()
HKLM-x32\...\Run: [DellSupportCenter] => C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2011-04-27] (Apple Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM-x32\...\Run: [Conime] => %windir%\system32\conime.exe
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BambooCore] => C:\Program Files (x86)\Bamboo Dock\BambooCore.exe [646744 2012-12-12] ()
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] => C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe [559616 2011-10-11] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [Google Update] => C:\Users\Aer\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2015-01-22] (Google Inc.)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4283256 2011-05-13] (Microsoft Corporation)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [EA Core] => "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Aer\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [Google+ Auto Backup] => C:\Users\Aer\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe [3754312 2015-02-13] (Google Inc.)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7799576 2015-05-21] (SUPERAntiSpyware)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\MountPoints2: F - F:\Password.exe
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-20] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-04-04]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password 2.lnk [2012-10-27]
ShortcutTarget: Password 2.lnk -> C:\Windows\Temp\Password 2.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password.lnk [2013-04-07]
ShortcutTarget: Password.lnk -> C:\Windows\Temp\Password.exe (No File)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-09-21]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-09-21]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Aer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk [2010-10-30]
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Aer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-05-20]
ShortcutTarget: Dropbox.lnk -> C:\Users\Aer\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Aer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2010-10-31]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2010-02-10] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Aer\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKLM -> {5A1602D2-199B-4D06-9234-C40E7B3BDB18} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {40A5D948-D10B-4F33-8021-DE8DFD2349A3} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> {40A5D948-D10B-4F33-8021-DE8DFD2349A3} URL = 
SearchScopes: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> {5A1602D2-199B-4D06-9234-C40E7B3BDB18} URL = 
SearchScopes: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine64\21.7.0.11\coIEPlg.dll [2015-03-05] (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-03-05] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL [2015-03-05] (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-04-04] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2012-03-02] (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-02-28] (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-04-04] (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.7.0.11\coIEPlg.dll [2015-03-05] (Symantec Corporation)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-02-28] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-03-05] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2012-03-02] (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
 
FireFox:
========
FF ProfilePath: C:\Users\Aer\AppData\Roaming\Mozilla\Firefox\Profiles\qo12qg9t.default
FF Homepage: www.yahoo.co.uk
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-29] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-29] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2011-04-27] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2013-12-23] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-04-04] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-04-04] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-04-04] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2011-05-26] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-20] (Google Inc.)
FF Plugin-x32: @wacom.com/wacom-plugin,version=1.1.0.10 -> C:\Program Files (x86)\TabletPlugins\npwacom.dll [2011-04-20] (Wacom, Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.0.0.1 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2011-05-31] (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-09-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-583470079-4115952942-3311931298-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Aer\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-20] (Google Inc.)
FF Plugin HKU\S-1-5-21-583470079-4115952942-3311931298-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Aer\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-20] (Google Inc.)
FF Plugin HKU\S-1-5-21-583470079-4115952942-3311931298-1001: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2011-05-31] (Wacom)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2013-09-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2011-01-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2011-01-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2011-01-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2011-01-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2011-01-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll [2011-01-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll [2011-01-03] (Apple Inc.)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2012-03-14]
FF HKLM-x32\...\Firefox\Extensions: [{203FB6B2-2E1E-4474-863B-4C483ECCE78E}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2.0.0.16\coFFNST
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.6.0.32\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.6.0.32\coFFPlgn [2015-06-13]
FF HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
 
Chrome: 
=======
CHR Profile: C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (WOT) - C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2015-04-29]
CHR Extension: (AdBlock) - C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-04-09]
CHR Extension: (Norton Identity Safe) - C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-06-09]
CHR Extension: (Skype Click to Call) - C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-04-07]
CHR Extension: (Norton Security Toolbar) - C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2012-01-28]
CHR Extension: (Google Wallet) - C:\Users\Aer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-04-07]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\Exts\Chrome.crx [2015-06-09]
CHR HKU\S-1-5-21-583470079-4115952942-3311931298-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lemilgpbnfoecfjhpfchannnnkeefjmj] - C:\Users\Aer\AppData\Local\CRE\lemilgpbnfoecfjhpfchannnnkeefjmj.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lemilgpbnfoecfjhpfchannnnkeefjmj] - C:\Users\Aer\AppData\Local\CRE\lemilgpbnfoecfjhpfchannnnkeefjmj.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2012-03-02]
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\Exts\Chrome.crx [2015-06-09]
StartMenuInternet: Google Chrome - C:\Users\Aer\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 Advent AIO Network Discovery Service; C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe [361904 2010-09-30] (DSGi)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
R2 EPSON_EB_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE [163840 2007-12-17] (SEIKO EPSON CORPORATION) [File not signed]
R2 EPSON_PM_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE [126464 2007-01-11] (SEIKO EPSON CORPORATION) [File not signed]
R2 InstallFilterService; C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [60928 2009-06-23] () [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S4 mi-raysat_3dsmax2011_32; C:\Program Files (x86)\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [86016 2010-03-10] () [File not signed]
S4 mi-raysat_3dsmax2011_64; C:\Program Files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe [86016 2010-03-10] () [File not signed]
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\NIS.exe [276336 2015-03-07] (Symantec Corporation)
R2 NSL; C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe [244736 2010-01-20] (IDT, Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4950016 2009-12-16] (Dell Inc.) [File not signed]
S2 SessionLauncher; c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 A2DDA; C:\EEK\bin\a2ddax64.sys [26176 2015-04-13] (Emsisoft GmbH)
R1 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.6.0.32\Definitions\BASHDefs\20150602.001\BHDrvx64.sys [1640152 2015-06-02] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1507000.00B\ccSetx64.sys [162392 2014-02-21] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\0200000.010\ccSetx64.sys [167048 2011-08-09] (Symantec Corporation)
S3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2015-04-13] (Emsisoft GmbH)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [489776 2015-06-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [145200 2015-06-09] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.6.0.32\Definitions\IPSDefs\20150612.001\IDSvia64.sys [684248 2015-06-08] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\21.6.0.32\Definitions\VirusDefs\20150612.016\ENG64.SYS [129752 2015-06-09] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\21.6.0.32\Definitions\VirusDefs\20150612.016\EX64.SYS [2137304 2015-06-09] (Symantec Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74240 2011-02-16] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SRTSP; C:\Windows\System32\Drivers\NISx64\1507000.00B\SRTSP64.SYS [876248 2014-08-26] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1507000.00B\SRTSPX64.SYS [37592 2014-08-26] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1507000.00B\SYMDS64.SYS [493656 2014-08-26] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1507000.00B\SYMEFA64.SYS [1148120 2014-08-26] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2015-06-09] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1507000.00B\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NISx64\1507000.00B\SYMNETS.SYS [593112 2014-08-26] (Symantec Corporation)
S3 MFE_RR; \??\C:\Users\Aer\AppData\Local\Temp\mfe_rr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-13 15:37 - 2015-06-13 15:38 - 00034292 _____ C:\Users\Aer\Desktop\FRST.txt
2015-06-13 15:34 - 2015-06-13 15:38 - 00000000 ____D C:\FRST
2015-06-13 15:33 - 2015-06-13 15:33 - 02108928 _____ (Farbar) C:\Users\Aer\Desktop\frst64.exe
2015-06-13 15:25 - 2015-06-13 15:25 - 00007881 _____ C:\Users\Aer\Desktop\RKreport_SCN_06132015_143908.log
2015-06-13 14:32 - 2015-06-13 14:32 - 00001835 _____ C:\Users\Aer\Desktop\mwb after adwc.txt
2015-06-13 09:56 - 2015-06-13 09:56 - 00002457 _____ C:\Users\Aer\Desktop\AdwCleaner[S0].txt
2015-06-13 09:44 - 2015-06-13 09:52 - 00000000 ____D C:\AdwCleaner
2015-06-13 09:40 - 2015-06-13 09:40 - 02231296 _____ C:\Users\Aer\Downloads\adwcleaner_4.206.exe
2015-06-13 09:36 - 2015-06-13 09:36 - 00000000 ____D C:\Users\Aer\AppData\Local\{553D22FE-A830-4ED4-8A01-3BA4A7E13295}
2015-06-12 21:25 - 2015-06-12 21:25 - 00000000 ____D C:\Windows\System32\Tasks\Norton Internet Security
2015-06-12 21:20 - 2015-06-12 21:20 - 00000000 ____D C:\Users\Aer\AppData\Local\{1669AF3A-3D27-4E59-8F98-EE830FE34317}
2015-06-09 23:30 - 2015-06-12 21:19 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
2015-06-09 23:23 - 2015-06-09 23:23 - 01021920 _____ (Symantec Corporation) C:\Users\Aer\Downloads\NortonNISDownloader.exe
2015-06-09 23:21 - 2015-06-09 23:22 - 01060640 _____ (Symantec Corporation) C:\Users\Aer\Downloads\AutoDetectPkg.exe
2015-06-09 23:03 - 2015-06-09 23:03 - 00002650 _____ C:\Users\Aer\Documents\a2scan_150609-225624.txt
2015-06-09 21:57 - 2015-06-09 21:57 - 00003592 _____ C:\{5F953334-6B88-4074-AEA8-1855CA4E3F10}
2015-06-09 21:55 - 2015-06-09 21:55 - 00003592 _____ C:\{88D2F1D3-5BCD-4F9F-B5E5-5467BED6E462}
2015-06-09 21:50 - 2015-06-09 21:50 - 00003600 _____ C:\{BA03221B-D275-4E37-BB0B-7D224F6C03D5}
2015-06-09 21:47 - 2015-06-09 21:47 - 00003600 _____ C:\{D94141F9-42C8-4E4F-B021-70B650D2CF95}
2015-06-09 21:00 - 2015-06-09 21:00 - 00000578 _____ C:\Users\Aer\Desktop\eset2.txt
2015-06-09 16:56 - 2015-06-09 16:56 - 00000740 _____ C:\Windows\KB893803v2.log
2015-06-09 15:28 - 2015-06-09 15:28 - 00000000 ____D C:\Users\Aer\AppData\Local\{D8F660B8-66A1-4A44-8268-64BADAA7A7BC}
2015-06-07 22:04 - 2015-06-07 22:04 - 00000000 ____D C:\Users\Aer\AppData\Local\{83C6C553-8F2A-4E7B-8B89-43C0E3FDF483}
2015-05-30 17:24 - 2015-05-30 17:03 - 51789024 _____ (Microsoft Corporation) C:\Users\Aer\Desktop\Windows-KB890830-x64-V5.24.exe
2015-05-30 17:23 - 2015-05-30 17:28 - 00002768 _____ C:\Users\Aer\Desktop\Rkill.txt
2015-05-30 17:23 - 2015-05-30 17:23 - 01063160 _____ (Bleeping Computer, LLC) C:\Users\Aer\Desktop\rkill64.exe
2015-05-30 17:23 - 2015-05-30 17:03 - 03060320 ____N (Symantec Corporation) C:\Users\Aer\Desktop\NPE.exe
2015-05-30 17:23 - 2015-05-30 17:00 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\Aer\Desktop\rkill.exe
2015-05-30 17:23 - 2015-05-30 16:55 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Aer\Desktop\mbam-setup-2.1.6.1022.exe
2015-05-30 17:21 - 2015-05-30 17:21 - 00000000 ____D C:\Users\Aer\AppData\Local\{A2E496EB-4E0F-4CF9-81F1-2DDF6C1261D8}
2015-05-26 23:28 - 2015-05-26 23:28 - 00000000 ____D C:\Users\Aer\AppData\Local\{64A6EE61-5B9F-4C3C-B014-6E5302BFE0D7}
2015-05-25 02:38 - 2015-05-25 02:38 - 00003021 _____ C:\Users\Aer\Desktop\aswMBR2.txt
2015-05-25 02:38 - 2015-05-25 02:38 - 00000512 _____ C:\Users\Aer\Desktop\MBR.dat
2015-05-25 02:35 - 2015-05-25 02:35 - 00000624 _____ C:\Users\Aer\Desktop\aswMBR1.txt
2015-05-25 02:32 - 2015-05-25 02:32 - 05200384 _____ (AVAST Software) C:\Users\Aer\Downloads\aswmbr.exe
2015-05-25 02:27 - 2015-05-25 02:28 - 11427128 _____ (Bitdefender LLC) C:\Users\Aer\Downloads\BootkitRemoval_x64.exe
2015-05-25 02:25 - 2015-05-25 02:25 - 00000310 _____ C:\Users\Aer\Downloads\RootkitRemover_20150525_022533.log
2015-05-25 02:23 - 2015-05-25 02:24 - 00000310 _____ C:\Users\Aer\Downloads\RootkitRemover_20150525_022334.log
2015-05-25 02:23 - 2015-05-25 02:23 - 00783120 _____ (McAfee, Inc.) C:\Users\Aer\Downloads\rootkitremover.exe
2015-05-25 02:20 - 2015-05-25 02:20 - 00022164 _____ C:\Users\Aer\Desktop\gmer scan 25 05 15.log
2015-05-25 01:54 - 2015-05-25 01:54 - 00380416 _____ C:\Users\Aer\Downloads\48nfhxok.exe
2015-05-25 01:08 - 2015-05-25 01:08 - 00000000 ____D C:\Users\Aer\AppData\Local\{47CCB079-2B0A-45D5-9D8D-074723EA1506}
2015-05-24 17:42 - 2015-05-24 23:48 - 00000000 ____D C:\Users\Aer\AppData\Local\{BB758D43-3B36-4EE1-9365-1A54C3808965}
2015-05-21 23:42 - 2015-05-21 23:42 - 00002059 _____ C:\Users\Aer\Desktop\eset online scanner 21 5 15.txt
2015-05-21 21:08 - 2015-05-21 21:08 - 02347384 _____ (ESET) C:\Users\Aer\Downloads\esetsmartinstaller_enu (1).exe
2015-05-21 21:08 - 2015-05-21 21:08 - 00000000 ____D C:\Program Files (x86)\ESET
2015-05-21 21:07 - 2015-05-21 21:07 - 02347384 _____ (ESET) C:\Users\Aer\Downloads\esetsmartinstaller_enu.exe
2015-05-21 17:25 - 2015-05-21 17:25 - 00003524 _____ C:\Users\Aer\Desktop\HitmanPro_20150521_1725.log
2015-05-21 17:02 - 2015-05-21 17:03 - 00000000 ____D C:\Users\Aer\AppData\Local\{E9C73537-5AC1-4057-9AB0-06CCE5238CDF}
2015-05-20 16:01 - 2015-05-20 16:01 - 00002930 _____ C:\Users\Aer\Desktop\a2scan_150520-140528.txt
2015-05-20 14:04 - 2015-05-20 14:04 - 00002616 _____ C:\Users\Aer\Desktop\a2scan_150520-140237.txt
2015-05-20 13:26 - 2015-05-20 13:26 - 00009707 _____ C:\Users\Aer\Desktop\RKreport_SCN_05202015_132223(1).txt
2015-05-20 13:05 - 2015-05-20 13:05 - 00000000 ____D C:\Users\Aer\AppData\Local\{103BE240-022D-43EA-9AA5-AC6A3829DBC6}
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-13 15:38 - 2009-07-14 06:10 - 01382256 _____ C:\Windows\WindowsUpdate.log
2015-06-13 15:31 - 2009-07-14 06:13 - 00726444 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-13 14:45 - 2012-01-22 20:11 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-13 14:44 - 2010-10-30 19:54 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583470079-4115952942-3311931298-1001UA.job
2015-06-13 14:41 - 2013-03-22 22:59 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-13 14:33 - 2015-04-06 17:31 - 00037624 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-06-13 13:22 - 2015-04-01 08:53 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-13 11:25 - 2010-09-21 06:45 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2015-06-13 10:20 - 2009-07-14 05:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-13 10:20 - 2009-07-14 05:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-13 10:15 - 2012-03-14 12:27 - 00000000 ____D C:\Users\Aer\AppData\Roaming\Skype
2015-06-13 09:57 - 2012-03-07 22:28 - 00000000 ___RD C:\Users\Aer\Dropbox
2015-06-13 09:56 - 2012-03-07 22:25 - 00000000 ____D C:\Users\Aer\AppData\Roaming\Dropbox
2015-06-13 09:55 - 2010-11-28 15:03 - 00000000 ____D C:\Users\Aer\Tracing
2015-06-13 09:54 - 2012-01-22 20:10 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-13 09:54 - 2011-10-09 23:37 - 00000000 ____D C:\ProgramData\Advent
2015-06-13 09:54 - 2010-09-21 07:17 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-06-13 09:54 - 2010-09-21 07:17 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-06-13 09:54 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-13 09:54 - 2009-07-14 05:51 - 00164954 _____ C:\Windows\setupact.log
2015-06-13 09:44 - 2010-10-31 13:07 - 00000000 ____D C:\Users\Aer\AppData\Local\Adobe
2015-06-12 21:19 - 2012-08-26 19:54 - 00003234 _____ C:\Windows\System32\Tasks\Norton WSC Integration
2015-06-12 21:19 - 2012-08-26 19:54 - 00002503 _____ C:\Users\Public\Desktop\Norton Internet Security.lnk
2015-06-12 21:19 - 2012-08-26 19:53 - 00000000 ____D C:\Windows\system32\Drivers\NISx64
2015-06-12 21:18 - 2010-09-21 08:26 - 00838524 _____ C:\Windows\PFRO.log
2015-06-09 23:53 - 2015-04-29 22:19 - 00000000 ____D C:\Users\Aer\AppData\Local\NPE
2015-06-09 23:35 - 2012-01-28 17:35 - 00000000 ____D C:\ProgramData\Norton
2015-06-09 23:34 - 2012-01-28 17:35 - 00000000 ____D C:\Users\Aer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2015-06-09 23:32 - 2012-01-28 17:35 - 00001295 _____ C:\Users\Aer\Desktop\Norton Installation Files.lnk
2015-06-09 23:26 - 2012-08-26 19:54 - 00177752 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
2015-06-09 23:26 - 2012-08-26 19:54 - 00008222 _____ C:\Windows\system32\Drivers\SYMEVENT64x86.CAT
2015-06-09 23:25 - 2012-08-26 19:53 - 00000000 ____D C:\Program Files (x86)\Norton Internet Security
2015-06-09 22:18 - 2015-04-13 12:31 - 00000000 ____D C:\EEK
2015-06-09 16:43 - 2010-10-30 19:54 - 00000864 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583470079-4115952942-3311931298-1001Core.job
2015-05-30 18:54 - 2012-01-30 11:27 - 00000000 ____D C:\Users\Aer\Desktop\from usb
2015-05-30 17:26 - 2015-04-01 08:53 - 00001104 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-30 17:26 - 2015-04-01 08:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-30 17:26 - 2015-04-01 08:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-05-25 01:40 - 2015-04-14 22:14 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-05-25 01:38 - 2015-04-29 22:22 - 00000000 ____D C:\NPE
2015-05-22 02:29 - 2011-11-09 21:04 - 00000000 ____D C:\Users\Aer\AppData\Local\Akamai
2015-05-21 17:10 - 2015-04-29 23:20 - 00000000 ____D C:\ProgramData\HitmanPro
2015-05-21 17:09 - 2015-04-29 23:17 - 11024496 _____ (SurfRight B.V.) C:\Users\Aer\Downloads\hitmanpro_x64.exe
2015-05-21 17:06 - 2012-06-15 23:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-05-20 16:40 - 2012-01-22 20:11 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-05-20 16:39 - 2012-01-22 20:10 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-20 16:38 - 2010-10-30 19:54 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-583470079-4115952942-3311931298-1001UA
2015-05-20 16:38 - 2010-10-30 19:54 - 00003494 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-583470079-4115952942-3311931298-1001Core
2015-05-20 16:14 - 2012-03-07 22:28 - 00001029 _____ C:\Users\Aer\Desktop\Dropbox.lnk
2015-05-20 16:14 - 2012-03-07 22:26 - 00000000 ____D C:\Users\Aer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
 
==================== Files in the root of some directories =======
 
2014-03-09 22:25 - 2014-03-09 22:25 - 49940480 _____ () C:\Program Files (x86)\GUT1545.tmp
2015-01-22 12:09 - 2015-01-22 12:09 - 6000640 _____ () C:\Program Files (x86)\GUT24C0.tmp
2012-07-31 21:43 - 2012-07-31 21:43 - 0000288 _____ () C:\Users\Aer\AppData\Roaming\.backup.dm
2011-07-17 18:49 - 2012-04-05 15:21 - 0001848 _____ () C:\Users\Aer\AppData\Roaming\Rim.Desktop.Exception.log
2011-07-17 18:36 - 2011-07-17 18:54 - 0001960 _____ () C:\Users\Aer\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2011-07-17 19:02 - 2012-04-05 15:21 - 0001848 _____ () C:\Users\Aer\AppData\Roaming\Rim.DesktopHelper.Exception.log
2012-04-28 19:02 - 2012-04-28 19:04 - 0184371 _____ () C:\Users\Aer\AppData\Roaming\VideoPad.dmp
2010-12-08 03:07 - 2012-12-06 18:11 - 0057856 _____ () C:\Users\Aer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
Files to move or delete:
====================
C:\Users\Aer\Illustrator_15_LS1(2).exe
C:\Users\Aer\Illustrator_15_LS1.exe
 
 
Some files in TEMP:
====================
C:\Users\Aer\AppData\Local\Temp\AcDeltree.exe
C:\Users\Aer\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Aer\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpseqbsr.dll
C:\Users\Aer\AppData\Local\Temp\Quarantine.exe
C:\Users\Aer\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-13 15:05
 
==================== End of log ============================
 
 
 
 
I've got the Addition.txt but I can't seem to work out how to attach it. I might be being blind but I just can't work it out.
(Edit: I've worked it out. It's attached below) :)

Edited by user3895, 13 June 2015 - 11:06 AM.


#6 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:18 AM

Posted 13 June 2015 - 10:58 AM

Addition.txt

Attached Files


Edited by user3895, 13 June 2015 - 11:05 AM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 13 June 2015 - 01:11 PM


A quick question: So in terms of the proxy override, have you any idea how it could have got there? Malware perhaps?

Most likely set by malware. The post is not closed so nothing to worry about.

===

This is just a cleanup. No malware was found.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\...\Run: [AdobeBridge] => [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password 2.lnk [2012-10-27]
ShortcutTarget: Password 2.lnk -> C:\Windows\Temp\Password 2.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password.lnk [2013-04-07]
ShortcutTarget: Password.lnk -> C:\Windows\Temp\Password.exe (No File)
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-583470079-4115952942-3311931298-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-583470079-4115952942-3311931298-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-583470079-4115952942-3311931298-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lemilgpbnfoecfjhpfchannnnkeefjmj] - C:\Users\Aer\AppData\Local\CRE\lemilgpbnfoecfjhpfchannnnkeefjmj.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lemilgpbnfoecfjhpfchannnnkeefjmj] - C:\Users\Aer\AppData\Local\CRE\lemilgpbnfoecfjhpfchannnnkeefjmj.crx [Not Found]
S2 SessionLauncher; c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
S3 MFE_RR; \??\C:\Users\Aer\AppData\Local\Temp\mfe_rr.sys [X]
C:\Users\Aer\AppData\Local\Temp\AcDeltree.exe
C:\Users\Aer\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Aer\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpseqbsr.dll
AlternateDataStreams: C:\Users\Aer\AppData\Local\493NWw49aG03InL:cpgfhxA1CHF4NtxqrErh3d6Fcp
AlternateDataStreams: C:\Users\Aer\AppData\Local\Temp:7ikeUaJ6WkWgTp4gjYJDmPtIfua5G

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
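The fixlist above removes three kinds of leftovers: startup shortcuts whose target no longer exists, alternate data streams (ADS) under AppData\Local, and stale autorun entries, and the FRST log earlier verifies the signatures of core Windows binaries. The script below is an added example, not part of this thread and not FRST's own code, showing how a defender can audit those same three classes of items read-only in PowerShell before deciding what to remove. It assumes Windows PowerShell 5.1 or later run as Administrator; the folder paths are re-derived from environment variables rather than the user's literal profile path, and the function names are ours.

```powershell
# Added example (not from the thread or from FRST): a read-only audit of the kinds of
# items the fixlist above removes. Assumes Windows PowerShell 5.1+ run as Administrator.
# Function names and paths here are the example's own assumptions.

function Get-BrokenStartupShortcuts {
    # FRST listed "ShortcutTarget: Password.lnk -> C:\Windows\Temp\Password.exe (No File)":
    # a startup .lnk whose target is gone. Resolve every startup shortcut and flag dead targets.
    $startupDirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            [pscustomobject]@{
                Shortcut     = $_.FullName
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Get-AlternateDataStreams {
    # FRST flagged two ADS directly under AppData\Local (one on the Temp folder itself).
    # List every named stream on the top-level items there, ignoring the default ::$DATA
    # stream and the benign Zone.Identifier mark-of-the-web.
    param([string]$Root = $env:LOCALAPPDATA)
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

function Test-CoreBinarySignatures {
    # The same files FRST verifies in its "Bamital & volsnap Check", checked with Authenticode.
    # Caveat: many Windows binaries are catalog-signed; older PowerShell versions report those
    # as NotSigned, so treat NotSigned as "verify further" (e.g. sfc /verifyonly), not as proof
    # of tampering. HashMismatch, however, means the file on disk differs from what was signed.
    $coreFiles = @(
        "$env:SystemRoot\System32\winlogon.exe",
        "$env:SystemRoot\System32\wininit.exe",
        "$env:SystemRoot\System32\services.exe",
        "$env:SystemRoot\System32\svchost.exe",
        "$env:SystemRoot\System32\userinit.exe",
        "$env:SystemRoot\System32\rpcss.dll",
        "$env:SystemRoot\System32\User32.dll",
        "$env:SystemRoot\System32\Drivers\volsnap.sys",
        "$env:SystemRoot\explorer.exe"
    ) | Where-Object { Test-Path -LiteralPath $_ }
    Get-AuthenticodeSignature -FilePath $coreFiles |
        Select-Object Path, Status,
            @{ n = 'Signer'; e = { if ($_.SignerCertificate) { $_.SignerCertificate.Subject } } }
}

Write-Host "== Startup shortcuts with missing targets =="
Get-BrokenStartupShortcuts | Where-Object { -not $_.TargetExists } | Format-Table -AutoSize

Write-Host "== Alternate data streams under $env:LOCALAPPDATA =="
Get-AlternateDataStreams | Format-Table -AutoSize

Write-Host "== Authenticode status of core binaries =="
Test-CoreBinarySignatures | Format-Table -AutoSize
```

Nothing in the script modifies the system; it only reports. A startup shortcut pointing at a missing file in C:\Windows\Temp, as seen in this log, is a classic trace of a program that once ran from a temp folder and is now gone, which is why the fixlist deletes the shortcut rather than the target. An ADS with a random-looking name on a folder is worth inspecting (for example with `Get-Content -Stream`) before deletion so its contents can be recorded for the incident notes.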

#8 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:18 AM

Posted 14 June 2015 - 02:54 PM

Thanks for your help :)

Just one last question, what do you mean by 'the post is not closed so nothing to worry about'? I'm not all that computer literate so I don't know what that means.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 15 June 2015 - 07:32 AM

My mistake, it should read the PORT is CLOSED, nothing to worry about.

#10 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:18 AM

Posted 15 June 2015 - 02:07 PM

Thanks so much. Any idea what that port is usually used for/what malware could have used it for? (I know nothing about ports) Otherwise, if it seems like my laptop is malware free then we can close this thread :)


Edited by user3895, 15 June 2015 - 05:59 PM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 16 June 2015 - 07:07 AM

Ports are assigned by programs and the operating system when needed.
Some are good and some are used by malware.

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Do not spend too much time on it.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices, keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 22 June 2015 - 08:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



