
Threat has been detected


  • This topic is locked
14 replies to this topic

#1 SS369

  • Members
  • 43 posts
  • Gender:Male
  • Local time:04:41 AM

Posted 11 June 2015 - 05:34 PM

Good day.

 

I hope I can request some help.

I have read and followed the Preparation Guide, and performed the FRST scan and have saved the 2 .txt files.

 

I have a laptop that I use with Internet service through my iPhone as a personal hotspot. Each and every time I plug into it, within a few seconds Avast Free announces "A threat has been detected". I get a call and it happens once again. Any break in service, however brief, causes a new threat announcement. One of the threats is Http://bestdriver.star.net.. URL MAL, another http://simplesitescan, etc. A couple of other addresses show up as well at different times.

These do not show up with the full system scans.

 

I also have run MBAM multiple times and it reports system is clean.

 

I am not being redirected or anything that I can see, but, I am concerned that my security has been breached and perhaps data is being mined(?).

 

 

Thank you ahead of time for helping!

 

SS369

 

Here is my FRST.txt file.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015
Ran by SS (administrator) on SS-HP on 11-06-2015 18:00:05
Running from C:\Users\SS\Downloads
Loaded Profiles: SS (Available Profiles: SS)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NUSB3MON] => C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe [97280 2012-04-11] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7535832 2014-02-12] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2803440 2013-12-13] (Synaptics Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-03-12] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [YouCam Service] => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-01] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5512912 2015-04-11] (Avast Software s.r.o.)
HKU\S-1-5-21-3368360199-2112976728-2396414000-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [21969480 2015-05-19] (Google)
HKU\S-1-5-21-3368360199-2112976728-2396414000-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8322328 2015-05-08] (Piriform Ltd)
HKU\S-1-5-21-3368360199-2112976728-2396414000-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7799576 2015-05-15] (SUPERAntiSpyware)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-04-11] (Avast Software s.r.o.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT13/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3368360199-2112976728-2396414000-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
HKU\S-1-5-21-3368360199-2112976728-2396414000-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT13/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3368360199-2112976728-2396414000-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3368360199-2112976728-2396414000-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-04-11] (Avast Software s.r.o.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-04-11] (Avast Software s.r.o.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Tcpip\Parameters: [DhcpNameServer] 198.224.178.135 198.224.181.135

FireFox:
========
FF ProfilePath: C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\bctwlml0.default
FF DefaultSearchEngine.US: Bing
FF Homepage: hxxp://www.bing.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_188.dll [2015-05-25] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll [2015-05-25] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-06] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-27] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF Extension: NoScript - C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\bctwlml0.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-06-04]
FF Extension: Adblock Plus - C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\bctwlml0.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-06-04]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-04-11]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-04-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-11]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-03-12] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-04-11] (Avast Software s.r.o.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-02-12] (Realtek Semiconductor)
R2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [51712 2014-02-24] (Advanced Micro Devices, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-06-19] (Microsoft Corporation)
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 amdkmcsp; C:\Windows\System32\DRIVERS\amdkmcsp.sys [81096 2014-02-24] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36608 2013-12-14] (Advanced Micro Devices, Inc.)
R1 amdpsp; C:\Windows\System32\DRIVERS\amdpsp.sys [233672 2014-02-24] (Advanced Micro Devices, Inc. )
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-04-11] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [88408 2015-04-11] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-04-11] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-04-11] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-04-11] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-04-11] (Avast Software s.r.o.)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [136752 2015-04-11] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [271200 2015-04-11] ()
R1 CLVirtualDrive; C:\Windows\System32\DRIVERS\CLVirtualDrive.sys [90608 2011-12-27] (CyberLink)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [136408 2015-06-11] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
R3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [291544 2014-01-03] (Realtek Semiconductor Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver_AMDASF.sys [29936 2013-12-13] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\system32\drivers\Smb_driver_Intel.sys [31472 2013-12-13] (Synaptics Incorporated)
S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-11 18:00 - 2015-06-11 18:00 - 00015713 _____ C:\Users\SS\Downloads\FRST.txt
2015-06-11 17:59 - 2015-06-11 18:00 - 00000000 ____D C:\FRST
2015-06-11 17:58 - 2015-06-11 17:58 - 02108928 _____ (Farbar) C:\Users\SS\Downloads\FRST64.exe
2015-06-10 14:16 - 2015-06-10 14:16 - 00461336 _____ C:\Windows\Minidump\061015-21964-01.dmp
2015-06-10 09:46 - 2015-06-10 14:16 - 416201042 _____ C:\Windows\MEMORY.DMP
2015-06-10 09:46 - 2015-06-10 09:46 - 00461336 _____ C:\Windows\Minidump\061015-26348-01.dmp
2015-06-06 08:34 - 2015-06-06 08:34 - 00000000 ____D C:\Users\SS\Desktop\Google Drive
2015-06-05 22:30 - 2015-06-05 22:30 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2015-06-05 22:30 - 2015-06-05 22:30 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2015-06-05 07:24 - 2015-06-11 06:51 - 00000448 _____ C:\Windows\setupact.log
2015-06-05 07:24 - 2015-06-05 07:24 - 00000000 _____ C:\Windows\setuperr.log
2015-06-03 19:35 - 2015-06-03 19:35 - 00000000 ____D C:\Users\SS\AppData\Roaming\SUPERAntiSpyware.com
2015-06-03 19:34 - 2015-06-03 19:35 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-06-03 19:34 - 2015-06-03 19:34 - 00001808 _____ C:\Users\SS\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-06-03 19:34 - 2015-06-03 19:34 - 00000000 ____D C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-06-03 19:34 - 2015-06-03 19:34 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-06-03 18:48 - 2015-06-03 18:48 - 00002778 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-06-03 18:48 - 2015-06-03 18:48 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-06-03 18:48 - 2015-06-03 18:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-06-03 18:48 - 2015-06-03 18:48 - 00000000 ____D C:\Program Files\CCleaner
2015-06-03 18:32 - 2015-06-03 18:39 - 00000000 ____D C:\ProgramData\HitmanPro
2015-06-03 17:17 - 2015-06-03 17:17 - 00001151 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-05-28 17:10 - 2015-05-28 17:10 - 00003584 _____ C:\Users\SS\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-05-28 17:06 - 2015-05-28 17:06 - 00001894 _____ C:\Users\SS\Desktop\IrfanView Thumbnails.lnk
2015-05-28 17:06 - 2015-05-28 17:06 - 00001002 _____ C:\Users\SS\Desktop\IrfanView.lnk
2015-05-28 17:06 - 2015-05-28 17:06 - 00000000 ____D C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IrfanView
2015-05-28 17:05 - 2015-05-28 17:05 - 00000000 ____D C:\Users\SS\AppData\Roaming\IrfanView
2015-05-28 17:05 - 2015-05-28 17:05 - 00000000 ____D C:\Program Files (x86)\IrfanView
2015-05-27 19:05 - 2015-06-11 07:04 - 00000000 ___RD C:\Users\SS\Google Drive
2015-05-27 19:03 - 2015-06-05 22:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-05-27 18:55 - 2015-06-11 17:06 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-27 18:55 - 2015-06-11 06:51 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-27 18:55 - 2015-05-27 20:01 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-05-27 18:55 - 2015-05-27 20:01 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-27 18:55 - 2015-05-27 19:03 - 00000000 ____D C:\Users\SS\AppData\Local\Google
2015-05-27 18:55 - 2015-05-27 19:03 - 00000000 ____D C:\Program Files (x86)\Google
2015-05-27 17:23 - 2015-05-27 17:23 - 00000000 ____D C:\Users\SS\AppData\Local\Macromedia
2015-05-20 22:17 - 2015-06-09 12:07 - 00000320 _____ C:\Windows\Tasks\HPCeeScheduleForSS.job
2015-05-20 22:17 - 2015-06-08 23:56 - 00003168 _____ C:\Windows\System32\Tasks\HPCeeScheduleForSS
2015-05-20 18:21 - 2015-05-20 18:21 - 00000000 ____D C:\Users\SS\Documents\GomPlayer
2015-05-13 20:10 - 2015-05-13 20:10 - 00000000 ____D C:\ProgramData\2a3ac4ef00003492
2015-05-12 20:07 - 2015-05-12 20:07 - 00000000 ____D C:\Users\SS\BOOKS

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-11 15:50 - 2015-04-13 12:57 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-11 15:31 - 2015-04-07 13:22 - 01943580 _____ C:\Windows\WindowsUpdate.log
2015-06-11 08:44 - 2015-04-15 18:05 - 00000000 ____D C:\Users\SS\Documents\KNOTS
2015-06-11 07:11 - 2015-04-07 13:24 - 00003902 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{03C8F58B-3C86-486F-AD9A-F17CF0F5FB2E}
2015-06-11 06:59 - 2009-07-14 00:45 - 00034208 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-11 06:59 - 2009-07-14 00:45 - 00034208 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-11 06:52 - 2015-04-07 13:25 - 00000000 ____D C:\Users\SS\Documents\Youcam
2015-06-11 06:52 - 2015-03-03 17:17 - 03709368 _____ C:\Windows\SysWOW64\rootpa.e2e
2015-06-11 06:51 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-11 01:57 - 2015-03-03 17:16 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2015-06-10 14:16 - 2015-04-16 23:06 - 00000000 ____D C:\Windows\Minidump
2015-06-10 09:47 - 2009-07-14 01:08 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-06-09 00:04 - 2015-04-11 15:53 - 00000000 ____D C:\Users\SS\Documents\Calibre Library
2015-06-08 23:56 - 2015-04-07 13:20 - 00000000 ____D C:\Users\SS
2015-06-08 23:55 - 2015-04-11 16:30 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-06-07 20:01 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2015-06-04 17:53 - 2014-06-19 05:50 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-06-04 17:53 - 2014-06-19 05:50 - 00002019 _____ C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-06-04 13:05 - 2007-01-01 21:25 - 00000000 ____D C:\Windows\Panther
2015-06-03 20:31 - 2015-04-22 20:24 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2015-06-03 18:49 - 2015-04-19 08:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-05-28 18:07 - 2009-07-14 01:13 - 00779724 _____ C:\Windows\system32\PerfStringBackup.INI
2015-05-26 14:17 - 2015-04-11 15:53 - 00000000 ____D C:\Users\SS\AppData\Roaming\calibre
2015-05-25 23:28 - 2015-04-10 17:41 - 00000000 ____D C:\Users\SS\AppData\Local\Adobe
2015-05-25 23:28 - 2014-06-19 05:41 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-05-25 23:28 - 2014-06-19 05:41 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-05-20 22:17 - 2015-04-07 13:22 - 00000000 ____D C:\Users\SS\AppData\Local\Hewlett-Packard
2015-05-13 20:32 - 2015-04-11 16:13 - 00000000 ____D C:\Users\SS\Desktop\Transfer
2015-05-13 18:26 - 2015-04-10 21:16 - 00000000 ____D C:\Users\SS\AppData\Roaming\UpdaterService

==================== Files in the root of some directories =======

2015-05-28 17:10 - 2015-05-28 17:10 - 0003584 _____ () C:\Users\SS\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-04 21:45

==================== End of log ============================




#2 nasdaq

  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 16 June 2015 - 07:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll No File
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-04-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-11]
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [X]
S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]

End
Save the files as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

If this fails to fix your problem then I suspect that your router is compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

How is it now?
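As an added example (not code from this thread, nor from FRST's author), the Python below applies the kind of triage the helper did by hand to FRST log lines: it flags orphaned registrations (the "[X]" and "No File" markers), binaries FRST reports as unsigned, and drivers loading from a temp directory or a "\??\" path, then drafts a fixlist in the same start/End layout shown above containing only the orphaned entries. The rule labels and the sample lines (copied from the log quoted in this thread, plus two normal entries) are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: lines taken from the FRST log quoted in this thread,
# plus two ordinary entries that should not trigger any rule.
SAMPLE_LOG = """\
R2 avast! Antivirus; C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe [343336 2015-04-11] (Avast Software s.r.o.)
R2 AMD FUEL Service; C:\\Program Files\\ATI Technologies\\ATI.ACE\\Fuel\\Fuel.Service.exe [344064 2014-03-12] (Advanced Micro Devices, Inc.) [File not signed]
S3 GamesAppService; "C:\\Program Files (x86)\\WildTangent Games\\App\\GamesAppService.exe" [X]
S3 OATool; \\??\\C:\\Windows\\TEMP\\OAToolx64.sys [X]
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\\Program Files (x86)\\WildTangent Games\\App\\BrowserIntegration\\Registered\\0\\NP_wtapp.dll No File
R0 aswVmm; C:\\Windows\\System32\\Drivers\\aswVmm.sys [271200 2015-04-11] ()
"""

# Each rule is (label, predicate). The labels are this example's own names,
# not FRST terminology.
RULES = [
    # FRST appends "[X]" to a service/driver whose binary is missing and
    # "No File" to a plugin whose file is gone: the registration is orphaned.
    ("orphaned-entry", lambda s: s.endswith("[X]") or s.endswith("No File")),
    # FRST marks executables that carry no valid digital signature.
    ("unsigned-binary", lambda s: "[File not signed]" in s),
    # A driver loading from a temp directory is unusual and worth a closer look.
    ("temp-path", lambda s: re.search(r"\\temp\\", s, re.IGNORECASE) is not None),
    # A "\??\" prefix is an NT object-manager path; most drivers do not need it.
    ("nt-object-path", lambda s: "\\??\\" in s),
]


def classify_line(line: str) -> List[str]:
    """Return the labels of every rule that fires on one FRST log line."""
    line = line.rstrip()
    return [label for label, pred in RULES if pred(line)]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group log lines by the rule(s) they trigger; lines that trigger nothing are dropped."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.rstrip()
        # Skip blanks, section banners and FRST's parenthetical explanations.
        if not line or line.startswith("===") or line.startswith("("):
            continue
        for label in classify_line(line):
            hits[label].append(line)
    return dict(hits)


def build_fixlist(log_text: str) -> str:
    """Draft a fixlist.txt in the layout used in this thread, from orphaned entries only.

    FRST removes an orphaned registration when its log line is pasted verbatim
    between "start" and "End". Everything else triage() flags is left for a
    person to judge, which is how the helper in this thread proceeded.
    """
    orphans = triage(log_text).get("orphaned-entry", [])
    body = ["start", "", "CloseProcesses:"] + orphans + ["", "End"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    for label, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label}:")
        for entry in lines:
            print("   ", entry)
    print(build_fixlist(SAMPLE_LOG))
```

The drafted list reproduces three of the five lines the helper chose above; the two Avast Chrome extension lines he added are not flagged by any rule here, which is the point: the log alone does not explain every choice, so the output is a starting draft, not a finished fix.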

#3 SS369
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Local time:04:41 AM

Posted 16 June 2015 - 06:11 PM

Good day nasdaq.

 

I have performed the tasks you've recommended.

 

Here is the Fixlog.txt.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by SS at 2015-06-16 18:33:43 Run:1
Running from C:\Users\SS\Downloads
Loaded Profiles: SS (Available Profiles: SS)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CloseProcesses:
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll No File
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-04-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-11]
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [X]
S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]

End
*****************

Processes closed successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
GamesAppService => Service removed successfully
OATool => Service removed successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-06-16 18:34:56)<=

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx" => Could not move
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move

==== End of Fixlog 18:34:56 ====

 

 

 

I went through the Firefox reset, losing all the add-ons, and I don't know how to get them back besides going through the search and download process again.

 

The link you provided >>> Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

opens a page with info on IE which I do not use. So, I used CCleaner which I have installed already.

 

I do not use a router, just my iPhone as a personal hotspot.

 

To check if this worked I disconnect and reconnect my phone or turn off and turn back on my personal hotspot. This I did and I get the very same "Threat has been detected" alert.

 

As I have mentioned in the first post, I have run numerous full system scans using both Avast and Mbam. Neither indicates anything found.

So, I don't think anything has been fixed yet.

 

What can you suggest to do next?

 

Thank you.

 

SS



#4 nasdaq

  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 17 June 2015 - 07:32 AM

Looks like your iPhone has been corrupted.

Start a new topic in this forum. Someone with experience with iPhones can help better than I can.
This is not my forte.

http://www.bleepingcomputer.com/forums/f/216/android-os/

I will leave this topic open for 5 days.
If you need to return please do.

#5 SS369 (Topic Starter)

Posted 17 June 2015 - 08:04 AM

Thank you nasdaq.

Doing my best to search for anything concerning my challenge, I fail to find information concerning virus or malware corruption on an iPhone that even remotely suggests that this is my situation. Searching many ways, although I might just be missing it, this forum lacks anything related to iPhone corruption.

Might there be someone at BleepingComputer whose forte might include this that we can pass to?

Is there even a scanner for an iPhone?

SS



#6 nasdaq (Malware Response Team)

Posted 17 June 2015 - 09:30 AM

Is this sub forum more appro...
http://www.bleepingcomputer.com/forums/f/215/tablets-mobile-devices/

#7 SS369 (Topic Starter)

Posted 17 June 2015 - 11:43 AM

Nothing there for this challenge except to post what I have done here.

I took it upon myself to run an ESET online scan. It came up with some items that FRST, AVAST and MBAM did not discover.

C:\Users\SS\Downloads\APPS\ac3filter_2_5b.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
C:\Users\SS\Downloads\APPS\ccsetup506.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\SS\Downloads\APPS\gom-player.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
C:\Users\SS\Downloads\APPS\gom-player_setup.exe    a variant of Win32/InstallCore.YV potentially unwanted application    cleaned by deleting - quarantined

It seems that it is not related to my phone(?) except that my phone provides internet service for the exploit/threat.

What do you make of this, and what should I do to ensure that this is not going to reinfect over and over? Are there better or additional scans to use for diagnosing this?

SS



#8 nasdaq (Malware Response Team)

Posted 17 June 2015 - 01:25 PM

Sorry I cannot help you with your iPhone.

This link may also be of interest to you.
https://www.google.ca/search?q=iphone+corruption&oq=iphone+corruption&aqs=chrome..69i57&sourceid=chrome&es_sm=93&ie=UTF-8

===

All that ESET did was delete files in your Download folder.

#9 SS369 (Topic Starter)

Posted 17 June 2015 - 05:25 PM

Well, thank you for your help so far nasdaq.

As I was checking the links you gave me I received a call, thus breaking my internet connection, which is normal. As soon as the call was terminated and net service re-established I invariably heard the threat alert from AVAST.

I captured one of the alerts with print screen and am including it with this post.

I'm not inclined to give up and just blame my phone, as this seems very much like a virus or malware on the laptop. My iPhone is standard, all apps (very, very few) work, it is not jailbroken or whatever you call that, and nowhere have I read that the problem I am experiencing is caused by an iPhone.

Hopefully you can suggest something else to try.

SS


Attached Files



#10 nasdaq (Malware Response Team)

Posted 18 June 2015 - 07:11 AM

This is the same type of message you would get if you were using a router/modem.

Let's eliminate any issues that may be caused by your computer.

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here.

When the download appears, save it to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

If this clears your problem, good.
If not, then you will have to check your iPhone further.

#11 SS369 (Topic Starter)

Posted 18 June 2015 - 05:14 PM

Thank you nasdaq for your continued help.

Since I didn't believe my iPhone is/was the culprit, and I did do the browser reset and cache cleaning with no results except losing some add-ons, I decided to dig further on my own here in the BleepingComputer forum.

I found some sort of similar threads and saw some common instructions for the OP to perform.

I ran Farbar, AdwCleaner and ComboFix.

AdwCleaner found some items, perhaps inconsequential.

The real help came from ComboFix.

Since running these programs I am not experiencing the challenge of my original post.

Thank you again for your assistance.

SS



#12 nasdaq (Malware Response Team)

Posted 19 June 2015 - 08:29 AM

Thank you for the feedback.

If you kept the ComboFix log I would like to see what was removed.
It may help in the future.

Thanks.

#13 SS369 (Topic Starter)

Posted 19 June 2015 - 04:27 PM

You are welcome nasdaq.

Here is my ComboFix log. I hope it helps someone, some time. It is quite confusing, so if you find something, I will be interested in reading about it.

Thank you.

SS


ComboFix 15-06-09.01 - SS 06/17/2015  18:53:11.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3545.2268 [GMT -4:00]
Running from: c:\users\SS\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\SS\AppData\Local\Temp\_MEI27042\_ctypes.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_elementtree.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_hashlib.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_multiprocessing.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_psutil_windows.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_socket.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_ssl.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\_yappi.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\common.time34.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\hashobjs_ext.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\pyexpat.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\pysqlite2._sqlite.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\python27.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\pythoncom27.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\PyWinTypes27.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\select.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\unicodedata.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\usb_ext.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32api.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32com.shell.shell.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32crypt.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32event.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32file.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32gui.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32inet.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32pdh.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32pipe.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32process.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32profile.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32security.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\win32ts.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\windows._lib_cacheinvalidation.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._animate.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._controls_.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._core_.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._gdi_.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._html2.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._misc_.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._windows_.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wx._wizard.pyd
c:\users\SS\AppData\Local\Temp\_MEI27042\wxbase294u_net_vc90.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\wxbase294u_vc90.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\wxmsw294u_adv_vc90.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\wxmsw294u_core_vc90.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\wxmsw294u_html_vc90.dll
c:\users\SS\AppData\Local\Temp\_MEI27042\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2015-05-17 to 2015-06-17  )))))))))))))))))))))))))))))))
.
.
2015-06-17 23:02 . 2015-06-17 23:02    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-06-17 22:36 . 2015-06-17 22:39    --------    d-----w-    C:\AdwCleaner
2015-06-17 13:25 . 2015-06-17 13:25    --------    d-----w-    c:\program files (x86)\ESET
2015-06-11 21:59 . 2015-06-16 22:34    --------    d-----w-    C:\FRST
2015-06-06 02:30 . 2015-06-06 02:30    --------    d-----w-    c:\users\Default\AppData\Local\Google
2015-06-03 23:35 . 2015-06-03 23:35    --------    d-----w-    c:\users\SS\AppData\Roaming\SUPERAntiSpyware.com
2015-06-03 23:34 . 2015-06-16 22:26    --------    d-----w-    c:\program files\SUPERAntiSpyware
2015-06-03 23:34 . 2015-06-03 23:34    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2015-06-03 22:48 . 2015-06-03 22:48    --------    d-----w-    c:\program files\CCleaner
2015-06-03 22:32 . 2015-06-03 22:39    --------    d-----w-    c:\programdata\HitmanPro
2015-05-28 21:05 . 2015-05-28 21:05    --------    d-----w-    c:\users\SS\AppData\Roaming\IrfanView
2015-05-28 21:05 . 2015-05-28 21:05    --------    d-----w-    c:\program files (x86)\IrfanView
2015-05-27 23:05 . 2015-06-17 22:43    --------    d-----r-    c:\users\SS\Google Drive
2015-05-27 22:55 . 2015-05-27 23:03    --------    d-----w-    c:\program files (x86)\Google
2015-05-27 22:55 . 2015-05-27 23:03    --------    d-----w-    c:\users\SS\AppData\Local\Google
2015-05-27 21:23 . 2015-05-27 21:23    --------    d-----w-    c:\users\SS\AppData\Local\Macromedia
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-17 23:03 . 2015-03-03 21:16    65536    ----a-w-    c:\windows\system32\spu_storage.bin
2015-06-17 21:07 . 2015-04-13 16:57    136408    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-05-26 03:28 . 2014-06-19 09:41    778416    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-05-26 03:28 . 2014-06-19 09:41    142512    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-04-14 13:37 . 2015-04-13 16:56    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-04-14 13:37 . 2015-04-13 16:56    107736    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-04-14 13:37 . 2015-04-13 16:56    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-04-11 20:29 . 2015-04-11 20:30    442264    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2015-04-11 20:29 . 2015-04-11 20:30    271200    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2015-04-11 20:29 . 2015-04-11 20:30    136752    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2015-04-11 20:29 . 2015-04-11 20:30    88408    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2015-04-11 20:29 . 2015-04-11 20:30    65736    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2015-04-11 20:29 . 2015-04-11 20:30    93528    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2015-04-11 20:29 . 2015-04-11 20:30    29168    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2015-04-11 20:29 . 2015-04-11 20:29    364472    ----a-w-    c:\windows\system32\aswBoot.exe
2015-04-11 20:29 . 2015-04-11 20:29    43112    ----a-w-    c:\windows\avastSS.scr
2015-04-11 20:29 . 2015-04-11 20:30    1047320    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2015-04-09 21:29 . 2012-07-17 21:37    23768    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2015-05-19 21969480]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2015-05-08 8322328]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2015-05-15 7799576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2014-03-12 767200]
"YouCam Service"="c:\program files (x86)\CyberLink\YouCam\YouCamService.exe" [2013-09-02 267224]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-09-08 581024]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 1022152]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-04-11 5512912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"RequireSignedAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 amdkmcsp;AMD Kernel Mode CSP Service;c:\windows\system32\DRIVERS\amdkmcsp.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmcsp.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 SmbDrv;SmbDrv;c:\windows\system32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys [x]
R3 SmbDrvI;SmbDrvI;c:\windows\system32\drivers\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_Intel.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\drivers\amdkmpfd.sys;c:\windows\SYSNATIVE\drivers\amdkmpfd.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 amdpsp;AMD PSP 1.0 Service;c:\windows\system32\DRIVERS\amdpsp.sys;c:\windows\SYSNATIVE\DRIVERS\amdpsp.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [x]
S2 tbaseprovisioning;tbaseprovisioning;c:\windows\SysWOW64\tbaseprovisioning.exe;c:\windows\SysWOW64\tbaseprovisioning.exe [x]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\drivers\amdhub30.sys;c:\windows\SYSNATIVE\drivers\amdhub30.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\drivers\amdxhc.sys;c:\windows\SYSNATIVE\drivers\amdxhc.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsP2Stor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2015-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-05-27 22:55]
.
2015-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-05-27 22:55]
.
2015-06-16 c:\windows\Tasks\HPCeeScheduleForSS.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 11:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-04-11 20:29    722400    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2015-05-19 19:22    774984    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2015-05-19 19:22    774984    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2015-05-19 19:22    774984    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2015-05-19 19:22    774984    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2015-05-19 19:22    774984    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe" [2012-04-11 97280]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2014-02-13 7535832]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 198.224.178.135 198.224.181.135
FF - ProfilePath - c:\users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\as2geyue.default-1434494900188\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{438363A8-F486-4C37-834C-4955773CB3D3} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App - c:\program files (x86)\WildTangent Games\App\Uninstall.exe
AddRemove-{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp - c:\program files (x86)\WildTangent Games\Touchpoints\hp\Uninstall.exe
AddRemove-{8C696B4B-6AB1-44BC-9416-96EAC474CABE} - c:\program files (x86)\InstallShield Installation Information\{8C696B4B-6AB1-44BC-9416-96EAC474CABE}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
c:\program files\AVAST Software\Avast\AvastEmUpdate.exe
.
**************************************************************************
.
Completion time: 2015-06-17  19:08:51 - machine was rebooted
ComboFix-quarantined-files.txt  2015-06-17 23:08
.
Pre-Run: 420,577,767,424 bytes free
Post-Run: 420,305,076,224 bytes free
.
- - End Of File - - A8EEE3E3C7240AF8A90FD7517BFC2B29
A36C5E4F47E84449FF07ED3517B43A31
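
The ComboFix log above lists, in its "Reg Loading Points" section, the registry autorun entries and policy values that triage of a log like this usually starts from. As an added example that is not part of the original thread and is not ComboFix's own code, the following Python script parses that section layout (bracketed key headers, `"name"=value` lines, the `[date size]` suffix ComboFix prints after each Run entry, and `N (0xN)` DWORD values) into a list of autorun entries and flags the AppInit_DLLs policy combination that is visible in the posted log. The sample text is constructed from a few lines of that log; the function and class names are my own, not tool APIs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines taken from the "Reg Loading Points"
# section of the ComboFix log posted above, in ComboFix's own layout.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2015-05-19 21969480]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2015-05-08 8322328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"RequireSignedAppInit_DLLs"=0 (0x0)
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=<raw value text>
# Run entries are printed as: "path" [YYYY-MM-DD filesize]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
# DWORD values are printed as: 1 (0x1)
DWORD_RE = re.compile(r'^(\d+)\s*\(0x[0-9A-Fa-f]+\)$')
APPINIT_KEY_SUFFIX = r'\windows nt\currentversion\windows'


@dataclass
class RunEntry:
    key: str        # registry key the entry lives under
    name: str       # value name
    path: str       # image path as ComboFix printed it
    timestamp: str  # file date as printed (YYYY-MM-DD)
    size: int       # file size in bytes


def parse_reg_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Group the section into {registry key: {value name: raw value text}}.
    Separator lines ('.'), the REGEDIT4 header and the *Note* line are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def run_entries(keys: Dict[str, Dict[str, str]]) -> List[RunEntry]:
    """Autorun values under any key ending in CurrentVersion\\Run, with path, date and size split out."""
    found: List[RunEntry] = []
    for key, values in keys.items():
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        for name, raw in values.items():
            m = RUN_VALUE_RE.match(raw)
            if m:
                found.append(RunEntry(key, name, m.group(1), m.group(2), int(m.group(3))))
    return found


def dword(keys: Dict[str, Dict[str, str]], key_suffix: str, name: str) -> Optional[int]:
    """Integer value of a DWORD printed as 'N (0xN)' under a key ending in key_suffix, or None."""
    for key, values in keys.items():
        if key.lower().endswith(key_suffix.lower()) and name in values:
            m = DWORD_RE.match(values[name])
            if m:
                return int(m.group(1))
    return None


def appinit_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Review items derived from the AppInit_DLLs policy values.
    LoadAppInit_DLLs=1 together with RequireSignedAppInit_DLLs=0 means Windows loads any
    DLL named in AppInit_DLLs, signed or not, into processes that load user32.dll.
    ComboFix hides empty/default values, so the AppInit_DLLs list itself must be read on the host."""
    findings: List[str] = []
    load = dword(keys, APPINIT_KEY_SUFFIX, 'LoadAppInit_DLLs')
    signed = dword(keys, APPINIT_KEY_SUFFIX, 'RequireSignedAppInit_DLLs')
    if load == 1 and signed == 0:
        findings.append('AppInit DLL loading is enabled and unsigned DLLs are allowed; '
                        'inspect the AppInit_DLLs value under the same key on the host')
    return findings


def triage_report(text: str) -> str:
    """Human-readable summary: one line per autorun entry, then any policy findings."""
    keys = parse_reg_loading_points(text)
    lines = [f'{e.name:24} {e.timestamp} {e.size:>10} {e.path}' for e in run_entries(keys)]
    lines += [f'REVIEW: {f}' for f in appinit_findings(keys)]
    return '\n'.join(lines)


if __name__ == '__main__':
    print(triage_report(SAMPLE_LOG))
```

Run against the full section of the posted log, the report gives one line per Run value (name, file date, size, path) that can be compared against the installed software the user recognises, plus a single review item for the AppInit policy. The finding is deliberately a review prompt rather than a detection: the log does not show the AppInit_DLLs list itself, so whether anything is actually being injected has to be confirmed on the machine.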
 



#14 nasdaq (Malware Response Team)

Posted 20 June 2015 - 07:48 AM

I will know better next time to ask for the Addition.txt that was created when you executed the Farbar tool.
The files that were removed might be listed in the log.
I do know that they are from an infection.

Remove ComboFix using the instructions on this page.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

===


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#15 nasdaq (Malware Response Team)

Posted 26 June 2015 - 08:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



