Virus keeps spawning after startup


This topic is locked
23 replies to this topic

#1 The_Killer

  • Members
  • 50 posts

Posted 14 June 2015 - 12:10 PM

I have Avast Free Antivirus installed. Whenever I turn on my pc, it says it found some viruses and deleted them (but it happens every time). The problem started to happen after my friend installed something. The thing is he can not remember what he did and I didn't use this computer before. I hope we can get rid of these viruses.

 

------------------------------------------------------------- FRST.txt --------------------------------------------------------------------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-06-2015
Ran by Mr_Minh (administrator) on MINH on 14-06-2015 23:58:43
Running from C:\Documents and Settings\Mr_Minh\Desktop\Fix
Loaded Profiles: Mr_Minh (Available Profiles: Mr_Minh)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(VIA Technologies, Inc.) C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
() C:\Program Files\HCC\ccon.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Dell) C:\Documents and Settings\Mr_Minh\Local Settings\Apps\2.0\T6TG1MOY.JRT\V1B6ON30.MPT\dell..tion_0f612f649c4a10af_0005.0004_3ddfe37344028d2c\DellSystemDetect.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Bandoo Media Inc.) C:\Program Files\Music App\Datamngr\DatamngrCoordinator.exe
(XTab system) C:\Program Files\XTab\ProtectService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(SearchProtect) C:\Program Files\XTab\CmdShell.exe
(TorchMedia Inc.) C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(XTab system) C:\Program Files\XTab\HPNotify.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33587200 2009-01-21] (VIA Technologies, Inc.)
HKLM\...\Run: [ccons] => C:\Program Files\HCC\ccon.exe [3422720 2012-02-01] ()
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-06] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-06] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-11] (Avast Software s.r.o.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [4351216 2009-05-26] (Yahoo! Inc.)
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [DellSystemDetect] => C:\Documents and Settings\Mr_Minh\Start Menu\Programs\Dell\Dell System Detect.appref-ms
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [GarenaPlus] => "D:\Games\Garena Plus\GarenaMessenger.exe" -autolaunch
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_17_0_0_134_Plugin.exe [962224 2015-03-25] (Adobe Systems Incorporated)
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2013-11-09]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mtdEVAShelf 300.lnk [2014-09-30]
ShortcutTarget: mtdEVAShelf 300.lnk -> C:\Program Files\MTD300\QSHLFMTD.EXE ()
HKLM\...\AppCertDlls: [x64] -> c:\program files\music app\datamngr\x64\apcrtldr.dll <===== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-05-06] (Avast Software s.r.o.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled
ProxyServer: [.DEFAULT] => http=localhost:8081
ProxyServer: [S-1-5-21-73586283-1972579041-839522115-1003] => http=;https=
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-73586283-1972579041-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1431016931&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
HKU\S-1-5-21-73586283-1972579041-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dts.search.ask.com/sidebar.html?src=ssb&gct=ds&appid=0&systemid=102
HKU\S-1-5-21-73586283-1972579041-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1431016931&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
URLSearchHook: HKU\S-1-5-21-73586283-1972579041-839522115-1003 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
SearchScopes: HKLM -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10011&barid={BD492F0E-229C-11E2-B458-001966C7C6D4}
SearchScopes: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
SearchScopes: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=wpc&utm_campaign=install_ie&utm_content=ds&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&ts=1431016957&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=wpc&utm_campaign=install_ie&utm_content=ds&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&ts=1431016957&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
SearchScopes: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=wpc&utm_campaign=install_ie&utm_content=ds&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&ts=1431016957&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=wpc&utm_campaign=install_ie&utm_content=ds&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&ts=1431016957&type=default&q={searchTerms}
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
Toolbar: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Toolbar: HKU\S-1-5-21-73586283-1972579041-839522115-1003 -> No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
DPF: {7D6142C3-203A-4186-B2A7-F33998BF0BCF} http://khanhviet2010.dyndns.tv/DvrWeb.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\Profiles\um2prnk7.default-1434299730627
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-03-25] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-06] ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2009-05-26] (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @t.garena.com/garenatalk -> D:\Games\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-30] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-30] (Google Inc.)
FF Plugin: TorchVLC -> C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Torch\Plugins\Video\VLC\npvlc.dll [2013-07-31] (VideoLAN)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\5giay.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\Ask.xml [2015-04-06]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\baambootratuav.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\muare.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\zing-mp3.xml [2015-05-09]
FF Extension: OneClickDownloader - C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\profiles\extensions\OneClickDownload@OneClickDownload.com [2012-09-24]
FF Extension: GoPhotoIt - C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\profiles\extensions\gophoto@gophoto.it.xpi [2012-07-31]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-10-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-12-09]
FF HKLM\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\Profiles\2bidr9ai.default\extensions\searchengine@gmail.com
FF HKLM\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\Profiles\2bidr9ai.default\extensions\fftoolbar2014@etech.com
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-04-24]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-24]
CHR Extension: (Podio Notifications) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\efaafmmmpabgogfimjhfakfcemahdbaf [2015-05-07]
CHR Extension: (Avast SafePrice) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-10-17]
CHR Extension: (Bookmark Manager DEV) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-06-01]
CHR Extension: (Avast Online Security) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-10-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-29]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-07]
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2013-04-24]
CHR HKLM\...\Chrome\Extension: [dkinklhnkmkhkhofcnapakaoehijaoih] - C:\Program Files\OnlineHD.TV\onhd10.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswwebrepchrome-sp.crx [2014-08-30]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-05-06]
CHR HKLM\...\Chrome\Extension: [jcdgjdiieiljkfkdcloehkohchhpekkn] - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetFB.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetNT.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit14.crx [2012-07-31]
CHR HKLM\...\Chrome\Extension: [pmlghpafmmnmmkjdhacccolfgnkiboco] - C:\Program Files\1ClickDownload\oneclickdownloader11.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2013-11-09] () [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-05-06] (Avast Software s.r.o.)
R2 DatamngrCoordinator; C:\Program Files\Music App\Datamngr\DatamngrCoordinator.exe [3204296 2015-03-23] (Bandoo Media Inc.)
R2 IHProtect Service; C:\Program Files\XTab\ProtectService.exe [158816 2015-03-16] (XTab system)
R2 TorchCrashHandler; C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe [1217032 2015-05-12] (TorchMedia Inc.) <==== ATTENTION
S2 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24144 2015-05-06] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [74976 2015-05-06] (Avast Software s.r.o.)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-05-06] (Avast Software s.r.o.)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49904 2015-05-06] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787760 2015-05-06] (Avast Software s.r.o.)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [427992 2015-05-06] (Avast Software s.r.o.)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-05-06] (Avast Software s.r.o.)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [209048 2015-05-06] ()
R1 F06DEFF2-5B9C-490D-910F-35D3A91196222; C:\Program Files\Music App\Datamngr\setmgrc3.cfg [38472 2015-03-23] (Bandoo Media Inc.)
R3 monfilt; C:\WINDOWS\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R3 VIAHdAudAddService; C:\WINDOWS\System32\drivers\viahduaa.sys [1050112 2009-01-11] (VIA Technologies, Inc.)
U3 .neautotsiq; No ImagePath
S3 GGSAFERDriver; \??\D:\Games\Garena Plus\Room\safedrv.sys [X]
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-14 23:58 - 2015-06-14 23:58 - 00000000 ____D C:\FRST
2015-06-14 23:57 - 2015-06-14 23:58 - 00000000 ____D C:\Documents and Settings\Mr_Minh\My Documents\Trang tải xuống
2015-06-14 23:57 - 2015-06-14 23:58 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Desktop\Fix
2015-06-14 23:35 - 2015-06-14 23:35 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Desktop\Dữ liệu cũ của Firefox
2015-06-01 11:26 - 2015-06-01 11:27 - 00000000 ____D C:\Log

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-14 23:59 - 2009-04-02 00:31 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Local Settings\Temp
2015-06-14 23:58 - 2013-04-24 22:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-14 23:55 - 2009-04-02 07:18 - 00906442 _____ C:\WINDOWS\setupapi.log
2015-06-14 23:43 - 2015-04-24 19:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-06-14 23:41 - 2013-04-24 22:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-14 23:36 - 2009-04-02 00:27 - 00419600 _____ C:\WINDOWS\WindowsUpdate.log
2015-06-14 23:30 - 2013-11-09 21:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\TorchCrashHandler
2015-06-14 23:30 - 2012-10-01 21:29 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-06-14 23:30 - 2009-04-02 07:21 - 00000049 ____C C:\WINDOWS\wiaservc.log
2015-06-14 23:29 - 2015-04-06 19:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Datamngr
2015-06-14 23:29 - 2013-07-11 21:35 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Deployment
2015-06-14 23:29 - 2009-06-12 11:33 - 00131142 _____ C:\WINDOWS\system32\nvapps.xml
2015-06-14 23:29 - 2009-04-02 07:21 - 00000159 ____C C:\WINDOWS\wiadebug.log
2015-06-14 23:29 - 2009-04-02 00:30 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-06-14 23:29 - 2004-08-04 08:07 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-05-31 10:58 - 2013-11-09 21:24 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Torch
2015-05-31 10:54 - 2013-11-09 21:25 - 00001103 _____ C:\Documents and Settings\Mr_Minh\Start Menu\Programs\Torch.lnk

==================== Files in the root of some directories =======

2012-09-30 21:05 - 2013-04-28 10:51 - 0045194 _____ () C:\Documents and Settings\Mr_Minh\Application Data\room_v3.dat
2012-10-25 21:06 - 2015-05-06 22:34 - 0014336 _____ () C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Files to move or delete:
====================
C:\Documents and Settings\Downloads\child control 6.8.4 keygen_10924_i5967284_il345.exe
C:\Documents and Settings\Downloads\Child Control 6.8.4 Keygen_10924_i5968444_il345.exe
C:\Documents and Settings\Downloads\QuickTimeInstaller.exe
C:\Documents and Settings\Downloads\vlc-2.2.0-win32.exe


Some files in TEMP:
====================
C:\Documents and Settings\Mr_Minh\Local Settings\Temp\{91F67FEF-6D72-43C4-8AF0-01D91F0E0CCF}-42.0.2311.135_42.0.2311.90_chrome_updater.exe
C:\Documents and Settings\Mr_Minh\Local Settings\Temp\{EF4107EA-57FD-4B59-94CE-AF7B333E7372}-42.0.2311.135_42.0.2311.90_chrome_updater.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================
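The FRST log above contains the entries a malware-response helper pulls out before anything else: the lines FRST itself marks with ATTENTION, the long run of IFEO Debugger redirections, the AppCertDlls entry and the Internet Explorer proxy pointed at localhost:8081. As an added example that is not part of this thread and is not FRST's or Farbar's own code, here is a small Python triage script that extracts exactly those from a handful of lines copied from the log. The sample text is constructed from the log above, and the regular expressions are my own assumptions about FRST's line layout, based only on the lines shown here.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log text.

Added example for this thread; not FRST's code. It pulls out the entries a
responder reads first: lines FRST tagged "<===== ATTENTION", Image File
Execution Options (IFEO) Debugger redirections, AppCertDlls entries, and
Internet Explorer proxy settings that point at the local machine.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST.txt posted in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-11] (Avast Software s.r.o.)
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
HKLM\...\AppCertDlls: [x64] -> c:\program files\music app\datamngr\x64\apcrtldr.dll <===== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled
ProxyServer: [.DEFAULT] => http=localhost:8081
ProxyServer: [S-1-5-21-73586283-1972579041-839522115-1003] => http=;https=
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
R2 TorchCrashHandler; C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe [1217032 2015-05-12] (TorchMedia Inc.) <==== ATTENTION
"""

# Line layouts assumed from the log shown in the thread (not an official FRST grammar).
ATTENTION_RE = re.compile(r"<=+ ATTENTION\s*$")
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+?)\s*$")
APPCERT_RE = re.compile(r"AppCertDlls: \[(?P<name>[^\]]+)\] -> (?P<dll>.+?)(?: <=+ ATTENTION)?\s*$")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.*)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Findings:
    attention: list = field(default_factory=list)      # raw lines FRST flagged itself
    ifeo: list = field(default_factory=list)           # (image name, debugger) pairs
    appcert_dlls: list = field(default_factory=list)   # (value name, dll path)
    local_proxies: list = field(default_factory=list)  # (hive, scheme, host:port)


def parse_proxy_value(value):
    """Split 'http=localhost:8081;https=' into [(scheme, endpoint)], dropping empty entries."""
    out = []
    for part in value.split(";"):
        scheme, _, endpoint = part.partition("=")
        if scheme.strip() and endpoint.strip():
            out.append((scheme.strip(), endpoint.strip()))
    return out


def triage(log_text):
    """Walk the log once and collect the four kinds of entries described above."""
    found = Findings()
    for line in log_text.splitlines():
        line = line.rstrip()
        if ATTENTION_RE.search(line):
            found.attention.append(line)
        m = IFEO_RE.match(line)
        if m:
            found.ifeo.append((m.group("image"), m.group("debugger")))
            continue
        m = APPCERT_RE.search(line)
        if m:
            found.appcert_dlls.append((m.group("name"), m.group("dll")))
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, endpoint in parse_proxy_value(m.group("value")):
                host = endpoint.rsplit(":", 1)[0].strip("[]")  # tolerate [::1]:port
                if host.lower() in LOCAL_HOSTS:
                    found.local_proxies.append((m.group("hive"), scheme, endpoint))
    return found


def report(found):
    """Render findings as human-readable lines; returned rather than printed so callers can test them."""
    lines = [f"[ATTENTION] {raw}" for raw in found.attention]
    lines += [f"[IFEO] launching {img} runs {dbg} instead" for img, dbg in found.ifeo]
    lines += [f"[AppCertDlls] {name} -> {dll} (loaded into processes that create other processes)"
              for name, dll in found.appcert_dlls]
    lines += [f"[Proxy] {hive}: {scheme} traffic routed through local listener {ep}"
              for hive, scheme, ep in found.local_proxies]
    return lines


if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

Two of these categories deserve a word. An IFEO `Debugger` value makes Windows start the named debugger with the original program as its argument, so `tasklist.exe` standing in for `bitguard.exe` simply prevents that program from running; both anti-adware tools and malware use the same mechanism (one to block known PUPs, the other to disable security software), so the list is worth reading line by line whichever way it turns out. A proxy that points at `localhost:8081` means every HTTP request from that profile passes through a listener on the same machine, which is exactly where ad-injecting software sits; with `ProxyEnable` on, the responder wants to know which process owns that port before the setting is cleared.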


#2 B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 16 June 2015 - 12:20 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

STEP 1

 

 

Please create a new restore point first. See here how.

 

Now please download GeekUninstaller and save it to desktop.

Extract the archive and run the file geek.exe
From the list find and uninstall the programs below:

 

bestadblocker
Music Toolbar for Firefox
Podio Notifications
PriceMinus

Right click on the bestadblocker for example and click on the Uninstall button. (here is an example pic for Mozilla Firefox)
 
 
Once the uninstallation is complete, the following window will appear to let you remove all leftovers including unnecessary files, useless folders, registry entries related to the uninstalled program.

 

Here is an example for the Mozilla Firefox browser:


 

Click on the “Finish” button to remove all detected traces.

Finally, click on the “Close” button to complete and go back to the main interface of Geek Uninstaller.

Next uninstall the rest of the programs. If a program won't uninstall then don't worry and continue with the next step. We will remove it manually.

 

A note for Torch.

 

Torch has been found to be bundled with 3rd party software. If you have not purposefully installed this, you should be safe uninstalling it.

 

 

 

 

STEP 2

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

STEP 3

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

 

STEP 4

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop. Don't kill any malicious processes on your own.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that Addition.txt is checked before you press the Scan button.
  • Press Scan button.
  • It will make 2 logs (FRST.txt and Addition.txt) in the same directory the tool is run. Please copy and paste them to your reply.

 

 

Regards,

Georgi




#3 The_Killer
  • Topic Starter

  • Members
  • 50 posts

Posted 16 June 2015 - 12:51 AM

I have done the first step and I'm going to do the next steps, but I want to tell you this in case I forget.

 

1) I don't know what my friend installed on this computer, so if you see any programs that are not healthy, please tell me.

2) I uninstalled Torch and the process was normal.

3) For "bestadblocker", "Podio Notifications" and "PriceMinus", I had to force uninstall them using Geek because of failed uninstallation. So I guess they are unhealthy, right?



#4 The_Killer
  • Topic Starter

  • Members
  • 50 posts

Posted 16 June 2015 - 12:59 AM

Here is the log from AdwCleaner: AdwCleaner[S0].txt

 

# AdwCleaner v4.206 - Logfile created 16/06/2015 at 12:54:24
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Local]
# Operating system : Microsoft Windows XP Service Pack 2 (x86)
# Username : Mr_Minh - MINH
# Running from : C:\Documents and Settings\Mr_Minh\Desktop\Fix\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : DatamngrCoordinator
[#] Service Deleted : IHProtect Service
[#] Service Deleted : F06DEFF2-5B9C-490D-910F-35D3A91196222

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\wincert
Folder Deleted : C:\Documents and Settings\All Users\Application Data\IHProtectUpDate
Folder Deleted : C:\Program Files\Gophoto.it
Folder Deleted : C:\Program Files\Music Toolbar
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\Program Files\XTab
Folder Deleted : C:\Program Files\PrIceaMiinuS
Folder Deleted : C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\jZip
Folder Deleted : C:\Documents and Settings\Mr_Minh\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Mr_Minh\Application Data\EZDownloader
Folder Deleted : C:\Documents and Settings\Mr_Minh\Application Data\FirefoxToolbar
Folder Deleted : C:\Documents and Settings\Mr_Minh\Application Data\RHEng
[!] Folder Deleted : C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
[!] Folder Deleted : C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk
[!] Folder Deleted : C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\efaafmmmpabgogfimjhfakfcemahdbaf
Folder Deleted : C:\Documents and Settings\All Users\Application Data\mkeahaenkcgpghcgdpcocigiilnefcma
File Deleted : C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pfmopbbadnfoelckkcmjjeaaegjpjjbk_0.localstorage
File Deleted : C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pfmopbbadnfoelckkcmjjeaaegjpjjbk_0.localstorage-journal
File Deleted : C:\END
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\Ask.xml
File Deleted : C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\Profiles\um2prnk7.default-1434299730627\user.js
File Deleted : C:\Program Files\Mozilla Firefox\user.js
File Deleted : C:\Program Files\Mozilla Firefox\defaults\pref\itms.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [fftoolbar2014@etech.com]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [searchengine@gmail.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dkinklhnkmkhkhofcnapakaoehijaoih
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pmlghpafmmnmmkjdhacccolfgnkiboco
Key Deleted : HKLM\SOFTWARE\Classes\1ClicktorrentFile
Key Deleted : HKLM\SOFTWARE\Classes\1ClicktorrentFile1
Key Deleted : HKLM\SOFTWARE\Classes\oneclick
Key Deleted : HKLM\SOFTWARE\Classes\oneclickmg
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x64]
Value Deleted : HKLM\SYSTEM\ControlSet002\Control\Session Manager\AppCertDlls [x64]
Key Deleted : HKCU\Software\Mozilla\Extends
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{ADA38E4E-F20A-4399-BE91-E260AC341C69}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3614D305-2DBB-4991-9297-750DD60FFC73}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{251EF57C-0612-478C-978E-C86D3879CAA4}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe]
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\APN DTX
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\HomeTab
Key Deleted : HKCU\Software\jZip
Key Deleted : HKCU\Software\simplytech
Key Deleted : HKCU\Software\SweetIM
Key Deleted : HKCU\Software\TNT2
Key Deleted : HKCU\Software\Smart PC Solutions
Key Deleted : HKCU\Software\WajIntEnhance
Key Deleted : HKCU\Software\SearchProtectWS
Key Deleted : HKCU\Software\Linkey
Key Deleted : HKLM\SOFTWARE\AskPartnerNetwork
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\DataMngr
Key Deleted : HKLM\SOFTWARE\Iminent
Key Deleted : HKLM\SOFTWARE\SearchProtect
Key Deleted : HKLM\SOFTWARE\SupDp
Key Deleted : HKLM\SOFTWARE\SupTab
Key Deleted : HKLM\SOFTWARE\SweetIM
Key Deleted : HKLM\SOFTWARE\mystartsearchSoftware
Key Deleted : HKLM\SOFTWARE\IHProtect
Key Deleted : HKLM\SOFTWARE\WajIntEnhance
Key Deleted : HKLM\SOFTWARE\SpeedBit
Key Deleted : HKLM\SOFTWARE\AIM Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\IminentToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WajIntEnhance
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vosteran.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F603A45-D956-496B-81B5-50D782424976}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B85C4CB2-B352-4BD8-818C-BCE353599107}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IminentToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WajIntEnhance
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vosteran.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IM
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=localhost:8081
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - vapu.com.vn;vtec.com.vn;download-test.vapu.com.vn;download.vapu.com.vn;*.vapu.com.vn;*.vtec.com.vn;localhost;vtec.no-ip.info;vtec.ddns.net
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=;hxxps=

***** [ Web browsers ] *****

-\\ Internet Explorer v6.0.2900.2180

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Search Bar]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [SearchAssistant]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [SearchAssistant]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [CustomizeSearch]

-\\ Mozilla Firefox v38.0.5 (x86 vi)


-\\ Google Chrome v43.0.2357.124

[C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10011&barid={BD492F0E-229C-11E2-B458-001966C7C6D4}
[C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://dts.search.ask.com/sr?src=crb&gct=ds&appid=0&systemid=102&v=a13350-161&apn_uid=1657809544254545&apn_dtid=BND102&o=APN10646&apn_ptnrs=AG7&q={searchTerms}
[C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}
[C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.mystartsearch.com/web/?type=dspp&ts=1431016949&from=wpc&uid=MDTXMD1600JS-00SGB0_MDT-MCAP011756665666&q={searchTerms}

*************************

AdwCleaner[R0].txt - [16082 bytes] - [16/06/2015 12:52:37]
AdwCleaner[S0].txt - [14557 bytes] - [16/06/2015 12:54:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [14617  bytes] ##########
 



#5 The_Killer


Posted 16 June 2015 - 01:24 AM

Hi Georgi, I'm stuck at step 3. When JRT proceeds to the "Checking Startup" step, my computer restarts. This happens every time I run JRT.



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:15 PM

Posted 16 June 2015 - 01:41 AM

Hi,

Please click Start Menu > type in Event Viewer => Navigate to Windows Logs => right click on Application and select Save all events as => type in Application as a name and save the file at your desktop. On the dialog box select "No display information" and click OK.

Next please right click on System and select Save all events as => type in System as a name and save the file at your desktop. On the dialog box select "No display information" and click OK.

Zip the files and upload the archive at http://zippyshare.com/

Next please post the download link in your next reply.

Also please go ahead and zip the files from directory C:\Windows\Minidump (if such files exist there).

Next please post the download link in your next reply.

Skip JRT for now and continue with the next step.

Thanks!

Regards,

Georgi


Edited by B-boy/StyLe/, 16 June 2015 - 01:42 AM.



#7 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:15 AM

Posted 16 June 2015 - 01:41 AM

Hi Georgi, I'm stuck at step 3. When JRT proceeds to the "Checking Startup" step, my computer restarts. This happens every time I run JRT.

Hi.

Does the following file exist: C:\Windows\system32\tasklist.exe?

It's been a while since I've seen a computer with Windows XP Pro SP2.

JRT doesn't work if that file doesn't exist though.

It shouldn't be restarting your computer though...


Edited by thisisu, 16 June 2015 - 01:42 AM.


#8 The_Killer


Posted 16 June 2015 - 02:14 AM

@Georgi:

This pc is currently using Windows XP, so the Event Viewer is quite different. I've got the log files, but I cannot select "No display information", so I used the filter. I'm not sure if it works though :P

Here are the logs: http://www51.zippyshare.com/v/nLKras87/file.html

Here is the Minidump folder: http://www51.zippyshare.com/v/c8SUJswA/file.html

I will continue with step 4.

@thisisu:

Yes, that file does exist.



#9 The_Killer


Posted 16 June 2015 - 02:22 AM

OK, so here are the logs from FRST.

------------------------------------------ FRST.txt -----------------------------------------------------------------------


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-06-2015
Ran by Mr_Minh (administrator) on MINH on 16-06-2015 14:20:19
Running from C:\Documents and Settings\Mr_Minh\Desktop\Fix
Loaded Profiles: Mr_Minh (Available Profiles: Mr_Minh)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(VIA Technologies, Inc.) C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
() C:\Program Files\HCC\ccon.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Dell) C:\Documents and Settings\Mr_Minh\Local Settings\Apps\2.0\T6TG1MOY.JRT\V1B6ON30.MPT\dell..tion_0f612f649c4a10af_0005.0004_3ddfe37344028d2c\DellSystemDetect.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33587200 2009-01-21] (VIA Technologies, Inc.)
HKLM\...\Run: [ccons] => C:\Program Files\HCC\ccon.exe [3422720 2012-02-01] ()
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-06] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-06] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-11] (Avast Software s.r.o.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [4351216 2009-05-26] (Yahoo! Inc.)
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [DellSystemDetect] => C:\Documents and Settings\Mr_Minh\Start Menu\Programs\Dell\Dell System Detect.appref-ms
HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\Run: [GarenaPlus] => "D:\Games\Garena Plus\GarenaMessenger.exe" -autolaunch
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2013-11-09]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-05-06] (Avast Software s.r.o.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled
ProxyServer: [.DEFAULT] => http=localhost:8081
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
URLSearchHook: HKU\S-1-5-21-73586283-1972579041-839522115-1003 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
DPF: {7D6142C3-203A-4186-B2A7-F33998BF0BCF} http://khanhviet2010.dyndns.tv/DvrWeb.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\Profiles\um2prnk7.default-1434299730627
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-03-25] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-06] ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2009-05-26] (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @t.garena.com/garenatalk -> D:\Games\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-30] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-30] (Google Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\5giay.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\baambootratuav.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\muare.xml [2015-05-09]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\zing-mp3.xml [2015-05-09]
FF Extension: OneClickDownloader - C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\profiles\extensions\OneClickDownload@OneClickDownload.com [2012-09-24]
FF Extension: GoPhotoIt - C:\Documents and Settings\Mr_Minh\Application Data\Mozilla\Firefox\profiles\extensions\gophoto@gophoto.it.xpi [2012-07-31]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-10-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-12-09]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-24]
CHR Extension: (Bookmark Manager DEV) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-06-01]
CHR Extension: (Avast Online Security) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-10-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-29]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-07]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-05-06]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2013-11-09] () [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-05-06] (Avast Software s.r.o.)
S2 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24144 2015-05-06] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [74976 2015-05-06] (Avast Software s.r.o.)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-05-06] (Avast Software s.r.o.)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49904 2015-05-06] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787760 2015-05-06] (Avast Software s.r.o.)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [427992 2015-05-06] (Avast Software s.r.o.)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-05-06] (Avast Software s.r.o.)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [209048 2015-05-06] ()
R3 monfilt; C:\WINDOWS\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R3 VIAHdAudAddService; C:\WINDOWS\System32\drivers\viahduaa.sys [1050112 2009-01-11] (VIA Technologies, Inc.)
U3 .neautotsiq; No ImagePath
S3 GGSAFERDriver; \??\D:\Games\Garena Plus\Room\safedrv.sys [X]
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-16 14:10 - 2015-06-16 14:10 - 00133497 _____ C:\Documents and Settings\Mr_Minh\Desktop\Minidump.zip
2015-06-16 14:02 - 2015-06-16 14:02 - 00151244 _____ C:\Documents and Settings\Mr_Minh\Desktop\Logs File.zip
2015-06-16 14:01 - 2015-06-16 14:01 - 00524196 _____ C:\Documents and Settings\Mr_Minh\Desktop\Application (No Information).evt
2015-06-16 14:01 - 2015-06-16 14:01 - 00524140 _____ C:\Documents and Settings\Mr_Minh\Desktop\System (No Information).evt
2015-06-16 13:59 - 2015-06-16 13:59 - 00524140 _____ C:\Documents and Settings\Mr_Minh\Desktop\System.evt
2015-06-16 13:58 - 2015-06-16 13:58 - 00524196 _____ C:\Documents and Settings\Mr_Minh\Desktop\Application.evt
2015-06-16 13:20 - 2015-06-16 13:20 - 00000000 ____D C:\WINDOWS\pss
2015-06-16 13:03 - 2015-06-16 13:03 - 00000000 ____D C:\RegBackup
2015-06-16 12:52 - 2015-06-16 12:54 - 00000000 ____D C:\AdwCleaner
2015-06-15 00:05 - 2015-06-16 12:54 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-06-14 23:58 - 2015-06-16 14:20 - 00000000 ____D C:\FRST
2015-06-14 23:57 - 2015-06-16 14:17 - 00000000 ____D C:\Documents and Settings\Mr_Minh\My Documents\Trang tải xuống
2015-06-14 23:57 - 2015-06-16 14:17 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Desktop\Fix
2015-06-14 23:35 - 2015-06-14 23:35 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Desktop\Dữ liệu cũ của Firefox
2015-06-01 11:26 - 2015-06-01 11:27 - 00000000 ____D C:\Log

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-16 14:20 - 2009-04-02 00:31 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Local Settings\Temp
2015-06-16 14:18 - 2012-09-24 20:24 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-06-16 13:58 - 2013-04-24 22:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-16 13:31 - 2009-04-02 00:27 - 00431091 _____ C:\WINDOWS\WindowsUpdate.log
2015-06-16 13:26 - 2012-10-01 21:29 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-06-16 13:26 - 2009-04-02 07:21 - 00000159 ____C C:\WINDOWS\wiadebug.log
2015-06-16 13:26 - 2009-04-02 07:21 - 00000049 ____C C:\WINDOWS\wiaservc.log
2015-06-16 13:25 - 2013-07-11 21:35 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Deployment
2015-06-16 13:25 - 2013-04-24 22:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-16 13:25 - 2009-06-12 11:33 - 00131142 _____ C:\WINDOWS\system32\nvapps.xml
2015-06-16 13:25 - 2009-04-02 00:30 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-06-16 13:20 - 2009-04-02 07:17 - 00000211 ___SH C:\boot.ini
2015-06-16 13:20 - 2004-08-04 08:07 - 00000573 _____ C:\WINDOWS\win.ini
2015-06-16 13:20 - 2004-08-04 08:07 - 00000227 _____ C:\WINDOWS\system.ini
2015-06-16 12:55 - 2009-04-02 00:30 - 00032484 _____ C:\WINDOWS\SchedLgU.Txt
2015-06-16 12:42 - 2014-06-18 18:19 - 00000000 ____D C:\Documents and Settings\Mr_Minh\Desktop\Unused Desktop Shortcuts
2015-06-16 12:24 - 2015-04-06 19:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Datamngr
2015-06-16 12:24 - 2004-08-04 08:07 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-06-15 16:18 - 2013-03-13 22:07 - 00000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2015-06-14 23:55 - 2009-04-02 07:18 - 00906442 _____ C:\WINDOWS\setupapi.log

==================== Files in the root of some directories =======

2012-09-30 21:05 - 2013-04-28 10:51 - 0045194 _____ () C:\Documents and Settings\Mr_Minh\Application Data\room_v3.dat
2012-10-25 21:06 - 2015-05-06 22:34 - 0014336 _____ () C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Files to move or delete:
====================
C:\Documents and Settings\Downloads\child control 6.8.4 keygen_10924_i5967284_il345.exe
C:\Documents and Settings\Downloads\Child Control 6.8.4 Keygen_10924_i5968444_il345.exe
C:\Documents and Settings\Downloads\QuickTimeInstaller.exe
C:\Documents and Settings\Downloads\vlc-2.2.0-win32.exe


Some files in TEMP:
====================
C:\Documents and Settings\Mr_Minh\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Mr_Minh\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Mr_Minh\Local Settings\Temp\{91F67FEF-6D72-43C4-8AF0-01D91F0E0CCF}-42.0.2311.135_42.0.2311.90_chrome_updater.exe
C:\Documents and Settings\Mr_Minh\Local Settings\Temp\{EF4107EA-57FD-4B59-94CE-AF7B333E7372}-42.0.2311.135_42.0.2311.90_chrome_updater.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

--------------------------------------------------------- Addition.txt ---------------------------------------------------

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by Mr_Minh at 2015-06-16 14:20:52
Running from C:\Documents and Settings\Mr_Minh\Desktop\Fix
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-73586283-1972579041-839522115-500 - Administrator - Enabled)
ASPNET (S-1-5-21-73586283-1972579041-839522115-1004 - Limited - Enabled)
Guest (S-1-5-21-73586283-1972579041-839522115-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-73586283-1972579041-839522115-1000 - Limited - Disabled)
Mr_Minh (S-1-5-21-73586283-1972579041-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Mr_Minh
SUPPORT_388945a0 (S-1-5-21-73586283-1972579041-839522115-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 15.0.0.293 - Adobe Systems Incorporated)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.296 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Photoshop CS (HKLM\...\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}) (Version: CS - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{21FC2093-6E43-460B-B9B0-5F5AA35BBB0F}) (Version: 3.0 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{10E3A6DD-84D8-4D8A-BB11-5E5314BCA7FD}) (Version: 7.1.0.32 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avast Free Antivirus (HKLM\...\avast) (Version: 10.2.2218 - AVAST Software)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
calibre (HKLM\...\{D7E16C53-8B27-46FE-9499-E826CBC2E9CE}) (Version: 0.9.11 - Kovid Goyal)
ComicRack v0.9.156 (HKLM\...\ComicRack) (Version: v0.9.156 - cYo Soft)
Dell System Detect (HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\9204f5692a8faf3b) (Version: 5.4.0.4 - Dell)
Dell System Detect Bootstrapper (HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\8e3135b376bd523e) (Version: 1.1.0.15 - Dell)
FastStone Photo Resizer 3.1 (HKLM\...\FastStone Photo Resizer) (Version: 3.1 - FastStone Soft.)
Google Chrome (HKLM\...\Google Chrome) (Version: 43.0.2357.124 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
iTunes (HKLM\...\{C4780F70-8F21-4F0C-95FE-32FF3E2F9247}) (Version: 11.1.4.62 - Apple Inc.)
K-Lite Codec Pack 3.9.0 Full (HKLM\...\KLiteCodecPack_is1) (Version: 3.9.0 - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 38.0.5 (x86 vi) (HKLM\...\Mozilla Firefox 38.0.5 (x86 vi)) (Version: 38.0.5 - Mozilla)
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
Multimedia Tool for Developing Language Skills (HKLM\...\Multimedia Tool for Developing Language Skills) (Version:  - )
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - NVIDIA Corporation)
NVIDIA PhysX v8.10.13 (HKLM\...\{AC54E544-3E42-443C-A91D-A00A6974C592}) (Version: 8.10.13 - NVIDIA Corporation)
PhotoScape (HKLM\...\PhotoScape) (Version:  - )
PixBox v1.5.4 (HKLM\...\PixBox_is1) (Version: 1.5.4 - PixBox)
Platform (Version: 1.27 - VIA Technologies, Inc.) Hidden
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (HKLM\...\{C9BED750-1211-4480-B1A5-718A3BE15525}) (Version: 1.23.0000 - Realtek)
Skype™ 5.10 (HKLM\...\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}) (Version: 5.10.116 - Skype Technologies S.A.)
TotalCSVConverter (HKLM\...\Total CSV Converter_is1) (Version:  - Softplicity, Inc.)
UniKey 4.0 RC2 (build 1101) (HKLM\...\{F1CDC990-C599-4F9A-9586-8457F60021DA}_is1) (Version:  - Pham Kim Long)
VIA Platform Device Manager (HKLM\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.27 - VIA Technologies, Inc.)
WatermarkLib (HKLM\...\{1FDAADE7-3AEB-4C52-8F8F-AAEE534656DA}) (Version: 1.0.0 - LC Soft)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version: 3.1 - Microsoft Corporation)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-73586283-1972579041-839522115-1003_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Documents and Settings\Mr_Minh\Local Settings\Temp\5048\temp\hidetools child control 6.8.4 keygen.exe ()
CustomCLSID: HKU\S-1-5-21-73586283-1972579041-839522115-1003_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dl (the data entry has 9 more characters).

==================== Restore Points =========================

14-05-2015 21:10:01 System Checkpoint
17-05-2015 17:15:10 System Checkpoint
19-05-2015 09:55:57 System Checkpoint
21-05-2015 10:50:15 System Checkpoint
22-05-2015 11:39:37 System Checkpoint
23-05-2015 16:55:58 System Checkpoint
26-05-2015 11:43:04 System Checkpoint
27-05-2015 15:42:40 System Checkpoint
30-05-2015 09:26:34 System Checkpoint
31-05-2015 21:35:17 System Checkpoint
02-04-2009 00:27:37 System Checkpoint
15-06-2015 12:04:04 System Checkpoint
16-06-2015 12:35:56 Before fixing

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 08:07 - 2009-04-02 15:51 - 00000732 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-05-06 22:28 - 2015-05-06 22:28 - 00104400 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2015-05-06 22:28 - 2015-05-06 22:28 - 00081728 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2015-06-16 12:26 - 2015-06-16 12:26 - 02952704 _____ () C:\Program Files\AVAST Software\Avast\defs\15061501\algo.dll
2008-12-25 23:08 - 2008-12-25 23:08 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
2009-06-12 12:28 - 2008-09-16 20:18 - 00132608 _____ () C:\Program Files\WinRAR\rarext.dll
2012-02-01 18:04 - 2012-02-01 18:04 - 03422720 _____ () C:\Program Files\HCC\ccon.exe
2014-02-06 00:52 - 2014-02-06 00:52 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-06 00:52 - 2014-02-06 00:52 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-05-05 19:27 - 2015-05-06 22:28 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2009-06-12 12:13 - 2009-05-26 21:06 - 00913408 _____ () C:\Program Files\Yahoo!\Messenger\yui.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-73586283-1972579041-839522115-1003\...\dell.com -> dell.com


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-73586283-1972579041-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.1.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^mtdEVAShelf 300.lnk => C:\WINDOWS\pss\mtdEVAShelf 300.lnkCommon Startup

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Skype\Phone\Skype.exe] => Enabled:Skype
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\msiexec.exe] => Enabled:UpdateManagerSetup
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
StandardProfile\AuthorizedApplications: [D:\Games\Garena Plus\Room\garena_room.exe] => Enabled:garena_room
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\rundll32.exe] => Enabled:rundll32
StandardProfile\AuthorizedApplications: [D:\Games\LMHT\LienMinhHuyenThoai.0913\LienMinhHuyenThoai\GameData\Apps\lolVN\Air\LolClient.exe] => Enabled:League of Legends Lobby
StandardProfile\AuthorizedApplications: [D:\Games\LMHT\LienMinhHuyenThoai.0913\LienMinhHuyenThoai\GameData\Apps\lolVN\Game\League of Legends.exe] => Enabled:League of Legends Game Client
StandardProfile\AuthorizedApplications: [D:\Games\Garena Plus\ggdllhost.exe] => Enabled:ggdllhost
StandardProfile\AuthorizedApplications: [C:\Program Files\iTunes\iTunes.exe] => Enabled:iTunes
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\GloballyOpenPorts: [8370:TCP] => Enabled:League of Legends Launcher
StandardProfile\GloballyOpenPorts: [8370:UDP] => Enabled:League of Legends Launcher

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/16/2015 02:18:20 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (06/16/2015 02:18:19 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (06/16/2015 00:39:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application uninstall.exe, version 1.7.2.0, faulting module reportinghelper.dll, version 0.0.0.0, fault address 0x000093ca.
Processing media-specific event for [uninstall.exe!ws!]

Error: (06/15/2015 10:18:04 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (06/15/2015 10:18:03 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (05/31/2015 00:18:22 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/31/2015 00:18:21 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (05/30/2015 08:20:50 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/30/2015 08:20:49 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (05/29/2015 09:18:20 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


System errors:
=============
Error: (06/16/2015 01:26:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error:
%%3

Error: (06/16/2015 01:18:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error:
%%3

Error: (06/16/2015 01:04:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error:
%%3

Error: (06/16/2015 00:55:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error:
%%3

Error: (06/16/2015 00:54:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/16/2015 00:54:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The iPod Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/16/2015 00:54:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/16/2015 00:54:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The IHProtect Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/16/2015 00:54:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/16/2015 00:54:24 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.


Microsoft Office:
=========================
Error: (06/16/2015 02:18:20 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (06/16/2015 02:18:19 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (06/16/2015 00:39:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: uninstall.exe1.7.2.0reportinghelper.dll0.0.0.0000093ca

Error: (06/15/2015 10:18:04 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (06/15/2015 10:18:03 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (05/31/2015 00:18:22 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (05/31/2015 00:18:21 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (05/30/2015 08:20:50 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (05/30/2015 08:20:49 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (05/29/2015 09:18:20 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.


==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU E7400 @ 2.80GHz
Percentage of memory in use: 36%
Total physical RAM: 2047.23 MB
Available physical RAM: 1290.23 MB
Total Pagefile: 3943.61 MB
Available Pagefile: 3324.28 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.46 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:40.04 GB) (Free:19.81 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Document) (Fixed) (Total:49.81 GB) (Free:6.2 GB) NTFS
Drive e: (Setup) (Fixed) (Total:59.19 GB) (Free:23.44 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: 01DE01DE)
Partition 1: (Active) - (Size=40 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=109 GB) - (Type=OF Extended)

==================== End of log ============================



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:15 PM

Posted 16 June 2015 - 02:35 AM

Hi,

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Let me know how things are after the fix above.

Regards,
Georgi




#11 The_Killer

The_Killer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 16 June 2015 - 03:06 AM

I haven't seen any viruses for now and it seems like the computer is working normally. Here is the log:

Fix result of Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by Mr_Minh at 2015-06-16 15:00:18 Run:1
Running from C:\Documents and Settings\Mr_Minh\Desktop\Fix
Loaded Profiles: Mr_Minh (Available Profiles: Mr_Minh)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
File: C:\Program Files\HCC\ccon.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled
ProxyServer: [.DEFAULT] => http=localhost:8081
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
S2 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [X]
U3 .neautotsiq; No ImagePath
2015-06-16 12:24 - 2015-04-06 19:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Datamngr
C:\Documents and Settings\Downloads\child control 6.8.4 keygen_10924_i5967284_il345.exe
C:\Documents and Settings\Downloads\Child Control 6.8.4 Keygen_10924_i5968444_il345.exe
CustomCLSID: HKU\S-1-5-21-73586283-1972579041-839522115-1003_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Documents and Settings\Mr_Minh\Local Settings\Temp\5048\temp\hidetools child control 6.8.4 keygen.exe ()
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.

========================= File: C:\Program Files\HCC\ccon.exe ========================

MD5: 1c13234175d344ad60ea4ec10c8f9de2     
Creation and modification date: 2012-02-01 18:04 - 2012-02-01 18:04
Size: 3422720
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright$creamod:

====== End of File: ======

"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\jumpflip" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\volaro" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\vonteera" => key removed successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
McAfee SiteAdvisor Service => Service removed successfully.
.neautotsiq => Service removed successfully.
C:\Documents and Settings\All Users\Application Data\Datamngr => moved successfully.
C:\Documents and Settings\Downloads\child control 6.8.4 keygen_10924_i5967284_il345.exe => moved successfully.
C:\Documents and Settings\Downloads\Child Control 6.8.4 Keygen_10924_i5968444_il345.exe => moved successfully.
"HKU\S-1-5-21-73586283-1972579041-839522115-1003_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" => key removed successfully.

=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.


========= End of CMD: =========


=========  ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-73586283-1972579041-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-73586283-1972579041-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.


========= End of RemoveProxy: =========

EmptyTemp: => 737.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 15:01:35 ====
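The fixlist above removes four distinct kinds of entry that FRST reports: Image File Execution Options "Debugger" redirects (Windows starts the named debugger instead of the program, so the value can block a program or silently substitute another one), an Internet Explorer proxy pointing at a local port, services whose binary is missing or has no ImagePath at all, and a COM LocalServer32 registered to an executable in a Temp folder. As an added example, not part of the thread and not FRST's own code, here is a small Python triage script that classifies FRST-style lines into those categories. The regular expressions are assumptions modelled on the line shapes visible in the log, and the sample input is copied from the fixlist with one benign Task line added for contrast.

```python
"""Triage FRST-style log lines for the indicator classes removed in the fix above.

Added example: the patterns below are assumptions modelled on the line
shapes FRST prints; they are not FRST's own parser.
"""
import re
from typing import List, Optional, Tuple

SID = "S-1-5-21-73586283-1972579041-839522115-1003"  # user SID as shown in the log

# Constructed sample: the fixlist entries from the thread plus one benign Task line.
SAMPLE_LINES = [
    "IFEO\\jumpflip: [Debugger] tasklist.exe",
    "ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled",
    "ProxyServer: [.DEFAULT] => http=localhost:8081",
    "S2 McAfee SiteAdvisor Service; c:\\PROGRA~1\\mcafee\\SITEAD~1\\mcsacore.exe [X]",
    "U3 .neautotsiq; No ImagePath",
    f"CustomCLSID: HKU\\{SID}_Classes\\CLSID\\{{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}}"
    "\\localserver32 -> C:\\Documents and Settings\\Mr_Minh\\Local Settings\\Temp\\5048"
    "\\temp\\hidetools child control 6.8.4 keygen.exe ()",
    "Task: C:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job => "
    "C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe",
]

# Assumed line shapes (see the fixlist above for real instances).
IFEO_RE = re.compile(r"^IFEO\\(?P<target>[^:]+): \[Debugger\] (?P<debugger>.+)$")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.+)$")
SERVICE_RE = re.compile(r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<image>.+)$")
CLSID_RE = re.compile(
    r"^CustomCLSID: .*\\(?P<server>localserver32|InprocServer32) -> (?P<path>.+?)(?: \(.*\))?$",
    re.IGNORECASE,
)
LOCAL_HOSTS = ("localhost", "127.0.0.1", "0.0.0.0")


def classify(line: str) -> Optional[str]:
    """Return a short finding for a suspicious FRST line, or None if nothing stands out."""
    m = IFEO_RE.match(line)
    if m:
        # Any Debugger value under IFEO means the target never runs as itself.
        return f"IFEO debugger redirect: {m['target']} -> {m['debugger']}"

    m = PROXY_RE.match(line)
    if m:
        # Value may list several protocols: "http=host:port;https=host:port".
        hosts = [
            entry.split("=")[-1].rsplit(":", 1)[0].strip().lower()
            for entry in m["value"].split(";")
        ]
        if any(h in LOCAL_HOSTS for h in hosts):
            return f"proxy points at a local listener ({m['value']}): possible traffic interception"
        return f"system proxy set: {m['value']}"

    m = SERVICE_RE.match(line)
    if m:
        # FRST appends [X] when the service binary is missing on disk.
        if m["image"].endswith("[X]"):
            return f"service {m['name'].strip()} references a missing binary"
        if m["image"].startswith("No ImagePath"):
            return f"service {m['name'].strip()} has no ImagePath"
        return None

    m = CLSID_RE.match(line)
    if m and re.search(r"\\(temp|tmp)\\", m["path"], re.IGNORECASE):
        # A COM server loaded from a temp folder is a common unwanted-software footprint.
        return f"COM {m['server']} served from a temp directory: {m['path']}"

    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair every flagged line with its finding; benign lines are dropped."""
    findings = []
    for line in lines:
        finding = classify(line)
        if finding:
            findings.append((line, finding))
    return findings


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LINES):
        print(f"{finding}\n    {line}")
```

Run against the constructed sample, five of the seven lines are flagged; the ProxyEnable line and the Apple updater task are left alone, which is the behaviour you want from a first-pass filter before a human reads the full log.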



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:15 PM

Posted 16 June 2015 - 04:32 AM

Hi,

Let's check for malware leftovers:

STEP 1

Please download Malwarebytes Anti-Malware 2.1.6.1022 Final to your desktop.

  • Double-click mbam-setup-2.1.6.1022.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

STEP 2

1. Please download HitmanPro.

  • For 32-bit Operating System - download link.
  • This is the mirror - download link.
  • For 64-bit Operating System - download link.
  • This is the mirror - download link.

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, open it while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report, and copy and paste it into your next reply.

Note: ProgramData is hidden by default. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

STEP 3


  • Download EmsisoftEmergencyKit, run the exe and extract the content in a folder of your choice like (C:\EEK) by clicking the Extract button.
  • Double-click the desktop-shortcut called Start Emsisoft Emergency Kit to start the tool.
  • Click on the "Yes" button when asked to obtain the latest malware definitions.
  • Once the update is complete click "Scan".
  • Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
  • Next click on the Full Scan. When the scan is complete, click on the View Report button (don't delete or quarantine anything).
  • Please copy and paste the content of the report in your next reply.

Regards,

Georgi




#13 The_Killer

The_Killer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 16 June 2015 - 07:57 AM

Here is the log from MBAM:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/16/2015
Scan Time: 7:13:17 PM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.16.03
Rootkit Database: v2015.06.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: Mr_Minh

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 331089
Time Elapsed: 16 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.DataMangr.A, HKLM\SOFTWARE\Datamngr, Quarantined, [0a597645d0ba70c66502d453aa5a36ca],

Registry Values: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-73586283-1972579041-839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Documents and Settings\Mr_Minh\Start Menu\Programs\Dell\Dell System Detect.appref-ms, Quarantined, [8dd67f3c9af064d271ab589cd33045bb]

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6bf8e0db35553afc547b3c028f77a759]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[bea5dedd8307dc5addf3221c8c7afb05]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[3f2448737a1063d32ea3c47a2bdbfe02]

Folders: 1
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],

Files: 17
PUP.Optional.Opencandy, C:\Documents and Settings\Mr_Minh\Application Data\rmi\offer_downloader.exe, Quarantined, [392a5b60cfbb0432c66870d355aec937],
PUP.Optional.OpenCandy, C:\Documents and Settings\Mr_Minh\Application Data\rmi\photoscape-3.6.5.exe, Quarantined, [174c85361971092d55a5244607ff7c84],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsa5.tmp\Helper.dll, Quarantined, [0e55d5e629618bab38f1611f60a6659b],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsa5.tmp\Starter.exe, Quarantined, [f0730bb0791143f3ec3dbdc351b5a25e],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsb5.tmp\Helper.dll, Quarantined, [253e615a4248c76f10198ef2bb4b7b85],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsb5.tmp\Starter.exe, Quarantined, [4f145863098145f1c26789f7986ef40c],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsf9.tmp\MusicAppHelper.dll, Quarantined, [7de6bb00beccf04656d399e7b452d42c],
PUP.Optional.Bandoo.A, c:\documents and settings\mr_minh\local settings\application data\temp\nsp4.tmp\helper.dll, Quarantined, [d58e68530882d066f039e19f44c2e21e],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsp4.tmp\Starter.exe, Quarantined, [2d36506ba2e8a39351d82f51ee184eb2],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsq1C.tmp\Helper.dll, Quarantined, [ed765368d3b71f173beef58b10f636ca],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsq1C.tmp\Starter.exe, Quarantined, [1053e7d403873df9c2677c040105cb35],
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nss5.tmp\Starter.exe, Quarantined, [5310a5165337171f2efb1868ef1753ad],
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr\DatamngrCoordinator.exe, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr\favicon.ico, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr\MusicAppHelper.dll, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr\setmgrc3.cfg, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr\Uninstall.exe, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],

Physical Sectors: 0
(No malicious items detected)


(end)


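The MBAM log above lists each detection as "name, location, action, [id]" under a per-section count such as "Registry Data: 3". The following added example (not from the thread and not Malwarebytes' own code) parses that layout, cross-checks each section's declared count against the entries actually found, and pulls out the Security Center notification values that MBAM reset, since those being disabled is the kind of tampering a helper would want to follow up on; the sample lines are excerpted from the posted log.

```python
import re
from collections import Counter

# Constructed sample for this example: lines excerpted from the MBAM log above.
SAMPLE_LOG = r"""
Registry Keys: 1
PUP.Optional.DataMangr.A, HKLM\SOFTWARE\Datamngr, Quarantined, [0a597645d0ba70c66502d453aa5a36ca],

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6bf8e0db35553afc547b3c028f77a759]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[bea5dedd8307dc5addf3221c8c7afb05]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[3f2448737a1063d32ea3c47a2bdbfe02]

Files: 2
PUP.Optional.Bandoo.A, C:\Documents and Settings\Mr_Minh\Local Settings\Application Data\Temp\nsa5.tmp\Helper.dll, Quarantined, [0e55d5e629618bab38f1611f60a6659b],
PUP.Optional.DataMangr.A, C:\Program Files\Music App\Datamngr\Uninstall.exe, Quarantined, [a4bf4a71e2a81521151c1fb554afc53b],
"""

# "Section: N" headers and "Name, Location, Action, [32-hex id]," entries.
SECTION_RE = re.compile(r"^(Processes|Modules|Registry Keys|Registry Values|"
                        r"Registry Data|Folders|Files|Physical Sectors): (\d+)$")
ENTRY_RE = re.compile(r"^(?P<name>[^,]+),\s*(?P<location>.+?),\s*"
                      r"(?P<action>[A-Za-z -]+),\s*\[[0-9a-f]{32}\],?$")

def parse_mbam_log(text):
    """Return (findings, declared): findings as (section, name, location,
    action) tuples, declared as the per-section counts from the headers."""
    findings, declared, section = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section, declared[m.group(1)] = m.group(1), int(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append((section, m["name"], m["location"], m["action"]))
    return findings, declared

def summarize(findings, declared):
    """Count findings per family, report sections whose declared count was not
    fully parsed, and list the Security Center notify values that were reset."""
    families = Counter(name for _, name, _, _ in findings)
    parsed = Counter(section for section, *_ in findings)
    missing = {s: n - parsed[s] for s, n in declared.items() if parsed[s] != n}
    # Registry Data locations look like "HKLM\...|ValueName, 1, Good: (0), Bad: (1)".
    reset = [loc.partition("|")[2].partition(",")[0] for _, name, loc, _ in findings
             if name == "PUM.Disabled.SecurityCenter"]
    return families, missing, reset
```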

#14 The_Killer

The_Killer
  • Topic Starter

  • Members
  • 50 posts

Posted 16 June 2015 - 09:08 AM

I cannot post the reply if I include the content of the log here. It said the code is too long. I decided to attach it instead.

Attached Files



#15 The_Killer

The_Killer
  • Topic Starter

  • Members
  • 50 posts

Posted 16 June 2015 - 12:15 PM

This is the last log from EEK. I have to attach it as well. Sorry, my Internet is very bad and this PC is pretty old, so it took a lot of time to finish those steps :(

Attached Files
