Shoppi/Cloud Scout/Searchbulls Infestation


This topic is locked
14 replies to this topic

#1 NooBeRGoD

NooBeRGoD

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 10 July 2015 - 05:11 PM

Followed the posted guide earlier, and it seemed to remove some malware, but the ones named in the title seem to be very stubborn and aren't being removed.
http://www.bleepingcomputer.com/forums/t/582358/malware-infested-computer/

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-07-2015
Ran by Darren (administrator) on ROCKY on 10-07-2015 15:56:40
Running from C:\Users\Darren\Desktop
Loaded Profiles: Darren (Available Profiles: Darren)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corp.) C:\Program Files\Broadcom\MemoryCard\BrcmCardReader.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Dritek System INC.) C:\Windows\RfBtnSvc64.exe
() C:\Program Files (x86)\Whimsical Hour\Whimsical Hour.exe
(Atheros) C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\a\wincheckfe.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
() C:\a\wcheckf.exe
() C:\a\internetport3.exe
() C:\a\winonit.exe
() C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe
() C:\a\getcap.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
() C:\a\rBETMhGO5yh7eVtg5rbJ.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
() C:\Users\Darren\AppData\Local\yuntnani\vchk.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1212048 2012-06-07] (Realtek Semiconductor)
HKLM\...\Run: [BtPreLoad] => C:\Program Files (x86)\Bluetooth Suite\BtPreLoad.exe [64640 2012-08-10] ()
HKLM\...\Run: [cutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKLM\...\Run: [interpee] => C:\a\internetport3.exe [11264 2015-07-02] ()
HKLM\...\Run: [autoauto] => 73227707.bat
HKLM-x32\...\Run: [cutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKLM-x32\...\Run: [interpee] => C:\a\internetport3.exe [11264 2015-07-02] ()
HKLM-x32\...\Run: [autoauto] => 73227707.bat
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\...\Run: [rutoauto] => 73227707.bat
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\...\Run: [dutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\...\Run: [interpee] => C:\a\internetport3.exe [11264 2015-07-02] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer Backup Manager Tray.lnk [2012-09-03]
ShortcutTarget: Acer Backup Manager Tray.lnk -> C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
Startup: C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\intr.lnk [2015-07-09]
ShortcutTarget: intr.lnk -> C:\a\69409334.bat ()
Startup: C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loons.lnk [2015-07-09]
ShortcutTarget: loons.lnk -> C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [HKLM-x32] => ProxyEnable is set
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyEnable: [S-1-5-21-415474014-2678031740-3160283343-1001] => Internet Explorer proxy is enabled
ProxyServer: [S-1-5-21-415474014-2678031740-3160283343-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
SearchScopes: HKLM -> {C31367EB-1A3F-452A-92C5-81FDB60543AD} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-415474014-2678031740-3160283343-1001 -> {C31367EB-1A3F-452A-92C5-81FDB60543AD} URL =
SearchScopes: HKU\S-1-5-21-415474014-2678031740-3160283343-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-08-10] (Qualcomm Atheros Commnucations)
Handler-x32: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files (x86)\TurboTax 2012\ic2012pp.dll [2012-12-24] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - C:\Program Files (x86)\TurboTax 2013\ic2013pp.dll [2014-04-02] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2014 - {97BB39CB-9ABA-4513-81E7-1D6FDA0854B8} - C:\Program Files (x86)\TurboTax 2014\ic2014pp.dll [2014-11-22] (Intuit Canada, a general partnership/une société en nom collectif.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 75.153.176.9
Tcpip\..\Interfaces\{61E8F141-2156-4AA1-B310-91E528F07A6F}: [DhcpNameServer] 192.168.1.254 75.153.176.9
Tcpip\..\Interfaces\{BBD419EB-C113-4DDC-8428-F5909F38BB26}: [DhcpNameServer] 192.168.1.254 75.153.176.9

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll [2013-01-05] ()
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK

Chrome:
=======
CHR Profile: C:\Users\Darren\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Darren\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-07-09]
CHR Extension: (Google Wallet) - C:\Users\Darren\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-12]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [Äÿ] - No Path Or update_url value
CHR HKU\S-1-5-21-415474014-2678031740-3160283343-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [Äÿ] - No Path Or update_url value
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - http://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [Äÿ] - No Path Or update_url value

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [211584 2012-08-10] (Qualcomm Atheros Commnucations) [File not signed]
R2 BrcmCardReader; C:\Program Files\Broadcom\MemoryCard\BrcmCardReader.exe [176640 2012-08-20] (Broadcom Corp.) [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-11-21] (Microsoft Corporation)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2435728 2012-08-23] (Acer Incorporated)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [468624 2012-08-22] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [658576 2012-08-22] (Acer Incorporated)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [259136 2012-08-23] (NTI Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2012-10-12] (Dritek System INC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 Whimsical Hour; C:\Program Files (x86)\Whimsical Hour\Whimsical Hour.exe [8016401 2015-07-09] () [File not signed] <==== ATTENTION
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [81536 2012-08-01] (Atheros) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-08-10] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-11-21] (Microsoft Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [43664 2015-07-09] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-10] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2012-10-12] (Dritek System Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S1 lmgljlbe; \??\C:\WINDOWS\system32\drivers\lmgljlbe.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-10 15:56 - 2015-07-10 15:57 - 00015548 _____ C:\Users\Darren\Desktop\FRST.txt
2015-07-10 15:56 - 2015-07-10 15:56 - 00000000 ____D C:\FRST
2015-07-10 15:55 - 2015-07-10 15:55 - 02112512 _____ (Farbar) C:\Users\Darren\Desktop\FRST64.exe
2015-07-10 15:45 - 2015-07-10 15:46 - 126130952 _____ (Sophos Limited) C:\Users\Darren\Desktop\Sophos Virus Removal Tool.exe
2015-07-10 15:45 - 2015-07-10 15:45 - 03033806 _____ (Malwarebytes Corporation) C:\Users\Darren\Desktop\JRT.exe
2015-07-10 15:44 - 2015-07-10 15:44 - 02248704 _____ C:\Users\Darren\Desktop\adwcleaner_4.208.exe
2015-07-10 15:41 - 2015-07-10 15:41 - 00448512 _____ (OldTimer Tools) C:\Users\Darren\Desktop\TFC.exe
2015-07-09 23:13 - 2015-07-09 23:13 - 00000000 ____D C:\Users\Darren\AppData\Local\GWX
2015-07-09 22:34 - 2015-07-09 22:35 - 00000024 _____ C:\Users\Darren\AppData\Roaming\appdataFr25.bin
2015-07-09 20:55 - 2015-07-09 21:17 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-07-09 17:16 - 2015-07-09 23:05 - 00000000 ____D C:\AdwCleaner
2015-07-09 15:14 - 2015-07-10 14:47 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-09 15:13 - 2015-07-09 20:55 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-09 15:13 - 2015-07-09 20:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-09 15:13 - 2015-07-09 20:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-09 15:13 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-09 15:12 - 2015-07-09 20:31 - 00001118 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-09 15:12 - 2015-07-09 15:13 - 00000000 ____D C:\Users\Darren\AppData\Roaming\Malwarebytes
2015-07-09 15:12 - 2015-07-09 15:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-09 15:12 - 2015-07-09 15:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-07-09 15:12 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-09 14:57 - 2015-07-09 14:57 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-07-09 14:32 - 2015-07-09 14:32 - 00043664 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2015-07-09 14:03 - 2015-07-09 14:31 - 00001602 _____ C:\WINDOWS\system32\.crusader
2015-07-09 13:50 - 2015-07-09 15:09 - 00000000 ____D C:\WINDOWS\CryptoGuard
2015-07-09 13:50 - 2015-07-09 15:09 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
2015-07-09 13:50 - 2015-07-09 14:01 - 00000000 ____D C:\ProgramData\HitmanPro
2015-07-09 13:29 - 2015-07-09 13:29 - 00000000 ____D C:\Program Files (x86)\Whimsical Hour
2015-07-09 07:10 - 2015-07-10 15:57 - 00002178 _____ C:\Users\Darren\Desktop\Google Chrome.lnk
2015-07-09 07:10 - 2015-07-09 16:59 - 00000000 ____D C:\Program Files (x86)\FastInternet
2015-07-09 07:10 - 2015-07-09 07:11 - 00000000 ____D C:\Users\Darren\AppData\Local\yuntnani
2015-07-09 07:09 - 2015-07-10 15:56 - 00000000 ___HD C:\a
2015-07-09 07:07 - 2015-07-09 07:07 - 00000019 _____ C:\WINDOWS\SysWOW64\73227707.bat
2015-07-09 06:50 - 2015-07-09 15:37 - 00000000 ____D C:\Users\Darren\AppData\Local\nva3vtetmklibmn
2015-07-09 06:50 - 2015-07-09 06:50 - 00000000 ____D C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-10 15:41 - 2013-11-24 08:15 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-10 15:12 - 2015-03-01 19:06 - 01220140 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-10 15:02 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-10 14:59 - 2013-01-03 20:45 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-415474014-2678031740-3160283343-1001
2015-07-10 14:47 - 2015-06-01 12:41 - 00000000 ____D C:\Users\Darren\OneDrive
2015-07-10 14:47 - 2013-11-24 08:15 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-09 23:12 - 2013-08-22 08:46 - 00290643 _____ C:\WINDOWS\setupact.log
2015-07-09 23:12 - 2013-08-22 08:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-09 23:12 - 2013-08-22 07:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-07-09 23:07 - 2013-12-26 15:56 - 01474048 ___SH C:\Users\Darren\Desktop\Thumbs.db
2015-07-09 22:56 - 2015-03-07 11:01 - 00000000 ____D C:\Users\Darren\Documents\Bluetooth Folder
2015-07-09 22:55 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\tracing
2015-07-09 22:53 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-07-09 22:51 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-07-09 21:56 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\rescache
2015-07-09 20:11 - 2015-03-26 12:20 - 00003918 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{FCEC1802-83F2-4A96-82A9-6ED3AB5F0AEB}
2015-07-09 17:09 - 2014-11-21 02:34 - 00708628 _____ C:\WINDOWS\PFRO.log
2015-07-09 17:09 - 2013-11-24 08:15 - 00000000 ____D C:\Program Files\Google
2015-07-09 17:09 - 2013-11-24 08:15 - 00000000 ____D C:\Program Files (x86)\Google
2015-07-09 15:37 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\IME
2015-07-09 15:36 - 2015-06-01 13:19 - 00000000 ____D C:\Program Files (x86)\5fc5c521-2e6e-4ac3-b4de-fe42e4a00be8
2015-07-09 15:36 - 2015-06-01 13:07 - 00000000 ____D C:\Program Files (x86)\d27eee8e-ed87-471d-9fcc-d7b6d7f011bc
2015-07-09 15:36 - 2015-06-01 13:01 - 00000000 ____D C:\Program Files (x86)\7519c87a-8696-473a-9a02-787b9f7ea5f5
2015-07-09 15:36 - 2013-03-23 16:43 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2015-07-09 15:36 - 2012-09-03 10:17 - 00000000 ____D C:\Program Files (x86)\Acer
2015-07-09 14:14 - 2015-03-26 12:19 - 00000000 __SHD C:\Users\Darren\AppData\Local\EmieUserList
2015-07-09 14:14 - 2015-03-26 12:19 - 00000000 __SHD C:\Users\Darren\AppData\Local\EmieSiteList
2015-07-09 14:14 - 2015-03-26 12:19 - 00000000 __SHD C:\Users\Darren\AppData\Local\EmieBrowserModeList
2015-07-09 14:03 - 2012-07-25 23:26 - 00000226 _____ C:\WINDOWS\win.ini
2015-07-09 14:01 - 2015-06-01 13:02 - 00000000 ____D C:\Users\Darren\AppData\Roaming\5432FD8F-1433185320-E211-BD3E-B888E3A4F8BE
2015-07-09 14:01 - 2015-06-01 12:58 - 00000000 ____D C:\Users\Darren\AppData\Roaming\nwy3yzfxmmtibwn
2015-07-09 14:00 - 2015-06-01 13:00 - 00000004 _____ C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-07-09 13:53 - 2014-11-21 02:44 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-09 13:11 - 2013-11-24 08:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-07-09 07:01 - 2012-07-26 01:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-07-09 06:50 - 2015-03-07 10:57 - 00001616 _____ C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-06 15:24 - 2014-11-21 10:03 - 00792568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-07-06 15:24 - 2014-11-21 10:03 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-05 04:08 - 2015-03-07 11:03 - 00300704 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-06-22 07:07 - 2015-06-01 13:05 - 00000112 _____ C:\ProgramData\F0tY60RA.dat
2015-06-22 06:43 - 2013-08-22 08:44 - 00337976 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-06-19 08:17 - 2013-08-22 09:36 - 00000000 ___RD C:\WINDOWS\ToastData
2015-06-19 08:17 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2015-06-19 07:35 - 2013-08-18 11:15 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-06-19 07:30 - 2014-12-06 09:30 - 00000173 _____ C:\Users\Darren\AppData\Roaming\WB.CFG
2015-06-19 07:13 - 2013-01-06 13:09 - 140135120 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2015-07-09 22:34 - 2015-07-09 22:35 - 0000024 _____ () C:\Users\Darren\AppData\Roaming\appdataFr25.bin
2014-12-06 09:30 - 2015-06-19 07:30 - 0000173 _____ () C:\Users\Darren\AppData\Roaming\WB.CFG
2014-12-13 17:36 - 2014-12-21 13:30 - 0000010 _____ () C:\Users\Darren\AppData\Local\DSI.DAT
2015-06-01 14:15 - 2015-06-01 14:15 - 0628688 _____ (CMI Limited) C:\Users\Darren\AppData\Local\nsr78FE.tmp
2013-11-24 08:15 - 2013-11-24 08:15 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-10-12 17:12 - 2012-10-12 17:12 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-06-01 13:05 - 2015-06-22 07:07 - 0000112 _____ () C:\ProgramData\F0tY60RA.dat

Files to move or delete:
====================
C:\ProgramData\F0tY60RA.dat


Some files in TEMP:
====================
C:\Users\Darren\AppData\Local\Temp\Quarantine.exe
C:\Users\Darren\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-09 17:37

==================== End of log ============================

Attached File: Addition.txt (36.76KB)


Edited by NooBeRGoD, 10 July 2015 - 05:13 PM.
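As an added example (not from this thread, from FRST's author, or from the helper), the following Python script parses lines in the FRST log format quoted above and flags the kinds of entries the cleanup later targets: processes and autoruns with an empty vendor field running from unusual directories, autoruns that point at .bat scripts, entries FRST itself marks ATTENTION, and a proxy pointed at 127.0.0.1. The sample lines are constructed from the log above, and the directory heuristic and category names are my own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, modelled on the FRST log quoted in this thread
# (a hypothetical excerpt, not the full log).
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\a\wincheckfe.exe
() C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-10] (Realtek Semiconductor)
HKLM\...\Run: [cutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKLM\...\Run: [autoauto] => 73227707.bat
ShortcutTarget: intr.lnk -> C:\a\69409334.bat ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
==================== Internet (Whitelisted) ====================
ProxyEnable: [HKLM-x32] => ProxyEnable is set
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
==================== Services (Whitelisted) =================
R2 Whimsical Hour; C:\Program Files (x86)\Whimsical Hour\Whimsical Hour.exe [8016401 2015-07-09] () [File not signed] <==== ATTENTION
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
"""

# Assumption: a vendor-less entry under these directories is less alarming on
# its own. This is a triage heuristic, not an allow-list; FRST's own ATTENTION
# markers are still reported regardless of location.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def in_trusted_dir(path: str) -> bool:
    """True when the target lives under a standard Windows/Program Files directory."""
    return path.lower().startswith(TRUSTED_PREFIXES)


# Line shapes taken from the FRST sections shown in the thread.
_PROCESS = re.compile(r"^\((?P<vendor>[^)]*)\) (?P<target>[A-Za-z]:\\.+\.exe)$", re.I)
_AUTORUN = re.compile(
    r"Run: \[[^\]]+\] => (?P<target>.+?)(?: \[\d+ [\d-]+\])?(?: \((?P<vendor>[^)]*)\))?$"
)
_SHORTCUT = re.compile(r"^ShortcutTarget: .+? -> (?P<target>.+?)(?: \((?P<vendor>[^)]*)\))?$")
_PROXY = re.compile(r"^ProxyServer: \[[^\]]+\] => (?P<proxy>.+)$")


def triage(log_text: str) -> list[Finding]:
    """Walk an FRST-style log and return the lines worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST already marks policy restrictions and unsigned services; keep those.
        if "ATTENTION" in line:
            findings.append(Finding("tool-flagged", line))
            continue
        # Service/driver entry with no vendor string and no signature.
        if "[File not signed]" in line and "()" in line:
            findings.append(Finding("unsigned-unknown-vendor", line))
            continue
        m = _PROXY.match(line)
        if m:
            # A proxy on the local host means something on the machine is
            # sitting between the browser and the network.
            if re.search(r"127\.0\.0\.1|localhost", m["proxy"]):
                findings.append(Finding("local-proxy", line))
            continue
        m = _AUTORUN.search(line) or _SHORTCUT.match(line)
        if m:
            target, vendor = m["target"], m["vendor"]
            if target.lower().endswith(SCRIPT_EXT):
                findings.append(Finding("script-autorun", line))
            elif vendor == "" and not in_trusted_dir(target):
                findings.append(Finding("autorun-unknown-vendor-odd-path", line))
            continue
        m = _PROCESS.match(line)
        if m and m["vendor"] == "" and not in_trusted_dir(m["target"]):
            findings.append(Finding("process-unknown-vendor-odd-path", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.category}] {f.line}")
    print(summarize(results))
```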



#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:09 AM

Posted 12 July 2015 - 06:43 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

The instructions were posted for the system of the initial topic starter. They may harm other systems, so never follow instructions that weren't designed for your computer!

Scan with aswMBR

Please download aswMBR (4.5MB) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 NooBeRGoD

NooBeRGoD
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 12 July 2015 - 12:10 PM

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-07-12 10:40:13
-----------------------------
10:40:13.034    OS Version: Windows x64 6.2.9200
10:40:13.034    Number of processors: 4 586 0x2A07
10:40:13.034    ComputerName: ROCKY  UserName:
10:40:15.737    Initialize success
10:40:15.831    VM: initialized successfully
10:40:15.831    VM: Intel CPU supported
10:40:36.753    VM: disk I/O iaStorA.sys
10:43:19.807    AVAST engine defs: 15071200
10:43:41.723    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000002d
10:43:41.723    Disk 0 Vendor: WDC_WD7500BPVT-22HXZT3 01.01A01 Size: 715404MB BusType: 11
10:43:41.957    Disk 0 MBR read successfully
10:43:41.957    Disk 0 MBR scan
10:43:41.957    Disk 0 unknown MBR code
10:43:41.973    Disk 0 Partition 1 00     EE            GPT           2097151 MB offset 1
10:43:42.004    Disk 0 scanning C:\WINDOWS\system32\drivers
10:44:03.668    Service scanning
10:44:37.157    Modules scanning
10:44:37.157    Disk 0 trace - called modules:
10:44:37.188    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll iaStorA.sys
10:44:37.188    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe00101ce3060]
10:44:37.188    3 CLASSPNP.SYS[fffff801773a8170] -> nt!IofCallDriver -> \Device\0000002d[0xffffe0010039d060]
10:44:39.954    AVAST engine scan C:\WINDOWS
10:44:44.457    AVAST engine scan C:\WINDOWS\system32
10:48:59.420    AVAST engine scan C:\WINDOWS\system32\drivers
10:49:19.174    AVAST engine scan C:\Users\Darren
10:52:50.318    File: C:\Users\Darren\Desktop\Google Chrome.lnk  **SUSPICIOUS**
10:53:00.445    AVAST engine scan C:\ProgramData
10:56:10.239    Disk 0 statistics 3167471/0/0 @ 93.21 MB/s
10:56:10.239    Scan finished successfully
11:09:02.795    Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:09:02.811    The log file has been saved successfully to "E:\aswMBR.txt"

 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:09 AM

Posted 13 July 2015 - 02:55 AM

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Attached Files


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 NooBeRGoD

  • Topic Starter
  • Members
  • 12 posts

Posted 13 July 2015 - 02:09 PM

Fix result of Farbar Recovery Scan Tool (x64) Version:13-07-2015
Ran by Darren at 2015-07-13 12:35:49 Run:1
Running from C:\Users\Darren\Desktop\FRST
Loaded Profiles: Darren (Available Profiles: Darren)
Boot Mode: Normal
==============================================

fixlist content:
*****************
() C:\a\wincheckfe.exe
() C:\a\wcheckf.exe
() C:\a\internetport3.exe
() C:\a\winonit.exe
() C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe
() C:\a\getcap.exe
() C:\a\rBETMhGO5yh7eVtg5rbJ.exe
() C:\Users\Darren\AppData\Local\yuntnani\vchk.exe

FirewallRules: [{D9E7D8CE-F97F-4E31-9762-73F634F2F53A}] => (Allow) C:\a\internetport3.exe
FirewallRules: [{670864A7-68F2-4205-8A5D-8EA0E1440637}] => (Allow) C:\a\internetport3.exe
FirewallRules: [{16EE629E-40F3-43AA-A8C6-E6BB1F93C2BF}] => (Allow) C:\a\getcap.exe
FirewallRules: [{20F3A258-64FB-4038-9CFB-40AE8F8443B3}] => (Allow) C:\a\getcap.exe
FirewallRules: [{39E75D73-58B3-4FA5-9D6A-6572F3FB9D3D}] => (Allow) C:\a\wincheckfe.exe
FirewallRules: [{287FA141-FEFE-41A1-ACD1-ACE41096929B}] => (Allow) C:\a\wincheckfe.exe
FirewallRules: [{45B6BA14-008F-468F-AD0E-EF2944F0CBE2}] => (Allow) C:\a\winonit.exe
FirewallRules: [{8130D278-D5AF-4425-AC4B-4A996DF5A05A}] => (Allow) C:\a\winonit.exe
FirewallRules: [{BFE844A8-DEAA-42B8-8272-28471E42A8FD}] => (Allow) C:\a\wcheckf.exe
FirewallRules: [{62D9AA88-5A7E-4401-BD81-5E4E4EA9F7B4}] => (Allow) C:\a\wcheckf.exe
FirewallRules: [{20E3347B-0B74-4E3F-948D-FA721E05221D}] => (Allow) C:\a\vchk.exe
FirewallRules: [{E9B23080-3A7A-445F-8D2E-D97A6E2F4D76}] => (Allow) C:\a\vchk.exe
FirewallRules: [{FAAA3927-F27F-4289-92B5-56971D273D92}] => (Allow) C:\a\rBETMhGO5yh7eVtg5rbJ.exe
FirewallRules: [{EED2F32F-6798-4DC6-BBBA-A3B59AC1FA14}] => (Allow) C:\a\rBETMhGO5yh7eVtg5rbJ.exe
FirewallRules: [{C530B3CE-B785-4208-A09B-5A6CA07B487F}] => (Allow) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
Task: {CCF7144A-4A62-4E4D-97DD-141DB3BFBE51} - \One System CarePeriod No Task File <==== ATTENTION
Task: {B0FC2E72-F1D4-4F96-8E04-F1CCCEB3F0F4} - \globalUpdateUpdateTaskMachineUA No Task File <==== ATTENTION
Task: {B2A9FBD2-C6EB-4F50-9DFD-33C910F6BB90} - \APSnotifierPP1 No Task File <==== ATTENTION
Task: {6AEA8FFF-19AF-4594-BEAD-AF6B75BDF079} - \Crossbrowse No Task File <==== ATTENTION
Task: {5473487A-8D9D-4CD4-BBC9-82F54B712B40} - \One System CareStartUp No Task File <==== ATTENTION
Task: {35F7B801-596F-4304-9AEE-5AB8C2F711D4} - \APSnotifierPP2 No Task File <==== ATTENTION
Task: {4891D2A9-39CB-43C1-BB7E-D658CC9C060C} - \GlobalUpdate-nwy3yzfxmmtibwn No Task File <==== ATTENTION
Task: {2E8D3C54-56D3-4D3B-9E0E-065D26B26C5A} - \APSnotifierPP3 No Task File <==== ATTENTION
Task: {030A7F9A-12F5-420D-A02F-1871A94B562E} - \Papuir No Task File <==== ATTENTION
Task: {05DF4A25-8DCD-48BE-89E2-54560DD48759} - \One System Care Monitor No Task File <==== ATTENTION
Task: {129A55DF-5E18-4EDD-918A-757EE1DB0CAD} - \globalUpdateUpdateTaskMachineCore No Task File <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [Äÿ] - No Path Or update_url value
CHR HKLM\...\Chrome\Extension: [Äÿ] - No Path Or update_url value
SearchScopes: HKU\S-1-5-21-415474014-2678031740-3160283343-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKU\S-1-5-21-415474014-2678031740-3160283343-1001 -> {C31367EB-1A3F-452A-92C5-81FDB60543AD} URL =
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [HKLM-x32] => ProxyEnable is set
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyEnable: [S-1-5-21-415474014-2678031740-3160283343-1001] => Internet Explorer proxy is enabled
ProxyServer: [S-1-5-21-415474014-2678031740-3160283343-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
Startup: C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\intr.lnk [2015-07-09]
ShortcutTarget: intr.lnk -> C:\a\69409334.bat ()
Startup: C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loons.lnk [2015-07-09]
ShortcutTarget: loons.lnk -> C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\...\Run: [rutoauto] => 73227707.bat
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\...\Run: [dutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\...\Run: [interpee] => C:\a\internetport3.exe [11264 2015-07-02] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer Backup Manager Tray.lnk [2012-09-03]
HKLM\...\Run: [cutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKLM\...\Run: [interpee] => C:\a\internetport3.exe [11264 2015-07-02] ()
HKLM\...\Run: [autoauto] => 73227707.bat
HKLM-x32\...\Run: [cutoauto] => C:\a\wincheckfe.exe [42461 2015-07-01] ()
HKLM-x32\...\Run: [interpee] => C:\a\internetport3.exe [11264 2015-07-02] ()
HKLM-x32\...\Run: [autoauto] => 73227707.bat

S1 lmgljlbe; \??\C:\WINDOWS\system32\drivers\lmgljlbe.sys [X]
R2 Whimsical Hour; C:\Program Files (x86)\Whimsical Hour\Whimsical Hour.exe [8016401 2015-07-09] () [File not signed] <==== ATTENTION

C:\Program Files (x86)\Whimsical Hour
C:\WINDOWS\system32\drivers\lmgljlbe.sys
C:\Program Files (x86)\Crossbrowse
C:\ProgramData\F0tY60RA.dat
2012-10-12 17:12 - 2012-10-12 17:12 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-07-09 14:01 - 2015-06-01 13:02 - 00000000 ____D C:\Users\Darren\AppData\Roaming\5432FD8F-1433185320-E211-BD3E-B888E3A4F8BE
2015-07-09 14:01 - 2015-06-01 12:58 - 00000000 ____D C:\Users\Darren\AppData\Roaming\nwy3yzfxmmtibwn
2015-07-09 14:00 - 2015-06-01 13:00 - 00000004 _____ C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-07-09 15:37 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\IME
2015-07-09 15:36 - 2015-06-01 13:19 - 00000000 ____D C:\Program Files (x86)\5fc5c521-2e6e-4ac3-b4de-fe42e4a00be8
2015-07-09 15:36 - 2015-06-01 13:07 - 00000000 ____D C:\Program Files (x86)\d27eee8e-ed87-471d-9fcc-d7b6d7f011bc
2015-07-09 15:36 - 2015-06-01 13:01 - 00000000 ____D C:\Program Files (x86)\7519c87a-8696-473a-9a02-787b9f7ea5f5
2015-07-09 07:10 - 2015-07-10 15:57 - 00002178 _____ C:\Users\Darren\Desktop\Google Chrome.lnk
2015-07-09 07:10 - 2015-07-09 16:59 - 00000000 ____D C:\Program Files (x86)\FastInternet
2015-07-09 07:10 - 2015-07-09 07:11 - 00000000 ____D C:\Users\Darren\AppData\Local\yuntnani
2015-07-09 07:09 - 2015-07-10 15:56 - 00000000 ___HD C:\a
2015-07-09 07:07 - 2015-07-09 07:07 - 00000019 _____ C:\WINDOWS\SysWOW64\73227707.bat
2015-07-09 06:50 - 2015-07-09 15:37 - 00000000 ____D C:\Users\Darren\AppData\Local\nva3vtetmklibmn
2015-07-09 06:50 - 2015-07-09 06:50 - 00000000 ____D C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m
2015-07-09 22:34 - 2015-07-09 22:35 - 00000024 _____ C:\Users\Darren\AppData\Roaming\appdataFr25.bin

EmptyTemp:
Reboot:

*****************

[8060] C:\a\wincheckfe.exe => process closed successfully.
[2644] C:\a\wcheckf.exe => process closed successfully.
[4032] C:\a\internetport3.exe => process closed successfully.
[3104] C:\a\winonit.exe => process closed successfully.
[7568] C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe => process closed successfully.
[7576] C:\a\getcap.exe => process closed successfully.
[5956] C:\a\rBETMhGO5yh7eVtg5rbJ.exe => process closed successfully.
[10856] C:\Users\Darren\AppData\Local\yuntnani\vchk.exe => process closed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D9E7D8CE-F97F-4E31-9762-73F634F2F53A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{670864A7-68F2-4205-8A5D-8EA0E1440637} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{16EE629E-40F3-43AA-A8C6-E6BB1F93C2BF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{20F3A258-64FB-4038-9CFB-40AE8F8443B3} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{39E75D73-58B3-4FA5-9D6A-6572F3FB9D3D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{287FA141-FEFE-41A1-ACD1-ACE41096929B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{45B6BA14-008F-468F-AD0E-EF2944F0CBE2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8130D278-D5AF-4425-AC4B-4A996DF5A05A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BFE844A8-DEAA-42B8-8272-28471E42A8FD} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{62D9AA88-5A7E-4401-BD81-5E4E4EA9F7B4} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{20E3347B-0B74-4E3F-948D-FA721E05221D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E9B23080-3A7A-445F-8D2E-D97A6E2F4D76} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FAAA3927-F27F-4289-92B5-56971D273D92} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EED2F32F-6798-4DC6-BBBA-A3B59AC1FA14} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C530B3CE-B785-4208-A09B-5A6CA07B487F} => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CCF7144A-4A62-4E4D-97DD-141DB3BFBE51}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CCF7144A-4A62-4E4D-97DD-141DB3BFBE51}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CarePeriod => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B0FC2E72-F1D4-4F96-8E04-F1CCCEB3F0F4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0FC2E72-F1D4-4F96-8E04-F1CCCEB3F0F4}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\globalUpdateUpdateTaskMachineUA => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B2A9FBD2-C6EB-4F50-9DFD-33C910F6BB90}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B2A9FBD2-C6EB-4F50-9DFD-33C910F6BB90}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP1 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6AEA8FFF-19AF-4594-BEAD-AF6B75BDF079}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AEA8FFF-19AF-4594-BEAD-AF6B75BDF079}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Crossbrowse => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5473487A-8D9D-4CD4-BBC9-82F54B712B40}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5473487A-8D9D-4CD4-BBC9-82F54B712B40}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CareStartUp => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{35F7B801-596F-4304-9AEE-5AB8C2F711D4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{35F7B801-596F-4304-9AEE-5AB8C2F711D4}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP2 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4891D2A9-39CB-43C1-BB7E-D658CC9C060C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4891D2A9-39CB-43C1-BB7E-D658CC9C060C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GlobalUpdate-nwy3yzfxmmtibwn" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2E8D3C54-56D3-4D3B-9E0E-065D26B26C5A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2E8D3C54-56D3-4D3B-9E0E-065D26B26C5A}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP3 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{030A7F9A-12F5-420D-A02F-1871A94B562E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{030A7F9A-12F5-420D-A02F-1871A94B562E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Papuir" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{05DF4A25-8DCD-48BE-89E2-54560DD48759}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05DF4A25-8DCD-48BE-89E2-54560DD48759}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Monitor => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{129A55DF-5E18-4EDD-918A-757EE1DB0CAD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{129A55DF-5E18-4EDD-918A-757EE1DB0CAD}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\globalUpdateUpdateTaskMachineCore => key not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\Äÿ" => key removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\Äÿ" => key removed successfully
"HKU\S-1-5-21-415474014-2678031740-3160283343-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => key removed successfully
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => key not found.
"HKU\S-1-5-21-415474014-2678031740-3160283343-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C31367EB-1A3F-452A-92C5-81FDB60543AD}" => key removed successfully
HKCR\CLSID\{C31367EB-1A3F-452A-92C5-81FDB60543AD} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-415474014-2678031740-3160283343-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\intr.lnk => moved successfully.
C:\a\69409334.bat => moved successfully.
C:\Users\Darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loons.lnk => moved successfully.
C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m\nuw3bzfvmm5ic2m.exe => moved successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\Software\Microsoft\Windows\CurrentVersion\Run\\rutoauto => value removed successfully
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\Software\Microsoft\Windows\CurrentVersion\Run\\dutoauto => value removed successfully
HKU\S-1-5-21-415474014-2678031740-3160283343-1001\Software\Microsoft\Windows\CurrentVersion\Run\\interpee => value removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer Backup Manager Tray.lnk => moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\cutoauto => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\interpee => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\autoauto => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cutoauto => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\interpee => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\autoauto => value removed successfully
lmgljlbe => Service removed successfully
Whimsical Hour => Unable to stop service.
Whimsical Hour => Service removed successfully
C:\Program Files (x86)\Whimsical Hour => moved successfully.
"C:\WINDOWS\system32\drivers\lmgljlbe.sys" => File/Folder not found.
"C:\Program Files (x86)\Crossbrowse" => File/Folder not found.
C:\ProgramData\F0tY60RA.dat => moved successfully.
C:\ProgramData\DP45977C.lfl => moved successfully.
C:\Users\Darren\AppData\Roaming\5432FD8F-1433185320-E211-BD3E-B888E3A4F8BE => moved successfully.
C:\Users\Darren\AppData\Roaming\nwy3yzfxmmtibwn => moved successfully.
C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7 => moved successfully.
C:\WINDOWS\IME => moved successfully.
C:\Program Files (x86)\5fc5c521-2e6e-4ac3-b4de-fe42e4a00be8 => moved successfully.
C:\Program Files (x86)\d27eee8e-ed87-471d-9fcc-d7b6d7f011bc => moved successfully.
C:\Program Files (x86)\7519c87a-8696-473a-9a02-787b9f7ea5f5 => moved successfully.
C:\Users\Darren\Desktop\Google Chrome.lnk => moved successfully.
C:\Program Files (x86)\FastInternet => moved successfully.
C:\Users\Darren\AppData\Local\yuntnani => moved successfully.
C:\a => moved successfully.
C:\WINDOWS\SysWOW64\73227707.bat => moved successfully.
C:\Users\Darren\AppData\Local\nva3vtetmklibmn => moved successfully.
C:\Users\Darren\AppData\Local\nuw3bzfvmm5ic2m => moved successfully.
C:\Users\Darren\AppData\Roaming\appdataFr25.bin => moved successfully.
EmptyTemp: => 1.2 GB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 12:36:23 ====

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015-07-13
Scan Time: 12:42 PM
Logfile: Scan Log.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.13.04
Rootkit Database: v2015.07.10.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Darren

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347956
Time Elapsed: 23 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 14 July 2015 - 01:47 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#7 NooBeRGoD

  • Topic Starter
  • Members
  • 12 posts

Posted 14 July 2015 - 12:12 PM

Cannot run the scan on the infected computer. I'm either redirected, or after downloading the onlinescanner.cab, I get "An addon for this website failed to run"



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 15 July 2015 - 05:49 AM

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:

Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#9 NooBeRGoD

  • Topic Starter
  • Members
  • 12 posts

Posted 15 July 2015 - 11:46 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-07-2015
Ran by SYSTEM on MININT-2HOBMGO on 15-07-2015 10:43:56
Running from d:\
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1212048 2012-06-07] (Realtek Semiconductor)
HKLM\...\Run: [BtPreLoad] => C:\Program Files (x86)\Bluetooth Suite\BtPreLoad.exe [64640 2012-08-10] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [211584 2012-08-10] (Qualcomm Atheros Commnucations)
S2 BrcmCardReader; C:\Program Files\Broadcom\MemoryCard\BrcmCardReader.exe [176640 2012-08-20] (Broadcom Corp.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-11-21] (Microsoft Corporation)
S2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2435728 2012-08-23] (Acer Incorporated)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [468624 2012-08-22] (Acer Incorporated)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [658576 2012-08-22] (Acer Incorporated)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [259136 2012-08-22] (NTI Corporation)
S2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2012-10-12] (Dritek System INC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
S2 ZAtheros Wlan Agent; C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [81536 2012-07-31] (Atheros)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-08-10] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-11-21] (Microsoft Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [43664 2015-07-09] ()
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-15] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2012-10-12] (Dritek System Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-14 19:07 - 2015-06-15 21:36 - 01661576 _____ (Microsoft Corporation) C:\Windows\System32\ole32.dll
2015-07-14 19:07 - 2015-06-15 21:36 - 01212248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2015-07-14 19:07 - 2015-06-10 19:49 - 01380600 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll
2015-07-14 19:07 - 2015-06-10 08:13 - 01097216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-07-14 19:07 - 2015-05-11 08:34 - 00332800 _____ (Microsoft Corporation) C:\Windows\System32\fhcpl.dll
2015-07-14 19:07 - 2015-05-07 08:47 - 00564224 _____ (Microsoft Corporation) C:\Windows\System32\apphelp.dll
2015-07-14 19:07 - 2015-04-28 05:13 - 00513480 _____ C:\Windows\SysWOW64\locale.nls
2015-07-14 19:07 - 2015-04-28 05:13 - 00513480 _____ C:\Windows\System32\locale.nls
2015-07-14 19:07 - 2015-04-23 07:47 - 03084288 _____ (Microsoft Corporation) C:\Windows\System32\msftedit.dll
2015-07-14 19:07 - 2015-04-23 07:16 - 02471424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msftedit.dll
2015-07-14 19:06 - 2015-05-12 05:19 - 00294912 _____ (Microsoft Corporation) C:\Windows\System32\SystemEventsBrokerServer.dll
2015-07-14 19:06 - 2015-05-03 07:07 - 07784448 _____ (Microsoft Corporation) C:\Windows\System32\Windows.Data.Pdf.dll
2015-07-14 19:06 - 2015-05-03 06:57 - 05264384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2015-07-14 19:06 - 2015-05-01 15:33 - 00410739 _____ C:\Windows\System32\ApnDatabase.xml
2015-07-14 08:59 - 2015-07-14 09:00 - 00001818 _____ C:\Users\Darren\Desktop\Google Chrome.lnk
2015-07-14 08:58 - 2015-07-14 08:58 - 00000024 _____ C:\Users\Darren\AppData\Roaming\appdataFr25.bin
2015-07-13 10:40 - 2015-07-13 10:40 - 00000000 ____H C:\ProgramData\DP45977C.lfl
2015-07-13 10:35 - 2015-07-13 10:36 - 00000000 ____D C:\Users\Darren\Desktop\FRST
2015-07-13 10:35 - 2015-07-13 10:35 - 00000716 _____ C:\Users\Darren\AppData\Local\rBETMhGO5yh7eVtg5rbJ.html
2015-07-12 08:38 - 2015-07-12 08:38 - 05200384 _____ (AVAST Software) C:\Users\Darren\Desktop\aswmbr.exe
2015-07-10 13:56 - 2015-07-13 10:38 - 00000000 ____D C:\FRST
2015-07-09 21:13 - 2015-07-09 21:13 - 00000000 ____D C:\Users\Darren\AppData\Local\GWX
2015-07-09 18:55 - 2015-07-09 19:17 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-07-09 15:16 - 2015-07-09 21:05 - 00000000 ____D C:\AdwCleaner
2015-07-09 13:14 - 2015-07-15 08:30 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-07-09 13:13 - 2015-07-09 18:55 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2015-07-09 13:13 - 2015-07-09 18:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-09 13:13 - 2015-06-18 06:42 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2015-07-09 13:12 - 2015-07-09 18:31 - 00001118 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-09 13:12 - 2015-07-09 13:13 - 00000000 ____D C:\Users\Darren\AppData\Roaming\Malwarebytes
2015-07-09 13:12 - 2015-07-09 13:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-09 13:12 - 2015-07-09 13:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-07-09 13:12 - 2015-06-18 06:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2015-07-09 12:57 - 2015-07-09 12:57 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-07-09 12:32 - 2015-07-09 12:32 - 00043664 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2015-07-09 12:03 - 2015-07-09 12:31 - 00001602 _____ C:\Windows\System32\.crusader
2015-07-09 11:50 - 2015-07-09 13:09 - 00000000 ____D C:\Windows\CryptoGuard
2015-07-09 11:50 - 2015-07-09 13:09 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
2015-07-09 11:50 - 2015-07-09 12:01 - 00000000 ____D C:\ProgramData\HitmanPro

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-15 08:41 - 2013-08-22 05:25 - 00262144 ___SH C:\Windows\System32\config\BBI
2015-07-15 08:40 - 2015-03-01 17:06 - 01553182 _____ C:\Windows\WindowsUpdate.log
2015-07-15 08:40 - 2013-08-22 06:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-15 08:36 - 2013-08-18 09:15 - 00000000 ____D C:\Windows\System32\MRT
2015-07-15 08:35 - 2015-04-08 18:49 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-07-15 08:35 - 2015-04-08 18:49 - 00000000 ___SD C:\Windows\System32\GWX
2015-07-15 08:29 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\System32\sru
2015-07-14 20:42 - 2013-11-24 06:15 - 00000918 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 19:35 - 2015-03-26 10:20 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{FCEC1802-83F2-4A96-82A9-6ED3AB5F0AEB}
2015-07-14 19:03 - 2012-07-25 23:59 - 00000000 ____D C:\Windows\CbsTemp
2015-07-14 09:09 - 2013-01-03 18:45 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-415474014-2678031740-3160283343-1001
2015-07-14 01:44 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\AppReadiness
2015-07-14 01:41 - 2013-11-24 06:15 - 00000914 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-13 10:38 - 2015-06-01 10:41 - 00000000 ____D C:\Users\Darren\OneDrive
2015-07-13 10:38 - 2015-03-07 08:56 - 00000008 __RSH C:\ProgramData\ntuser.pol
2015-07-13 10:38 - 2013-12-26 13:56 - 01474048 ___SH C:\Users\Darren\Desktop\Thumbs.db
2015-07-13 10:38 - 2013-08-22 06:46 - 00290720 _____ C:\Windows\setupact.log
2015-07-13 10:35 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\System32\GroupPolicy
2015-07-09 20:56 - 2015-03-07 09:01 - 00000000 ____D C:\Users\Darren\Documents\Bluetooth Folder
2015-07-09 20:55 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\tracing
2015-07-09 20:51 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\System32\NDF
2015-07-09 19:56 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\rescache
2015-07-09 15:09 - 2014-11-21 00:34 - 00708628 _____ C:\Windows\PFRO.log
2015-07-09 15:09 - 2013-11-24 06:15 - 00000000 ____D C:\Program Files\Google
2015-07-09 15:09 - 2013-11-24 06:15 - 00000000 ____D C:\Program Files (x86)\Google
2015-07-09 13:36 - 2013-03-23 14:43 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2015-07-09 13:36 - 2012-09-03 08:17 - 00000000 ____D C:\Program Files (x86)\Acer
2015-07-09 12:14 - 2015-03-26 10:19 - 00000000 __SHD C:\Users\Darren\AppData\Local\EmieUserList
2015-07-09 12:14 - 2015-03-26 10:19 - 00000000 __SHD C:\Users\Darren\AppData\Local\EmieSiteList
2015-07-09 12:14 - 2015-03-26 10:19 - 00000000 __SHD C:\Users\Darren\AppData\Local\EmieBrowserModeList
2015-07-09 12:03 - 2012-07-25 21:26 - 00000226 _____ C:\Windows\win.ini
2015-07-09 11:53 - 2014-11-21 00:44 - 00863592 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-06 13:24 - 2014-11-21 08:03 - 00792568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-06 13:24 - 2014-11-21 08:03 - 00178168 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-05 02:08 - 2015-03-07 09:03 - 00300704 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2015-07-03 06:43 - 2013-01-06 11:09 - 130333168 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2015-06-22 04:43 - 2013-08-22 06:44 - 00337976 _____ C:\Windows\System32\FNTCACHE.DAT
2015-06-19 06:17 - 2013-08-22 07:36 - 00000000 ___RD C:\Windows\ToastData
2015-06-19 06:17 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-06-19 05:30 - 2014-12-06 07:30 - 00000173 _____ C:\Users\Darren\AppData\Roaming\WB.CFG

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\explorer.exe
[2015-04-08 13:57] - [2015-01-27 15:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\SysWOW64\explorer.exe
[2015-04-08 13:57] - [2015-01-27 15:41] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

C:\Windows\System32\svchost.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\SysWOW64\svchost.exe
[2014-11-21 01:16] - [2014-11-21 01:16] - 0033088 ____A (Microsoft Corporation) D0ABC231C0B3E88C6B612B28ABBF734D

C:\Windows\System32\services.exe
[2015-05-13 11:04] - [2015-04-08 14:55] - 0410128 ____A (Microsoft Corporation) E0C7813A97CA7947FF5C18A8F3B61A45

C:\Windows\System32\User32.dll
[2014-11-21 01:16] - [2014-11-21 01:16] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\SysWOW64\User32.dll
[2014-11-21 01:15] - [2014-11-21 01:15] - 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

C:\Windows\System32\userinit.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\SysWOW64\userinit.exe
[2014-11-21 01:16] - [2014-11-21 01:16] - 0022528 ____A (Microsoft Corporation) D10643FC0095434C819316CA6CD748C0

C:\Windows\System32\rpcss.dll
[2014-11-21 01:15] - [2014-11-21 01:15] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2015-06-19 05:02:22
Restore point made on: 2015-07-09 04:59:45
Restore point made on: 2015-07-12 09:15:46
Restore point made on: 2015-07-15 08:30:40

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 5957.28 MB
Available physical RAM: 5134.62 MB
Total Virtual: 5957.28 MB
Available Virtual: 5153.92 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:681.41 GB) (Free:639.1 GB) NTFS
Drive d: (HITMANPRO) (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32
Drive f: () (Fixed) (Total:0.44 GB) (Free:0.08 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 96A62CAA)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 3.8 GB) (Disk ID: FD3356B0)
Partition 1: (Active) - (Size=3.8 GB) - (Type=0B)


LastRegBack: 2015-07-13 10:54

==================== End of log ============================



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 16 July 2015 - 01:41 AM

Fix with FRST (Recovery Environment)


  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    
    
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


When done, boot into Windows and try to run ESET Online Scanner in another browser.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 NooBeRGoD
  • Topic Starter
  • Members
  • 12 posts

Posted 16 July 2015 - 05:00 PM

The box appears empty to me. Single or double clicking inside the box, and using keyboard shortcuts for select all, copy and paste do not work for me either.


Edited by NooBeRGoD, 16 July 2015 - 07:13 PM.


#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 17 July 2015 - 04:12 AM

I apologize, here it is:

2015-07-13 10:35 - 2015-07-13 10:35 - 00000716 _____ C:\Users\Darren\AppData\Local\rBETMhGO5yh7eVtg5rbJ.html
2015-07-14 08:59 - 2015-07-14 09:00 - 00001818 _____ C:\Users\Darren\Desktop\Google Chrome.lnk
2015-07-14 08:58 - 2015-07-14 08:58 - 00000024 _____ C:\Users\Darren\AppData\Roaming\appdataFr25.bin
2015-07-13 10:40 - 2015-07-13 10:40 - 00000000 ____H C:\ProgramData\DP45977C.lfl


#13 NooBeRGoD
  • Topic Starter
  • Members
  • 12 posts

Posted 17 July 2015 - 08:31 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:13-07-2015
Ran by SYSTEM at 2015-07-17 06:35:03 Run:2
Running from d:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
2015-07-13 10:35 - 2015-07-13 10:35 - 00000716 _____ C:\Users\Darren\AppData\Local\rBETMhGO5yh7eVtg5rbJ.html
2015-07-14 08:59 - 2015-07-14 09:00 - 00001818 _____ C:\Users\Darren\Desktop\Google Chrome.lnk
2015-07-14 08:58 - 2015-07-14 08:58 - 00000024 _____ C:\Users\Darren\AppData\Roaming\appdataFr25.bin
2015-07-13 10:40 - 2015-07-13 10:40 - 00000000 ____H C:\ProgramData\DP45977C.lfl
*****************

C:\Users\Darren\AppData\Local\rBETMhGO5yh7eVtg5rbJ.html => moved successfully.
C:\Users\Darren\Desktop\Google Chrome.lnk => moved successfully.
C:\Users\Darren\AppData\Roaming\appdataFr25.bin => moved successfully.
C:\ProgramData\DP45977C.lfl => moved successfully.

==== End of Fixlog 06:35:04 ====



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 17 July 2015 - 09:09 AM

When done, boot into Windows and try to run ESET Online Scanner in another browser.



#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 04 August 2015 - 02:03 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.