Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unwanted programmes but avast wont let frst work


  • This topic is locked This topic is locked
10 replies to this topic

#1 TBone3

TBone3

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 13 July 2015 - 03:26 PM

found unwanted programs on malwarebytes I try and download FRST but avast tells me its a suspicious item and removes it so cant start the removal process



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,977 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:25 PM

Posted 15 July 2015 - 09:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If you download the Farbar tool from this site it's safe.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Avast is probably placing the file in the Chest folder.

You should be able to restore the file.
https://blog.avast.com/2013/11/03/how-do-i-access-the-avast-virus-chest/

Run it and post both logs for my review.

#3 TBone3

TBone3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 15 July 2015 - 05:25 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-07-2015
Ran by Chris (administrator) on DELL-530 on 15-07-2015 23:23:37
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Andrea Electronics Corporation) C:\Windows\System32\AERTSrv.exe
() C:\Program Files\HDD Health\HDDHealthService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Secunia) C:\Program Files\Secunia\PSI\psia.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(PANTERASoft) C:\Program Files\HDD Health\hddhealth.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Secunia) C:\Program Files\Secunia\PSI\psi_tray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4907008 2008-01-17] (Realtek Semiconductor)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2618680 2015-04-08] (Malwarebytes Corporation)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-14] (Avast Software s.r.o.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Real\RealPlayer\update\realsched.exe [295512 2013-09-08] (RealNetworks, Inc.)
HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-29] (Piriform Ltd)
HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HDDHealth.lnk [2014-03-25]
ShortcutTarget: HDDHealth.lnk -> C:\Program Files\HDD Health\hddhealth.exe (PANTERASoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2014-11-30]
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-05-01] (Avast Software s.r.o.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-05-01] (Avast Software s.r.o.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 0.0.0.0
Tcpip\..\Interfaces\{24808C3F-DF8E-4DBB-B40F-D7DB39A51B71}: [DhcpNameServer] 192.168.0.203
Tcpip\..\Interfaces\{C010AF49-0C76-4353-BB35-19AE24C74C4F}: [DhcpNameServer] 192.168.1.1 0.0.0.0

FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428
FF SearchEngineOrder.1:
FF SelectedSearchEngine:
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1214154.dll [2014-11-07] (Adobe Systems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [2013-09-08] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2012-08-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2012-08-16] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll [2013-09-08] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-11] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-11] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2013-09-08] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll [2013-09-08] (RealPlayer)
FF Extension: NoScript - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-03-26]
FF Extension: Adblock Plus - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-03-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-02-04]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012-08-16]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-08]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-08-02]

Chrome:
=======
CHR Profile: C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-20]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AERTFilters; C:\Windows\system32\AERTSrv.exe [77824 2007-12-05] (Andrea Electronics Corporation)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-05-01] (Avast Software s.r.o.)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [107448 2015-05-01] (Avast Software s.r.o.)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [3207800 2015-05-01] (Avast Software)
R2 HDDHealth; C:\Program Files\HDD Health\HDDHealthService.exe [17760 2013-03-08] () [File not signed]
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [656184 2015-04-08] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1229528 2013-12-06] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [662232 2013-12-06] (Secunia)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24144 2015-05-01] ()
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [26096 2015-05-01] (Avast Software s.r.o.)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [74976 2015-05-01] (Avast Software s.r.o.)
R0 aswNdis; C:\Windows\System32\DRIVERS\aswNdis.sys [12112 2014-08-02] (ALWIL Software)
R0 aswNdis2; C:\Windows\system32\Drivers\aswNdis2.sys [253600 2015-05-01] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55200 2015-05-01] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49904 2015-05-01] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787760 2015-05-01] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [428120 2015-06-27] (Avast Software s.r.o.)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57888 2015-05-01] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [209048 2015-05-01] ()
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2015-04-08] ()
R3 gttap1; C:\Windows\System32\DRIVERS\gttap1.sys [32552 2013-09-12] (The OpenVPN Project)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [98520 2015-07-15] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
S3 MOSUMAC; C:\Windows\System32\DRIVERS\MOSUMAC.SYS [43520 2009-12-10] (--)
R3 PSI; C:\Windows\System32\DRIVERS\psi_mf_x86.sys [16024 2013-12-06] (Secunia)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [220752 2015-05-01] (Avast Software)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-21] (Microsoft Corporation)
S3 eapihdrv; \??\C:\Users\Chris\AppData\Local\Temp\ehdrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-15 23:21 - 2015-07-15 23:21 - 01636864 ____N (Farbar) C:\Users\Chris\Desktop\FRST.exe
2015-07-15 03:15 - 2015-07-03 17:04 - 01316864 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2015-07-15 03:15 - 2015-06-25 03:57 - 02066432 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-07-15 03:14 - 2015-06-17 17:50 - 02264576 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-07-15 03:14 - 2015-06-17 16:09 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2015-07-15 03:14 - 2015-06-12 17:01 - 00298496 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-07-15 03:07 - 2015-07-07 16:58 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-07-15 03:07 - 2015-07-07 15:22 - 00296960 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-07-15 03:05 - 2015-05-31 09:11 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\cewmdm.dll
2015-07-15 03:03 - 2015-06-27 17:03 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-07-15 03:03 - 2015-06-27 17:02 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-07-15 03:03 - 2015-06-27 17:02 - 00218112 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-07-15 03:03 - 2015-06-27 17:01 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-07-15 03:03 - 2015-06-27 15:21 - 00217088 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-07-15 03:03 - 2015-06-27 15:21 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-07-15 03:03 - 2015-06-12 14:13 - 00440768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-07-15 03:03 - 2015-01-09 01:17 - 00107008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-07-15 00:15 - 2015-07-03 06:31 - 12386304 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-07-15 00:15 - 2015-07-03 06:18 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-07-15 00:11 - 2015-06-17 02:14 - 01810432 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-07-15 00:11 - 2015-06-17 02:12 - 09750528 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-07-15 00:11 - 2015-06-17 02:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-07-15 00:11 - 2015-06-17 02:10 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-07-15 00:11 - 2015-06-17 02:09 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-07-15 00:11 - 2015-06-17 02:09 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-07-15 00:11 - 2015-06-17 02:09 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-07-15 00:11 - 2015-06-17 02:09 - 00421888 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-07-15 00:11 - 2015-06-17 02:08 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-07-15 00:11 - 2015-06-17 02:08 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-07-15 00:11 - 2015-06-17 02:08 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-07-14 16:25 - 2015-07-14 16:25 - 00000244 _____ C:\Users\Chris\Downloads\defogger_enable.log
2015-07-13 21:25 - 2015-07-13 21:25 - 00000000 ____D C:\Users\Chris\Desktop\FRST-OlderVersion
2015-07-13 21:20 - 2015-07-13 21:20 - 00050477 _____ C:\Users\Chris\Downloads\Defogger.exe
2015-07-13 21:20 - 2015-07-13 21:20 - 00000472 _____ C:\Users\Chris\Downloads\defogger_disable.log
2015-07-13 17:17 - 2015-07-13 17:18 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\Chris\Downloads\mbam-setup-2.1.8.1057.exe
2015-07-12 21:32 - 2015-07-13 11:46 - 00000000 ____D C:\Users\Chris\Downloads\mets
2015-07-07 20:20 - 2015-07-13 17:41 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-06-27 23:52 - 2015-07-15 03:34 - 00002240 _____ C:\Windows\PFRO.log
2015-06-27 18:18 - 2015-06-27 18:18 - 02870984 _____ (ESET) C:\Users\Chris\Downloads\esetsmartinstaller_enu(2).exe
2015-06-24 22:04 - 2015-07-14 16:30 - 00030704 _____ C:\Users\Chris\Desktop\Addition.txt
2015-06-24 22:02 - 2015-07-15 23:23 - 00013979 _____ C:\Users\Chris\Desktop\FRST.txt
2015-06-18 17:18 - 2015-06-18 17:34 - 00000000 ____D C:\Users\Chris\Downloads\MSUCI2
2015-06-18 17:12 - 2015-07-13 21:15 - 00000000 ____D C:\Program Files\PeerBlock

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-15 23:23 - 2015-02-14 09:57 - 00000000 ____D C:\FRST
2015-07-15 22:54 - 2014-06-02 22:04 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-15 22:52 - 2012-06-09 17:42 - 02040753 _____ C:\Windows\WindowsUpdate.log
2015-07-15 22:47 - 2012-12-13 20:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-15 21:36 - 2006-11-02 13:47 - 00005184 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-15 21:36 - 2006-11-02 13:47 - 00005184 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-15 20:13 - 2014-06-02 22:10 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2015-07-15 12:55 - 2014-06-02 22:04 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-15 03:44 - 2006-11-02 11:33 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-15 03:37 - 2013-01-13 18:03 - 03612480 _____ C:\Windows\system32\FNTCACHE.DAT
2015-07-15 03:36 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-15 03:33 - 2006-11-02 14:01 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-15 03:14 - 2013-08-14 03:08 - 00000000 ____D C:\Windows\system32\MRT
2015-07-15 01:47 - 2012-12-13 20:48 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-07-15 01:47 - 2012-12-13 20:48 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-07-14 16:59 - 2014-06-02 22:05 - 00001931 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-07-14 16:25 - 2011-02-04 13:24 - 00000000 ____D C:\Users\Chris
2015-07-13 17:41 - 2013-10-31 01:26 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-07-13 17:21 - 2013-07-23 22:29 - 00000000 ____D C:\Users\Chris\AppData\Roaming\vlc
2015-07-13 17:19 - 2014-06-02 22:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-13 17:19 - 2014-06-02 22:10 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-07-13 17:19 - 2013-08-23 17:11 - 00000859 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-13 11:53 - 2015-03-30 21:39 - 00001041 _____ C:\Users\Chris\AppData\Roaming\vso_ts_preview.xml
2015-07-13 11:53 - 2015-03-30 21:39 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Vso
2015-07-13 11:52 - 2012-06-03 09:55 - 00050176 _____ C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-07-13 11:49 - 2011-12-31 14:09 - 00000000 ____D C:\Users\Chris\AppData\Local\CrashDumps
2015-07-13 10:12 - 2014-07-29 23:31 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-07-12 21:54 - 2011-12-28 15:53 - 00000000 ____D C:\Users\Chris\Documents\ConvertXToDVD
2015-07-04 16:13 - 2015-05-17 18:45 - 00001035 _____ C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
2015-07-03 08:49 - 2006-11-02 11:24 - 127070192 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-06-27 01:01 - 2014-08-02 22:53 - 00428120 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswsp.sys
2015-06-23 15:15 - 2014-08-27 21:55 - 00000000 ____D C:\Users\Chris\AppData\Local\Adobe
2015-06-23 13:27 - 2011-02-04 14:29 - 00246952 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-06-23 01:34 - 2015-04-01 16:43 - 00000000 ____D C:\AdwCleaner
2015-06-18 08:41 - 2014-06-02 22:10 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-18 08:41 - 2013-10-21 09:52 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-18 08:41 - 2013-08-23 17:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

==================== Files in the root of some directories =======

2011-12-28 15:52 - 2011-12-28 15:52 - 0007887 _____ () C:\Users\Chris\AppData\Roaming\pcouffin.cat
2011-12-28 15:52 - 2011-12-28 15:52 - 0001144 _____ () C:\Users\Chris\AppData\Roaming\pcouffin.inf
2011-12-28 15:53 - 2011-12-28 15:53 - 0000034 _____ () C:\Users\Chris\AppData\Roaming\pcouffin.log
2011-12-28 15:52 - 2011-12-28 15:52 - 0047360 _____ (VSO Software) C:\Users\Chris\AppData\Roaming\pcouffin.sys
2013-06-10 19:39 - 2013-06-10 19:39 - 0029239 _____ () C:\Users\Chris\AppData\Roaming\UserTile.png
2015-03-30 21:39 - 2015-07-13 11:53 - 0001041 _____ () C:\Users\Chris\AppData\Roaming\vso_ts_preview.xml
2012-01-13 09:09 - 2013-04-28 22:18 - 0163945 _____ () C:\Users\Chris\AppData\Local\ars.cache
2012-01-13 09:10 - 2013-04-28 22:18 - 0910996 _____ () C:\Users\Chris\AppData\Local\census.cache
2013-05-06 12:27 - 2015-05-14 02:47 - 0000680 _____ () C:\Users\Chris\AppData\Local\d3d9caps.dat
2012-06-03 09:55 - 2015-07-13 11:52 - 0050176 _____ () C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-13 08:12 - 2012-01-13 08:12 - 0000036 _____ () C:\Users\Chris\AppData\Local\housecall.guid.cache
2014-11-06 22:03 - 2014-11-06 22:03 - 0000000 _____ () C:\Users\Chris\AppData\Local\{58A3253E-0601-4F77-827A-75E8523B55B2}

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-15 15:42

==================== End of log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Chris at 2015-07-15 23:23:58
Running from C:\Users\Chris\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3299710142-3868310564-1978959094-500 - Administrator - Disabled)
Chris (S-1-5-21-3299710142-3868310564-1978959094-1001 - Administrator - Enabled) => C:\Users\Chris
Guest (S-1-5-21-3299710142-3868310564-1978959094-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 17.0.0.172 - Adobe Systems Incorporated)
Adobe Community Help (HKLM\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe Download Assistant (HKLM\...\com.adobe.downloadassistant.AdobeDownloadAssistant) (Version: 1.0.6 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.4.154 - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Auslogics DiskDefrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 5.3.0.0 - Auslogics Labs Pty Ltd)
Avast Internet Security (HKLM\...\Avast) (Version: 10.2.2218 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
ConvertXtoDVD 4.0.9.322 (HKLM\...\{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1) (Version: 4.0.9.322 - )
EasyBCD 1.7 (HKLM\...\EasyBCD) (Version: 1.7 - NeoSmart Technologies)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
ffdshow [rev 2180] [2008-10-04] (HKLM\...\ffdshow_is1) (Version: 1.0 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 43.0.2357.134 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.1 - Google Inc.) Hidden
HDD Health v4.2 (HKLM\...\HDD Health_is1) (Version:  - )
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
K-Lite Codec Pack 7.0.0 (Standard) (HKLM\...\KLiteCodecPack_is1) (Version: 7.0.0 - )
Ladbrokes Casino (HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\Ladbrokes) (Version:  - )
Leawo Video Converter version  5.1.0.0 (HKLM\...\{331ED3CF-3A1B-467C-9A62-899E2D3B20C4}_is1) (Version:  - )
Malwarebytes Anti-Exploit version 1.06.1.1019 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.06.1.1019 - Malwarebytes)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Excel Viewer 2003 (HKLM\...\{90840409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Motorola Mobile Drivers Installation 6.3.0 (HKLM\...\{A55747C1-4651-433D-B082-478874FF7516}) (Version: 6.3.0 - Motorola Mobility LLC)
Mozilla Firefox 39.0 (x86 en-US) (HKLM\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
MPC-HC 1.7.0 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.0.7858 - MPC-HC Team)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
Nero 7 Lite 7.10.1.2 (HKLM\...\Nero7Lite_is1) (Version: 7.10.1.2 - UpdatePack.nl)
Panda Cloud Cleaner (HKLM\...\{92B2B132-C7F0-43DC-921A-4493C04F78A4}_is1) (Version: 1.0.107 - Panda Security)
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - )
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
Samsung Story Album Viewer (HKLM\...\InstallShield_{698BBAD8-B116-495D-B879-0F07A533E57F}) (Version: 1.0.0.13054_1 - Samsung Electronics Co., Ltd.)
Samsung Story Album Viewer (Version: 1.0.0.13054_1 - Samsung Electronics Co., Ltd.) Hidden
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.27.0 - SAMSUNG Electronics Co., Ltd.)
Secunia PSI (3.0.0.9016) (HKLM\...\Secunia PSI) (Version: 3.0.0.9016 - Secunia)
Skitch (HKLM\...\Skitch 1.0.2.0) (Version: 2.2.0.4 - Evernote Corp.)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.0 - VideoLAN)
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
WinRAR 5.21 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
YouTube Downloader App 3.00 (HKLM\...\YouTube Downloader App) (Version: 3.00 - Regensoft)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

23-06-2015 00:00:16 Scheduled Checkpoint
23-06-2015 17:13:03 Windows Update
24-06-2015 23:01:12 Scheduled Checkpoint
26-06-2015 00:00:02 Scheduled Checkpoint
26-06-2015 21:49:22 Windows Update
28-06-2015 01:11:40 Scheduled Checkpoint
29-06-2015 00:00:01 Scheduled Checkpoint
30-06-2015 00:00:05 Scheduled Checkpoint
30-06-2015 22:49:52 Windows Update
01-07-2015 13:42:03 Scheduled Checkpoint
03-07-2015 00:00:04 Scheduled Checkpoint
04-07-2015 00:13:51 Scheduled Checkpoint
04-07-2015 03:37:23 Windows Update
05-07-2015 00:00:07 Scheduled Checkpoint
06-07-2015 00:00:03 Scheduled Checkpoint
07-07-2015 00:00:03 Scheduled Checkpoint
07-07-2015 14:29:00 Windows Update
09-07-2015 00:00:06 Scheduled Checkpoint
10-07-2015 00:00:05 Scheduled Checkpoint
10-07-2015 18:49:07 Windows Update
12-07-2015 00:00:02 Scheduled Checkpoint
13-07-2015 00:00:08 Scheduled Checkpoint
13-07-2015 19:07:30 Scheduled Checkpoint
15-07-2015 00:00:07 Scheduled Checkpoint
15-07-2015 00:09:29 Windows Update
15-07-2015 03:00:29 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-01-28 16:22 - 2015-02-12 19:22 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0945E1CB-16D0-411C-8521-E36129FC4CAD} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-3299710142-3868310564-1978959094-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {5184F028-AA66-498B-8389-8BE4497A3485} - System32\Tasks\avastBCLRestartS-1-5-21-3299710142-3868310564-1978959094-1001 => Firefox.exe
Task: {55BCF811-A564-4112-86D0-CE9A15394CF0} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3299710142-3868310564-1978959094-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {6092D648-6209-4D6F-9B67-908F6DA777DD} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {677CD573-8156-4B83-8781-B7646D6B0415} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-15] (Adobe Systems Incorporated)
Task: {6AB10674-89F8-4900-9832-2CF880C72577} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3299710142-3868310564-1978959094-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {774B777F-3837-4F59-BD37-29C2BD397E76} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-06-12] (Adobe Systems Incorporated)
Task: {8214B684-CA5F-4C69-89AA-C1D18ACA5CB0} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-3299710142-3868310564-1978959094-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {85281012-34B8-4BAA-9EF3-93B5EA5F07FC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-06-02] (Google Inc.)
Task: {8A6403D3-82D2-4E66-8DBE-0E6A1517755E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-06-02] (Google Inc.)
Task: {ADA914F7-A3CA-4F5E-8F05-BE49799BBAAC} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-06-18] (Avast Software s.r.o.)
Task: {DC0B49E4-3258-40BE-81A6-B40E45F2E425} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-29] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-03-20 18:32 - 2015-05-01 12:59 - 00104400 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2015-03-20 18:32 - 2015-05-01 12:59 - 00081728 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2015-07-14 20:58 - 2015-07-14 20:58 - 02956288 _____ () C:\Program Files\AVAST Software\Avast\defs\15071401\algo.dll
2015-07-15 20:13 - 2015-07-15 20:13 - 02956800 _____ () C:\Program Files\AVAST Software\Avast\defs\15071501\algo.dll
2014-03-25 06:27 - 2013-03-08 10:54 - 00017760 _____ () C:\Program Files\HDD Health\HDDHealthService.exe
2013-08-14 15:19 - 2013-08-14 15:19 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
2015-03-14 03:20 - 2015-03-20 18:33 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\1001movie.com -> 1001movie.com
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\1001night.biz -> 1001night.biz
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\100gal.net -> 100gal.net
IE restricted site: HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\...\100sexlinks.com -> 100sexlinks.com

There are 5317 more restricted sites.

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3299710142-3868310564-1978959094-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Chris\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
DNS Servers: 192.168.1.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [SLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [{95C5F95E-62D7-4526-9C15-BCE6ABA4F874}] => (Allow) C:\Program Files\Opera\opera.exe
FirewallRules: [{E666F7E6-14C7-46A7-AEBB-325E67946372}] => (Allow) C:\Program Files\Opera\opera.exe
FirewallRules: [{666EC536-9390-41DD-87C5-3F303A0CFA0E}] => (Allow) C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{F4CFD83A-D58B-4331-9FC7-226F9784CDC4}] => (Allow) C:\Windows\System32\muzapp.exe
FirewallRules: [{12BEC677-E9D6-44B9-BABE-F2063712476A}] => (Allow) C:\Windows\System32\muzapp.exe
FirewallRules: [{63B46E60-3403-4499-A84A-2E131052042D}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{302B31C3-170B-4314-B46B-37875751AF0A}] => (Allow) C:\Program Files\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{548FDE5A-8AC2-4C5E-B687-603C092943FA}] => (Allow) C:\Program Files\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{CB3C9927-8511-4003-A2F9-0F8653F9F993}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{89F6D647-8024-4E1F-8497-2A7AE8708831}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{D219BA1B-DD57-4273-87E5-4AACE5A32963}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
FirewallRules: [{F96D426C-C4D3-4FD3-90BF-97AA8B3F9D16}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
FirewallRules: [{E1840D16-9CCF-4302-B33B-9D2D60E8935B}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/15/2015 12:55:25 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/15/2015 12:55:25 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/15/2015 03:13:59 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (07/15/2015 03:13:58 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (07/13/2015 09:14:28 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/13/2015 05:39:18 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier2\security.cpp78800706e5

Error: (07/13/2015 11:49:17 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application vlc.exe, version 2.2.0.0, time stamp 0x00000004, faulting module libqt4_plugin.dll, version 2.2.0.0, time stamp 0x00020002, exception code 0x40000015, fault offset 0x007c915a,
process id 0x17c, application start time 0xvlc.exe0.

Error: (06/27/2015 11:55:14 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\CHRIS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\Y0T440SI.DEFAULT-1422297887428\SAFEBROWSING> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (06/27/2015 11:55:14 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\CHRIS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\Y0T440SI.DEFAULT-1422297887428\SAFEBROWSING> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (06/27/2015 11:43:32 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\CHRIS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\Y0T440SI.DEFAULT-1422297887428\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)


System errors:
=============
Error: (06/27/2015 11:43:09 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: 1Restart the serviceWindows Search%%1056

Error: (06/27/2015 11:43:08 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (06/27/2015 11:43:08 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: 1Restart the serviceWindows Media Player Network Sharing Service%%1056

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Search1300001Restart the service

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: HDDHealth1

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Malwarebytes Anti-Exploit Service1

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Secunia PSI Agent1

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Secunia Update Agent1

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Media Player Network Sharing Service1300001Restart the service

Error: (06/27/2015 11:42:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Adobe Acrobat Update Service1


Microsoft Office:
=========================
Error: (07/15/2015 12:55:25 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: rpshellextension.1.0,language="&#x2a;",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (07/15/2015 12:55:25 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: rpshellextension.1.0,language="&#x2a;",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (07/15/2015 03:13:59 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (07/15/2015 03:13:58 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (07/13/2015 09:14:28 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: rpshellextension.1.0,language="&#x2a;",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (07/13/2015 05:39:18 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier2\security.cpp78800706e5

Error: (07/13/2015 11:49:17 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: vlc.exe2.2.0.000000004libqt4_plugin.dll2.2.0.00002000240000015007c915a17c01d0bd597aadb5c0

Error: (06/27/2015 11:55:14 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\CHRIS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\Y0T440SI.DEFAULT-1422297887428\SAFEBROWSING

Error: (06/27/2015 11:55:14 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\CHRIS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\Y0T440SI.DEFAULT-1422297887428\SAFEBROWSING

Error: (06/27/2015 11:43:32 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)
C:\USERS\CHRIS\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\Y0T440SI.DEFAULT-1422297887428\SAFEBROWSING-BACKUP


CodeIntegrity Errors:
===================================
  Date: 2015-07-15 23:23:54.390
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:54.172
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:53.953
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:53.750
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:53.454
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:53.236
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:53.033
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:52.830
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:42.125
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-15 23:23:41.922
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz
Percentage of memory in use: 53%
Total physical RAM: 3060.45 MB
Available physical RAM: 1429.25 MB
Total Virtual: 6345.91 MB
Available Virtual: 4374.45 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:288.32 GB) (Free:156.55 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Recovery) (Fixed) (Total:9.77 GB) (Free:3.88 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: 5ED7C68A)
Partition 1: (Active) - (Size=288.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=9.8 GB) - (Type=07 NTFS)

==================== End of log ============================



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,977 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:25 PM

Posted 16 July 2015 - 07:12 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

EmptyTemp:
CloseProcesses:

S3 eapihdrv; \??\C:\Users\Chris\AppData\Local\Temp\ehdrv.sys

End
Save the files as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Get the latest version of AdwCleaner run the tool and post the log.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please let me know what problem persists.

#5 TBone3

TBone3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 16 July 2015 - 01:59 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Chris at 2015-07-16 19:56:39 Run:4
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Boot Mode: Normal

==============================================

fixlist content:
*****************

*****************


==== End of Fixlog 19:56:39 ====

 

# AdwCleaner v4.208 - Logfile created 16/07/2015 at 19:58:31
# Updated 09/07/2015 by Xplode
# Database : 2015-07-15.1 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)
# Username : Chris - DELL-530
# Running from : C:\Users\Chris\Desktop\adwcleaner_4.208.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v9.0.8112.16669


-\\ Mozilla Firefox v39.0 (x86 en-US)


-\\ Google Chrome v43.0.2357.134


-\\ Comodo Dragon v


*************************

AdwCleaner[R0].txt - [894 bytes] - [01/04/2015 16:43:59]
AdwCleaner[R1].txt - [946 bytes] - [01/04/2015 20:40:02]
AdwCleaner[R2].txt - [1063 bytes] - [01/04/2015 20:56:00]
AdwCleaner[R3].txt - [1272 bytes] - [23/06/2015 01:32:39]
AdwCleaner[R4].txt - [926 bytes] - [16/07/2015 19:58:31]
AdwCleaner[S0].txt - [959 bytes] - [01/04/2015 16:53:19]
AdwCleaner[S1].txt - [1009 bytes] - [01/04/2015 20:46:38]
AdwCleaner[S2].txt - [1342 bytes] - [23/06/2015 01:34:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [1160 bytes] ##########
 



#6 TBone3

TBone3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 16 July 2015 - 05:53 PM

after that I ran my AV and it picked up a trojan in my appdata/mozilla/firefox/profiles

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,977 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:25 PM

Posted 17 July 2015 - 06:54 AM

Did you fix that infection with you AV?

If still an issue please run this tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zeok tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#8 TBone3

TBone3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 17 July 2015 - 05:43 PM

it seems okay now. did you find anything? Zoek.exe v5.0.0.0 Updated 04-May-2015 Tool run by Chris on 17/07/2015 at 13:56:15.08. Microsoft® Windows Vista Home Premium 6.0.6002 Service Pack 2 x86 Running in: Normal Mode Internet Access Detected Launched: C:\Users\Chris\Desktop\zoek.exe [Scan all users] [Script inserted] ==== System Restore Info ====================== 17/07/2015 13:57:43 Zoek.exe System Restore Point Created Successfully. ==== Empty Folders Check ====================== C:\Program Files\Belarc deleted successfully C:\Program Files\MarkAny deleted successfully C:\Program Files\OpenOffice.org 2.4 deleted successfully C:\Program Files\VS Revo Group deleted successfully C:\PROGRA~2\abelhadigital.com deleted successfully C:\PROGRA~2\BlueStacksSetup deleted successfully C:\PROGRA~2\Dumps deleted successfully C:\PROGRA~2\Malwarebytes' Anti-Malware (portable) deleted successfully C:\PROGRA~2\NVIDIA deleted successfully C:\PROGRA~2\Oracle deleted successfully C:\Users\Chris\AppData\Roaming\HDDHealth deleted successfully C:\Users\Chris\AppData\Roaming\QuickScan deleted successfully C:\Users\Chris\AppData\Local\LogMeIn Rescue Applet deleted successfully C:\Users\Chris\AppData\Local\Secunia PSI deleted successfully ==== Deleting CLSID Registry Keys ====================== ==== Deleting CLSID Registry Values ====================== ==== Deleting Services ====================== ==== FireFox Fix ====================== ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428 user.js not found ---- FireFox user.js and prefs.js backups ---- prefs_072015_1410_.backup ==== Batch Command(s) Run By Tool====================== ==== Deleting Files \ Folders ====================== C:\Program Files\Belarc not found C:\Program Files\MarkAny not found C:\Program Files\OpenOffice.org 2.4 not found C:\Program Files\VS Revo Group not found C:\PROGRA~2\Malwarebytes' Anti-Malware (portable) not found C:\Users\Chris\AppData\Roaming\pcouffin.log deleted C:\Windows\system32\config\systemprofile\AppData\Roaming\hddhealth_s.log deleted C:\PROGRA~2\Package Cache deleted C:\Users\Chris\AppData\Local\cache deleted C:\Windows\System32\Tasks\avastBCLRestartS-1-5-21-3299710142-3868310564-1978959094-1001 deleted C:\Windows\system32\config\systemprofile\AppData\LocalLow\AVG SafeGuard toolbar deleted C:\Windows\system32\GroupPolicy\Machine deleted C:\Windows\system32\GroupPolicy\User deleted C:\Windows\system32\GroupPolicy\gpt.ini deleted "C:\Users\Chris\AppData\Local\{58A3253E-0601-4F77-827A-75E8523B55B2}" deleted ==== Firefox Start and Search pages ====================== ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428 user_pref("browser.search.defaultengine", ""); user_pref("browser.search.selectedEngine", ""); ==== Firefox Extensions Registry ====================== [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions] "wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [01/05/2015 12:59] ==== Firefox Extensions ====================== ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428 - NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi - Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi AppDir: C:\Program Files\Mozilla Firefox - Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} ==== Firefox Plugins ====================== Profilepath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428 0806948270D853B709CCBBF38AF167E4 - C:\Program Files\Adobe\Reader 11.0\Reader\browser\nppdf32.dll - Adobe Acrobat 9DF0C4F0CEF60158614EDD1B3AB441EE - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll - Adobe Acrobat C2D756C95D5AE3D030E7D394B9C771B9 - C:\Program Files\VideoLAN\VLC\npvlc.dll - VLC Web Plugin 1F352B5944AF5C2204D9EFF7F845C5AF - C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll - Google Update F8CB60A5ACA5D73807ECBD9942A8BCB7 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll - RealDownloader Plugin E32771B0AE3F18CEFFC12D682025238A - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll - RealPlayer™ HTML5VideoShim Plug-In (32-bit) 555E65306A5D3A5978BE74E1DD62CDD9 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll - RealNetworks™ Chrome Background Extension Plug-In (32-bit) 96B3689320E9B16EDF38B7A5001C35F0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll - RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit) EAC427FEF96A13058C1ACD17C38966CF - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll - RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit) BE126CB7049E89ED6F3038016668B502 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll - RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit) 0FCEAA7D12B7B0BA825E5C770B1DCA48 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll - RealPlayer Download Plugin 3A9E1940B4459CC97FDCBB24FCB69004 - c:\program files\real\realplayer\Netscape6\nppl3260.dll - RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) AB87EEFFD18F2BAAFC274E7075EA6C67 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll - Windows Presentation Foundation / Windows Presentation Foundation 073A22FDCDAFD513DAD0D972BD2DF76E - c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll - Silverlight Plug-In 12B7772C549B1A9A7AC2C0062F1582FF - C:\Windows\system32\Adobe\Director\np32dsw_1214154.dll - Shockwave for Director / Shockwave for Director FD82108FD60B63010325D9AF6F00AF99 - C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll - Shockwave Flash 6D23BB87BCF88731959BF79082D442E6 - c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrlui.dll - Microsoft® Silverlight ==== Chromium Look ====================== Google Chrome Version: 43.0.2357.134 HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[20/03/2015 18:31] idhngdhcfkoamngbedgpaokgjbnpdiji - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx[14/08/2013 15:24] SiteAdvisor - Chris\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho RealPlayer HTML5Video Downloader Extension - Chris\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk ==== Set IE to Default ====================== Old Values: [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157" [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main] "Search Bar"="https://uk.yahoo.com?fr=hp-avast&type=avastbcl" New Values: [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157" [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main] "Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896" ==== All HKCU SearchScopes ====================== HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" {012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}" {0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" ==== Empty IE Cache ====================== C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully C:\Users\Chris\AppData\Local\temp\acro_rd_dir\Temporary Internet Files\Content.IE5 emptied successfully C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409 will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409 will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ will be deleted at reboot C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot ==== Empty FireFox Cache ====================== C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428\cache2 emptied successfully ==== Empty Chrome Cache ====================== C:\Users\Chris\AppData\Local\Comodo\Dragon\User Data\Default\Cache emptied successfully C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully ==== Empty All Flash Cache ====================== Flash Cache Emptied Successfully ==== Empty All Java Cache ====================== Java Cache cleared successfully ==== C:\zoek_backup content ====================== C:\zoek_backup (files=43 folders=32 8637687 bytes) ==== Empty Temp Folders ====================== C:\Users\Chris\AppData\Local\temp will be emptied at reboot C:\Users\Default\AppData\Local\temp emptied successfully C:\Users\Default User\AppData\Local\temp emptied successfully C:\Users\Public\AppData\Local\temp emptied successfully C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully C:\Windows\Temp will be emptied at reboot ==== After Reboot ====================== ==== Empty Temp Folders ====================== C:\Windows\Temp successfully emptied C:\Users\Chris\AppData\Local\Temp successfully emptied ==== Empty Recycle Bin ====================== C:\$RECYCLE.BIN successfully emptied ==== Deleting Files / Folders ====================== "C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409" not found "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ" not found ==== EOF on 17/07/2015 at 23:37:32.70 ======================

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Chris on 17/07/2015 at 13:56:15.08.
Microsoft® Windows Vista™ Home Premium  6.0.6002 Service Pack 2 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Chris\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

17/07/2015 13:57:43 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\Belarc deleted successfully
C:\Program Files\MarkAny deleted successfully
C:\Program Files\OpenOffice.org 2.4 deleted successfully
C:\Program Files\VS Revo Group deleted successfully
C:\PROGRA~2\abelhadigital.com deleted successfully
C:\PROGRA~2\BlueStacksSetup deleted successfully
C:\PROGRA~2\Dumps deleted successfully
C:\PROGRA~2\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~2\NVIDIA deleted successfully
C:\PROGRA~2\Oracle deleted successfully
C:\Users\Chris\AppData\Roaming\HDDHealth deleted successfully
C:\Users\Chris\AppData\Roaming\QuickScan deleted successfully
C:\Users\Chris\AppData\Local\LogMeIn Rescue Applet deleted successfully
C:\Users\Chris\AppData\Local\Secunia PSI deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_072015_1410_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Program Files\Belarc not found
C:\Program Files\MarkAny not found
C:\Program Files\OpenOffice.org 2.4 not found
C:\Program Files\VS Revo Group not found
C:\PROGRA~2\Malwarebytes' Anti-Malware (portable) not found
C:\Users\Chris\AppData\Roaming\pcouffin.log deleted
C:\Windows\system32\config\systemprofile\AppData\Roaming\hddhealth_s.log deleted
C:\PROGRA~2\Package Cache deleted
C:\Users\Chris\AppData\Local\cache deleted
C:\Windows\System32\Tasks\avastBCLRestartS-1-5-21-3299710142-3868310564-1978959094-1001 deleted
C:\Windows\system32\config\systemprofile\AppData\LocalLow\AVG SafeGuard toolbar deleted
C:\Windows\system32\GroupPolicy\Machine deleted
C:\Windows\system32\GroupPolicy\User deleted
C:\Windows\system32\GroupPolicy\gpt.ini deleted
"C:\Users\Chris\AppData\Local\{58A3253E-0601-4F77-827A-75E8523B55B2}" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428
user_pref("browser.search.defaultengine", "");
user_pref("browser.search.selectedEngine", "");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [01/05/2015 12:59]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428
0806948270D853B709CCBBF38AF167E4    - C:\Program Files\Adobe\Reader 11.0\Reader\browser\nppdf32.dll -    Adobe Acrobat
9DF0C4F0CEF60158614EDD1B3AB441EE    - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll -    Adobe Acrobat
C2D756C95D5AE3D030E7D394B9C771B9    - C:\Program Files\VideoLAN\VLC\npvlc.dll -    VLC Web Plugin
1F352B5944AF5C2204D9EFF7F845C5AF    - C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll -    Google Update
F8CB60A5ACA5D73807ECBD9942A8BCB7    - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll -    RealDownloader Plugin
E32771B0AE3F18CEFFC12D682025238A    - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll -    RealPlayer™ HTML5VideoShim Plug-In (32-bit)
555E65306A5D3A5978BE74E1DD62CDD9    - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll -    RealNetworks™ Chrome Background Extension Plug-In (32-bit)
96B3689320E9B16EDF38B7A5001C35F0    - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll -    RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit)
EAC427FEF96A13058C1ACD17C38966CF    - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll -    RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit)
BE126CB7049E89ED6F3038016668B502    - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll -    RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit)
0FCEAA7D12B7B0BA825E5C770B1DCA48    - c:\program files\real\realplayer\Netscape6\nprpplugin.dll -    RealPlayer Download Plugin
3A9E1940B4459CC97FDCBB24FCB69004    - c:\program files\real\realplayer\Netscape6\nppl3260.dll -    RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit)
AB87EEFFD18F2BAAFC274E7075EA6C67    - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll -    Windows Presentation Foundation / Windows Presentation Foundation
073A22FDCDAFD513DAD0D972BD2DF76E    - c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll -    Silverlight Plug-In
12B7772C549B1A9A7AC2C0062F1582FF    - C:\Windows\system32\Adobe\Director\np32dsw_1214154.dll -    Shockwave for Director / Shockwave for Director
FD82108FD60B63010325D9AF6F00AF99    - C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll -    Shockwave Flash
6D23BB87BCF88731959BF79082D442E6    - c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrlui.dll -    Microsoft® Silverlight


==== Chromium Look ======================

Google Chrome Version: 43.0.2357.134

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[20/03/2015 18:31]
idhngdhcfkoamngbedgpaokgjbnpdiji - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx[14/08/2013 15:24]

SiteAdvisor - Chris\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho
RealPlayer HTML5Video Downloader Extension - Chris\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="https://uk.yahoo.com?fr=hp-avast&type=avastbcl"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Empty IE Cache ======================

C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Chris\AppData\Local\temp\acro_rd_dir\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409 will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409 will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ will be deleted at reboot
C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\y0t440si.default-1422297887428\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Chris\AppData\Local\Comodo\Dragon\User Data\Default\Cache emptied successfully
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=43 folders=32 8637687 bytes)

==== Empty Temp Folders ======================

C:\Users\Chris\AppData\Local\temp will be emptied at reboot
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Chris\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0K9UI0HR" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12BWL27U" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOHOI409" not found
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSS1W7JJ" not found

==== EOF on 17/07/2015 at 23:37:32.70 ======================
 



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,977 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:25 PM

Posted 18 July 2015 - 07:18 AM


The Zoek tool did a good cleanup.
They might just have been some remnant items in the Temporary file folders.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 TBone3

TBone3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 18 July 2015 - 03:38 PM

thanks very much for you help



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,977 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:25 PM

Posted 19 July 2015 - 07:28 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users