
Coinminer J Trojan svchost repeater


  • This topic is locked
17 replies to this topic

#1 MJPRCE

MJPRCE

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 18 July 2015 - 09:27 PM

I have Windows 8.1 fully updated (afaik - automatic updates were applied to my system) and I am using ESET NOD32 as a free trial.

It's picked up svchost.exe in a temp directory as being problematic - with the trojan "coinminer J" being the problem with it.

Windows Defender (this is not working now as it was disabled/removed before ESET was installed) also picked up the svchost in a temp directory as being a problem, yet it seems to be recurring. 

I am waiting to see if ESET will do anything different other than just stash another temp dir svchost.exe file in quarantine awaiting removal or what but I'm pretty certain it won't change a dang thing. It's really messing with my gpu to the extent I'm regularly exceeding 90 degrees on my graphics card and playing GTA V on the steam platform only pushes the card further so I'm not going to play that for the foreseeable until this issue gets fixed.

I have no idea what else to do - any help would be gratefully received.

I'm also getting adware pretty much constantly on Chrome and more recently with Firefox and that's also driving me crazy.




#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 19 July 2015 - 05:22 AM

Hi and welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Injure no one; on the contrary, help everyone as much as you can. (Arthur Schopenhauer)

#3 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 19 July 2015 - 09:17 PM

Hi,

I did as you requested and got as far as running the scan. Well, it doesn't work. I can't get it to work at all. I downloaded the 64-bit version of it, tried running it, but I got nothing. It doesn't even show up in Task Manager as running.

Not sure if you've got any other ideas here?

Thanks for the reply.

Marcus.



#4 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 20 July 2015 - 04:08 AM

No. Again, and just to be sure, I've tried both the 64-bit and 32-bit versions of FRST (despite having 64-bit Windows) after a hard reset, and nothing happens.



#5 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 20 July 2015 - 05:34 AM

Please try the scan in safe mode.
regards,
deeprybka

#6 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 20 July 2015 - 09:27 AM

I've tried that and still nothing. It's not even thinking about loading; it just does nothing whatsoever when I click to run it, when I select it and hit Enter, when I run it through Win+R, or anything like that. It just isn't doing whatever it's supposed to be doing.



#7 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 20 July 2015 - 10:10 AM

Step 1

Temporarily disable your antivirus and antispyware protection - instructions here.

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    process;
    services-list;
    systemspecs;
    startupall;
    filesrcm;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, the log will open after it. You may also find it on your main drive (usually C:\).

Post its content into your next reply.


regards,
deeprybka
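Zoek's results log lists running processes as bare image paths and, under "Files Recently Created / Modified", one line per file as date, time, MD5, size, attribute flags and full path. As an added example that is not part of this thread and not Zoek's own code, the script below parses those two sections and flags the pattern the opening post describes: a file carrying a core Windows binary name such as svchost.exe outside the system directories, or any executable dropped in a Temp folder. The embedded sample log is constructed (the user name and the MD5 values are placeholders), and the section and line layout is assumed from what Zoek prints.

```python
"""Triage helper for Zoek-style scan logs: added example, not Zoek's own code.

Assumes the log layout Zoek prints: '==== Section ====' headers, bare image paths
under 'Running Processes', and 'date time md5 size attrs path' lines under
'Files Recently Created / Modified' (directories carry '--------' for md5/size).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Names malware borrows from core Windows processes; the genuine binaries live
# only under SYSTEM_DIRS, so the same name anywhere else deserves a look.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "wininit.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative")
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

SECTION_RE = re.compile(r"^==== (.+?) =+$")
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<md5>[0-9A-Fa-f]{32}|-{8}) (?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Constructed sample (not taken from the thread); user name and MD5s are placeholders.
SAMPLE_LOG = r"""
==== Running Processes ======================

C:\WINDOWS\system32\svchost.exe
C:\Users\alice\AppData\Local\Temp\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

==== Files Recently Created / Modified ======================

====== C:\Users\alice\AppData\Local\Temp ====
2015-07-20 06:48:21 11111111111111111111111111111111 69255 ----a-w- C:\Users\alice\AppData\Local\Temp\Uninstall.exe
2015-07-19 01:37:16 00000000000000000000000000000000 372936 ----a-w- C:\Users\alice\AppData\Local\Temp\svchost.exe
2015-07-19 01:43:36 -------- -------- d-----w- C:\Users\alice\AppData\Local\Temp\jrt
====== C:\WINDOWS\SysWOW64 =====
2015-07-17 10:20:42 22222222222222222222222222222222 721920 ----a-w- C:\WINDOWS\SysWOW64\wuapi.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str
    md5: str = ""  # empty for process entries, which carry no hash


def classify_path(path: str) -> Optional[str]:
    """Return why a path is suspicious, or None if neither rule applies."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in MASQUERADE_NAMES and not parent.startswith(SYSTEM_DIRS):
        return f"system binary name '{p.name}' outside the system directories"
    if p.suffix.lower() in EXEC_SUFFIXES and "\\temp\\" in (parent + "\\"):
        return "executable inside a Temp directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current section header, and collect findings."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        if not line or line.startswith("======"):
            continue  # blank lines and '====== C:\dir ====' sub-headers
        md5 = ""
        if section.startswith("Running Processes"):
            path = line
        elif section.startswith("Files Recently Created"):
            m = FILE_RE.match(line)
            if not m or m.group("attrs").startswith("d"):
                continue  # unparseable line or a directory entry
            path, md5 = m.group("path"), m.group("md5")
        else:
            continue
        reason = classify_path(path)
        if reason:
            findings.append(Finding(section, path, reason, md5))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tail = f"  md5={f.md5}" if f.md5 else ""
        print(f"[{f.section}] {f.path}\n    {f.reason}{tail}")
```

A hit under "Running Processes" is the stronger signal: a masquerading svchost.exe that is alive while the scan runs means whatever recreates it is still active, which matches the opening post's experience of the Temp copy reappearing after every quarantine. Temp-directory findings are review candidates rather than verdicts, since legitimate installers also unpack there; the captured MD5 is the value to compare against the quarantine entries or to look up.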

#8 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 20 July 2015 - 04:24 PM

Success! However, I won't be able to post this until tomorrow evening, as I'm due to spend about nine hours on a coach to get back home. I'm just typing this out, packing up, and then putting my daughter to bed, ready for the long day tomorrow.

That said, I'm familiar (at a basic level) with the sort of information such reports give out. Should the report use sensitive information such as my computer's name and my workgroup name, is it okay if I do not include these names in the logfile response?

Thanks for the replies so far - it seems we might be getting somewhere before too long hopefully.


Edited by MJPRCE, 20 July 2015 - 04:24 PM.


#9 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 21 July 2015 - 10:46 AM

"is it okay if I do not include these names in the logfile response?"

Yes, it is.
regards,
deeprybka

#10 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 24 July 2015 - 09:59 AM

Sorry for the delay, here is the logfile as requested - minor redactions are indicated by "-----", though nothing of significance has otherwise been removed.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by ------- on 20/07/2015 at 17:05:07.08.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\--------\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
20/07/2015 17:13:21 Zoek.exe System Restore Point Created Successfully.
 
==== Running Processes ======================
 
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe
C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe
C:\Users\------\Downloads\zoek.exe
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\SysWOW64\cmd.exe
 
==== Services(whitelist) ======================
Powered by E Dev
 
R2 - [_wfcs] - Windows Firewall Control - c:\program files\windows firewall control\wfcs.exe
R2 - [Apple Mobile Device] - Apple Mobile Device - c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
R2 - [Bluetooth Device Monitor] - Bluetooth Device Monitor - c:\program files (x86)\intel\bluetooth\devmonsrv.exe
R2 - [Bluetooth OBEX Service] - Bluetooth OBEX Service - c:\program files (x86)\intel\bluetooth\obexsrv.exe
R2 - [Bonjour Service] - Bonjour Service - c:\program files\bonjour\mdnsresponder.exe
R2 - [CAMService] - CAM Service - c:\program files\intel\cam\bin\camservice.exe
R2 - [EvtEng] - Intel® PROSet/Wireless Event Log - c:\program files\intel\wifi\bin\evteng.exe
R2 - [Intel® Capability Licensing Service Interface] - Intel® Capability Licensing Service Interface - c:\program files\intel\icls client\heciserver.exe
R2 - [nvsvc] - NVIDIA Display Driver Service - c:\windows\system32\nvvsvc.exe
R2 - [RegSrvc] - Intel® PROSet/Wireless Registry Service - c:\program files\common files\intel\wirelesscommon\regsrvc.exe
R2 - [RtkAudioService] - Realtek Audio Service - c:\program files\realtek\audio\hda\rtkaudioservice64.exe
R2 - [TeamViewer] - TeamViewer 10 - c:\program files (x86)\teamviewer\teamviewer_service.exe
R2 - [Thpsrv] - TOSHIBA HDD Protection - c:\windows\system32\thpsrv.exe
R2 - [TODDSrv] - TOSHIBA Optical Disc Drive Service - c:\windows\system32\toddsrv.exe
R2 - [TOSHIBA eco Utility Service] - TOSHIBA eco Utility Service - c:\program files\toshiba\teco\tecoservice.exe
R2 - [XTU3SERVICE] - Intel® Extreme Tuning Utility Service - c:\program files (x86)\intel\extreme tuning utility\xtuservice.exe
R2 - [ZeroConfigService] - Intel® PROSet/Wireless Zero Configuration Service - c:\program files\intel\wifi\bin\zeroconfigservice.exe
R3 - [ICCS] - Intel® Integrated Clock Controller Service - Intel® ICCS - c:\program files (x86)\intel\intel® integrated clock controller service\iccproxy.exe
R3 - [TemproMonitoringService] - TEMPRO Service - c:\program files (x86)\toshiba tempro\temprosvc.exe
R3 - [VSS] - Volume Shadow Copy - c:\windows\system32\vssvc.exe
S2 - [6cecf580] - TroubleFix - (x86)\troublefix\troublefix.dll [x]
S2 - [gupdate] - Google Update Service (gupdate) - c:\program files (x86)\google\update\googleupdate.exe
S2 - [iBtSiva] - Intel Bluetooth Service - c:\program files (x86)\intel\bluetooth\ibtsiva.exe
S2 - [SkypeUpdate] - Skype Updater - c:\program files (x86)\skype\updater\updater.exe
S2 - [sppsvc] - Software Protection - c:\windows\system32\sppsvc.exe
S3 - [AdobeFlashPlayerUpdateSvc] - Adobe Flash Player Update Service - c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
S3 - [ALG] - Application Layer Gateway Service - c:\windows\system32\alg.exe
S3 - [COMSysApp] - COM+ System Application - c:\windows\system32\dllhost.exe
S3 - [cphs] - Intel® Content Protection HECI Service - c:\windows\syswow64\intelcphecisvc.exe
S3 - [disconnect-openvpn] - disconnect-openvpn - c:\program files (x86)\disconnect\disconnect desktop\nssm.exe [x]
S3 - [Fax] - Fax - c:\windows\system32\fxssvc.exe
S3 - [FontCache3.0.0.0] - Windows Presentation Foundation Font Cache 3.0.0.0 - c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
S3 - [gupdatem] - Google Update Service (gupdatem) - c:\program files (x86)\google\update\googleupdate.exe
S3 - [IEEtwCollectorService] - Internet Explorer ETW Collector Service - c:\windows\system32\ieetwcollector.exe
S3 - [iPod Service] - iPod Service - c:\program files\ipod\bin\ipodservice.exe
S3 - [MozillaMaintenance] - Mozilla Maintenance Service - c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
S3 - [MSDTC] - Distributed Transaction Coordinator - c:\windows\system32\msdtc.exe
S3 - [msiserver] - Windows Installer - c:\windows\system32\msiexec.exe
S3 - [MyWiFiDHCPDNS] - Wireless PAN DHCP Server - c:\program files\intel\wifi\bin\pandhcpdns.exe
S3 - [ose64] - Office 64 Source Engine - c:\program files\common files\microsoft shared\source engine\ose.exe
S3 - [PerfHost] - Performance Counter DLL Host - c:\windows\syswow64\perfhost.exe
S3 - [RpcLocator] - Remote Procedure Call (RPC) Locator - c:\windows\system32\locator.exe
S3 - [SNMPTRAP] - SNMP Trap - c:\windows\system32\snmptrap.exe
S3 - [Steam Client Service] - Steam Client Service - c:\program files (x86)\common files\steam\steamservice.exe
S3 - [SwitchBoard] - SwitchBoard - c:\program files (x86)\common files\adobe\switchboard\switchboard.exe
S3 - [TMachInfo] - TMachInfo - c:\program files\toshiba\toshiba service station\tmachinfo.exe
S3 - [TPCHSrv] - TPCH Service - c:\program files\toshiba\tphm\tpchsrv.exe
S3 - [TrustedInstaller] - Windows Modules Installer - c:\windows\servicing\trustedinstaller.exe
S3 - [vds] - Virtual Disk - c:\windows\system32\vds.exe
S3 - [wbengine] - Block Level Backup Engine Service - c:\windows\system32\wbengine.exe
S3 - [WdNisSvc] - Windows Defender Network Inspection Service - c:\program files\windows defender\nissrv.exe
S3 - [WinDefend] - Windows Defender Service - c:\program files\windows defender\msmpeng.exe
S3 - [wmiApSrv] - WMI Performance Adapter - c:\windows\system32\wbem\wmiapsrv.exe
S3 - [WMPNetworkSvc] - Windows Media Player Network Sharing Service - c:\program files\windows media player\wmpnetwk.exe
S4 - [WSearch] - Windows Search - c:\windows\system32\searchindexer.exe
 
==== System Specs ======================
 
Operating System: Microsoft Windows 8.1 6.3.9600  64-bit
Manufacturer: TOSHIBA - Model: SATELLITE P875
Install Date: 25/01/2015 00:11:34
Last Boot: 20/07/2015 15:16:31
Processor: Intel® Core™ i5-3230M CPU @ 2.60GHz
Number of Processors: 4
Work Station
Bootmode: Normal boot
Total RAM: 8076 MB (free 6093 MB - 75)
Computername: ------
Domain: ------
User: ------- (Administrator account)
Local Disk:        C:\ - NTFS - 686 GB (free 139 GB)
CD \ DVD Drive:    D:\ 
CD \ DVD Drive:    G:\ 
Bootdevice: \Device\HarddiskVolume2
Windows update: 
Country:  
Language:  
 
==== System Specs (Software) ======================
 
Anti-Virus: ESET NOD32 Antivirus 8.0 On-access scanning disabled (Outdated)
Anti-Virus: Windows Defender On-access scanning disabled (Outdated)
Anti-Spyware: Windows Defender disabled (Outdated)
Anti-Spyware: ESET NOD32 Antivirus 8.0 disabled (Outdated)
Default Browser: Firefox 39.0
Internet Explorer Version: 11.0.9600.17905 
Sun Java version: 1.8.0_45 (32-bit) 
Sun Java version: 1.8.0_45 (64-bit) 
Shockwave Player version: 8.5.1r102
 
==== Files Recently Created / Modified ======================
 
====== C:\WINDOWS ====
====== C:\Users\------\AppData\Local\Temp ====
2015-07-20 06:48:21 0EC46A0C9E8BC678CC90C7B6122F71B5 69255 ----a-w- C:\Users\----\AppData\Local\Temp\Uninstall.exe
2015-07-19 01:37:16 7D19B84C00EE089930247281B79DD656 372936 ----a-w- C:\Users\-----\AppData\Local\Temp\InstHelper.exe
2015-07-17 21:38:04 E0DC8C6BBC787B972A9A468648DBFD85 1008128 ----a-w- C:\Users\----\AppData\Local\Temp\jrt\libiconv2.dll
2015-07-17 21:38:04 D34DE397C882E8E71FB0966D28F07CB1 71992 ----a-w- C:\Users\------\AppData\Local\Temp\jrt\CreateRestorePoint.exe
2015-07-17 21:38:04 D202BAA425176287017FFE1FB5D1B77C 103424 ----a-w- C:\Users\-----\AppData\Local\Temp\jrt\libintl3.dll
2015-07-17 21:38:04 57CAC848FA14AE38F14F9441F8933282 140288 ----a-w- C:\Users\-----\AppData\Local\Temp\jrt\pcre3.dll
2015-07-17 21:38:04 547C43567AB8C08EB30F6C6BACB479A3 79360 ----a-w- C:\Users\----\AppData\Local\Temp\jrt\regex2.dll
2015-07-17 21:38:04 2F9C7FDA92C346CB5AA32091536AE0CB 43520 ----a-w- C:\Users\-----\AppData\Local\Temp\jrt\nfo\nircmdc.exe
====== Java Cache =====
2015-07-14 01:42:43 B57CB9B24412B8E34FF2692D8103246A 14732 ----a-w- C:\Users\------\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\2dc64e0c-37ef3c04
2015-06-28 04:04:42 E28F59B5FCE5A1E270F5F5CE122016D2 100 ----a-w- C:\Users\------\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\371a6814-f4d1a4b073aab66857bccfc89d6e6264b8494375cc9999c8abb6c1b945f5a7b9-6.0.lap
2015-07-14 01:42:51 98A6864A1F158187F0B227D0A2ADA3A0 94 ----a-w- C:\Users\-----\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\22cd3517-91932a991f15b7ad1213899d3e43885957cfcc2729a13af9493bd71aa58fdf9b-6.0.lap
2015-07-14 01:42:42 24FB542F7AA941256792FE4A9A2E15C2 37 ----a-w- C:\Users\----\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\3ea53004-e53b707a1de247ed096aae0f1959ca541704b477d955e62f920aaa1c311e16c7-6.0.lap
2015-07-14 02:02:25 757A4022316070F4F25AA9DEFC1B8EFA 78642080 ----a-w- C:\Users\----\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\2880acf1-22c4daf0
2015-06-28 04:04:45 5113AA1EF760673DD56C54ABF1E1B541 100 ----a-w- C:\Users\-----\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\5b2ff37b-a148d7afeb82aa00105491ce6c810145b0aabe6d3f6f229319f2eb1bc658746d-6.0.lap
2015-06-28 04:04:32 C5A27746F84BFEE257F1A1D9EE3E018C 104 ----a-w- C:\Users\------\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\2666ee86-9741a20189fb94b70bc887793603abe92ed27ae9c22405809d79870e5f9049dd-6.0.lap
2015-07-14 02:15:36 2CD1F8AF1F95CE6E8F65EADF6DDBBB4B 44166003 ----a-w- C:\Users\-----\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\64303c7d-428a86d6
====== C:\WINDOWS\SysWOW64 =====
2015-07-17 10:20:42 00AFDE50445AE39F2B6DE0FAC937D7DF 721920 ----a-w- C:\WINDOWS\SysWOW64\wuapi.dll
2015-07-17 10:20:41 DE3A47073AE1D0554C6BC8209EAA61D6 81920 ----a-w- C:\WINDOWS\SysWOW64\wudriver.dll
2015-07-17 10:20:41 9F8E5FF86AD54E60537158E30230A4FD 29696 ----a-w- C:\WINDOWS\SysWOW64\wuapp.exe
2015-07-17 10:20:41 73C97B94FDCA957A2BEF94EEF66B9D82 124928 ----a-w- C:\WINDOWS\SysWOW64\wuwebv.dll
2015-07-17 10:20:41 6125B69B76160B3B7D07653EE8034272 27136 ----a-w- C:\WINDOWS\SysWOW64\wups.dll
2015-07-17 10:19:57 780F3D4149BB3F98F1B5C97C74CCA527 332120 ----a-w- C:\WINDOWS\SysWOW64\msv1_0.dll
2015-07-17 10:19:57 51A403F76D38BBA81E52AACB4CF858A1 802816 ----a-w- C:\WINDOWS\SysWOW64\kerberos.dll
2015-07-17 10:19:57 20E1183B113478AD3223DE56EF27B017 324096 ----a-w- C:\WINDOWS\SysWOW64\certcli.dll
2015-07-17 10:19:57 16170A51A9C84F364E5CBF0F6C7A25A8 747520 ----a-w- C:\WINDOWS\SysWOW64\rpcrt4.dll
2015-07-17 10:19:55 FFFFA05A3C67F715D91978351F84D254 2460160 ----a-w- C:\WINDOWS\SysWOW64\authui.dll
2015-07-17 10:19:55 EB7494B829EB4252538AFFA534BBEC73 301056 ----a-w- C:\WINDOWS\SysWOW64\atmfd.dll
2015-07-17 10:19:55 C68E1EC5B40FA3BAEF5088F15A687BA3 3607552 ----a-w- C:\WINDOWS\SysWOW64\msi.dll
2015-07-17 10:19:55 052FBC5525FA2975FC08EBD130BC0209 59904 ----a-w- C:\WINDOWS\SysWOW64\msiexec.exe
2015-07-17 10:19:54 B2B0FAC1B6684C1B066095DA63FDD821 35840 ----a-w- C:\WINDOWS\SysWOW64\atmlib.dll
2015-07-17 10:19:23 BE2E7F60FE2D64346530A31E60F41505 4520448 ----a-w- C:\WINDOWS\SysWOW64\jscript9.dll
2015-07-17 10:19:19 116F506573B59B85CD0DC18527E9951A 19877376 ----a-w- C:\WINDOWS\SysWOW64\mshtml.dll
2015-07-17 10:19:03 AFAEB9E4269846C64DC9721B1BFA5CEC 12855296 ----a-w- C:\WINDOWS\SysWOW64\ieframe.dll
2015-07-17 10:19:02 8EDF7B6D3A563DAA06DD87053C734168 2279424 ----a-w- C:\WINDOWS\SysWOW64\iertutil.dll
2015-07-17 10:19:01 05CA106A1B68770BDABB9AA7AEAE516A 1310720 ----a-w- C:\WINDOWS\SysWOW64\urlmon.dll
2015-07-17 10:18:25 E2B8238F0A0D1ADBA3AE4A6D6F0EC756 1951232 ----a-w- C:\WINDOWS\SysWOW64\wininet.dll
2015-07-17 10:18:23 A4CDF35747C0023EAA346A602398B21A 504320 ----a-w- C:\WINDOWS\SysWOW64\vbscript.dll
2015-07-17 10:18:23 100C1CE9CD6B071C257CF01BC8862FC2 1048576 ----a-w- C:\WINDOWS\SysWOW64\actxprxy.dll
2015-07-17 10:18:22 FBAB9BC4D37919C1FF3ABC8EF7B6519A 73216 ----a-w- C:\WINDOWS\SysWOW64\tdc.ocx
2015-07-17 10:18:22 D8BF6D6A53F01F994FD1E418214A6A3F 689152 ----a-w- C:\WINDOWS\SysWOW64\msfeeds.dll
2015-07-17 10:18:22 77A44634B72E71572EDBBA68CF3396EF 710144 ----a-w- C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-07-17 10:18:22 6163462E9F2F2252C1923F00B0156324 64000 ----a-w- C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-07-17 10:18:22 56F69242999ADD150DDBE8F20B27873D 168960 ----a-w- C:\WINDOWS\SysWOW64\msrating.dll
2015-07-17 10:18:22 23EFF186B887412CC057F49091D6AFCC 478208 ----a-w- C:\WINDOWS\SysWOW64\ieui.dll
2015-07-17 10:18:21 7D28B19A2238BBC853A10134C1D6F8EB 2052608 ----a-w- C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-07-17 10:18:21 3BFAB08093416CB6B9215183BA7D4197 285696 ----a-w- C:\WINDOWS\SysWOW64\dxtrans.dll
2015-07-17 10:18:20 BC8215B25C42E741A80BC4B264427070 880128 ----a-w- C:\WINDOWS\SysWOW64\inetcomm.dll
2015-07-17 10:18:19 E521E979CD0E965A98B62DD97179455B 327168 ----a-w- C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-07-17 10:18:19 6D7282F5A10E4A99F990FC19C6DF8010 230400 ----a-w- C:\WINDOWS\SysWOW64\webcheck.dll
2015-07-17 10:18:19 1E89000637EC1481143FAED744BB3BA1 76288 ----a-w- C:\WINDOWS\SysWOW64\mshtmled.dll
2015-07-17 10:18:18 C9C47A696BFB186CE23E7AD9421520F6 664064 ----a-w- C:\WINDOWS\SysWOW64\jscript.dll
2015-07-17 10:18:18 52C0648A543920034213337C2BC3E7F7 128000 ----a-w- C:\WINDOWS\SysWOW64\iepeers.dll
2015-07-17 10:18:01 A7AF3885B327D574682693E4E71CDD68 1097216 ----a-w- C:\WINDOWS\SysWOW64\gdi32.dll
2015-07-17 10:18:01 7F99D7C779056615EA4F110AB11D0BE5 1212248 ----a-w- C:\WINDOWS\SysWOW64\ole32.dll
====== C:\WINDOWS\SysWOW64\drivers =====
====== C:\WINDOWS\Sysnative =====
2015-07-17 10:20:45 DD3D37B54CFB348BA23D174CF1EF1F47 4177920 ----a-w- C:\WINDOWS\Sysnative\win32k.sys
2015-07-17 10:20:42 DE5203BE4C45434F1EE6FB3FB451F9F8 891904 ----a-w- C:\WINDOWS\Sysnative\wuapi.dll
2015-07-17 10:20:42 B50599B542623B6C3A731F15A8C0D5AB 66048 ----a-w- C:\WINDOWS\Sysnative\wups.dll
2015-07-17 10:20:42 89DCA2C3E77CDAC198A395DB73617CCF 409088 ----a-w- C:\WINDOWS\Sysnative\WUSettingsProvider.dll
2015-07-17 10:20:42 6AFBB018517367B69076CC84ABF9CA80 136904 ----a-w- C:\WINDOWS\Sysnative\wuauclt.exe
2015-07-17 10:20:42 50CEC061C6D6FD2B9C89BECD08991CCB 3701760 ----a-w- C:\WINDOWS\Sysnative\wuaueng.dll
2015-07-17 10:20:42 27BF17D45CEBD10D0096038C5B38D288 2229248 ----a-w- C:\WINDOWS\Sysnative\wucltux.dll
2015-07-17 10:20:41 F8B153D04E96D5E24C4F482133B99753 140288 ----a-w- C:\WINDOWS\Sysnative\wuwebv.dll
2015-07-17 10:20:41 B137687B02C877047CCD4873D2925814 359936 ----a-w- C:\WINDOWS\Sysnative\WinSetupUI.dll
2015-07-17 10:20:41 AEE0035F389ED7EFE23E01253BFA382E 35840 ----a-w- C:\WINDOWS\Sysnative\wuapp.exe
2015-07-17 10:20:41 97A706C00A1ADCF8C5875BC29BB9DBA3 95744 ----a-w- C:\WINDOWS\Sysnative\wudriver.dll
2015-07-17 10:20:41 2DF64AE63F4A95252E9AA626C5C65740 52224 ----a-w- C:\WINDOWS\Sysnative\wups2.dll
2015-07-17 10:19:58 B01F3377CB949F72366D0B014FF060B9 442712 ----a-w- C:\WINDOWS\Sysnative\msv1_0.dll
2015-07-17 10:19:58 63040C9A508532F90F6D0BF57E556B82 989184 ----a-w- C:\WINDOWS\Sysnative\kerberos.dll
2015-07-17 10:19:58 2F802C0E8B7714268C788D0625E6FBE2 1311960 ----a-w- C:\WINDOWS\Sysnative\rpcrt4.dll
2015-07-17 10:19:57 415862B5FF298A751D775AC49730D04C 1441792 ----a-w- C:\WINDOWS\Sysnative\lsasrv.dll
2015-07-17 10:19:57 14AADFF241A96629D64DD7F015976E82 445440 ----a-w- C:\WINDOWS\Sysnative\certcli.dll
2015-07-17 10:19:56 C6264DEDF8FE95FAB9AFC47C3F95A6A8 37888 ----a-w- C:\WINDOWS\Sysnative\werdiagcontroller.dll
2015-07-17 10:19:56 431FE56F5A2F5937994CB2DA330B47DB 230400 ----a-w- C:\WINDOWS\Sysnative\AudioEndpointBuilder.dll
2015-07-17 10:19:56 4043D5D64F57F86DE757ACD07FB500DB 2774528 ----a-w- C:\WINDOWS\Sysnative\authui.dll
2015-07-17 10:19:56 0F03CC00645D7F841879A048787D6AC7 911360 ----a-w- C:\WINDOWS\Sysnative\audiosrv.dll
2015-07-17 10:19:55 A7E6931FBB62F18C5DAE52E9AC379C05 3320320 ----a-w- C:\WINDOWS\Sysnative\msi.dll
2015-07-17 10:19:55 2403EA62E45389F353E507A4EDA94F5D 65024 ----a-w- C:\WINDOWS\Sysnative\msiexec.exe
2015-07-17 10:19:54 3914465775345215CCD1C5D073DC5897 44032 ----a-w- C:\WINDOWS\Sysnative\atmlib.dll
2015-07-17 10:19:54 2C98F0971126E7530A6FA1EF572F2129 358912 ----a-w- C:\WINDOWS\Sysnative\atmfd.dll
2015-07-17 10:19:26 F91793E2D348FB3D1C8EAD70ECBB3F49 764928 ----a-w- C:\WINDOWS\Sysnative\invagent.dll
2015-07-17 10:19:26 C20BFFEA714E9F71FC7BCDCFB2502396 433152 ----a-w- C:\WINDOWS\Sysnative\devinv.dll
2015-07-17 10:19:26 B96E8ECF192F2549A30F6A6E5548191D 67584 ----a-w- C:\WINDOWS\Sysnative\acmigration.dll
2015-07-17 10:19:26 7C20B163DE8138A311537C65B9E58EC0 26288 ----a-w- C:\WINDOWS\Sysnative\CompatTelRunner.exe
2015-07-17 10:19:26 6D8BE0E262EE5D45DE47B772F9D6C3F3 1145856 ----a-w- C:\WINDOWS\Sysnative\aeinv.dll
2015-07-17 10:19:26 4310B66A618A71B48BA092C4A514B8A5 1084928 ----a-w- C:\WINDOWS\Sysnative\appraiser.dll
2015-07-17 10:19:26 195770B066EBA124F9363A8A3E5E51C6 726528 ----a-w- C:\WINDOWS\Sysnative\generaltel.dll
2015-07-17 10:19:25 F368216A5F98B92AD02E7F61229B1B5B 227328 ----a-w- C:\WINDOWS\Sysnative\aepdu.dll
2015-07-17 10:19:24 EEACF91E8C44AEA612030418DDAA7EC9 5923840 ----a-w- C:\WINDOWS\Sysnative\jscript9.dll
2015-07-17 10:19:20 D74E2BE157B8A2A9CF29BEBB052B8A42 25193984 ----a-w- C:\WINDOWS\Sysnative\mshtml.dll
2015-07-17 10:19:05 6A70888EEC05B45C8990E8977C480019 14453248 ----a-w- C:\WINDOWS\Sysnative\ieframe.dll
2015-07-17 10:19:02 78E4D3781E5632BA88E5153510BEB625 1545728 ----a-w- C:\WINDOWS\Sysnative\urlmon.dll
2015-07-17 10:19:02 41D59904967A4033FB4497DCED7320AD 2885632 ----a-w- C:\WINDOWS\Sysnative\iertutil.dll
2015-07-17 10:18:29 1259148E2B17FA7717E4550F58568BC8 2880000 ----a-w- C:\WINDOWS\Sysnative\actxprxy.dll
2015-07-17 10:18:28 98C6A46E9E2822BF83196C2EAE43DBD4 2427392 ----a-w- C:\WINDOWS\Sysnative\wininet.dll
2015-07-17 10:18:22 CF84C52C84418075D1663C376DB04C18 88064 ----a-w- C:\WINDOWS\Sysnative\MshtmlDac.dll
2015-07-17 10:18:22 A21CB1630BD6D07CB9B83195F6269E63 633856 ----a-w- C:\WINDOWS\Sysnative\ieui.dll
2015-07-17 10:18:22 9EB977926D63823082883F35C9774C94 2125824 ----a-w- C:\WINDOWS\Sysnative\inetcpl.cpl
2015-07-17 10:18:22 9889590CA1A0F95F310A9616FA87B6FD 800768 ----a-w- C:\WINDOWS\Sysnative\ieapfltr.dll
2015-07-17 10:18:22 0E1D68E6691BBC62AF4CDF7F7A12C598 584192 ----a-w- C:\WINDOWS\Sysnative\vbscript.dll
2015-07-17 10:18:21 9C989DC61ABFB3479607DABF16BBF300 801280 ----a-w- C:\WINDOWS\Sysnative\msfeeds.dll
2015-07-17 10:18:19 ECFE64A113A2DFEF26442EA91AC7E9BF 87552 ----a-w- C:\WINDOWS\Sysnative\tdc.ocx
2015-07-17 10:18:19 C0CB840274D41027E51A81F9DE2CC4C1 199680 ----a-w- C:\WINDOWS\Sysnative\msrating.dll
2015-07-17 10:18:19 A82A658C7120E513A44EC477D7AE7A52 145408 ----a-w- C:\WINDOWS\Sysnative\iepeers.dll
2015-07-17 10:18:19 90E6E79D624D86CC4F4AF7C57EB91396 262144 ----a-w- C:\WINDOWS\Sysnative\webcheck.dll
2015-07-17 10:18:19 6B56CD995655081863FFB663EA519DBA 1032704 ----a-w- C:\WINDOWS\Sysnative\inetcomm.dll
2015-07-17 10:18:19 66D75C8BDA2467A21793F2FCED29B723 92160 ----a-w- C:\WINDOWS\Sysnative\mshtmled.dll
2015-07-17 10:18:19 404A75D7815A7202753453FF9391D2D8 316928 ----a-w- C:\WINDOWS\Sysnative\dxtrans.dll
2015-07-17 10:18:18 C1DC2E63FBBC734BB9B11FF7FDAF30D6 816640 ----a-w- C:\WINDOWS\Sysnative\jscript.dll
2015-07-17 10:18:01 171705D0C4E4442241C6098D4FF1C059 1661576 ----a-w- C:\WINDOWS\Sysnative\ole32.dll
2015-07-17 10:18:01 04659158548DB53FFFC51ADC5CBE3858 1380600 ----a-w- C:\WINDOWS\Sysnative\gdi32.dll
====== C:\WINDOWS\Sysnative\drivers =====
2015-07-17 10:19:58 6FBDF2B1B025A8E6E069234362FFFFB7 401408 ----a-w- C:\WINDOWS\Sysnative\drivers\mrxsmb.sys
2015-07-17 10:19:57 BCBD64220AD85C26823453FF1DC3EFBD 284672 ----a-w- C:\WINDOWS\Sysnative\drivers\mrxsmb10.sys
2015-07-17 10:19:57 57C2473D501331211D6885FD59F3E44B 202240 ----a-w- C:\WINDOWS\Sysnative\drivers\mrxsmb20.sys
2015-07-17 10:19:57 46711F40D0F9E63F786ED23F9BD5215E 178008 ----a-w- C:\WINDOWS\Sysnative\drivers\ksecpkg.sys
2015-06-30 07:08:04 B8F36CBC72FC5C8B8A30AD850165EA8E 72192 ----a-w- C:\WINDOWS\Sysnative\drivers\ndproxy.sys
2015-06-30 07:08:04 23006D660C0E54BF1CE8253E15F5E995 80896 ----a-w- C:\WINDOWS\Sysnative\drivers\wanarp.sys
2015-06-30 07:03:30 0CC00ADC1B84C93FB46E1A0974E956E1 1201664 -c--a-w- C:\WINDOWS\Sysnative\drivers\bthport.sys
2015-06-30 07:02:13 312BB35275EB15145F4B6D1FFCE56C50 20992 ----a-w- C:\WINDOWS\Sysnative\drivers\usb8023.sys
2015-06-28 04:13:14 BF769EC1CC472FAD4C6EAEEB96ED857E 11011216 ----a-w- C:\WINDOWS\Sysnative\drivers\nvlddmkm.sys
2015-06-28 04:13:14 3BC9A2A516D1215330FFE012B38F850C 31376 ----a-w- C:\WINDOWS\Sysnative\drivers\nvpciflt.sys
====== C:\WINDOWS\Tasks ======
2015-07-18 00:35:12 7860E1CA4833830CB6E0DDD0CC7A0DE7 3324 ----a-w- C:\WINDOWS\Sysnative\Tasks\GoogleUpdate
2015-07-18 00:35:11 A1DB9D948ED25F12CC51767F8B2DF7AF 3320 ----a-w- C:\WINDOWS\Sysnative\Tasks\GoogleUpdateClient
====== C:\WINDOWS\Temp ======
======= C:\Program Files =====
2015-07-19 01:33:49 -------- d-----w- C:\Program Files\ESET
2015-07-18 02:09:46 -------- d-----w- C:\Program Files\Artensoft Photo Collage Maker
2015-06-22 07:32:35 -------- d-----w- C:\Program Files\Reflector 2
======= C:\PROGRA~2 =====
2015-07-14 02:40:43 -------- d-----w- C:\PROGRA~2\ProcessMonitor
2015-07-13 16:15:24 -------- d-----w- C:\PROGRA~2\Vector Thrust
2015-07-13 02:04:24 -------- d-----w- C:\PROGRA~2\Rovio
2015-07-02 03:12:57 -------- d-----w- C:\PROGRA~2\Electronic Arts
2015-07-02 02:41:32 -------- d-----w- C:\PROGRA~2\Maxis
2015-06-20 18:11:02 -------- d-----w- C:\PROGRA~2\LEGO Jurassic World
======= C: =====
====== C:\Users\----\AppData\Roaming ======
2015-07-19 01:47:07 -------- d-----w- C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\ESET
2015-07-19 01:43:36 -------- d-----w- C:\Users\-----\AppData\Local\ESET
2015-07-18 01:42:45 672A7F0E9D67B8D316314EB8472D3792 24 ----a-w- C:\Users\-----AppData\Roaming\appdataFr25.bin
2015-07-18 01:41:38 E817B1704F2FC3DF526C0C697722D511 42259 ----a-w- C:\Users\-----\AppData\Local\Perfmon.PerfmonCfg
2015-07-13 02:31:20 -------- d-----w- C:\Users\-----\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Angry Birds Star Wars II 1.51
2015-07-13 02:12:18 -------- d-----w- C:\Users\------\AppData\Roaming\Rovio
2015-07-02 03:22:28 -------- d--h--r- C:\Users\-----\AppData\Roaming\SecuROM
2015-06-22 07:33:03 -------- d-----w- C:\Users\------\AppData\Local\Reflector 2
2015-06-20 18:38:22 -------- d-----w- C:\Users\----\AppData\Roaming\Warner Bros. Interactive Entertainment
====== C:\Users\--------======
2015-07-20 09:07:01 A4F999817509A66F45E04FE11B2CBB0B 1637888 ----a-w- C:\Users\--------\Downloads\FRST.exe
2015-07-20 01:28:30 0197CBDA9B311C0FD41E3E298A30D3B0 2134528 ----a-w- C:\Users\--------\Desktop\FRST64.exe
2015-07-19 01:33:50 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2015-07-19 01:33:49 -------- d-----w- C:\ProgramData\ESET
2015-07-18 19:38:41 9D8A4379868618F46677DBF2B94C800A 2508432 ----a-w- C:\Users\--------\Desktop\procexp.exe
2015-07-17 21:36:30 09B6F6FCCC35DBAFCB38CB3751FA7C2F 2248704 ----a-w- C:\Users\-------\Downloads\AdwCleaner.exe
2015-07-17 21:36:18 0BFBB2FF015E6FB9F793D9FB4BF0F1A9 1798288 ----a-w- C:\Users\-------\Downloads\JRT(1).exe
2015-07-13 02:26:45 AF22316D8C4B1AC0C38785CC4B6A06CF 104698663 ----a-w- C:\Users\-----\Downloads\Angry Birds Star Wars II.exe
2015-07-13 02:16:14 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rovio Entertainment Ltd
2015-07-13 02:04:24 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rovio
2015-07-02 03:23:53 -------- d-----w- C:\ProgramData\SimCity Societies
2015-07-02 03:18:33 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts
2015-07-02 02:51:41 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maxis
2015-06-30 08:10:01 -------- d-----w- C:\ProgramData\ALM
2015-06-28 04:13:22 -------- d-----w- C:\ProgramData\boost_interprocess
2015-06-22 07:33:04 -------- d-----w- C:\ProgramData\Reflector 2
2015-06-22 07:32:36 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reflector 2
 
====== C: exe-files ==
2015-07-19 01:36:03 65565B7EC5B08F91B608949A06D27920 589512 ----a-w- C:\Program Files\ESET\ESET NOD32 Antivirus\speclean.exe
2015-07-18 02:09:54 6102828BE08E342A5872BB429B499D3F 7725520 ----a-w- C:\Program Files\Artensoft Photo Collage Maker\Artensoft Photo Collage Maker.exe
2015-07-18 02:09:46 BF4EED619E778F0B543C21DF6968E1E0 1160144 ----a-w- C:\Program Files\Artensoft Photo Collage Maker\unins000.exe
2015-07-17 10:19:01 3698C298719803F6502612D651A852B2 491008 ----a-w- C:\Program Files\Internet Explorer\ieinstal.exe
2015-07-17 10:19:01 26492D0AE6279B60A3801EDBE3CB794C 473600 ----a-w- C:\Program Files (x86)\Internet Explorer\ieinstal.exe
2015-07-16 21:00:56 D7E523E6F4C911EDFF6A8325ACAEE56C 88392 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleUpdateOnDemand.exe
2015-07-16 21:00:56 93EE27EEA252951660682E891B72D7F5 88392 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleUpdateWebPlugin.exe
2015-07-16 21:00:56 81A1D591D429FF81D443A993B9B91301 88392 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleUpdateBroker.exe
2015-07-16 21:00:50 C42B77A66A4B794A56DFCD2FBEA5AD01 931408 ----a-w- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleUpdateSetup.exe
2015-07-16 21:00:41 FC8EE235C4F75C96907C25EF1349CB81 130888 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleUpdateComRegisterShell64.exe
2015-07-16 21:00:41 92D840650F95EB60659952AEECAFCE85 305992 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleCrashHandler64.exe
2015-07-16 21:00:40 C6FF00DA1605982E616C03BE809FFE2D 144200 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleUpdate.exe
2015-07-16 21:00:40 54FB3B0B29F76E839C648D2F5983A22C 245576 ----atw- C:\Program Files (x86)\Google\Update\1.3.28.1\GoogleCrashHandler.exe
2015-07-16 21:00:33 C42B77A66A4B794A56DFCD2FBEA5AD01 931408 ----a-w- C:\Program Files (x86)\Google\Update\Install\{CE41923A-E9AD-4254-8D2F-23FCB5478B77}\GoogleUpdateSetup.exe
2015-07-16 21:00:32 C42B77A66A4B794A56DFCD2FBEA5AD01 931408 ----a-w- C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.28.1\GoogleUpdateSetup.exe
2015-07-14 23:00:37 E06EB83F9B05760B54FAEA13063C5833 1080912 ----a-w- C:\Program Files (x86)\Google\Update\Install\{E7B2B9A0-87A2-4500-AFD8-605E0E50652B}\43.0.2357.134_43.0.2357.132_chrome_updater.exe
2015-07-14 23:00:37 E06EB83F9B05760B54FAEA13063C5833 1080912 ----a-w- C:\Program Files (x86)\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\43.0.2357.134\43.0.2357.134_43.0.2357.132_chrome_updater.exe
=== C: other files ==
2015-07-20 14:23:24 F67ADFC51A3640109ADFA26C46BF45FD 2276 ----a-w- C:\Users\--------\Downloads\Photoshop-Actions-Rivers-20-off.zip
2015-07-20 14:23:07 B26725769C4971C36C5768EFE490F0CA 1844508 ----a-w- C:\Users\--------\Downloads\Me-Responsive-Personal-Portfolio.zip
2015-07-20 14:22:54 D413F8F8E7BE78939837636367BB1AE4 583337 ----a-w- C:\Users\--------\Downloads\Web-Wireframes-User-Flow.zip
2015-07-20 14:22:42 410F0132950AFC6145F70899A23F6A32 1078821 ----a-w- C:\Users\-------\Downloads\30-Flat-Badges-labels-and-banners.zip
2015-07-18 19:42:06 38A8674B9BB64A27EC999FCC9E3DF662 622 ----a-w- C:\Users\------\Downloads\TakeOwnership.zip
2015-07-18 19:38:19 E16CEB1197549AA19630AD0982D04E89 1186640 ----a-w- C:\Users\-------\Downloads\ProcessExplorer.zip
2015-07-18 02:06:54 713072510DF7F8095BEC026803D5C8CC 17472399 ----a-w- C:\Users\-------\Downloads\ArtensoftPhotoCollageMaker14-dje2nqk0.zip
2015-07-17 23:13:55 272979D1B0732A8EFDD3B6960B8DDB0A 81156 ----a-w- C:\Users\------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
2015-07-17 21:38:03 FCEB5D2ECAB2DCD63628CC2B95248A0A 31220 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\iexplore.bat
2015-07-17 21:38:03 F836546B0C268B8930447AD51C19B683 1568 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\delfolders.bat
2015-07-17 21:38:03 E0A0B0442A4ED95A003A1C0F0AE63E2B 4910 ----a-w- C:\Users\--------\AppData\Local\Temp\jrt\chrome_pref.bat
2015-07-17 21:38:03 D03318CDF4C5F7C2C7A793C2AEC159D0 7901 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\runvalues.bat
2015-07-17 21:38:03 CA495C330AF9FB8D8608A536D6377909 7910 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\chrome.bat
2015-07-17 21:38:03 C80D16762A60152379C2A7ADBB8248AA 9239 ----a-w- C:\Users\----\AppData\Local\Temp\jrt\searchlnk.bat
2015-07-17 21:38:03 C74DACC98CBDA29BA34D82665E6C43FF 2245 ----a-w- C:\Users\------\AppData\Local\Temp\jrt\medfos.bat
2015-07-17 21:38:03 B80B4855691192AE466736027A332B11 17571 ----a-w- C:\Users\------\AppData\Local\Temp\jrt\get.bat
2015-07-17 21:38:03 B3E4F4259E131A833B332C9B05CA8774 149490 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\misc.bat
2015-07-17 21:38:03 B23B16209341AEAE62A7D32117A36F55 1192 ----a-w- C:\Users\--------\AppData\Local\Temp\jrt\TDL4.bat
2015-07-17 21:38:03 A8F5541C419593F3ECAC0E0A3FB0F2BA 1162 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\surfvox.bat
2015-07-17 21:38:03 93A6196509429319C854A941F14F1E7C 252 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\ev_clear.bat
2015-07-17 21:38:03 9246BABAAAE2978EABF6F0D784B0683D 34543 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\prelim.bat
2015-07-17 21:38:03 81F82F01664FD84D77EF8521A2C39463 23026 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\ask.bat
2015-07-17 21:38:03 7C2536139B5D838D88D3E0082F9A77FC 167302 ----a-w- C:\Users\------\AppData\Local\Temp\jrt\firefox.bat
2015-07-17 21:38:03 3FF35FA6DEAAE10308284F654477F10D 17100 ----a-w- C:\Users\-------\AppData\Local\Temp\jrt\mws.bat
2015-07-17 17:28:48 C95CCAEE5BB9E2FB7C766D77CFBEA88E 7723417 ----a-w- C:\Users\------\Downloads\Retro-hand-draw-patterns-(ai-ps).zip
2015-07-17 17:25:49 E9633FB136B226F0DFA9C15BE4C34C31 24397879 ----a-w- C:\Users\------\Downloads\Cute-School-set.zip
2015-07-17 17:25:46 1FF7A3FB33E733FBB11449D0F3861BAD 6676929 ----a-w- C:\Users\-------\Downloads\Vintage-Sunburst-Creator.zip
2015-07-17 17:25:36 918E2C06A9188AF34E218222BA4D3F86 26622978 ----a-w- C:\Users\------\Downloads\168-Cool-avatars.zip
2015-07-17 17:25:34 AAC967941CABC106765F7DD66E57CFE0 49184 ----a-w- C:\Users\-------\Downloads\Whiteboard-Font.zip
2015-07-17 17:25:28 16897E23DD36E28FDFD170AA3D6DCFA4 44415961 ----a-w- C:\Users\-------\Downloads\44-EDUCATION-FLAT-infographics.zip
2015-07-13 16:25:14 67BFAA50C30C778CD4E93380F72E9E2E 122655 ----a-w- C:\Program Files (x86)\Vector Thrust\media\packs\skybox.zip
2015-07-13 16:25:14 5D944781E781C4ADA29EEEB52DBA5BBB 95346 ----a-w- C:\Program Files (x86)\Vector Thrust\media\packs\OgreCore.zip
2015-07-13 16:25:14 25B87BC7F523F8A09ABC74FCD2A01EF3 428953 ----a-w- C:\Program Files (x86)\Vector Thrust\media\packs\cubemapsJS.zip
2015-07-13 16:25:14 1807EBEB09F557C6DA0CB0FAA74F1D76 274274 ----a-w- C:\Program Files (x86)\Vector Thrust\media\packs\cubemap.zip
 
==== Startup Registry Enabled x64 ======================
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe"
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe"
"Persistence"="C:\WINDOWS\system32\igfxpers.exe"
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s"
"SRS Premium Sound 3D"="C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe  /f=C:\Program Files\SRS Labs\SRS Control Panel\SRS_Premium_Sound_PS3D.zip /h"
"TecoResident"="C:\Program Files\TOSHIBA\Teco\TecoResident.exe"
"TSleepSrv"="C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe"
"TODDMain"="C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe"
"TRCMan"="C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe"
"BTMTrayAgent"="rundll32.exe C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll,TrayApp"
"AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"NvBackend"="C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
"Integrated Camera_Monitor"="C:\Program Files (x86)\SunplusIT Integrated Camera\Monitor.exe"
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe /hide /waitservice"
"TCrdMain"="%ProgramFiles%\TOSHIBA\Hotkey\TCrdMain_Win8.exe "
"TosWaitSrv"="%ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe "
"SynTPEnh"="%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe "
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" ,C:\\WINDOWS\\system32\\nvinitx.dll"
 
==== Startup Folders ======================
 
2015-01-25 01:50:57 1065 ----a-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Firewall Control.lnk
 
==== Task Scheduler Jobs ======================
 
C:\WINDOWS\tasks\Adobe Flash Player Updater.job --a-------- C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [15/07/2015 01:38]
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job --a-------- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [24/01/2015 15:40]
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job --a-------- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [24/01/2015 15:40]
C:\WINDOWS\tasks\Synaptics TouchPad Enhancements.job --a-------- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [23/11/2012 03:13]
 
==== Other Scheduled Tasks ======================
 
"C:\WINDOWS\SysNative\tasks\Adobe Flash Player Updater" [C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe]
"C:\WINDOWS\SysNative\tasks\GoogleUpdate" [C:\Users\-------\AppData\Roaming\Google\downloader.exe]
"C:\WINDOWS\SysNative\tasks\GoogleUpdateClient" [C:\Users\-----\AppData\Roaming\Google\downloader.exe]
"C:\WINDOWS\SysNative\tasks\GoogleUpdateTaskMachineCore" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\WINDOWS\SysNative\tasks\GoogleUpdateTaskMachineUA" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\WINDOWS\SysNative\tasks\MRINFO" [C:\Users\-------\AppData\Roaming\Microsoft\Windows\IEUpdate\MRINFO.EXE]
"C:\WINDOWS\SysNative\tasks\One-Click Optimizer WO11" [C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 11\WO11.exe]
"C:\WINDOWS\SysNative\tasks\Origin" [C:\Users\--------\AppData\Roaming\Origin\update.vbe]
"C:\WINDOWS\SysNative\tasks\Synaptics TouchPad Enhancements" [\Program Files\Synaptics\SynTP\SynTPEnh.exe]
"C:\WINDOWS\SysNative\tasks\Intel\Intel Telemetry 2 (x86)" [C:\Program Files (x86)\Intel\Telemetry 2.0\lrio.exe]
"C:\WINDOWS\SysNative\tasks\Toshiba\CommonNotifier" [C:\Program Files (x86)\Toshiba TEMPRO\Toshiba.Tempro.UI.CommonNotifier.exe]
"C:\WINDOWS\SysNative\tasks\Toshiba\Service Station" ["C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe"]
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=0 folders=0 0 bytes)
 
==== EOF on 20/07/2015 at 17:19:36.86 ======================

Edited by MJPRCE, 24 July 2015 - 10:10 AM.


#11 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 25 July 2015 - 05:53 AM

Step 1

Fix with ZOEK

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the Zoek icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;
    del /q /s C:\update.vbe >>"%temp%\log.txt";b
    emptyclsid;
    autoclean;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, the log will open after it. You may also find it on your main drive (usually C:\).
Post its content into your next reply.

Step 2


Please download and install Malwarebytes Anti-Malware.
  • Please open Malwarebytes Anti-Malware and update the database.
  • Click "Settings" [1] and go to "Detection and Protection" [2]
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard [3], then click on Scan Now [4] to start the scan.
    If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt.
  • Click on "Remove Selected" [5].
  • Then click "Save Results" [6] and select the option shown in the screenshot.
  • Return to our forum. Paste your log into your next reply and then click Finish [7].
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#12 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 26 July 2015 - 12:45 AM

Zoek logfile:

 

 
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by -----------on 25/07/2015 at 23:56:47.93.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\----------\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2015-07-20-161936.log 35847 bytes
 
==== System Restore Info ======================
 
25/07/2015 23:59:32 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\BitTorrent Sync deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\ProcessMonitor deleted successfully
C:\PROGRA~3\ALM deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\Users\----------\AppData\Roaming\IObit deleted successfully
C:\Users\----------\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\----------\AppData\Local\EmieSiteList deleted successfully
C:\Users\----------\AppData\Local\EmieUserList deleted successfully
C:\Users\----------\AppData\Local\WOP deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6cecf580 deleted successfully
 
==== FireFox Fix ======================
 
ProfilePath: C:\Users\----------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default
 
user.js not found
---- Lines extensions.4X5hDml6CoLp4e1h removed from prefs.js ----
user_pref("extensions.4X5hDml6CoLp4e1h.epoch", "1437077862");
---- Lines extensions.KSg93AoXvRL56fIt removed from prefs.js ----
user_pref("extensions.KSg93AoXvRL56fIt.epoch", "1434445343");
---- FireFox user.js and prefs.js backups ---- 
 
prefs_072015_0007_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\BitTorrent Sync not found
C:\PROGRA~2\ProcessMonitor not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\PROGRA~2\SynciOS Data Transfer deleted
C:\Users\----------\.android deleted
C:\PROGRA~3\gifter deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\----------\AppData\Local\BIT9A.tmp deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\----------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default\jetpack deleted
C:\Users\----------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default\extensions\youtubeunblocker@unblocker.yt deleted
"C:\windows\Installer\1c5ec.msi" deleted
"C:\Users\----------\AppData\Local\LumaEmu" deleted
"C:\Users\----------\AppData\Local\{1FE05B74-E0F0-4FA7-B493-041ADC3C2D13}" deleted
 
==== Firefox Proxy Settings ======================
 
ProfilePath: C:\Users\----------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default
user_pref("network.proxy.autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7B%20var%20lhost%2C%20localIpAddresses%2C%20localDomains%2C%20ipNotation%2C%20i%3B%20function%20isPlainHostNameEx()%20%7B%20return%20!(!!~lhost.indexOf('.')%20%7C%7C%20!!~lhost.indexOf('%3A'))%3B%20%7D%20lhost%20%3D%20host.toLowerCase()%3B%20ipNotation%20%3D%20%2F%5E%5Cd%2B%5C.%5Cd%2B%5C.%5Cd%2B%5C.%5Cd%2B%24%2Fg%3B%20localIpAddresses%20%3D%20%5B'127.0.0.1'%2C'10.*.*.*'%2C'172.1%5B6-9%5D.*.*'%2C'172.2%5B1-9%5D.*.*'%2C'172.3%5B0-1%5D.*.*'%2C'192.168.*.*'%5D%3B%20localDomains%20%3D%20%5B'zeus.pm'%2C'zenguard.biz'%2C'local'%2C'dev'%2C'ip'%2C'box'%2C'lvh.me'%2C'ripe'%2C'invalid'%2C'intra'%2C'intranet'%2C'onion'%2C'vcap.me'%2C'127.0.0.1.xip.io'%2C'smackaho.st'%2C'localtest.me'%2C'site'%5D%3B%20if%20(isPlainHostNameEx())%20%7B%20return%20'DIRECT'%3B%20%7D%20if%20(ipNotation.test(lhost))%20%7B%20for%20(i%20%3D%200%3B%20i%20%3C%20localIpAddresses.length%3B%20i%2B%2B)%20%7B%20if%20(shExpMatch(lhost%2C%20localIpAddresses%5Bi%5D))%20%7B%20return%20'DIRECT'%3B%20%7D%20%7D%20%7D%20for%20(i%20%3D%200%3B%20i%20%3C%20localDomains.length%3B%20i%2B%2B)%20%7B%20if%20(dnsDomainIs(lhost%2C%20localDomains%5Bi%5D))%20%7B%20return%20'DIRECT'%3B%20%7D%20%7D%20return%20'PROXY%20127.0.0.1%3A49913'%3B%20%7D%20%2F*ZenMate*%2F");
user_pref("network.proxy.type", 2);
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\----------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default
- LavaFox V2 - %ProfilePath%\extensions\info@djzig.com
- ZenMate Security & Privacy VPN - %ProfilePath%\extensions\firefox@zenmate.com.xpi
- Night Mode Page Dim - %ProfilePath%\extensions\ilaita.night-mode-page-dim@jetpack.xpi
- Location Guard - %ProfilePath%\extensions\jid1-HdwPLukcGQeOSh@jetpack.xpi
- Bluhell Firewall - %ProfilePath%\extensions\{6BB5760D-F97E-421B-AF5B-8457A90C3CED}.xpi
- Google Analytics - %ProfilePath%\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\----------\AppData\Roaming\Mozilla\Firefox\Profiles\tfe8dxn2.default
CE3D390F8BC1FECF847ABAA6E887931E - C:\ProgramData\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll - Zylom Plugin
FD82108FD60B63010325D9AF6F00AF99 - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll - Shockwave Flash
FBF151BDF3156D1FEFD5E992D89D65CC - C:\Users\----------\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
 
 
==== Chromium Look ======================
 
Cards Against Originality - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\akccmajgihkbpjdmkceiamgkkplachhk
Free Rider HD - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\emikpifndnjfkgofoglceekhkbaicbde
AdBlock - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Flow Game - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhkenkiidlghkpkihaiojpjnngfocahn
Night Time In New York City - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnimonidkipnhnpgkhgliocfnnpgkhek
Chrome Hotword Shared Module - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Play Books - ----------\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmimngoggfoobjdlefbcabngfnmieonb
 
==== Chromium Fix ======================
 
C:\Users\----------\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_uk.ask.com_0.localstorage deleted successfully
C:\Users\----------\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_uk.ask.com_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
 
New Values:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E40670FF068C9E042A033EF74AF101A3 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_4.203.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AnVir.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoLogger.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRST.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRST64.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegWorks.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSIT.exe deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSITx64.exe deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{cf05acd1} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9490A9E7-B0E9-D9EA-365C-3EE2B532055E} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FF07604E-C860-40E9-A230-E37FA41F103A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E40670FF068C9E042A033EF74AF101A3 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{6cecf580} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{7f0567dd} deleted successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\----------\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\----------\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\----------\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\----------\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
C:\Users\----------\AppData\Local\Mozilla\Firefox\Profiles\tfe8dxn2.default\cache2 emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\----------\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=200 folders=108 211076697 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\ADMINI~1\AppData\Local\Temp emptied successfully
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\----------\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\----------\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 26/07/2015 at  6:37:54.05 ======================
 
 
Malwarebytes logfile to follow.


#13 MJPRCE

MJPRCE
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 26 July 2015 - 02:00 AM

Not sure if I did this bit right; all I got was an XML file, which I'd opened up in IE - I've just copied and pasted it.
 
2015/07/26 07:18:13 +0100</date>
<logfile>mbam-log-2015-07-26 (07-18-11).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
  <version>2.1.8.1057</version>
  <malware-database>v2015.07.26.01</malware-database>
  <rootkit-database>v2015.07.22.01</rootkit-database>
  <license>trial</license>
  <file-protection>enabled</file-protection>
  <web-protection>enabled</web-protection>
  <self-protection>disabled</self-protection>
</engine>
<system>
  <osversion>Windows 8.1</osversion>
  <arch>x64</arch>
  <username>Marcus</username>
  <filesys>NTFS</filesys>
</system>
<summary>
  <type>threat</type>
  <result>completed</result>
  <objects>391854</objects>
  <time>1838</time>
  <processes>0</processes>
  <modules>0</modules>
  <keys>2</keys>
  <values>2</values>
  <datas>0</datas>
  <folders>0</folders>
  <files>1</files>
  <sectors>0</sectors>
</summary>
<options>
  <memory>enabled</memory>
  <startup>enabled</startup>
  <filesystem>enabled</filesystem>
  <archives>enabled</archives>
  <rootkits>enabled</rootkits>
  <deeprootkit>disabled</deeprootkit>
  <heuristics>enabled</heuristics>
  <pup>enabled</pup>
  <pum>enabled</pum>
</options>
<items>
  <key>
    <path>HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE</path>
    <vendor>PUM.Security.Hijack.DisableChromeUpdates</vendor>
    <action>success</action>
    <hash>72e733b34b3fef4746d73861cf35936d</hash>
  </key>
  <key>
    <path>HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE</path>
    <vendor>PUM.Security.Hijack.DisableChromeUpdates</vendor>
    <action>success</action>
    <hash>84d5806619711e1829f41188e420d030</hash>
  </key>
  <value>
    <path>HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE</path>
    <valuename>DisableAutoUpdateChecksCheckboxValue</valuename>
    <vendor>PUM.Security.Hijack.DisableChromeUpdates</vendor>
    <action>success</action>
    <valuedata>1</valuedata>
    <hash>72e733b34b3fef4746d73861cf35936d</hash>
  </value>
  <value>
    <path>HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE</path>
    <valuename>DisableAutoUpdateChecksCheckboxValue</valuename>
    <vendor>PUM.Security.Hijack.DisableChromeUpdates</vendor>
    <action>success</action>
    <valuedata>1</valuedata>
    <hash>84d5806619711e1829f41188e420d030</hash>
  </value>
  <file>
    <path>C:\Users\Marcus\AppData\Roaming\Google\downloader.exe</path>
    <vendor>Trojan.FakeAlert</vendor>
    <action>success</action>
    <hash>d5848f573a503df90fef433f7192f10f</hash>
  </file>
</items>
</mbam-log>


#14 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 26 July 2015 - 04:10 AM



Please try FRST-Scan again now.

Step 1


Start FRST with administrator privileges.
  • Make sure the Addition.txt option is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

Edited by deeprybka, 26 July 2015 - 04:13 AM.

regards,
deeprybka

#15 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:52 AM

Posted 29 July 2015 - 11:48 AM

Hi,

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.
regards,
deeprybka



