
Virus keeps coming back in Temp


  • This topic is locked
20 replies to this topic

#1 Jeenine (Members, 15 posts)

Posted 02 August 2015 - 06:14 PM

Hi, I got a virus that keeps coming back in my Temp folder: "WindowsUpdateKB12695__7428_il31477.exe", "tmp4191.tmp.exe", "tmp9E32.tmp.exe".

It appears once a day and I can remove it by running Malwarebytes, but it keeps coming back after a few hours. It tries to install a program as soon as it appears in my Temp folder.

I have a feeling I might be infected with a rootkit... I tried running Malwarebytes Anti-Malware, Malwarebytes Anti-Rootkit, TDSSKiller and ComboFix with no luck; it still comes back every few hours or every day.

I think this virus appeared when I got some new drivers for my AMD graphics card, but I am not certain... I cannot do a system restore because I didn't have any restore points before I downloaded the drivers...

I would like to know if one of you more experienced users could help me with my issue. Thanks in advance!

Edit: Moved topic from Windows 7 to the more appropriate forum, due to member having already run ComboFix. ~ Animal


#2 Jeenine (Topic Starter, Members, 15 posts)

Posted 04 August 2015 - 01:12 AM

I found a "$RECYCLE.BIN" on my second hard drive. I think I'm infected with ZeroAccess, but it's on another internal hard drive, not the one my operating system is on. I feel like all the scanners are only scanning my main hard drive where my operating system is located, so they can't find the virus!
How do you delete a ZeroAccess rootkit on a second internal hard drive?



#3 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 04 August 2015 - 03:02 AM

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB

My help is free; however, if you want to support my fight against malware, click here (no worries, every little bit helps).

#4 Jeenine (Topic Starter, Members, 15 posts)

Posted 04 August 2015 - 11:51 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:02-08-2015 01
Ran by Jeenine (administrator) on JARVIS (05-08-2015 00:49:18)
Running from C:\Users\Jeenine\Desktop
Loaded Profiles: Jeenine (Available Profiles: Jeenine)
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Sandboxie Holdings, LLC) C:\Users\Jeenine\Desktop\Desk\Sandboxie\SbieSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(MSI) C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe
(MICRO-STAR INTERNATIONAL CO., LTD.) C:\Program Files (x86)\MSI\MSITrigger\MSI_Trigger_Service.exe
(Sandboxie Holdings, LLC) C:\Users\Jeenine\Desktop\Desk\Sandboxie\SbieCtrl.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(MSI) C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7543000 2014-05-19] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
HKLM\...\Run: [TabletDriver] => C:\Program Files\PenDisplay\PenDisplay.exe -hide
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [134616 2013-09-16] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-25] (Intel Corporation)
HKLM-x32\...\Run: [Super-Charger] => C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe [1047536 2013-11-12] (MSI)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-06-22] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-2325793436-3083908946-974748653-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-04-09] (Google Inc.)
HKU\S-1-5-21-2325793436-3083908946-974748653-1000\...\Run: [SandboxieControl] => C:\Users\Jeenine\Desktop\Desk\Sandboxie\SbieCtrl.exe [787592 2015-06-23] (Sandboxie Holdings, LLC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ISCTSystray.lnk [2014-04-09]
ShortcutTarget: ISCTSystray.lnk -> C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe (Intel Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2325793436-3083908946-974748653-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2325793436-3083908946-974748653-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-07-14] (Google Inc.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-14] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-07-14] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-14] (Google Inc.)
Toolbar: HKU\S-1-5-21-2325793436-3083908946-974748653-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-07-14] (Google Inc.)
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2013-03-02] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2013-03-02] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2013-03-02] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2013-03-02] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{51BB37EF-35A3-4D08-A732-9D472EC8E396}: [DhcpNameServer] 192.168.2.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-10]
CHR Extension: (Google Drive) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-10]
CHR Extension: (YouTube) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-10]
CHR Extension: (Google Search) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-10]
CHR Extension: (Office Editing for Docs, Sheets & Slides) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbkeegbaiigmenfmjfclcdgdpimamgkj [2015-01-16]
CHR Extension: (AdBlock) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-05-20]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-14]
CHR Extension: (SaveFrom.net helper) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdpljndcmbeikfnlflcggaipgnhiedbl [2014-09-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-19]
CHR Extension: (Gmail) - C:\Users\Jeenine\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-10]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S3 intelsba; C:\Program Files\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [54976 2013-07-25] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [198120 2013-08-01] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 MSI_SuperCharger; C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe [161776 2013-09-09] (MSI)
R2 MSI_Trigger_Service; C:\Program Files (x86)\MSI\MSITrigger\MSI_Trigger_Service.exe [30240 2013-09-26] (MICRO-STAR INTERNATIONAL CO., LTD.)
R2 SbieSvc; C:\Users\Jeenine\Desktop\Desk\Sandboxie\SbieSvc.exe [175752 2015-06-23] (Sandboxie Holdings, LLC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ElgatoGC658Y; C:\Windows\System32\Drivers\ElgatoGC658.sys [50288 2012-11-12] (UB658)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [21408 2013-08-01] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [21920 2013-08-01] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-01] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [46568 2013-08-01] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-08-05] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R3 NTIOLib_1_0_3; C:\Program Files (x86)\MSI\Super-Charger\NTIOLib_X64.sys [13368 2012-10-25] (MSI)
R3 SbieDrv; C:\Users\Jeenine\Desktop\Desk\Sandboxie\SbieDrv.sys [190088 2015-06-23] (Sandboxie Holdings, LLC)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-08-04] ()
S3 vmulti; C:\Windows\System32\DRIVERS\vmulti.sys [10752 2014-09-16] (Windows ® Win 7 DDK provider)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-05 00:49 - 2015-08-05 00:49 - 00012952 _____ C:\Users\Jeenine\Desktop\FRST.txt
2015-08-05 00:49 - 2015-08-05 00:49 - 00000000 ____D C:\FRST
2015-08-05 00:48 - 2015-08-05 00:48 - 02169856 _____ (Farbar) C:\Users\Jeenine\Desktop\FRST64.exe
2015-08-04 02:43 - 2015-08-04 02:43 - 00022678 _____ C:\ComboFix.txt
2015-08-04 02:00 - 2015-08-04 02:34 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-08-04 02:00 - 2015-08-04 02:05 - 00000000 ____D C:\ProgramData\RogueKiller
2015-08-04 01:56 - 2015-08-04 01:56 - 18718280 _____ C:\Users\Jeenine\Desktop\RogueKiller.exe
2015-08-03 01:17 - 2015-08-03 01:17 - 00020478 _____ C:\Users\Jeenine\Desktop\enbseries.ini
2015-08-03 01:06 - 2015-08-03 01:20 - 00001613 _____ C:\Users\Jeenine\Desktop\enblocal.ini
2015-08-03 01:06 - 2014-01-26 14:35 - 00021504 _____ ( Author: William Hedrick) C:\Users\Jeenine\Desktop\d3dx9_42.dll
2015-08-03 01:06 - 2014-01-26 14:18 - 00001046 _____ C:\Users\Jeenine\Desktop\ssme.ini
2015-08-02 18:17 - 2015-08-04 02:43 - 00000000 ____D C:\Qoobox
2015-08-02 18:17 - 2015-08-02 18:20 - 00000000 ____D C:\Windows\erdnt
2015-08-02 18:17 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2015-08-02 18:17 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2015-08-02 18:17 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-08-02 18:17 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-08-02 18:17 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-08-02 18:17 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2015-08-02 18:17 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2015-08-02 18:17 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2015-08-02 18:16 - 2015-08-02 18:16 - 05634591 ____R (Swearware) C:\Users\Jeenine\Desktop\ComboFix.exe
2015-08-01 23:19 - 2015-08-01 23:26 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-08-01 23:06 - 2015-08-04 02:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-07-31 21:08 - 2015-07-31 21:08 - 00001314 _____ C:\Users\Jeenine\Desktop\Temp - Shortcut.lnk
2015-07-31 20:52 - 2015-07-31 20:53 - 00000066 _____ C:\Users\Jeenine\Desktop\virus.txt
2015-07-25 22:53 - 2015-08-02 18:25 - 00001598 _____ C:\Windows\Sandboxie.ini
2015-07-25 22:41 - 2015-07-25 22:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sandboxie
2015-07-25 01:38 - 2015-07-25 01:38 - 00000000 ____D C:\Users\Jeenine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wrye Bash
2015-07-24 18:08 - 2015-07-24 18:08 - 00000010 _____ C:\Users\Public\Documents\test.txt
2015-07-24 18:07 - 2015-07-24 18:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\(Default)
2015-07-24 18:07 - 2015-07-24 18:07 - 00929953 _____ C:\Windows\unins000.exe
2015-07-24 18:07 - 2015-07-24 18:07 - 00001145 _____ C:\Windows\unins000.dat
2015-07-24 18:06 - 2015-07-24 18:06 - 00000000 ____D C:\Program Files (x86)\MyPCBU
2015-07-24 18:06 - 2015-07-24 18:06 - 00000000 ____D C:\Program Files (x86)\Media Toolbar Extension
2015-07-23 18:39 - 2015-07-25 00:29 - 00000000 ____D C:\Users\Jeenine\Desktop\Merged Plugins
2015-07-23 12:26 - 2015-07-23 12:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID
2015-07-23 06:11 - 2015-07-23 06:11 - 00000383 _____ C:\Users\Jeenine\d3d_antilag.log
2015-07-23 05:45 - 2015-07-23 05:45 - 00000000 ____D C:\Users\Jeenine\Desktop\Best ini
2015-07-23 00:57 - 2015-07-23 00:58 - 00000000 ____D C:\Users\Jeenine\Desktop\Vanilla ini Better look
2015-07-23 00:31 - 2015-07-23 00:31 - 00000000 ____D C:\Users\Jeenine\Desktop\Vanilla ini polished
2015-07-22 22:16 - 2015-07-22 22:16 - 00001923 _____ C:\Users\Jeenine\Desktop\SkyrimLauncher.exe.lnk
2015-07-22 22:09 - 2015-08-03 02:51 - 00003722 _____ C:\Users\Jeenine\Desktop\SkyrimPrefs.ini
2015-07-22 22:09 - 2015-07-23 04:54 - 00001491 _____ C:\Users\Jeenine\Desktop\Skyrim.ini
2015-07-22 21:59 - 2015-07-22 21:59 - 00053615 _____ C:\Windows\SysWOW64\CCCInstall_201507222159118179.log
2015-07-22 21:59 - 2015-07-22 21:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2015-07-22 21:59 - 2015-07-22 21:59 - 00000000 ____D C:\ProgramData\ATI
2015-07-22 18:44 - 2015-07-22 18:44 - 00000000 ____D C:\Program Files (x86)\AMD
2015-07-19 18:32 - 2015-07-19 18:32 - 00000000 ____D C:\Users\Jeenine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiAlgo
2015-07-19 04:27 - 2015-07-23 05:40 - 00000000 ____D C:\Users\Jeenine\Desktop\SKYRIM PERFORMANCE BOOSTER_Pdf_v11-59305-11
2015-07-16 23:24 - 2015-07-16 23:25 - 00000000 ____D C:\Users\Jeenine\Desktop\RecuScolaire
2015-07-16 03:05 - 2015-07-16 03:05 - 00000000 ____D C:\Users\Jeenine\Desktop\Stuff
2015-07-07 03:57 - 2015-07-07 03:57 - 00003144 _____ C:\Windows\System32\Tasks\{2FB99D1F-357D-4D47-9816-420E1E109F42}
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-05 00:47 - 2009-07-14 01:13 - 00779724 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-05 00:46 - 2014-04-09 20:27 - 02071247 _____ C:\Windows\WindowsUpdate.log
2015-08-05 00:43 - 2014-09-10 20:06 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-05 00:43 - 2014-04-09 23:28 - 01084142 _____ C:\Windows\PFRO.log
2015-08-05 00:43 - 2014-04-09 23:23 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-05 00:43 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-05 00:43 - 2009-07-14 00:51 - 00451247 _____ C:\Windows\setupact.log
2015-08-04 02:42 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
2015-08-04 02:13 - 2014-04-09 23:23 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-04 01:50 - 2014-09-10 20:05 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-04 01:37 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system
2015-08-03 02:20 - 2015-06-27 02:10 - 00000000 ____D C:\Users\Jeenine\AppData\Local\Skyrim
2015-08-02 18:22 - 2014-05-20 13:19 - 00000000 ___RD C:\Users\Jeenine\Desktop\Desk
2015-08-02 18:07 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2015-08-02 02:11 - 2015-07-04 23:51 - 00000000 ____D C:\Textures Backup
2015-08-01 23:26 - 2009-07-14 00:45 - 00016352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-01 23:26 - 2009-07-14 00:45 - 00016352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-31 21:27 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Microsoft Games
2015-07-31 21:20 - 2014-05-23 19:22 - 00000000 ____D C:\Users\Jeenine\AppData\Local\CrashDumps
2015-07-31 21:17 - 2014-04-10 00:52 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-31 20:54 - 2014-07-17 00:41 - 00000000 ____D C:\Windows\Minidump
2015-07-25 22:41 - 2014-04-09 20:27 - 00000000 ____D C:\Users\Jeenine
2015-07-24 18:58 - 2014-10-13 02:05 - 00000000 ____D C:\ProgramData\TEMP
2015-07-24 18:30 - 2009-07-14 00:45 - 00000000 ____D C:\Windows\Setup
2015-07-24 18:07 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\TAPI
2015-07-22 22:13 - 2014-10-14 20:38 - 00000000 ____D C:\Program Files (x86)\R.G. Mechanics
2015-07-22 21:58 - 2014-04-10 00:54 - 00000000 ____D C:\Program Files\AMD
2015-07-22 21:48 - 2014-04-10 00:44 - 00000000 ____D C:\AMD
2015-07-22 21:14 - 2014-04-09 23:50 - 00000000 ____D C:\Users\Jeenine\AppData\Roaming\Google
2015-07-22 21:11 - 2014-10-08 21:41 - 00000000 ____D C:\Games
2015-07-22 21:11 - 2014-04-10 00:52 - 00000000 ____D C:\Program Files\ATI
2015-07-22 21:11 - 2014-04-09 23:32 - 00000000 ____D C:\SuperChargerProfile
2015-07-22 18:44 - 2014-04-10 00:52 - 00000000 ____D C:\Program Files\ATI Technologies
2015-07-21 18:04 - 2014-04-09 23:23 - 00000000 ____D C:\Users\Jeenine\AppData\Local\Google
2015-07-17 18:59 - 2014-10-08 20:47 - 00000000 ____D C:\Users\Jeenine\Documents\Nexus Mod Manager
2015-07-15 23:07 - 2014-04-09 23:23 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-07-15 23:07 - 2014-04-09 23:23 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-07-09 15:26 - 2009-07-14 01:08 - 00032552 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-07 04:01 - 2014-11-12 00:42 - 00000000 ____D C:\Program Files (x86)\Java
2015-07-07 04:01 - 2014-10-12 15:56 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
 
==================== Files in the root of some directories =======
 
2014-07-16 14:16 - 2015-04-07 21:55 - 0000132 _____ () C:\Users\Jeenine\AppData\Roaming\Adobe PNG Format CS6 Prefs
2014-09-25 14:20 - 2014-09-25 14:26 - 0001456 _____ () C:\Users\Jeenine\AppData\Local\Adobe Save for Web 13.0 Prefs
2015-01-20 18:57 - 2015-01-20 18:57 - 0000017 _____ () C:\Users\Jeenine\AppData\Local\resmon.resmoncfg
2015-04-30 03:29 - 2015-04-30 03:29 - 0000000 _____ () C:\Users\Jeenine\AppData\Local\{D3E3E17A-AC60-4D53-9456-0CEF7F94ECD4}
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-02 00:43
 
==================== End of log ============================

Edited by Jeenine, 04 August 2015 - 11:59 PM.
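A small triage helper for an FRST.txt like the one posted above, added here as an example; it is not part of FRST or of this thread. It parses the file-listing lines (created, modified, size, attribute flags, optional company name, path), collects every line FRST marked with "ATTENTION", and flags Temp-folder executables whose names follow the two patterns the original poster described. The line layout is inferred from the log itself, and the Temp line in the sample is constructed (the name comes from post #1, the timestamps and size do not).

```python
"""Parse the file-listing sections of a Farbar Recovery Scan Tool (FRST) log.

Assumed line layout (inferred from the FRST.txt above, not from FRST docs):
    <created> - <modified> - <size> <attrs> [(<company>)] <path>
Installed-program and policy lines may end with a '<==== ATTENTION' marker.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Two timestamps, zero-padded size, 5-character attribute field
# (e.g. _____, ____D, ____H, ___RD), optional "(Company)" and the path.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]{5}) "
    r"(?:\(([^)]*)\) )?"
    r"(.+?)\s*$"
)

# Any line FRST flagged for the analyst's attention (one or more '=' signs).
ATTENTION_LINE = re.compile(r"^(.*?)\s*<=+ ATTENTION\s*$")

# Assumed pattern generalised from the three names in post #1:
# tmp<4 hex>.tmp.exe and WindowsUpdateKB<digits>__<digits>_<alnum>.exe,
# located directly under a Temp folder.
TEMP_DROPPER = re.compile(
    r"\\Temp\\(?:tmp[0-9A-F]{4}\.tmp\.exe|WindowsUpdateKB\d+__\d+_[A-Za-z0-9]+\.exe)$",
    re.IGNORECASE,
)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        # FRST puts a 'D' in the attribute field for directories.
        return "D" in self.attrs


def parse_file_lines(text: str) -> List[FileEntry]:
    """Return every line that matches the FRST file-listing layout."""
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        created, modified, size, attrs, company, path = m.groups()
        company = company.strip() if company else None  # "()" -> no company
        entries.append(FileEntry(created, modified, int(size), attrs, company, path))
    return entries


def find_attention(text: str) -> List[str]:
    """Return the text of every line FRST marked with ATTENTION, marker removed."""
    found = []
    for raw in text.splitlines():
        m = ATTENTION_LINE.match(raw.strip())
        if m:
            found.append(m.group(1))
    return found


def flag_temp_droppers(entries: List[FileEntry]) -> List[str]:
    """Paths of non-directory entries whose name matches the Temp dropper pattern."""
    return [e.path for e in entries if not e.is_dir and TEMP_DROPPER.search(e.path)]


def triage(text: str) -> dict:
    """One-shot summary a helper could run over a posted FRST.txt."""
    entries = parse_file_lines(text)
    return {
        "entries": len(entries),
        "attention": find_attention(text),
        "temp_droppers": flag_temp_droppers(entries),
    }


# Constructed sample: four lines copied from the log above plus one constructed
# Temp line (name from post #1; date and size invented) and one ATTENTION line.
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========
2015-08-05 00:48 - 2015-08-05 00:48 - 02169856 _____ (Farbar) C:\Users\Jeenine\Desktop\FRST64.exe
2015-08-04 02:00 - 2015-08-04 02:05 - 00000000 ____D C:\ProgramData\RogueKiller
2015-08-03 01:06 - 2014-01-26 14:35 - 00021504 _____ ( Author: William Hedrick) C:\Users\Jeenine\Desktop\d3dx9_42.dll
2015-07-07 03:57 - 2015-07-07 03:57 - 00003144 _____ C:\Windows\System32\Tasks\{2FB99D1F-357D-4D47-9816-420E1E109F42}
2015-08-05 00:30 - 2015-08-05 00:30 - 00315392 _____ () C:\Users\Jeenine\AppData\Local\Temp\tmp9E32.tmp.exe
FlashGamesRockstar (HKLM-x32\...\FlashGamesRockstar) (Version: 1.1.0.20 - FlashGamesRockstar) <==== ATTENTION
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```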


#5 Jeenine (Topic Starter, Members, 15 posts)

Posted 04 August 2015 - 11:55 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version:02-08-2015 01
Ran by Jeenine (2015-08-05 00:49:29)
Running from C:\Users\Jeenine\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2325793436-3083908946-974748653-500 - Administrator - Disabled)
Guest (S-1-5-21-2325793436-3083908946-974748653-501 - Limited - Disabled)
Jeenine (S-1-5-21-2325793436-3083908946-974748653-1000 - Administrator - Enabled) => C:\Users\Jeenine
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe After Effects CC (HKLM-x32\...\{317243C1-6580-4F43-AED7-37D4438C3DD5}) (Version: 12.2.1 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.5.0.367 - Adobe Systems Incorporated)
Adobe Flash Player 13 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{14D58A97-B60E-A858-34D8-95469C02F7EC}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Br Media Player 1.05 (HKLM-x32\...\Br Media Player 1.05) (Version: 1.05 - Br Media Player)
CamStudio Lossless Codec v1.5 (HKLM-x32\...\camcodec) (Version: 1.5 - CamStudio)
ContentExplorer (HKLM-x32\...\ContentExplorer) (Version: 8.4 - ContentExplorer.net)
CPUID CPU-Z 1.72.1 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
Dll-Files Fixer (HKLM-x32\...\Dll-Files Fixer_is1) (Version: 3.1.81 - Dll-Files.com)
Elgato Game Capture HD (HKLM-x32\...\{FEF7696C-E39A-4E1B-8E73-D242A7AB8DDE}) (Version: 1.42.24.539 - Elgato Systems GmbH)
FlashGamesRockstar (HKLM-x32\...\FlashGamesRockstar) (Version: 1.1.0.20 - FlashGamesRockstar) <==== ATTENTION
Fraps (HKLM-x32\...\Fraps) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.125 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6710.2136 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.28.1 - Google Inc.) Hidden
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1011 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Intel® Small Business Advantage (HKLM-x32\...\{6A6D86CD-B004-46b7-8951-7BB75A776F8C}) (Version: 2.2.39.7991 - Intel® Corporation)
Intel® Smart Connect Technology (HKLM\...\{D6FBF816-ACB8-46CC-ACC6-C8BBA85F497D}) (Version: 4.2.40.2418 - Intel Corporation)
Intel® Update Manager (x32 Version: 1.0.0.36888 - Intel Corporation) Hidden
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java SE Development Kit 8 Update 25 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0180250}) (Version: 8.0.250.18 - Oracle Corporation)
LOOT (HKLM-x32\...\LOOT) (Version: 0.6.0 - LOOT Development Team)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Media Toolbar Extension version na (HKLM-x32\...\{7EDFA426-2089-4E61-9831-D6FACE9A4190}_is1) (Version: na - )
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
MyPCBU version 2.25 (HKLM-x32\...\{7D7D6742-5B49-4454-9E9B-748E731E741A}_is1) (Version: 2.25 - )
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.52.3 - Black Tree Gaming)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.6.9 - Notepad++ Team)
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r5875) (Version:  - )
PenDisplay version 10.0 (HKLM\...\{39089688-F09E-4DAD-8C80-647D3DF68630}_is1) (Version: 10.0 - Huion Animation)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.72.410.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7188 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 3.1.2 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.2 - VS Revo Group, Ltd.)
Sandboxie 4.20 (64-bit) (HKLM\...\Sandboxie) (Version: 4.20 - Sandboxie Holdings, LLC)
Skyrim - Legendary Edition (HKLM-x32\...\Skyrim - Legendary Edition_R.G. Mechanics_is1) (Version:  - R.G. Mechanics, spider91)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Super-Charger (HKLM-x32\...\{7CDF10DD-A9B5-4DA3-AB95-E193248D4369}_is1) (Version: 1.2.022 - MSI)
TinyTake by MangoApps (32 bit) (x32 Version: 2.0.3.0 - MangoApps) Hidden
TinyTake by MangoApps (HKLM-x32\...\{9a932bcc-8a10-418b-9ce7-02731cd6e553}) (Version: 2.0.3.0 - MangoApps)
Tixati (HKLM-x32\...\tixati) (Version:  - )
Vegas Pro 12.0 (64-bit) (HKLM\...\{BD422D00-5232-11E3-A6F3-F04DA23A5C58}) (Version: 12.0.770 - Sony)
VGA Boost (HKLM-x32\...\{809ACFAE-9A4D-4C60-9223-D8B615CD8CBA}}_is1) (Version: 1.0.0.7 - MSI)
Windows Driver Package - Graphics Tablet (WinUsb) USBDevice  (04/10/2014 8.33.30.0) (HKLM\...\142118DF51345EA02D2B1583E102C8FB95FD6D52) (Version: 04/10/2014 8.33.30.0 - Graphics Tablet)
WinRAR 5.10 beta 4 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.10.4 - win.rar GmbH)
Wondershare Video Converter Ultimate(Build 7.1.0.2) (HKLM-x32\...\Wondershare Video Converter Ultimate_is1) (Version: 7.1.0.2 - Wondershare Software)
Wrye Bash (HKLM-x32\...\Wrye Bash) (Version: 0.3.0.5 - Wrye & Wrye Bash Development Team)
x264vfw - H.264/MPEG-4 AVC codec (remove only) (HKLM-x32\...\x264vfw) (Version:  - )
Youtube Downloader version 2.0.0 (HKLM-x32\...\{B3E84B4A-ACDB-4B40-BA8A-5AD2675B8735}_is1) (Version: 2.0.0 - Mintra)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2325793436-3083908946-974748653-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Jeenine\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
 
==================== Restore Points =========================
 
26-07-2015 04:52:16 Scheduled Checkpoint
31-07-2015 21:11:04 Windows Update
01-08-2015 23:25:51 before intel rootkit removal
04-08-2015 02:39:45 ComboFix created restore point
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2015-08-02 18:20 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {642C8E9E-D756-4A2D-A346-7FB026BBF4FA} - System32\Tasks\DLL-Files.Com Fixer_Updates => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: {7F4125DD-A83C-4B4A-86A3-C98B679C1ACD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-09] (Google Inc.)
Task: {97AD6072-0CC5-40E1-9937-D1F45B26B47D} - System32\Tasks\{2FB99D1F-357D-4D47-9816-420E1E109F42} => pcalua.exe -a C:\Users\Jeenine\Desktop\chromeinstall-8u45.exe -d C:\Users\Jeenine\Desktop
Task: {D323C8E5-6ECE-4D3E-85EB-992AE9B42079} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-09] (Google Inc.)
Task: {F7ABEE5A-D08E-41C2-9381-3D7501A3DD09} - System32\Tasks\DLL-Files.Com Fixer_MONTHLY => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: {F8F40EDB-9719-4D00-8F41-2698BDF2C0A1} - System32\Tasks\RDReminder => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2013-08-01 17:31 - 2013-08-01 17:31 - 00198120 _____ () C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
2013-08-01 17:31 - 2013-08-01 17:31 - 00054760 _____ () C:\Program Files\Intel\Intel® Smart Connect Technology Agent\NetworkHeuristic.dll
2013-08-01 17:31 - 2013-08-01 17:31 - 00034792 _____ () C:\Program Files\Intel\Intel® Smart Connect Technology Agent\ISCTNetMon.dll
2015-07-31 21:13 - 2015-07-25 04:46 - 01405768 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.125\libglesv2.dll
2015-07-31 21:13 - 2015-07-25 04:46 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.125\libegl.dll
2014-04-09 23:25 - 2013-09-16 15:19 - 01242584 ____R () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2325793436-3083908946-974748653-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{4B06FCAF-54C0-483C-9BA0-61F85EB53C9E}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{902EA5A0-6BD9-44C2-A333-AA19A5CDA9BB}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{8921B2B9-C355-4869-857C-B426ACE4A4B4}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{C1686102-7AAA-42DE-9AF1-2E3CD3BB40BD}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{A697A867-3D47-4775-858E-888109B75672}] => (Allow) C:\Users\Jeenine\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{1EF13F97-DB20-473D-861F-ED6F760F0F17}] => (Allow) C:\Users\Jeenine\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{A1B2B890-15BA-456E-BAAD-CFA07850EDFA}C:\program files (x86)\wondershare\video converter ultimate\videoconverterultimate.exe] => (Block) C:\program files (x86)\wondershare\video converter ultimate\videoconverterultimate.exe
FirewallRules: [UDP Query User{76B7A2B5-0AF3-406C-B710-DF69784A4F5A}C:\program files (x86)\wondershare\video converter ultimate\videoconverterultimate.exe] => (Block) C:\program files (x86)\wondershare\video converter ultimate\videoconverterultimate.exe
FirewallRules: [{E0483C5D-BEA6-458D-A88C-C0D858975460}] => (Allow) C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
FirewallRules: [TCP Query User{3CC26C18-57D1-432D-84E7-FC2070399719}C:\program files (x86)\r.g. mechanics\skyrim - legendary edition\creationkit.exe] => (Block) C:\program files (x86)\r.g. mechanics\skyrim - legendary edition\creationkit.exe
FirewallRules: [UDP Query User{2228EF70-6007-463C-A409-9DB2799F9311}C:\program files (x86)\r.g. mechanics\skyrim - legendary edition\creationkit.exe] => (Block) C:\program files (x86)\r.g. mechanics\skyrim - legendary edition\creationkit.exe
FirewallRules: [TCP Query User{F6A1E428-EF07-4538-A0DB-77E6504FA830}E:\apps\wondershare\video converter ultimate\videoconverterultimate.exe] => (Block) E:\apps\wondershare\video converter ultimate\videoconverterultimate.exe
FirewallRules: [UDP Query User{95AA1490-6D6E-4CDE-BDF6-00F973E356D1}E:\apps\wondershare\video converter ultimate\videoconverterultimate.exe] => (Block) E:\apps\wondershare\video converter ultimate\videoconverterultimate.exe
FirewallRules: [{A0301A7D-A3F7-42BE-B28D-3B11E024D44F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{B0A82166-22DB-4FB6-8E47-93947918386C}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [TCP Query User{33F04337-801B-4F9E-9A6F-8BC3CD73CAEA}C:\program files (x86)\java\jdk1.8.0_25\bin\jmc.exe] => (Block) C:\program files (x86)\java\jdk1.8.0_25\bin\jmc.exe
FirewallRules: [UDP Query User{EA60C26C-EB24-4041-B835-3604899CA11B}C:\program files (x86)\java\jdk1.8.0_25\bin\jmc.exe] => (Block) C:\program files (x86)\java\jdk1.8.0_25\bin\jmc.exe
FirewallRules: [TCP Query User{323894BF-78D1-4FD6-8279-C966A96DCB29}E:\apps\tixati\tixati\tixati.exe] => (Block) E:\apps\tixati\tixati\tixati.exe
FirewallRules: [UDP Query User{76ABD8D4-B5DF-41E8-A57E-F5838D238953}E:\apps\tixati\tixati\tixati.exe] => (Block) E:\apps\tixati\tixati\tixati.exe
FirewallRules: [{F20FBC70-E668-44C5-8B89-B1DFAD4CFAA1}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/02/2015 03:45:17 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program TES5Edit.exe version 3.1.1.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: f70
 
Start Time: 01d0ccf6ba12c216
 
Termination Time: 10
 
Application Path: E:\Apps\TES5Edit 3.1.1-25859-3-1-1\TES5Edit.exe
 
Report Id: 68f8a1ba-38ea-11e5-8c47-448a5b5e1a2f
 
Error: (08/01/2015 11:05:54 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mbam.exe version 1.0.1.711 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 9f0
 
Start Time: 01d0ccc7f217b7d3
 
Termination Time: 3
 
Application Path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
 
Report Id:
 
Error: (07/31/2015 09:20:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wmprph.exe, version: 12.0.7600.16385, time stamp: 0x4a5bd018
Faulting module name: ntdll.dll, version: 6.1.7600.16915, time stamp: 0x4ec4b137
Exception code: 0xc0000005
Fault offset: 0x000000000004c8f4
Faulting process id: 0xf88
Faulting application start time: 0xwmprph.exe0
Faulting application path: wmprph.exe1
Faulting module path: wmprph.exe2
Report Id: wmprph.exe3
 
Error: (07/26/2015 01:01:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winsat.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc551
Faulting module name: atiuxp64.dll, version: 8.14.1.6463, time stamp: 0x5588b209
Exception code: 0xc0000005
Fault offset: 0x000000000000aa66
Faulting process id: 0x1254
Faulting application start time: 0xwinsat.exe0
Faulting application path: winsat.exe1
Faulting module path: winsat.exe2
Report Id: winsat.exe3
 
Error: (07/24/2015 07:07:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mbam.exe version 1.0.1.711 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: d30
 
Start Time: 01d0c66541b5be52
 
Termination Time: 16
 
Application Path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
 
Report Id:
 
Error: (07/24/2015 07:05:30 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mbam.exe version 1.0.1.711 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: a64
 
Start Time: 01d0c66064f8c09c
 
Termination Time: 0
 
Application Path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
 
Report Id:
 
Error: (07/22/2015 09:22:20 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: ATI EEU Client event error
 
Error: (07/19/2015 10:24:22 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program GenerateFNISforUsers.exe version 5.4.2.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1328
 
Start Time: 01d0c2930eb8e3a3
 
Termination Time: 5
 
Application Path: C:\Program Files (x86)\R.G. Mechanics\Skyrim - Legendary Edition\Data\tools\GenerateFNIS_for_Users\GenerateFNISforUsers.exe
 
Report Id:
 
Error: (07/17/2015 09:01:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program TESV.exe version 1.9.32.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: f24
 
Start Time: 01d0c0f4d1ecb499
 
Termination Time: 433
 
Application Path: C:\Program Files (x86)\R.G. Mechanics\Skyrim - Legendary Edition\TESV.exe
 
Report Id:
 
Error: (07/17/2015 06:59:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NexusClient.exe, version: 0.52.3.0, time stamp: 0x542956f4
Faulting module name: KERNELBASE.dll, version: 6.1.7600.17206, time stamp: 0x50e669a2
Exception code: 0xe0434352
Fault offset: 0x000000000000ac3d
Faulting process id: 0xdc0
Faulting application start time: 0xNexusClient.exe0
Faulting application path: NexusClient.exe1
Faulting module path: NexusClient.exe2
Report Id: NexusClient.exe3
 
 
System errors:
=============
Error: (08/04/2015 02:42:12 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (08/04/2015 02:41:12 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (08/04/2015 02:34:29 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/04/2015 02:05:49 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/04/2015 02:00:36 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/02/2015 06:20:10 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (08/02/2015 06:19:57 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/02/2015 06:18:57 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (07/25/2015 01:37:35 AM) (Source: cdrom) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\CdRom0.
 
Error: (07/24/2015 04:34:03 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
 
 
Microsoft Office:
=========================
Error: (08/02/2015 03:45:17 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: TES5Edit.exe3.1.1.0f7001d0ccf6ba12c21610E:\Apps\TES5Edit 3.1.1-25859-3-1-1\TES5Edit.exe68f8a1ba-38ea-11e5-8c47-448a5b5e1a2f
 
Error: (08/01/2015 11:05:54 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: mbam.exe1.0.1.7119f001d0ccc7f217b7d33C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
 
Error: (07/31/2015 09:20:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: wmprph.exe12.0.7600.163854a5bd018ntdll.dll6.1.7600.169154ec4b137c0000005000000000004c8f4f8801d0cbf84e010a90C:\Program Files\Windows Media Player\wmprph.exeC:\Windows\SYSTEM32\ntdll.dll8faef10c-37eb-11e5-be5a-448a5b5e1a2f
 
Error: (07/26/2015 01:01:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: winsat.exe6.1.7600.163854a5bc551atiuxp64.dll8.14.1.64635588b209c0000005000000000000aa66125401d0c75fed26e36aC:\Windows\system32\winsat.exeC:\Windows\system32\atiuxp64.dll6bda7263-3353-11e5-ad51-448a5b5e1a2f
 
Error: (07/24/2015 07:07:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: mbam.exe1.0.1.711d3001d0c66541b5be5216C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
 
Error: (07/24/2015 07:05:30 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: mbam.exe1.0.1.711a6401d0c66064f8c09c0C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
 
Error: (07/22/2015 09:22:20 PM) (Source: ATIeRecord) (EventID: 16388) (User: )
Description: 
 
Error: (07/19/2015 10:24:22 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: GenerateFNISforUsers.exe5.4.2.0132801d0c2930eb8e3a35C:\Program Files (x86)\R.G. Mechanics\Skyrim - Legendary Edition\Data\tools\GenerateFNIS_for_Users\GenerateFNISforUsers.exe
 
Error: (07/17/2015 09:01:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: TESV.exe1.9.32.0f2401d0c0f4d1ecb499433C:\Program Files (x86)\R.G. Mechanics\Skyrim - Legendary Edition\TESV.exe
 
Error: (07/17/2015 06:59:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: NexusClient.exe0.52.3.0542956f4KERNELBASE.dll6.1.7600.1720650e669a2e0434352000000000000ac3ddc001d0c0e367357f29C:\Program Files\Nexus Mod Manager\NexusClient.exeC:\Windows\system32\KERNELBASE.dll87814e8b-2cd7-11e5-974f-448a5b5e1a2f
 
 
CodeIntegrity:
===================================
  Date: 2015-08-02 18:19:57.655
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-08-02 18:19:57.648
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 22:05:46.935
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 22:05:46.918
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 22:05:35.854
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 22:05:35.836
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 22:05:14.365
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 22:05:14.351
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 21:46:36.636
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-16 21:46:36.627
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\chatpad_filter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4770S CPU @ 3.10GHz
Percentage of memory in use: 24%
Total physical RAM: 8119.97 MB
Available physical RAM: 6145.93 MB
Total Virtual: 16238.08 MB
Available Virtual: 14029.65 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.69 GB) (Free:27.95 GB) NTFS
Drive e: (Massive Storage) (Fixed) (Total:931.51 GB) (Free:311.68 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: ED44EA73)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 408DB4CD)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.7 GB) - (Type=07 NTFS)
 

 

==================== End of log ============================

Edited by Jeenine, 05 August 2015 - 12:00 AM.
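The triage that the helpers do by eye on a log like the one above (which tasks launch from user-writable folders, which run through a proxy binary such as pcalua.exe, which entries FRST itself marked ATTENTION, which drivers failed Code Integrity, what the scanner flagged) can be scripted. The script below is an added example, not part of this thread and not part of FRST or aswMBR: it reads pasted FRST- and aswMBR-style lines and returns findings. The sample lines, the user name "alice" and the GUIDs are constructed in the format of the logs above, and the lists of user-writable paths and proxy launchers are the example's own assumptions, not rules from either tool.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical triage helper for pasted FRST / aswMBR log lines.  It is an
# added example, not part of either tool; the pattern lists below are the
# author's assumptions about what deserves a second look, not tool rules.

# Directories a standard (non-admin) user can write to.  A scheduled task,
# autorun or firewall allow rule pointing here was not placed by a privileged
# installer and is worth reviewing.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Desktop|Downloads)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Signed Windows binaries that start another program on the caller's behalf;
# a task whose command is one of these keeps the real target one hop away.
PROXY_LAUNCHERS = {"pcalua.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<cmd>.+)$")
FIREWALL_RE = re.compile(r"^FirewallRules: \[.+?\] => \((?P<action>Allow|Block)\) (?P<path>.+)$")
CODEINT_RE = re.compile(r"unable to verify the image integrity of the file (?P<path>\S+)")
INFECTED_RE = re.compile(r"File: (?P<path>.+?)\s+\*\*INFECTED\*\*\s*(?P<sig>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    evidence: str


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty list if nothing stands out)."""
    line = line.strip()
    found: list[Finding] = []

    # FRST itself marks entries with no verified publisher or a known-bad name.
    if "<==== ATTENTION" in line:
        found.append(Finding("medium", "entry flagged by FRST", line.split(" (")[0]))

    if m := TASK_RE.match(line):
        cmd = m.group("cmd")
        launcher = cmd.split()[0].rsplit("\\", 1)[-1].lower()
        if launcher in PROXY_LAUNCHERS:
            found.append(Finding("high", f"task runs through proxy launcher {launcher}", cmd))
        if USER_WRITABLE.search(cmd):
            found.append(Finding("medium", "task launches from a user-writable path", m.group("name")))

    m = FIREWALL_RE.match(line)
    if m and m.group("action") == "Allow" and USER_WRITABLE.search(m.group("path")):
        found.append(Finding("medium", "firewall allow rule for a binary in a user-writable path", m.group("path")))

    if m := CODEINT_RE.search(line):
        found.append(Finding("medium", "kernel image failed Code Integrity verification", m.group("path")))

    if m := INFECTED_RE.search(line):
        sig = m.group("sig").strip() or "unnamed detection"
        found.append(Finding("high", f"scanner detection: {sig}", m.group("path")))

    return found


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a pasted log."""
    return [f for line in log_text.splitlines() if line.strip() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 5}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample, modeled on the FRST and aswMBR line formats; the user
# name "alice" and the GUIDs are made up.
SAMPLE_LOG = r"""
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-09] (Google Inc.)
Task: {66666666-7777-8888-9999-000000000000} - System32\Tasks\{ABCD} => pcalua.exe -a C:\Users\alice\Desktop\setup.exe -d C:\Users\alice\Desktop
Task: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - System32\Tasks\Updater => C:\Users\alice\AppData\Roaming\WindowsUpdater\Updater.exe
FlashGamesRockstar (HKLM-x32\...\FlashGamesRockstar) (Version: 1.1.0.20 - FlashGamesRockstar) <==== ATTENTION
FirewallRules: [{12345678-1234-1234-1234-123456789ABC}] => (Allow) C:\Users\alice\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{87654321-4321-4321-4321-CBA987654321}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\example_filter.sys because file hash could not be found on the system.
00:58:43.718    File: C:\Users\alice\AppData\Roaming\WindowsUpdater\Updater.exe  **INFECTED** Win32:Dropper-gen [Drp]
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"[{f.severity:>6}] {f.reason}: {f.evidence}")
    print(summarize(findings))
```

A "medium" finding is a prompt to look, not a verdict: the uTorrent allow rule and the AppData task in the sample are exactly the kind of entry that is legitimate on one machine and a dropper's persistence on another, which is why the helper asks for the full log rather than a single line.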


#6 Jeenine

Jeenine
  • Topic Starter
  • Members
  • 15 posts

Posted 05 August 2015 - 12:02 AM

Thanks a lot for the help, it's really appreciated!
*(do not mind my post edits)

I have a question, because my rootkit will try to download other viruses from my Temp folder, those I can delete with Malwarebytes Anti-Malware... anyhow, those viruses appear every few hours in my "Temp" folder. What should I do with them, do you want me to keep them or to delete them as they appear? If I don't delete them I will be prompted with a blue screen error on startup.

For now, here comes the next scan:


Edited by Jeenine, 05 August 2015 - 12:09 AM.


#7 Jeenine

Jeenine
  • Topic Starter
  • Members
  • 15 posts

Posted 05 August 2015 - 12:07 AM

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-08-05 00:56:01
-----------------------------
00:56:01.111    OS Version: Windows x64 6.1.7600 
00:56:01.111    Number of processors: 8 586 0x3C03
00:56:01.112    ComputerName: JARVIS  UserName: 
00:56:01.295    Initialize success
00:56:01.314    VM: initialized successfully
00:56:01.314    VM: Intel CPU supported 
00:56:04.510    VM: supported disk I/O ataport.SYS
00:57:17.292    AVAST engine defs: 15080402
00:57:31.847    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
00:57:31.847    Disk 0 Vendor: WDC_WD10EZRX-00L4HB0 01.01A01 Size: 953869MB BusType: 11
00:57:31.847    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0
00:57:31.862    Disk 1 Vendor: KINGSTON_SV300S37A120G 521ABBF0 Size: 114473MB BusType: 11
00:57:31.862    VM: Disk 1 MBR read successfully
00:57:31.878    Disk 1 MBR scan
00:57:31.878    Disk 1 Windows 7 default MBR code
00:57:31.878    Disk 1 Partition 1 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 2048
00:57:31.894    Disk 1 Boot: NTFS     code=2
00:57:31.894    Disk 1 Partition 2 00     07      HPFS/NTFS NTFS       114371 MB offset 206848
00:57:31.909    Disk 1 scanning C:\Windows\system32\drivers
00:57:33.734    Service scanning
00:57:37.690    Service MSICDSetup D:\CDriver64.sys **LOCKED** 21
00:57:37.999    Service NTIOLib_1_0_C D:\NTIOLib_X64.sys **LOCKED** 21
00:57:40.461    Modules scanning
00:57:40.461    Disk 1 trace - called modules:
00:57:40.477    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
00:57:40.493    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa80076a7060]
00:57:40.493    3 CLASSPNP.SYS[fffff8800141743f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800714c060]
00:57:40.805    AVAST engine scan C:\Windows
00:57:41.351    AVAST engine scan C:\Windows\system32
00:58:37.023    AVAST engine scan C:\Windows\system32\drivers
00:58:39.317    AVAST engine scan C:\Users\Jeenine
00:58:43.718    File: C:\Users\Jeenine\AppData\Roaming\WindowsUpdater\Updater.exe  **INFECTED** Win32:Dropper-gen [Drp]
00:58:45.662    AVAST engine scan C:\ProgramData
00:58:48.601    Disk 1 statistics 3924971/0/18 @ 88,91 MB/s
00:58:48.608    Scan finished successfully
01:00:25.123    Disk 1 MBR has been saved successfully to "C:\Users\Jeenine\Desktop\MBR.dat"
01:00:25.125    The log file has been saved successfully to "C:\Users\Jeenine\Desktop\aswMBR.txt"


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 07 August 2015 - 01:34 AM

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64-bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it in your reply.

Full System Scan with Malwarebytes Antimalware



  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

 



Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#9 Jeenine

Jeenine
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:45 AM

Posted 07 August 2015 - 01:50 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:06-08-2015
Ran by Jeenine (2015-08-07 02:47:39) Run:1
Running from C:\Users\Jeenine\Desktop
Loaded Profiles: Jeenine (Available Profiles: Jeenine)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
C:\Users\Jeenine\AppData\Roaming\WindowsUpdater
2015-07-24 18:06 - 2015-07-24 18:06 - 00000000 ____D C:\Program Files (x86)\Media Toolbar Extension
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2325793436-3083908946-974748653-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
 
CloseProcesses:
EmptyTemp:
Reboot:
*****************
 
C:\Users\Jeenine\AppData\Roaming\WindowsUpdater => moved successfully.
C:\Program Files (x86)\Media Toolbar Extension => moved successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2325793436-3083908946-974748653-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
Processes closed successfully.
EmptyTemp: => 597.2 MB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 02:47:42 ====

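The Fixlog above records what FRST moved and removed, but not whether anything is still in place to re-launch Updater.exe and repopulate %TEMP%. The following is an added example written for this thread, not a script from the thread or from the FRST author; it re-checks the fixlist items and walks the autostart locations a re-launcher would normally live in. The paths and policy keys are the ones from the fixlist; the `$suspect` pattern is an assumption about what a re-launcher would reference and should be widened as needed. It is read-only and runs on Windows 7 with PowerShell 2.0 from an elevated prompt.

```powershell
# Added example, not part of the thread: re-check the items the FRST fixlist acted on
# and look for whatever would re-launch Updater.exe. Read-only; run elevated.

$droppedDir = Join-Path $env:APPDATA 'WindowsUpdater'
$toolbarDir = Join-Path ${env:ProgramFiles(x86)} 'Media Toolbar Extension'   # x64 Windows assumed
$sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    "Registry::HKEY_USERS\$sid\SOFTWARE\Policies\Microsoft\Internet Explorer"
)
# Assumption: a re-launcher references the dropper folder, its exe, or the toolbar dir.
$suspect = 'WindowsUpdater|Updater\.exe|Media Toolbar Extension'

"== Items from the fixlist =="
foreach ($p in @($droppedDir, $toolbarDir) + $policyKeys) {
    $state = if (Test-Path -LiteralPath $p) { 'STILL PRESENT' } else { 'gone' }
    '{0,-14} {1}' -f $state, $p
}

"`n== Run / RunOnce values that reference the dropper =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath / PSParentPath noise
        if ([string]$prop.Value -match $suspect) { '{0}\{1} = {2}' -f $k, $prop.Name, $prop.Value }
    }
}

"`n== Scheduled tasks whose action references the dropper =="
# Task Scheduler 2.0 COM API: locale-independent and present on Windows 7,
# unlike the Get-ScheduledTask cmdlet (Windows 8 and later).
function Get-AllTasks($folder) {
    foreach ($t in $folder.GetTasks(1)) { $t }            # 1 = TASK_ENUM_HIDDEN
    foreach ($f in $folder.GetFolders(0)) { Get-AllTasks $f }
}
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
foreach ($task in Get-AllTasks ($svc.GetFolder('\'))) {
    $xml = [xml]$task.Xml
    foreach ($exec in @($xml.Task.Actions.Exec)) {
        if ($null -eq $exec) { continue }                 # task has no Exec action (e.g. COM handler)
        $cmd = "$($exec.Command) $($exec.Arguments)".Trim()
        if ($cmd -match $suspect) { '{0}: {1}' -f $task.Path, $cmd }
    }
}

"`n== Executables created in %TEMP% during the last 24 hours =="
# EmptyTemp: cleared %TEMP% during the fix; anything executable that has reappeared
# since is the thing to submit for analysis before removing it again.
$since = (Get-Date).AddHours(-24)
Get-ChildItem -Path $env:TEMP -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    ForEach-Object { '{0}  {1,10} bytes  {2}' -f $_.CreationTime, $_.Length, $_.FullName }
```

If the fixlist items show as gone but a Run value or task still matches, that entry is the re-dropper and should be reported to the helper rather than deleted blindly; if everything is clean and an executable still reappears in %TEMP%, the launcher is somewhere this script does not look (a service, a browser extension, a shim, or a WMI subscription).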

#10 Jeenine

Jeenine
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:45 AM

Posted 07 August 2015 - 02:20 AM

<?xml version="1.0" encoding="UTF-8" ?>
<logs>
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T02:48:31.439048-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="e528b38d-6ace-4d9b-9cae-eba690cb5067" result="Starting" subtype="Malware Protection" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T02:48:31.460049-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="2307841c-fa4c-4bcb-a537-323df38d9a47" result="Started" subtype="Malware Protection" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T02:48:31.484050-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="3baa2de4-9455-452d-9d48-c7f44b9e20a1" result="Starting" subtype="Malicious Website Protection" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T02:48:32.265095-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="e802796c-effa-4a8a-b242-f98653194694" result="Started" subtype="Malicious Website Protection" />
  <record severity="debug" LoggingEventType="1" datetime="2015-08-07T02:52:32.572154-04:00" source="Manual" type="Update" username="SYSTEM" systemname="JARVIS" fromVersion="2015.7.30.1" last_modified_tag="de0dd837-e872-4aa4-8d94-e0c626063c13" name="Rootkit Database" toVersion="2015.8.6.1" />
  <record severity="debug" LoggingEventType="1" datetime="2015-08-07T02:52:35.193958-04:00" source="Manual" type="Update" username="SYSTEM" systemname="JARVIS" fromVersion="2015.8.1.6" last_modified_tag="26b33382-9d6e-4ab8-aae9-d6c5c89a6db1" name="Malware Database" toVersion="2015.8.7.1" />
  <record severity="debug" LoggingEventType="6" datetime="2015-08-07T03:00:04.000257-04:00" source="Manual" type="Scan" username="SYSTEM" systemname="JARVIS" duration="185" last_modified_tag="b52a6f98-879a-4bef-8460-444c573c77b4" malwaredetections="0" nonmalwaredetections="4" scanresult="completed" scantype="threat" starttime="2015-08-07T02:56:34-04:00" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T03:00:47.284444-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="be7b9678-002d-448e-98b4-c32dd24d6844" result="Starting" subtype="Malware Protection" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T03:00:47.303445-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="4876e8b6-cf45-4b7e-af82-ca9cb1c5a607" result="Started" subtype="Malware Protection" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T03:00:47.326446-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="606746a6-5424-45ba-bc9e-5613c7e3c1a1" result="Starting" subtype="Malicious Website Protection" />
  <record severity="debug" LoggingEventType="2" datetime="2015-08-07T03:00:48.094490-04:00" source="Protection" type="Protection" username="SYSTEM" systemname="JARVIS" last_modified_tag="687cd870-d078-4f27-96a0-ad52d50c821e" result="Started" subtype="Malicious Website Protection" />
  </logs>


#11 Jeenine

Jeenine
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:45 AM

Posted 07 August 2015 - 02:40 AM

C:\FRST\Quarantine\C\Users\Jeenine\AppData\Roaming\WindowsUpdater\Updater.exe a variant of MSIL/Adware.OxyPumper.D application
C:\Windows\System32\roboot64.exe a variant of Win64/Systweak.A potentially unwanted application


I'm not sure this is the right log, but I don't see anything else (ESET scanner).
I did not delete those threats either, please tell me when I can delete them.
*Thanks again (a lot)

Edited by Jeenine, 07 August 2015 - 02:56 AM.


#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:10:45 AM

Posted 07 August 2015 - 08:51 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.



Tell me: Are any problems left now or may I post the final reply? :)


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#13 Jeenine

Jeenine
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:45 AM

Posted 07 August 2015 - 01:47 PM

# AdwCleaner v4.208 - Logfile created 07/08/2015 at 14:45:50
# Updated 09/07/2015 by Xplode
# Database : 2015-07-09.2 [Local]
# Operating system : Windows 7 Ultimate  (x64)
# Username : Jeenine - JARVIS
# Running from : C:\Users\Jeenine\Desktop\adwcleaner_4.208.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accelerer PC
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\FlashGamesRockstar
File Deleted : C:\Windows\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
File Deleted : C:\Windows\System32\roboot64.exe
 
***** [ Scheduled tasks ] *****
 
Task Deleted : RDReminder
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
Key Deleted : HKCU\Software\powerpack
Key Deleted : HKCU\Software\ContentExplorer
Key Deleted : HKLM\SOFTWARE\Br MediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentExplorer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FlashGamesRockstar
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.7600.17267
 
 
-\\ Google Chrome v44.0.2403.130
 
 
*************************
 
AdwCleaner[R0].txt - [1819 bytes] - [07/08/2015 14:45:23]
AdwCleaner[S0].txt - [1682 bytes] - [07/08/2015 14:45:50]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1741  bytes] ##########

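One line in the AdwCleaner log above deserves more attention than the toolbar leftovers: `File Deleted : C:\Windows\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb`. That directory holds custom application-compatibility shim databases; a shim registered there is applied by the loader to whichever executable it names, which makes it a persistence point that Run-key and scheduled-task checks never see. The log shows only the file being deleted, so the following added example (written for this thread, not a script from the thread or from AdwCleaner) enumerates the registry side, `AppCompatFlags\InstalledSDB` and `AppCompatFlags\Custom`, and cross-checks it against the .sdb files still on disk. Read-only; run elevated on Windows 7 or later.

```powershell
# Added example, not part of the thread: list installed application-compatibility
# shim databases and flag .sdb files on disk that have no InstalledSDB registration
# (or registrations whose file is gone). Read-only; run elevated.

$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$sdbDirs      = @("$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64")

function Get-Sha256($path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($path)))) -replace '-', ''
}

"== Registered shim databases (InstalledSDB) =="
$registered = @{}                                   # GUID -> DatabasePath
if (Test-Path $installedKey) {
    Get-ChildItem $installedKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $registered[$_.PSChildName] = $p.DatabasePath
        # DatabaseInstallTimeStamp is a FILETIME stored as REG_QWORD
        $ts = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp) } else { $null }
        $onDisk = if ($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath)) { 'yes' } else { 'MISSING' }
        New-Object PSObject -Property @{
            Guid = $_.PSChildName; Description = $p.DatabaseDescription
            Path = $p.DatabasePath; Installed = $ts; FileOnDisk = $onDisk
        }
    } | Select-Object Guid, Description, Path, Installed, FileOnDisk | Format-Table -AutoSize
}

"`n== Executables with a custom shim bound to them (AppCompatFlags\Custom) =="
# One subkey per target executable; each value is named after the {GUID}.sdb it maps to.
if (Test-Path $customKey) {
    Get-ChildItem $customKey | ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty -Path $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object { '{0,-30} <- {1}' -f $exe, $_.Name }
    }
}

"`n== .sdb files on disk =="
foreach ($dir in $sdbDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.sdb | ForEach-Object {
        $guid   = $_.BaseName                       # custom shims are stored as {GUID}.sdb
        $status = if ($registered.ContainsKey($guid)) { 'registered' } else { 'ORPHAN: no InstalledSDB entry' }
        '{0}  created {1}  sha256 {2}  [{3}]' -f $_.FullName, $_.CreationTime, (Get-Sha256 $_.FullName), $status
    }
}
```

On a machine with no compatibility fixes deployed, all three sections should be empty. Anything listed should be explained by a known installer; a shim bound to a browser or to a Windows binary, with a creation time matching the other adware entries, is not. The supported way to remove one is `sdbinst -q -u "<path to .sdb>"` (or `sdbinst -u -g "{GUID}"`), which clears both registry keys along with the file; deleting the file alone leaves the registrations behind, which this script reports as a registration whose file is MISSING.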

#14 Jeenine

Jeenine
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:45 AM

Posted 07 August 2015 - 01:54 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.5 (08.05.2015:1)
OS: Windows 7 Ultimate x64
Ran by Jeenine on 2015-08-07 at 14:51:56,12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
Successfully deleted: [Task] C:\Windows\system32\tasks\DLL-Files.Com Fixer_MONTHLY
Successfully deleted: [Task] C:\Windows\system32\tasks\DLL-Files.Com Fixer_Updates
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\ProgramData\google
Successfully deleted: [Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\(default)
Successfully deleted: [Folder] C:\Users\Jeenine\AppData\Roaming\dll-files.com
Successfully deleted: [Folder] C:\Users\Jeenine\Appdata\Local\15554
 
 
 
~~~ Chrome
 
 
[C:\Users\Jeenine\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Jeenine\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Jeenine\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Jeenine\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
  booedmolknjekdopkepjjeckmjkdpfgl,
  flpcjncodpafbgdpnkljologafpionhb
]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2015-08-07 at 14:53:21,04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#15 Jeenine

Jeenine
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:45 AM

Posted 07 August 2015 - 01:58 PM

 Results of screen317's Security Check version 1.006  
 Windows 7  x64 (UAC is enabled)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 45  
 Java SE Development Kit 8 Update 25 
 Java version 32-bit out of Date! 
 Google Chrome (44.0.2403.125) 
 Google Chrome (44.0.2403.130) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 7% 
````````````````````End of Log`````````````````````` 


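Two findings in the SecurityCheck output above are worth following up directly rather than through the tool: the Windows Security Center service not running (which also explains why no antivirus WMI entry was found, since that service is what populates `root\SecurityCenter2`), and the out-of-date 32-bit Java. The following added example, written for this thread and not taken from SecurityCheck or the thread, reproduces those checks with built-in cmdlets. The `productState` bit layout in `root\SecurityCenter2` is not documented by Microsoft; the decoding used here is the commonly observed one and is an assumption. Run elevated on Windows 7 or later.

```powershell
# Added example, not part of the thread: check the Security Center service, what is
# registered with it, and which Java versions are installed. Read-only; run elevated.

"== Security Center service (wscsvc) =="
Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'" |
    Select-Object Name, State, StartMode, StartName | Format-List

"`n== Products registered with Security Center (root\SecurityCenter2) =="
# Empty output here is itself a finding when an AV is installed: either wscsvc is not
# running or the product never registered, and both mean Windows cannot warn when it is off.
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
    $items = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue)
    if ($items.Count -eq 0) { '{0,-20} (nothing registered)' -f $class; continue }
    foreach ($i in $items) {
        # Assumed layout of productState, e.g. 0x041000: middle byte 0x10 = real-time
        # protection on (0x00 = off, 0x01 = snoozed); low byte 0x00 = signatures current.
        $hex      = '{0:X6}' -f [int]$i.productState
        $enabled  = $hex.Substring(2, 2) -eq '10'
        $upToDate = $hex.Substring(4, 2) -eq '00'
        '{0,-20} {1,-35} enabled={2} upToDate={3} exe={4}' -f $class, $i.displayName, $enabled, $upToDate, $i.pathToSignedProductExe
    }
}

"`n== Installed Java runtimes and JDKs (Uninstall registry, 64-bit and 32-bit views) =="
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString |
    Sort-Object DisplayName | Format-Table -AutoSize
```

If `wscsvc` reports `State: Stopped` with `StartMode: Disabled`, that is not a default Windows 7 setting and is worth mentioning to the helper before re-enabling it (`sc config wscsvc start= delayed-auto` followed by `sc start wscsvc`), since adware and PUP installers sometimes disable it to suppress the "no antivirus" warning. The Java listing gives the exact uninstall entries to remove; SecurityCheck only reports that the 32-bit runtime is out of date, not which of the several entries it is.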


