Infected with Adobe Flash Player Pop-Up Virus


  • This topic is locked
24 replies to this topic

#1 riley45


  • Members
  • 138 posts
  • Gender:Male

Posted 13 August 2015 - 12:43 AM

I have a Windows 8.1 64-bit PC. I was away on vacation for a few days and did not use my PC. When I returned home this evening, I opened Internet Explorer to check my email (Juno is my email provider) and a few websites that I regularly visit (and hence believe are safe).

 

While Internet Explorer was open, I began to periodically receive pop-up windows titled "Adobe Flash Player" followed by the phrase "An ActionError script has occurred" and then a few lines describing the supposed error.  Each of these pop-up windows needs to be closed in order to continue working on the internet.  Often several of these pop-up windows appear in succession, and each needs to be closed in order to continue work on the internet.

 

The contents of these pop-up messages differ somewhat, but they all seem to be slight variations of one another.  Based on the wording of these messages, I believe that they are fake.

 

Here is an example of one of these pop-up messages:

 

SecurityError: Error #2148: SWF file http://p.jwpcdn.com/6/12/jwplayer.flash.swf cannot access local resource res://ieframe.dll/navcancl.htm?busted=18653. Only local-with-filesystem and trusted local SWF files may access local resources.
 at flash.display::Loader/_load()
 at flash.display::Loader/load()
 at com.longtailvideo.jwplayer.view::View/loadImage()
 at com.longtailvideo.jwplayer.view::View/_imageTimerHandler()
 at flash.events::EventDispatcher/dispatchEventFunction()
 at flash.events::EventDispatcher/dispatchEvent()
 at flash.utils::Timer/tick()

 

As a point of information, these pop-up messages seem to appear only when my Juno email is open.

 

I ran a Malwarebytes Free Edition scan which found no threats or malicious files.

 

I also ran the Farbar Recovery Security Tool.  Below is the content of the FRST.txt file, while the Addition.txt file is attached.

 

Any guidance that you can provide in helping me remove this virus would be greatly appreciated. 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:12-08-2015

Ran by knemlick (administrator) on KENPC (13-08-2015 00:33:47)

Running from C:\Users\knemlick\Desktop

Loaded Profiles: knemlick (Available Profiles: knemlick)

Platform: Windows 8.1 (X64) Language: English (United States)

Internet Explorer Version 11 (Default browser: IE)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe

(Microsoft Corporation) C:\Windows\System32\wlanext.exe

(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe

(Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\Realtek Bluetooth\AvrcpService.exe

() C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTDevMgr.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe

() C:\Program Files\CyberLink\Shared files\RichVideo64.exe

() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe

(MAGIX AG) C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe

(AMD) C:\Windows\System32\atieclxx.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\N360.exe

() C:\Program Files (x86)\ASUS\ASUS Manager\PC Cleanup\SecureDeleteBackground.exe

(ASUSTeK) C:\Program Files (x86)\ASUS\ASUS Manager\Power Manager\Power Manager_background.exe

(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Manager\AsHKService.exe

(Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe

(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE

(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\N360.exe

(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe

(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe

(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe

(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSPanel.exe

(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\winword.exe

(Microsoft Corporation) C:\Windows\splwow64.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe

 

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7199448 2013-09-05] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)

HKLM\...\Run: [BtServer] => C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe [280576 2013-09-25] (Realtek Semiconductor Corporation)

HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3216032 2014-04-25] (ASUSTek Computer Inc.)

HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\ASUSWSLoader.exe [63296 2013-08-16] ()

HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-19] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [95192 2013-03-08] (CyberLink Corp.)

Startup: C:\Users\knemlick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2014-09-14]

ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()

Startup: C:\Users\knemlick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2014-11-10]

ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.2.15\buShell.dll [2015-07-13] (Symantec Corporation)

ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.2.15\buShell.dll [2015-07-13] (Symantec Corporation)

ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.2.15\buShell.dll [2015-07-13] (Symantec Corporation)

ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://google.com

SearchScopes: HKLM -> DefaultScope value is missing

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 -> DefaultScope value is missing

SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-21-3351969478-1937094124-811777867-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=S1122&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869

BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-06-09] (Microsoft Corporation)

BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.2.15\coIEPlg.dll [2015-07-09] (Symantec Corporation)

BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-06-16] (Microsoft Corporation)

BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\coIEPlg.dll [2015-07-09] (Symantec Corporation)

BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File

Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.2.15\coIEPlg.dll [2015-07-09] (Symantec Corporation)

Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\coIEPlg.dll [2015-07-09] (Symantec Corporation)

Toolbar: HKU\S-1-5-21-3351969478-1937094124-811777867-1002 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\22.5.2.15\coIEPlg.dll [2015-07-09] (Symantec Corporation)

DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Tcpip\..\Interfaces\{26BE4CCA-DD37-4358-8535-07EBE3858AAC}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Tcpip\..\Interfaces\{8E18BFBB-B2D7-4C9D-A0AE-8A1C7A3A925A}: [DhcpNameServer] 192.168.1.1

FireFox:

========

FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-11-10] (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-01-10] (Microsoft Corporation)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)

FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn

FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn [2015-08-12]

Chrome:

=======

CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\Exts\Chrome.crx [2015-08-04]

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\Exts\Chrome.crx [2015-08-04]

CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-08-19] (Advanced Micro Devices, Inc.) [File not signed]

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2013-11-06] ()

R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe [71680 2013-08-16] (ASUS Cloud Corporation) [File not signed]

R2 AvrcpService; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\AvrcpService.exe [35328 2013-05-07] (Realtek Semiconductor Corporation) [File not signed]

R2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [59392 2013-09-26] () [File not signed]

S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2753720 2015-07-01] (Microsoft Corporation)

R2 Fabs; C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [1858048 2012-01-23] (MAGIX AG) [File not signed]

S3 FirebirdServerMAGIXInstance; C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2702848 2011-04-26] (MAGIX®) [File not signed]

S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)

R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\22.5.2.15\N360.exe [282016 2015-07-16] (Symantec Corporation)

R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()

S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()

R0 assdv2; C:\Windows\System32\Drivers\assdv2.sys [21816 2013-12-05] ()

R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-22] (Advanced Micro Devices)

R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\BASHDefs\20150810.001\BHDrvx64.sys [1650936 2015-07-23] (Symantec Corporation)

R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-12] (Microsoft Corporation)

R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1605020.00F\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-07-27] (Symantec Corporation)

R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\IPSDefs\20150812.001\IDSvia64.sys [692984 2015-08-12] (Symantec Corporation)

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)

S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)

R3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20150812.003\ENG64.SYS [138488 2015-05-20] (Symantec Corporation)

R3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20150812.003\EX64.SYS [2146040 2015-05-20] (Symantec Corporation)

R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [548056 2013-09-05] (Realtek Semiconductor Corporation)

R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2944216 2013-08-21] (Realtek Semiconductor Corporation )

R1 SRTSP; C:\Windows\System32\Drivers\N360x64\1605020.00F\SRTSP64.SYS [926448 2015-07-10] (Symantec Corporation)

R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1605020.00F\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)

R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1605020.00F\SYMEFASI64.SYS [1620720 2015-07-10] (Symantec Corporation)

S0 SymELAM; C:\Windows\System32\drivers\N360x64\1605020.00F\SymELAM.sys [24192 2015-07-10] (Symantec Corporation)

R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-04] (Symantec Corporation)

R1 SymIRON; C:\Windows\system32\drivers\N360x64\1605020.00F\Ironx64.SYS [297720 2015-07-10] (Symantec Corporation)

R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1605020.00F\SYMNETS.SYS [576248 2015-07-10] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-13 00:33 - 2015-08-13 00:33 - 00015868 _____ C:\Users\knemlick\Desktop\FRST.txt

2015-08-13 00:30 - 2015-08-13 00:30 - 02173952 _____ (Farbar) C:\Users\knemlick\Desktop\FRST64.exe

2015-08-12 20:15 - 2015-08-12 20:15 - 00000000 ____D C:\Windows\System32\Tasks\Norton 360

2015-08-12 20:07 - 2015-08-12 20:07 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Suite

2015-08-12 18:26 - 2015-07-30 09:04 - 00124624 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll

2015-08-12 18:26 - 2015-07-30 08:48 - 00103120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll

2015-08-12 18:10 - 2015-07-18 20:58 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe

2015-08-12 18:10 - 2015-07-18 13:51 - 03704320 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll

2015-08-12 18:10 - 2015-07-18 13:31 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll

2015-08-12 18:10 - 2015-07-18 13:31 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll

2015-08-12 18:10 - 2015-07-18 13:31 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe

2015-08-12 18:10 - 2015-07-18 13:29 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll

2015-08-12 18:10 - 2015-07-18 13:29 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll

2015-08-12 18:10 - 2015-07-18 13:29 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

2015-08-12 18:10 - 2015-07-18 13:28 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll

2015-08-12 18:10 - 2015-07-18 13:12 - 02228736 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll

2015-08-12 18:10 - 2015-07-18 13:10 - 00891904 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll

2015-08-12 18:10 - 2015-07-18 13:09 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll

2015-08-12 18:10 - 2015-07-16 16:14 - 25192448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2015-08-12 18:10 - 2015-07-16 15:20 - 19870208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2015-08-12 18:10 - 2015-07-16 14:34 - 14451200 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2015-08-12 18:10 - 2015-06-09 13:27 - 00411133 _____ C:\Windows\system32\ApnDatabase.xml

2015-08-12 18:09 - 2015-07-29 09:37 - 01994752 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll

2015-08-12 18:09 - 2015-07-29 09:30 - 01381888 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll

2015-08-12 18:09 - 2015-07-29 09:23 - 01559552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2015-08-12 18:09 - 2015-07-28 18:24 - 00025776 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe

2015-08-12 18:09 - 2015-07-28 09:24 - 01148416 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2015-08-12 18:09 - 2015-07-28 09:24 - 01116160 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll

2015-08-12 18:09 - 2015-07-28 09:24 - 00774144 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll

2015-08-12 18:09 - 2015-07-28 09:24 - 00743424 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll

2015-08-12 18:09 - 2015-07-28 09:24 - 00437248 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll

2015-08-12 18:09 - 2015-07-28 09:24 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll

2015-08-12 18:09 - 2015-07-24 13:57 - 04177408 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2015-08-12 18:09 - 2015-07-24 13:57 - 00358912 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll

2015-08-12 18:09 - 2015-07-24 13:52 - 00044032 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll

2015-08-12 18:09 - 2015-07-24 12:27 - 00301568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2015-08-12 18:09 - 2015-07-24 12:23 - 00035840 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2015-08-12 18:09 - 2015-07-16 15:36 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2015-08-12 18:09 - 2015-07-16 15:36 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec

2015-08-12 18:09 - 2015-07-16 15:35 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2015-08-12 18:09 - 2015-07-16 15:26 - 05923328 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2015-08-12 18:09 - 2015-07-16 15:23 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2015-08-12 18:09 - 2015-07-16 15:21 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2015-08-12 18:09 - 2015-07-16 14:53 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll

2015-08-12 18:09 - 2015-07-16 14:51 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2015-08-12 18:09 - 2015-07-16 14:50 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec

2015-08-12 18:09 - 2015-07-16 14:45 - 02279424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2015-08-12 18:09 - 2015-07-16 14:45 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll

2015-08-12 18:09 - 2015-07-16 14:41 - 00479232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2015-08-12 18:09 - 2015-07-16 14:39 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2015-08-12 18:09 - 2015-07-16 14:38 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll

2015-08-12 18:09 - 2015-07-16 14:36 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2015-08-12 18:09 - 2015-07-16 14:32 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2015-08-12 18:09 - 2015-07-16 14:14 - 02880000 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll

2015-08-12 18:09 - 2015-07-16 14:13 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll

2015-08-12 18:09 - 2015-07-16 14:12 - 04520448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2015-08-12 18:09 - 2015-07-16 14:12 - 02427904 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2015-08-12 18:09 - 2015-07-16 14:10 - 12856832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2015-08-12 18:09 - 2015-07-16 14:06 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2015-08-12 18:09 - 2015-07-16 14:01 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2015-08-12 18:09 - 2015-07-16 13:52 - 01048576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll

2015-08-12 18:09 - 2015-07-16 13:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2015-08-12 18:09 - 2015-07-16 13:42 - 01951232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2015-08-12 18:09 - 2015-07-16 13:38 - 01310720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2015-08-12 18:09 - 2015-07-16 13:37 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2015-08-12 18:09 - 2015-07-15 19:29 - 07458648 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe

2015-08-12 18:09 - 2015-07-15 19:29 - 01735000 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll

2015-08-12 18:09 - 2015-07-15 19:29 - 00101720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys

2015-08-12 18:09 - 2015-07-15 19:28 - 01499920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll

2015-08-12 18:09 - 2015-07-14 16:59 - 01113944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys

2015-08-12 18:09 - 2015-07-14 16:59 - 00487256 _____ (Microsoft Corporation) C:\Windows\system32\netcfgx.dll

2015-08-12 18:09 - 2015-07-14 16:59 - 00393560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netcfgx.dll

2015-08-12 18:09 - 2015-07-13 22:22 - 02529880 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll

2015-08-12 18:09 - 2015-07-13 22:21 - 01901776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2015-08-12 18:09 - 2015-07-13 14:46 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll

2015-08-12 18:09 - 2015-07-13 14:45 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\basesrv.dll

2015-08-12 18:09 - 2015-07-10 13:19 - 01101824 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll

2015-08-12 18:09 - 2015-07-10 12:54 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\sysmain.dll

2015-08-12 18:09 - 2015-07-10 12:42 - 02345472 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

2015-08-12 18:09 - 2015-07-10 12:14 - 00856064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll

2015-08-12 18:09 - 2015-07-10 12:13 - 07032320 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll

2015-08-12 18:09 - 2015-07-10 11:47 - 01556992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2015-08-12 18:09 - 2015-07-10 11:31 - 06213120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll

2015-08-12 18:09 - 2015-07-09 12:13 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\notepad.exe

2015-08-12 18:09 - 2015-07-09 12:13 - 00221184 _____ (Microsoft Corporation) C:\Windows\notepad.exe

2015-08-12 18:09 - 2015-07-09 11:30 - 00212992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe

2015-08-12 18:09 - 2015-07-07 04:40 - 00270168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys

2015-08-12 18:09 - 2015-07-07 04:40 - 00114520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdNisDrv.sys

2015-08-12 18:09 - 2015-07-07 04:40 - 00044560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys

2015-08-12 18:09 - 2015-07-01 17:19 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll

2015-08-12 18:09 - 2015-07-01 17:16 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll

2015-08-12 18:09 - 2015-07-01 16:37 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll

2015-08-12 18:09 - 2015-07-01 16:35 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll

2015-08-12 18:09 - 2015-06-12 12:03 - 18823680 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Xaml.dll

2015-08-12 18:09 - 2015-06-12 11:36 - 15159296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Xaml.dll

2015-08-12 18:09 - 2015-06-11 15:12 - 02476376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys

2015-08-12 18:09 - 2015-06-11 15:12 - 00428888 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS

2015-08-12 18:09 - 2015-05-11 19:24 - 00536920 _____ (Microsoft Corporation) C:\Windows\system32\mcupdate_GenuineIntel.dll

2015-07-31 09:34 - 2015-08-12 18:55 - 00000000 ____D C:\Windows\System32\Tasks\Remediation

2015-07-30 14:32 - 2015-07-30 14:33 - 00000000 ____D C:\Users\knemlick\Documents\Jake Sherman

2015-07-22 20:13 - 2015-07-22 20:13 - 00944818 _____ C:\Users\knemlick\Documents\Text%20for%20July28,%202015

2015-07-18 13:07 - 2015-07-18 13:07 - 00000000 ____D C:\Program Files\Common Files\AV

2015-07-14 14:52 - 2015-07-09 13:40 - 00359936 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll

2015-07-14 14:52 - 2015-06-28 00:07 - 00442712 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll

2015-07-14 14:52 - 2015-06-28 00:07 - 00178008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys

2015-07-14 14:52 - 2015-06-28 00:06 - 01311960 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll

2015-07-14 14:52 - 2015-06-28 00:06 - 00332120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll

2015-07-14 14:52 - 2015-06-27 11:42 - 00747520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll

2015-07-14 14:52 - 2015-06-26 22:13 - 00202240 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys

2015-07-14 14:52 - 2015-06-26 22:12 - 00401408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys

2015-07-14 14:52 - 2015-06-26 22:12 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys

2015-07-14 14:52 - 2015-06-26 22:08 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll

2015-07-14 14:52 - 2015-06-26 22:08 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll

2015-07-14 14:52 - 2015-06-26 21:40 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll

2015-07-14 14:52 - 2015-06-26 21:14 - 00027136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll

2015-07-14 14:52 - 2015-06-26 21:05 - 01441792 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2015-07-14 14:52 - 2015-06-26 21:00 - 00989184 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2015-07-14 14:52 - 2015-06-26 20:53 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll

2015-07-14 14:52 - 2015-06-26 20:26 - 00802816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

2015-07-14 14:52 - 2015-06-15 17:41 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe

2015-07-14 14:52 - 2015-06-15 17:24 - 03320320 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll

2015-07-14 14:52 - 2015-06-15 16:16 - 00059904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe

2015-07-14 14:52 - 2015-06-15 16:09 - 03607552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

2015-07-14 14:52 - 2015-06-15 15:50 - 02774528 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll

2015-07-14 14:52 - 2015-06-15 14:57 - 02460160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2015-07-14 14:52 - 2015-05-30 16:18 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\werdiagcontroller.dll

2015-07-14 14:52 - 2015-05-30 14:36 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll

2015-07-14 14:52 - 2015-05-30 14:35 - 00911360 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll

2015-07-14 14:52 - 2015-05-11 13:17 - 01201664 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\bthport.sys

2015-07-14 14:52 - 2015-05-07 12:50 - 22292672 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll

2015-07-14 14:52 - 2015-05-07 12:00 - 03109376 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll

2015-07-14 14:52 - 2015-05-07 11:53 - 19734960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2015-07-14 14:52 - 2015-05-07 11:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll

2015-07-14 14:52 - 2015-05-07 10:21 - 00522240 _____ (Microsoft Corporation) C:\Windows\system32\GeofenceMonitorService.dll

2015-07-14 14:52 - 2015-05-07 10:05 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GeofenceMonitorService.dll

2015-07-14 14:52 - 2015-05-02 19:39 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll

2015-07-14 14:52 - 2015-04-29 18:22 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\WiFiDisplay.dll

2015-07-14 14:51 - 2015-06-26 18:21 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll

2015-07-14 14:51 - 2015-05-03 10:09 - 00274944 _____ (Microsoft Corporation) C:\Windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll

2015-07-14 14:51 - 2015-05-03 09:58 - 00210944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll

2015-07-14 14:51 - 2015-05-03 09:55 - 00971776 _____ (Microsoft Corporation) C:\Windows\system32\WSShared.dll

2015-07-14 14:51 - 2015-05-03 09:49 - 00811008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSShared.dll

2015-07-14 14:51 - 2015-04-24 21:25 - 00020992 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usb8023.sys

2015-07-14 14:51 - 2014-11-04 14:25 - 00059712 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\kbdclass.sys

2015-07-14 14:51 - 2014-11-04 14:25 - 00051008 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\mouclass.sys

2015-07-14 14:51 - 2014-11-04 01:55 - 00026112 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\sermouse.sys

2015-07-14 14:51 - 2014-11-04 01:54 - 00108544 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\i8042prt.sys

2015-07-14 14:51 - 2014-11-04 01:54 - 00032256 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\kbdhid.sys

2015-07-14 14:51 - 2014-11-04 01:54 - 00030208 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\mouhid.sys

2015-07-14 14:50 - 2015-06-16 00:36 - 01661576 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll

2015-07-14 14:50 - 2015-06-16 00:36 - 01212248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll

2015-07-14 14:50 - 2015-06-15 17:38 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll

2015-07-14 14:50 - 2015-06-15 17:02 - 00087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx

2015-07-14 14:50 - 2015-06-15 16:58 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2015-07-14 14:50 - 2015-06-15 16:57 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2015-07-14 14:50 - 2015-06-15 16:55 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2015-07-14 14:50 - 2015-06-15 16:13 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll

2015-07-14 14:50 - 2015-06-15 15:47 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx

2015-07-14 14:50 - 2015-06-15 15:44 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2015-07-14 14:50 - 2015-06-15 15:43 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2015-07-14 14:50 - 2015-06-15 15:42 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll

2015-07-14 14:50 - 2015-06-15 15:41 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2015-07-14 14:50 - 2015-06-15 15:32 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll

2015-07-14 14:50 - 2015-06-15 15:30 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2015-07-14 14:50 - 2015-06-15 15:30 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2015-07-14 14:50 - 2015-06-10 22:49 - 01380600 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll

2015-07-14 14:50 - 2015-06-10 11:13 - 01097216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll

2015-07-14 14:50 - 2015-05-12 08:19 - 00294912 _____ (Microsoft Corporation) C:\Windows\system32\SystemEventsBrokerServer.dll

2015-07-14 14:50 - 2015-05-11 11:34 - 00332800 _____ (Microsoft Corporation) C:\Windows\system32\fhcpl.dll

2015-07-14 14:50 - 2015-05-07 11:47 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\apphelp.dll

2015-07-14 14:50 - 2015-05-03 10:07 - 07784448 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll

2015-07-14 14:50 - 2015-05-03 09:57 - 05264384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll

2015-07-14 14:50 - 2015-04-28 08:13 - 00513480 _____ C:\Windows\SysWOW64\locale.nls

2015-07-14 14:50 - 2015-04-28 08:13 - 00513480 _____ C:\Windows\system32\locale.nls

2015-07-14 14:50 - 2015-04-23 10:47 - 03084288 _____ (Microsoft Corporation) C:\Windows\system32\msftedit.dll

2015-07-14 14:50 - 2015-04-23 10:16 - 02471424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msftedit.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-13 00:33 - 2014-09-05 22:12 - 00000000 ____D C:\FRST

2015-08-13 00:29 - 2014-05-26 02:56 - 01782740 _____ C:\Windows\WindowsUpdate.log

2015-08-13 00:00 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\sru

2015-08-12 23:54 - 2014-08-16 00:01 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3351969478-1937094124-811777867-1002

2015-08-12 23:49 - 2014-09-06 13:28 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2015-08-12 23:48 - 2014-09-06 13:28 - 00001121 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2015-08-12 23:48 - 2014-09-06 13:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2015-08-12 23:48 - 2014-09-06 13:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware

2015-08-12 23:33 - 2014-08-30 14:57 - 00000000 ____D C:\Users\knemlick\Documents\Taxes

2015-08-12 23:31 - 2014-10-15 01:26 - 00004974 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for KENPC-knemlick KenPC

2015-08-12 23:23 - 2014-09-15 23:21 - 00000000 ____D C:\Users\knemlick\AppData\Local\CrashDumps

2015-08-12 23:18 - 2014-08-15 23:55 - 02627943 _____ C:\Users\knemlick\AppData\Local\BTServer.log

2015-08-12 22:50 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\ELAM

2015-08-12 20:13 - 2014-09-08 06:51 - 00000000 ___DO C:\Users\knemlick\OneDrive

2015-08-12 20:10 - 2014-09-14 15:09 - 00000000 ____D C:\ProgramData\Norton

2015-08-12 20:09 - 2014-04-25 17:32 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI

2015-08-12 20:07 - 2014-09-14 15:15 - 00003228 _____ C:\Windows\System32\Tasks\Norton WSC Integration

2015-08-12 20:07 - 2014-09-14 15:15 - 00002385 _____ C:\Users\Public\Desktop\Norton Security Suite.LNK

2015-08-12 20:07 - 2014-09-14 15:14 - 00000000 ____D C:\Windows\system32\Drivers\N360x64

2015-08-12 20:07 - 2013-08-22 10:36 - 00000000 ___HD C:\Windows\ELAMBKUP

2015-08-12 20:03 - 2013-08-22 09:46 - 00035797 _____ C:\Windows\setupact.log

2015-08-12 20:03 - 2013-08-22 09:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2015-08-12 20:03 - 2013-08-22 09:44 - 00569528 _____ C:\Windows\system32\FNTCACHE.DAT

2015-08-12 20:02 - 2014-04-25 16:22 - 00192604 _____ C:\Windows\PFRO.log

2015-08-12 18:58 - 2015-04-16 15:17 - 00000000 ____D C:\Windows\system32\appraiser

2015-08-12 18:58 - 2015-03-03 07:37 - 00000000 ___SD C:\Windows\system32\CompatTel

2015-08-12 18:58 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools

2015-08-12 18:58 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools

2015-08-12 18:58 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender

2015-08-12 18:58 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender

2015-08-12 18:27 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\AppReadiness

2015-08-12 18:27 - 2013-08-22 10:20 - 00000000 ____D C:\Windows\CbsTemp

2015-08-12 18:24 - 2014-08-15 22:57 - 00000000 ____D C:\Windows\system32\MRT

2015-08-12 18:21 - 2014-08-15 22:57 - 132483416 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2015-08-12 18:15 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2015-08-12 18:15 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2015-08-08 08:55 - 2014-08-16 00:14 - 00794088 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2015-08-08 08:55 - 2014-08-16 00:14 - 00179688 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2015-08-07 01:08 - 2015-05-14 23:41 - 00000000 ____D C:\Users\knemlick\Documents\Marcela Kepicova

2015-08-06 18:03 - 2014-08-30 21:30 - 00039936 _____ C:\Users\knemlick\Documents\Tutoring Income.xlr

2015-08-06 10:05 - 2014-09-08 07:09 - 00000000 ____D C:\Users\knemlick\AppData\Local\Packages

2015-08-04 22:39 - 2014-09-14 15:15 - 00111344 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

2015-08-04 22:39 - 2014-09-14 15:15 - 00008214 _____ C:\Windows\system32\Drivers\SYMEVENT64x86.CAT

2015-08-04 22:39 - 2014-09-14 15:15 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2015-08-04 22:37 - 2014-09-14 15:09 - 00000000 ____D C:\Users\Public\Downloads\Norton

2015-08-04 09:17 - 2014-08-30 21:30 - 00116224 _____ C:\Users\knemlick\Documents\Tutoring Clients.xlr

2015-08-01 13:33 - 2014-04-25 17:22 - 00000000 ____D C:\Windows\Panther

2015-08-01 13:30 - 2015-07-10 08:39 - 00000000 ___HD C:\$Windows.~BT

2015-07-30 01:25 - 2015-05-26 21:05 - 00000000 ____D C:\Users\knemlick\Documents\Megan Delaney Article

2015-07-28 21:44 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\NDF

2015-07-28 21:28 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\LiveKernelReports

2015-07-27 17:05 - 2014-08-30 15:01 - 00000000 ____D C:\Users\knemlick\Documents\Algebra 2 Tutoring

2015-07-27 17:05 - 2014-08-30 14:57 - 00000000 ____D C:\Users\knemlick\Documents\Resume

2015-07-25 07:40 - 2015-04-04 16:33 - 00000000 ___SD C:\Windows\system32\GWX

2015-07-23 23:17 - 2014-08-30 14:57 - 00000000 ____D C:\Users\knemlick\Documents\RKYHS

2015-07-22 00:00 - 2014-08-15 23:55 - 00000000 ____D C:\Users\knemlick

2015-07-21 15:18 - 2014-11-10 14:19 - 00000000 ____D C:\Program Files\Microsoft Office 15

2015-07-18 23:25 - 2014-11-28 16:23 - 00000000 ____D C:\Users\knemlick\Documents\Lisa Babkair

2015-07-17 08:26 - 2014-08-15 22:35 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2015-07-17 08:25 - 2015-05-12 20:57 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task

2015-07-16 09:16 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\rescache

2015-07-16 09:04 - 2015-04-04 16:33 - 00000000 ___SD C:\Windows\SysWOW64\GWX

2015-07-14 21:14 - 2015-02-16 21:08 - 00000000 ____D C:\Users\knemlick\Documents\Jill Hayes

2015-07-14 15:17 - 2013-08-22 10:36 - 00000000 ___RD C:\Windows\ToastData

2015-07-14 15:17 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\WinStore

==================== Files in the root of some directories =======

2014-08-15 23:55 - 2015-08-12 23:18 - 2627943 _____ () C:\Users\knemlick\AppData\Local\BTServer.log

2014-04-25 17:30 - 2014-04-25 17:30 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

LastRegBack: 2015-08-02 09:48

==================== End of log ============================
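The FRST listing above is long enough that reading it by eye misses things. The following Python script is an added example, not part of this thread or of FRST: it parses FRST's file-entry lines (`<date> - <date> - <size> <attrs> (<publisher>) <path>`) and the "Bamital & volsnap" signature-verification lines, then applies three review rules. The SAMPLE_LOG is constructed from lines of the log above plus two made-up entries (helper.exe and constructed_example.dll) so that every rule fires offline; the rule set, the function names and the "not digitally signed" wording of the constructed verdict are my own assumptions, not FRST output.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) file listings.

Added example; not part of the thread or of FRST. Parses the "Modified
files and folders", "Files in the root ..." and "Bamital & volsnap"
sections of an FRST.txt log and lists entries worth a second look.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One FRST file entry:  <date> - <date> - <size> <attrs> (<publisher>) <path>
# attrs is a 5-character field such as _____, ____D (dir), ___SH (system+hidden).
# The publisher comes from version info and may be absent or "()".
# In "Modified files" the first date is the modification time and the second
# the creation time; the "Files in the root" section lists them the other way.
ENTRY_RE = re.compile(
    r"^(?P<date1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<date2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)
# One signature-verification line:  <path> => <verdict>
SIG_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv")


@dataclass
class Entry:
    date1: str
    date2: str
    size: int
    attrs: str
    publisher: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "H" in self.attrs or "S" in self.attrs


def parse_entries(log: str) -> List[Entry]:
    """Every file/folder entry in the log, in order of appearance."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date1"], m["date2"], int(m["size"]),
                                 m["attrs"], m["publisher"] or None, m["path"]))
    return entries


def parse_signatures(log: str) -> Dict[str, str]:
    """path -> verdict for the 'Bamital & volsnap' verification lines."""
    out = {}
    for line in log.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            out[m["path"]] = m["verdict"]
    return out


def triage(log: str) -> List[Tuple[str, str]]:
    """(reason, path) pairs a responder should look at; not a malware verdict."""
    findings = []
    for e in parse_entries(log):
        if e.is_dir:
            continue
        low = e.path.lower()
        if low.endswith(EXEC_EXT) and not e.publisher:
            findings.append(("executable with no publisher in version info", e.path))
        if e.hidden_or_system and not low.startswith("c:\\windows\\"):
            findings.append(("hidden/system file outside C:\\Windows", e.path))
    for path, verdict in parse_signatures(log).items():
        if verdict != "File is digitally signed":
            findings.append(("signature check: " + verdict, path))
    return findings


# Constructed sample: lines from the thread plus two invented entries
# (helper.exe and constructed_example.dll) so each rule fires once.
SAMPLE_LOG = r"""
==================== One Month Modified files and folders ========

2015-08-12 23:49 - 2014-09-06 13:28 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-12 23:18 - 2014-08-15 23:55 - 02627943 _____ C:\Users\knemlick\AppData\Local\BTServer.log
2015-08-12 22:50 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-08-08 08:55 - 2014-08-16 00:14 - 00794088 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-08-12 23:40 - 2015-08-12 23:40 - 00045056 _____ C:\Users\knemlick\AppData\Roaming\Constructed\helper.exe

==================== Files in the root of some directories =======

2014-04-25 17:30 - 2014-04-25 17:30 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\constructed_example.dll => File is not digitally signed
"""

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

A missing publisher only means the file carries no company name in its version info, so the first rule is a prompt to check the file's Authenticode signature and hash, not a verdict; likewise a hidden file under ProgramData (the DP45977C.lfl entry above) is often a vendor artefact and is listed only so that it gets looked at.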



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:42 PM

Posted 13 August 2015 - 10:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3351969478-1937094124-811777867-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=S1122&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Clean your Flash cache.
https://forums.adobe.com/message/4278569
===

Any remaining issues?

#3 riley45 (Topic Starter)

Posted 13 August 2015 - 02:59 PM

I ran the FRST with the fixlist.txt file per your instructions.  The contents of Fixlog.txt file generated by this run are shown below.

 

After restarting my computer, I also reset Internet Explorer, cleaned the Internet Explorer cache, and cleaned the Adobe Flash cache using the instructions given by you and provided in the links.  Please note that I could not clear the IE Browser cache using the F12 developer tools since my computer has Internet Explorer 11.

 

Finally, I went back on the internet to see if the problem was resolved.  Unfortunately, I still was receiving those Adobe Flash Player pop-up messages when my Juno email was open.  (The pop-up messages did not appear when the Juno site was not open even though I was still online.)

 

Fix result of Farbar Recovery Scan Tool (x64) Version:12-08-2015

Ran by knemlick (2015-08-13 14:58:22) Run:1

Running from C:\Users\knemlick\Desktop

Loaded Profiles: knemlick (Available Profiles: knemlick)

Boot Mode: Normal

==============================================

fixlist content:

*****************

start

CreateRestorePoint:

EmptyTemp:

CloseProcesses:

HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

SearchScopes: HKLM -> DefaultScope value is missing

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 -> DefaultScope value is missing

SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-21-3351969478-1937094124-811777867-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=S1122&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869

BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

End

*****************

Restore point was successfully created.

Processes closed successfully.

"HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully

"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully

HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully

HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

"HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully

HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found.

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully

"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully

"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully

EmptyTemp: => 177.9 MB temporary data Removed.

 

The system needed a reboot..

==== End of Fixlog 15:00:55 ====
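nasdaq's fixlist (post #2) and the Fixlog above can be reconciled mechanically, so that a fixlist item which produced no result line is noticed rather than assumed done. The script below is an added example, not part of this thread or of FRST. It uses the fixlist and Fixlog lines posted above plus one constructed Task entry ({11111111-...}) that deliberately has no result line; the matching rules (GUIDs, Chrome extension ids, the DefaultScope value, the full key path, and pairing a `-x32` item with a `Wow6432Node` result) are my own reading of FRST's output and the function names are mine.

```python
"""Reconcile an FRST fixlist against the Fixlog that FRST wrote for it.

Added example; not part of this thread or of FRST. FRST prints one result
line per action, so every fixlist item should have a matching line that ends
in "successfully" (or, for the bare directives, a known success message).
Items with no such line are reported instead of being assumed done.
"""
import re
from typing import Dict, List, Tuple

GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)
CHROME_ID_RE = re.compile(r"\b[a-p]{32}\b")   # Chrome extension ids use a-p only

# Bare directives and the Fixlog text that confirms each one ran.
DIRECTIVE_OK: Dict[str, str] = {
    "CreateRestorePoint:": "Restore point was successfully created",
    "CloseProcesses:": "Processes closed successfully",
    "EmptyTemp:": "temporary data Removed",
}


def fixlist_items(fixlist: str) -> List[str]:
    """Non-empty item lines between the 'start' and 'End' markers."""
    lines = [l.strip() for l in fixlist.splitlines()]
    s, e = lines.index("start"), lines.index("End")
    return [l for l in lines[s + 1:e] if l]


def match_tokens(item: str) -> List[str]:
    """Substrings a Fixlog result line for this item must contain."""
    toks = [m.group(0) for m in GUID_RE.finditer(item)]
    toks += CHROME_ID_RE.findall(item)
    if "DefaultScope" in item:
        toks.append("DefaultScope")
    if item.startswith("HK") and ":" in item:      # raw registry key line
        toks.append(item.split(":", 1)[0])
    return toks


def reconcile(fixlist: str, fixlog: str) -> List[Tuple[str, bool]]:
    """(item, confirmed) for every fixlist item."""
    log_lines = fixlog.splitlines()
    report = []
    for item in fixlist_items(fixlist):
        if item in DIRECTIVE_OK:
            ok = any(DIRECTIVE_OK[item] in l for l in log_lines)
        else:
            toks = match_tokens(item)
            wow = "-x32" in item          # 32-bit view lives under Wow6432Node
            ok = bool(toks) and any(
                l.rstrip(".").endswith("successfully")
                and ("Wow6432Node" in l) == wow
                and all(t.lower() in l.lower() for t in toks)
                for l in log_lines)
        report.append((item, ok))
    return report


def unresolved(fixlist: str, fixlog: str) -> List[str]:
    return [item for item, ok in reconcile(fixlist, fixlog) if not ok]


# Fixlist from the thread plus one constructed Task line (the {11111111-...}
# GUID) that has no Fixlog result, to show how a miss is reported.
FIXLIST = r"""
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3351969478-1937094124-811777867-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=S1122&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\ConstructedTask => C:\Constructed\task.exe
End
"""

# Fixlog result lines from the thread.
FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
"HKU\S-1-5-21-3351969478-1937094124-811777867-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully
EmptyTemp: => 177.9 MB temporary data Removed.
"""

if __name__ == "__main__":
    for item in unresolved(FIXLIST, FIXLOG):
        print("no success line for:", item)
```

The `-x32` pairing is what keeps the two `{0633EE93-...}` search scopes apart: FRST reports the 64-bit and 32-bit registry views as separate items, and a success line under `Wow6432Node` must not be taken as confirmation for the 64-bit item or vice versa. "key not found" lines are ignored deliberately; they are FRST cleaning up a CLSID that never existed, not a failure of the item.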



#4 nasdaq

Posted 14 August 2015 - 07:37 AM


Try this method to clean the IE cache.
http://refreshyourcache.com/en/internet-explorer-11/

Also clean all the cookies associated with Juno site.

Keep me posted.

#5 riley45 (Topic Starter)

Posted 14 August 2015 - 05:00 PM

I followed the instructions given on the link of your previous post in order to clean the IE cache.  I also deleted the cookies associated with the Juno site. 

 

Unfortunately, I am still getting the Adobe Flash Player pop-up messages when my Juno email webpage is open.

 

Please advise what I should do next. 

 

Thank you.



#6 riley45 (Topic Starter)

Posted 14 August 2015 - 09:41 PM

One other piece of information:  I occasionally get the Adobe Flash Player pop-up messages when I am on the internet but my Juno email webpage is not open.



#7 nasdaq

Posted 15 August 2015 - 08:01 AM

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

#8 riley45 (Topic Starter)

Posted 15 August 2015 - 10:53 AM

I ran the ESET scan per your instructions.  The following 3 threats were found:

 

C:\FRST\Quarantine\C\Users\knemlick\AppData\Roaming\RGMDMNF.xBAD JS/Toolbar.Crossrider.C potentially unwanted application

C:\FRST\Quarantine\C\Users\knemlick\AppData\Roaming\TCUCBK.xBAD JS/Toolbar.Crossrider.C potentially unwanted application

C:\Users\knemlick\Documents\Quarantine.zip JS/Toolbar.Crossrider.C potentially unwanted application



#9 nasdaq

Posted 15 August 2015 - 02:07 PM

Remove everything that was found.

#10 riley45 (Topic Starter)

Posted 15 August 2015 - 04:31 PM

I removed the three threat files found by the ESET scan. 

 

I then restarted my computer and accessed the internet.  While online, I am still periodically receiving the Adobe Flash Player pop-up messages.

 

As a point of information, the three threat files found by this ESET scan that I subsequently deleted were files which were previously quarantined by an ESET scan that I ran in September 2014.  Since these are old files, I doubt that they are related to the Adobe Flash Player pop-up messages that I am currently receiving.

 

Please let me know if there are any other steps that I should take in order to try to detect and eliminate the cause of the Adobe Flash Player pop-up messages.

 

Thank you.



#11 nasdaq

Posted 16 August 2015 - 07:50 AM

Clean your Flash cache.
https://forums.adobe.com/message/4278569
===

If the problem persists continue.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.


#12 riley45 (Topic Starter)

Posted 16 August 2015 - 10:01 AM

I cleaned the Adobe Flash Player cache per the instructions provided in the link.

 

After doing this and rebooting my machine, I was still periodically getting the Adobe Flash Player pop-up messages.

 

I then downloaded and ran Rogue Killer according to your instructions.  The RogueReport.txt contents are shown below.

 

RogueKiller V10.10.0.0 [Aug 11 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : knemlick [Administrator]
Started from : C:\Users\knemlick\Desktop\RogueKiller.exe
Mode : Scan -- Date : 08/16/2015 10:50:45

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA100 +++++
--- User ---
[MBR] 7d9f7d833b6fa3f95bbdeb7924cd96d3
[BSP] 27a3335a479af53836421d33e987b5fd : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 800 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1640448 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2172928 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2435072 | Size: 938659 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1924808704 | Size: 14021 MB
User = LL1 ... OK
User = LL2 ... OK



#13 nasdaq

Posted 17 August 2015 - 06:42 AM

Remove these items. They will be replaced.

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found


==

If confident that these are from Flash try this.

In I/E: http://www.ehow.com/...-off-flash.html
1. Launch Internet Explorer. Click "Tools" and click "Internet Options." Click the "Programs" tab.

2. Open the "Manage add-ons" button. Click the drop-down list under "Show" and select "Run without permission."

3. Click "Shockwave Flash Object" under the "Adobe System Incorporated" section. Click the "Disable" button. Reboot your system.

Disable Flash in IE10 Windows 8.
http://www.eightforums.com/browsers-mail/27982-disable-flash-ie10.html

___

In Chrome: https://support.google.com/chrome/answer/108086?hl=en

- Enter the following address in Chrome’s address bar to access the Plug-ins screen:
chrome://plugins/

Scroll down the list of plug-ins and click the “Disable” link located at the bottom of the Adobe Flash Player section to disable Flash.
___

In Firefox: Tools> Addons> Plugins> Shockwave Flash - Never Activate

>> Browser check: https://support.mozilla.org/en-US/questions/988836

#14 riley45 (Topic Starter)

Posted 17 August 2015 - 07:09 AM

How do I locate and remove the following two items from my computer?

 

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found

 



#15 nasdaq

Posted 17 August 2015 - 07:36 AM

Run the RogueKiller tool one more time and delete the items.



