
MBAR log shows some ZeroAccess rootkit infection


23 replies to this topic

#1 computerisborked


Posted 20 August 2015 - 12:33 AM

Hi, I posted in "Am I infected" and got the bad news. Here are the results of the scan I was asked to run, and a summary of my initial post.

What I'm seeing:

1. Firefox started showing random black rectangles and bars when displaying pages, like parts just would not render.

2. The W3C Link Checker refused me, saying I'd made over 500 requests in 10 minutes.

3. There is a general slowdown: pages take a long time to load (Firefox, Chrome, IE) and now programs on the computer (Outlook, Notepad++) are taking longer to start up.

4. The Firefox favicon disappeared from my system tray.

5. Google says they are seeing unusual behavior from my IP address and made me put in a captcha before allowing a search. "Our systems have detected unusual traffic from your network. This page checks to see if it's really you sending the requests, and not a robot." I got this after performing two searches.

6. I'm having to click twice instead of once on website links. I didn't change any settings.

7. Possibly irrelevant, but maybe related to #2 and #5: I'm seeing new kinds of spam (more porn instead of ads).

What I've done:

1. Ran a Malwarebytes free version full scan; found nothing.

2. Ran a HouseCall free version full scan; found nothing, but never closed either.

3. Running Avast 10.3.2225 as my regular, on-all-the-time protection; nothing reported.

4. Just in case the Firefox slowdown was not a virus, I also ran Disk Cleanup and defragmented the hard drive.

5. Ran SUPERAntiSpyware free edition, which found only tracking cookies.

I'm running Windows Vista Home Premium with SP2.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:20-08-2015
Ran by Heather (administrator) on HEATHER (19-08-2015 20:46:51)
Running from C:\Users\Heather\Desktop\borked_again
Loaded Profiles: Heather (Available Profiles: Heather)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Adobe Systems Incorporated) C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Code 42 Software) C:\Program Files\CrashPlan\CrashPlanService.exe
(CrypKey (Canada) Ltd.) C:\Windows\System32\Crypserv.exe
( ) C:\Windows\System32\dlcxcoms.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
() C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(SigmaTel, Inc.) C:\Windows\System32\stacsv.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\WMSvc.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(SigmaTel, Inc.) C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Code 42 Software, Inc.) C:\Program Files\CrashPlan\CrashPlanTray.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE
() C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_18_0_0_232.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_18_0_0_232.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SigmatelSysTrayApp] => C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-09-12] (SigmaTel, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6109776 2015-07-29] (AVAST Software)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Run: [CrashPlanTray] => C:\Program Files\CrashPlan\CrashPlanTray.exe [414208 2015-07-06] (Code 42 Software, Inc.)
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\tray.exe [1010008 2015-04-08] (Garmin Ltd. or its subsidiaries)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2014-11-09] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-01-20]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-01-20]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-01-20]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-07-29] (AVAST Software)
ShellIconOverlayIdentifiers: [Panda Malware Icon] -> {F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} =>  No File
ShellIconOverlayIdentifiers: [Panda Suspect Icon] -> {9AE343CB-BA45-4618-AF6A-0230EE6FC793} =>  No File
GroupPolicyScripts: Group Policy detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000 -> {63140ECF-C629-BE59-8F0E-90B4FF340C03} URL = hxxp://www.bing.com/search?q={searchTerms}&pc=Z128&form=ZGAIDF&install_date=20111014&iesrc={referrer:source}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-21] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-07-29] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-21] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000 -> No Name - {3E1201F4-1707-409F-BB45-A5F192381DA0} -  No File
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: AutorunsDisabled\grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2014-12-10] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-18] (SuperAdBlocker.com)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{145AE6EB-647E-4AD7-95E0-658CE7CE3F83}: [NameServer] 68.87.69.150,68.87.85.102
Tcpip\..\Interfaces\{145AE6EB-647E-4AD7-95E0-658CE7CE3F83}: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-12] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-21] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-21] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-24] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-24] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1540569752-1271625846-3092027774-1000: LWAPlugin15.8 -> C:\Users\Heather\AppData\Roaming\Mozilla\Plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-12-12] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-12-12] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-12-12] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-12-12] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-12-12] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Heather\AppData\Roaming\mozilla\plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF Extension: FireSSH - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\firessh@nightlight.ws [2015-05-29]
FF Extension: Garmin Communicator - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2015-02-15]
FF Extension: ColorZilla - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326} [2015-08-18]
FF Extension: Firebug - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\firebug@software.joehewitt.com.xpi [2015-02-13]
FF Extension: Firepicker - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\firepicker@thedarkone.xpi [2015-02-13]
FF Extension: YSlow - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\yslow@yahoo-inc.com.xpi [2015-03-13]
FF Extension: Web Developer - C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\drqynn0g.default-1423894743749\Extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi [2015-02-17]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2008-12-19]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-02-06]

Chrome:
=======
CHR Profile: C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-02-20]
CHR Extension: (Google Drive) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-02-20]
CHR Extension: (YouTube) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-02-20]
CHR Extension: (Google Search) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-02-20]
CHR Extension: (Avast SafePrice) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2015-02-25]
CHR Extension: (Avast Online Security) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-02-25]
CHR Extension: (NetBeans Connector) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafdlehgocfcodbgjnpecfajgkeejnaa [2013-09-23]
CHR Extension: (No Name) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnkmfdileelhofjcijamephohjechhna [2015-01-09]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-18]
CHR Extension: (Gmail) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-02-20]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-03-22]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-22]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-11-09] (SUPERAntiSpyware.com)
R2 AdobeActiveFileMonitor9.0; C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [169408 2010-09-06] (Adobe Systems Incorporated)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-07-29] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [3218624 2015-07-29] (Avast Software)
R2 CrashPlanService; C:\Program Files\CrashPlan\CrashPlanService.exe [223000 2015-05-07] (Code 42 Software)
R2 Crypkey License; C:\Windows\system32\crypserv.exe [122880 2008-05-07] (CrypKey (Canada) Ltd.) [File not signed]
R2 dlcx_device; C:\Windows\system32\dlcxcoms.exe [537480 2006-11-03] ( )
R2 EpsonScanSvc; C:\Windows\system32\EscSvc.exe [122000 2011-12-12] (Seiko Epson Corporation)
S3 Garmin Device Interaction Service; C:\Program Files\Garmin\Device Interaction Service\GarminService.exe [708616 2015-04-08] (Garmin Ltd. or its subsidiaries)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [13824 2008-01-20] (Microsoft Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [67400 2011-04-01] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [43130032 2015-03-30] (Microsoft Corporation)
R2 MSSQLSERVER; c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [43130032 2015-03-30] (Microsoft Corporation)
R2 MySQL55; C:\ProgramData\MySQL\MySQL Server 5.5\my.ini [9172 2012-04-22] () [File not signed]
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-12-10] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2013-12-02] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-12-02] (Intuit Inc.) [File not signed]
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [381104 2015-03-30] (Microsoft Corporation)
S4 SQLSERVERAGENT; c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE [381104 2015-03-30] (Microsoft Corporation)
R2 STacSV; C:\Windows\system32\STacSV.exe [94208 2007-09-12] (SigmaTel, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
S3 WLSetupSvc; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [266240 2007-10-25] (Microsoft Corporation) [File not signed]
S2 Apache2.2; no ImagePath
S4 RoxLiveShare10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [X]
S2 SessionLauncher; no ImagePath

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R5 ACPI; C:\Windows\System32\drivers\acpi.sys [265688 2009-04-10] (Microsoft Corporation)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-07-29] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [76000 2015-07-29] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55200 2015-07-29] (AVAST Software)
R5 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-07-29] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [788784 2015-07-29] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [433264 2015-07-29] (AVAST Software)
R3 aswStmXP; C:\Windows\system32\drivers\aswStmXP.sys [161472 2015-07-29] (AVAST Software)
S3 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57888 2015-07-29] (AVAST Software)
R5 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [208664 2015-07-29] (AVAST Software)
R5 CLFS; C:\Windows\System32\CLFS.sys [244152 2015-03-04] (Microsoft Corporation)
R5 crcdisk; C:\Windows\System32\drivers\crcdisk.sys [24632 2008-01-20] (Microsoft Corporation)
R5 disk; C:\Windows\System32\drivers\disk.sys [53736 2009-04-10] (Microsoft Corporation)
R5 Ecache; C:\Windows\System32\drivers\ecache.sys [140224 2015-07-21] (Microsoft Corporation)
R5 FileInfo; C:\Windows\System32\drivers\fileinfo.sys [58936 2008-01-20] (Microsoft Corporation)
R5 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [190424 2009-04-10] (Microsoft Corporation)
S3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
R5 iaStor; C:\Windows\System32\drivers\iastor.sys [308248 2007-12-11] (Intel Corporation)
R5 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [440768 2015-06-12] (Microsoft Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
R5 MountMgr; C:\Windows\System32\drivers\mountmgr.sys [56256 2015-07-21] (Microsoft Corporation)
R5 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [16440 2008-01-20] (Microsoft Corporation)
R5 Mup; C:\Windows\System32\Drivers\mup.sys [48104 2009-04-10] (Microsoft Corporation)
R5 NDIS; C:\Windows\System32\drivers\ndis.sys [527848 2009-04-10] (Microsoft Corporation)
R1 NetworkX; C:\Windows\system32\ckldrv.sys [19584 2008-03-17] () [File not signed]
R5 ngvss; C:\Windows\system32\Drivers\ngvss.sys [95112 2015-07-29] (AVAST Software)
R5 partmgr; C:\Windows\System32\drivers\partmgr.sys [53120 2012-03-20] (Microsoft Corporation)
R5 pci; C:\Windows\System32\drivers\pci.sys [149480 2009-04-10] (Microsoft Corporation)
R5 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [45648 2010-03-19] (Sonic Solutions)
S3 QCDonner; C:\Windows\System32\DRIVERS\LVCD.sys [474304 2004-04-26] (Logitech Inc.)
S4 RsFx0102; C:\Windows\System32\DRIVERS\RsFx0102.sys [242712 2008-07-10] (Microsoft Corporation)
S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [250152 2015-03-30] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R5 spldr; C:\Windows\system32\Drivers\spldr.sys [21048 2008-01-20] (Microsoft Corporation)
R3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-09-12] (SigmaTel, Inc.)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2012-12-13] (Apple, Inc.) [File not signed]
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [220752 2015-07-29] (Avast Software)
R5 volmgr; C:\Windows\System32\drivers\volmgr.sys [52792 2008-01-20] (Microsoft Corporation)
R5 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [292840 2009-04-10] (Microsoft Corporation)
R5 volsnap; C:\Windows\System32\drivers\volsnap.sys [224640 2012-08-21] (Microsoft Corporation)
R5 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [527064 2013-06-26] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [X]
S5 ersdduha; System32\drivers\owsbhw.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-19 20:46 - 2015-08-19 20:46 - 00000000 ____D C:\FRST
2015-08-19 09:43 - 2015-08-19 09:43 - 06258448 _____ (Tim Kosse) C:\Users\Heather\Downloads\FileZilla_3.13.0_win32-setup.exe
2015-08-19 08:49 - 2015-08-14 16:03 - 12386816 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-08-19 08:49 - 2015-08-14 15:56 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-08-19 08:49 - 2015-08-14 15:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-08-18 22:17 - 2015-08-18 22:17 - 00042900 _____ C:\Users\Heather\Desktop\tabata.txt
2015-08-18 21:28 - 2015-08-18 21:28 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\Heather\Downloads\rkill.exe.part
2015-08-18 19:37 - 2015-08-19 20:46 - 00000000 ____D C:\Users\Heather\Desktop\borked_again
2015-08-18 14:56 - 2015-08-18 14:56 - 00074794 _____ C:\Users\Heather\Downloads\document_master_tendays(2).csv
2015-08-18 14:56 - 2015-08-18 14:56 - 00000417 _____ C:\Users\Heather\Downloads\document_master_tendays(3).csv
2015-08-18 14:52 - 2015-08-18 14:52 - 00204212 _____ C:\Users\Heather\Downloads\document_master.csv
2015-08-18 14:51 - 2015-08-18 14:51 - 00201441 _____ C:\Users\Heather\Downloads\document_master_tendays(1).csv
2015-08-18 14:51 - 2015-08-18 14:51 - 00201151 _____ C:\Users\Heather\Downloads\document_master_tendays.csv
2015-08-16 20:04 - 2015-08-18 21:20 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-08-14 16:19 - 2015-08-14 16:19 - 02073512 _____ (Trend Micro Inc.) C:\Users\Heather\Downloads\HousecallLauncher.exe
2015-08-14 16:19 - 2015-05-29 00:43 - 00303744 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-08-13 19:27 - 2015-08-13 19:27 - 00000000 ____D C:\Users\Heather\Downloads\bootstrap-datepicker-1.4.0-dist
2015-08-13 19:26 - 2015-08-13 19:26 - 00071110 _____ C:\Users\Heather\Downloads\bootstrap-datepicker-1.4.0-dist.zip
2015-08-12 23:48 - 2015-08-12 23:48 - 04015816 _____ C:\Users\Heather\Downloads\exiftool-9.99.zip
2015-08-12 23:48 - 2015-08-12 23:48 - 00000000 ____D C:\Users\Heather\Downloads\exiftool-9.99
2015-08-12 17:48 - 2015-08-12 17:48 - 00089287 _____ C:\Users\Heather\Downloads\document_detail.csv
2015-08-12 17:46 - 2015-08-12 17:46 - 00004298 _____ C:\Users\Heather\Downloads\document_detail.sql
2015-08-12 13:56 - 2015-08-12 14:16 - 00000000 ____D C:\snapshots
2015-08-12 03:41 - 2015-07-21 13:55 - 01206192 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-08-12 03:41 - 2015-07-21 09:07 - 03605440 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-08-12 03:41 - 2015-07-21 09:07 - 03553216 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-08-12 03:41 - 2015-07-21 09:07 - 00140224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ecache.sys
2015-08-12 03:41 - 2015-07-21 09:07 - 00056256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-08-12 03:41 - 2015-07-21 09:03 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\emdmgmt.dll
2015-08-12 03:41 - 2015-07-21 09:03 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-08-12 03:41 - 2015-07-21 09:03 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-08-12 03:35 - 2015-07-09 07:20 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2015-08-12 03:32 - 2015-07-10 12:37 - 02067968 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-08-12 03:27 - 2015-07-11 08:56 - 11587584 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-08-12 03:13 - 2015-07-18 09:03 - 00068608 _____ (Microsoft Corporation) C:\Windows\system32\basesrv.dll
2015-08-12 03:09 - 2015-07-10 12:37 - 01402368 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-08-12 03:09 - 2015-07-10 12:37 - 01253376 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-08-12 03:07 - 2015-07-31 15:08 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-08-12 03:07 - 2015-07-31 14:46 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2015-08-12 03:07 - 2015-07-31 14:46 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2015-08-12 03:07 - 2015-07-31 14:46 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2015-08-12 03:07 - 2015-07-31 14:46 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2015-08-12 03:07 - 2015-07-31 13:41 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-08-12 03:07 - 2015-07-31 13:40 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2015-08-12 03:07 - 2015-07-31 13:35 - 00682496 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-08-12 03:07 - 2015-07-31 13:33 - 02066944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-08-12 03:07 - 2015-07-31 13:33 - 01072640 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-08-12 03:07 - 2015-07-31 13:33 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-08-12 03:07 - 2015-07-31 13:33 - 00297472 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-08-12 03:04 - 2015-07-01 08:57 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2015-08-12 03:03 - 2015-07-09 07:25 - 00151040 _____ (Microsoft Corporation) C:\Windows\system32\notepad.exe
2015-08-12 03:03 - 2015-07-09 07:25 - 00151040 _____ (Microsoft Corporation) C:\Windows\notepad.exe
2015-08-11 18:52 - 2015-08-11 18:52 - 00000882 _____ C:\Users\Heather\.recently-used.xbel
2015-08-11 16:03 - 2015-08-18 11:02 - 00012454 _____ C:\Users\Heather\Documents\dash2015.xlsx
2015-08-11 15:24 - 2015-07-22 13:54 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-08-11 15:24 - 2015-07-22 13:51 - 01810432 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-08-11 15:24 - 2015-07-22 13:47 - 09751040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-08-11 15:24 - 2015-07-22 13:46 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-08-11 15:24 - 2015-07-22 13:46 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-08-11 15:24 - 2015-07-22 13:45 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-08-11 15:24 - 2015-07-22 13:45 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-08-11 15:24 - 2015-07-22 13:45 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-08-11 15:24 - 2015-07-22 13:44 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-08-11 15:24 - 2015-07-22 13:44 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-08-11 15:24 - 2015-07-22 13:44 - 00421888 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-08-11 15:24 - 2015-07-22 13:44 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-08-11 15:24 - 2015-07-22 13:43 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-08-11 15:24 - 2015-07-22 13:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-08-11 15:24 - 2015-07-22 13:43 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-08-11 15:24 - 2015-07-22 13:43 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-08-11 15:24 - 2015-07-22 13:43 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-08-11 15:24 - 2015-07-22 13:43 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-08-11 15:24 - 2015-07-22 13:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-08-05 00:03 - 2015-08-05 00:03 - 00877152 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2015-08-05 00:03 - 2015-08-05 00:03 - 00538208 _____ (Microsoft Corporation) C:\Windows\system32\msvcp120_clr0400.dll
2015-08-04 22:36 - 2015-08-04 22:36 - 00000000 ____D C:\Users\Heather\AppData\Local\Garmin_Ltd._or_its_subsid
2015-08-04 17:46 - 2015-08-04 17:47 - 00000000 ____D C:\Users\Heather\Documents\portlandAug2015
2015-08-03 13:53 - 2015-08-03 13:54 - 42834472 _____ (Garmin Ltd or its subsidiaries) C:\Users\Heather\Downloads\GarminExpressInstaller.exe
2015-08-02 18:58 - 2015-08-02 19:03 - 00000000 ____D C:\Users\Heather\Documents\tasks-temporary
2015-08-02 18:44 - 2015-08-02 18:44 - 00000000 ____D C:\scripts
2015-07-31 19:07 - 2015-07-31 19:07 - 00000848 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-07-29 09:32 - 2015-07-29 09:31 - 00161472 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStmXP.sys
2015-07-29 09:31 - 2015-07-29 09:31 - 00313472 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-07-29 09:31 - 2015-07-29 09:31 - 00095112 _____ (AVAST Software) C:\Windows\system32\Drivers\ngvss.sys
2015-07-29 09:31 - 2015-07-29 09:31 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-19 20:22 - 2006-11-02 05:47 - 00003744 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-19 20:22 - 2006-11-02 05:47 - 00003744 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-19 20:14 - 2008-12-10 07:02 - 01597493 _____ C:\Windows\WindowsUpdate.log
2015-08-19 15:06 - 2014-10-13 11:35 - 00001732 ____H C:\Users\Heather\Documents\Default.rdp
2015-08-19 15:06 - 2008-12-19 19:45 - 00000000 ____D C:\Users\Heather\AppData\Roaming\FileZilla
2015-08-19 13:17 - 2015-02-04 16:27 - 00001787 _____ C:\Users\Public\Desktop\FileZilla Client.lnk
2015-08-19 13:17 - 2010-03-24 08:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2015-08-19 13:17 - 2010-01-08 12:46 - 00000000 ____D C:\Program Files\FileZilla FTP Client
2015-08-19 12:19 - 2010-09-10 16:40 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-19 10:20 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\system32\inetsrv
2015-08-19 10:18 - 2015-06-22 07:54 - 00001984 _____ C:\Windows\error.log
2015-08-19 10:17 - 2015-06-22 07:53 - 00000432 _____ C:\Windows\errord.log
2015-08-19 10:17 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-19 10:16 - 2006-11-02 06:01 - 00032614 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-19 10:02 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\Microsoft.NET
2015-08-19 08:52 - 2009-03-13 12:14 - 00000000 ____D C:\Program Files\Opera
2015-08-19 08:36 - 2015-06-22 07:53 - 00015336 _____ C:\Windows\PFRO.log
2015-08-19 08:36 - 2014-11-10 11:20 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-08-18 22:20 - 2010-04-20 12:50 - 00032786 _____ C:\Users\Heather\Documents\stuff.xlsx
2015-08-18 21:20 - 2013-04-06 10:41 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-08-18 21:20 - 2012-05-22 15:03 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-08-18 21:09 - 2014-08-26 17:33 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-18 20:44 - 2014-06-13 23:45 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-18 20:43 - 2014-06-13 23:45 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-18 15:31 - 2012-05-22 15:08 - 00000000 ____D C:\Users\Heather\Documents\BORKED
2015-08-16 08:43 - 2008-12-30 19:58 - 00000000 ____D C:\Users\Heather\Documents\money
2015-08-14 22:01 - 2012-01-10 01:24 - 00221021 _____ C:\Users\Heather\AppData\Local\ars.cache
2015-08-14 16:33 - 2015-02-20 20:01 - 00000010 _____ C:\Users\Heather\AppData\Local\sponge.last.runtime.cache
2015-08-13 10:00 - 2014-12-20 17:41 - 00000000 ____D C:\Program Files\Notepad++
2015-08-12 09:09 - 2013-05-26 14:01 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-12 09:09 - 2013-05-26 14:01 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-08-12 04:04 - 2006-11-02 05:47 - 00456832 _____ C:\Windows\system32\FNTCACHE.DAT
2015-08-12 04:01 - 2011-03-26 15:53 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-08-12 03:44 - 2008-12-10 13:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-08-12 03:41 - 2011-03-26 15:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-08-12 03:25 - 2013-08-14 22:24 - 00000000 ____D C:\Windows\system32\MRT
2015-08-12 03:16 - 2006-11-02 03:24 - 129304528 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-08-11 18:53 - 2009-04-07 14:06 - 00000000 ____D C:\Users\Heather\.gimp-2.6
2015-08-11 18:52 - 2008-12-19 17:14 - 00000000 ____D C:\Users\Heather
2015-08-05 12:47 - 2014-06-13 23:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-05 12:47 - 2014-06-13 23:45 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-05 12:47 - 2012-05-22 20:50 - 00000901 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-08-01 11:29 - 2009-03-19 20:20 - 00000000 ____D C:\Users\Heather\WEBSITES
2015-07-31 19:07 - 2012-05-22 15:03 - 00000860 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-07-29 09:55 - 2015-03-22 12:36 - 00000000 ____D C:\Windows\system32\vbox
2015-07-29 09:31 - 2015-02-06 22:46 - 00788784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00433264 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00208664 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00076000 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00057888 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00055200 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00049776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2015-07-29 09:31 - 2015-02-06 22:46 - 00024016 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2015-07-28 02:20 - 2010-09-10 16:40 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

==================== Files in the root of some directories =======

2008-12-17 22:11 - 2009-01-01 20:20 - 0647024 _____ (Sysinternals - www.sysinternals.com) C:\Program Files\autoruns.exe
2013-12-13 10:45 - 2013-12-13 10:45 - 49940480 _____ () C:\Program Files\GUTEC06.tmp
2009-05-31 16:10 - 2009-05-31 16:10 - 0038435 _____ () C:\Users\Heather\AppData\Roaming\Comma Separated Values (DOS).ADR
2008-12-22 00:34 - 2009-05-31 16:15 - 0022241 _____ () C:\Users\Heather\AppData\Roaming\Comma Separated Values (Windows).ADR
2009-10-07 16:15 - 2009-10-07 16:22 - 0233472 _____ () C:\Users\Heather\AppData\Roaming\fontdb.mdb
2011-07-01 16:37 - 2011-07-11 18:56 - 0009290 _____ () C:\Users\Heather\AppData\Roaming\Microsoft Access 97-2003.EML
2010-06-25 11:56 - 2010-06-25 11:56 - 0855641 _____ () C:\Users\Heather\AppData\Roaming\PandaIDProtectHelp.chm
2012-08-19 20:09 - 2014-12-20 17:20 - 0601088 _____ () C:\Users\Heather\AppData\Roaming\SharedSettings.ccs
2012-01-10 01:24 - 2015-08-14 22:01 - 0221021 _____ () C:\Users\Heather\AppData\Local\ars.cache
2012-01-10 01:25 - 2015-02-20 19:59 - 2343634 _____ () C:\Users\Heather\AppData\Local\census.cache
2013-04-04 07:48 - 2013-05-20 16:56 - 0000680 _____ () C:\Users\Heather\AppData\Local\d3d9caps.dat
2009-08-11 21:40 - 2014-10-21 12:16 - 0028160 _____ () C:\Users\Heather\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-01-09 22:52 - 2012-01-09 22:52 - 0000036 _____ () C:\Users\Heather\AppData\Local\housecall.guid.cache
2011-05-21 23:06 - 2015-05-14 13:53 - 0000600 _____ () C:\Users\Heather\AppData\Local\PUTTY.RND
2015-02-20 20:01 - 2015-08-14 16:33 - 0000010 _____ () C:\Users\Heather\AppData\Local\sponge.last.runtime.cache
2012-09-20 23:14 - 2012-09-20 23:14 - 0000000 _____ () C:\ProgramData\0x0304A000.sfl
2010-07-23 16:19 - 2010-07-23 16:19 - 0000048 ____H () C:\ProgramData\ezsidmv.dat
2011-10-12 19:53 - 2011-10-12 22:04 - 0003072 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-08-19 10:23

==================== End of log ============================

thank you for any help you can provide.

#2 LiquidTension (Malware Response Instructor)

Posted 22 August 2015 - 07:14 PM

Hello computerisborked, welcome to Bleeping Computer's Malware Removal forum!
 
My name is Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.

======================================================

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability to provide the best set of instructions for you.
  • Please back up important files before proceeding with my instructions. Malware removal can be unpredictable at times.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • I will notify you when I believe your computer is free of malware. Please bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean".
  • Ensure you are following this topic. Click the follow button at the top of the page.

======================================================

Please run the following diagnostic scans so I can ascertain the state of your computer.

STEP 1
Farbar Recovery Scan Tool (FRST) Scan

  • Right-click FRST.exe and select Run as administrator to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop-up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

STEP 2
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach (not copy/paste) the file in your next reply.

======================================================

STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • FRST.txt
  • Addition.txt
  • TDSSKiller log (attached!)
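Reading the FRST.txt requested in STEP 1 takes some practice, so here is a small triage script, added here as an example and not part of the instructor's post or of FRST itself. It parses FRST-style lines in the formats that appear in this thread (file listings, service entries, CustomCLSID entries, the Bamital & volsnap signature checks) and returns the entries a responder reads first; the sample log, the shortened SID and the unsigned owsbhw.sys listing are constructed for the example.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread; it is not part of the original post and not
FRST's own code.  It reads FRST.txt-style lines in the formats that appear
in this thread and returns the entries a malware responder reads first:
lines FRST itself marks ATTENTION, per-user COM classes whose InprocServer32
has no file path (the ZeroAccess-style shell32 hijack), services and
drivers whose image file is missing or has no ImagePath, system files that
fail the signature check, and executables in system directories with no
vendor string.  The sample log below is constructed from those formats.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# FRST file-listing line: "created - modified - size attrs (vendor) path";
# the "(vendor)" part is absent or empty "()" when the file carries no
# company name, which for a .sys under system32\Drivers is worth a look.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
# FRST service line: "S0 name; path [X]" ("[X]" = file missing) or
# "S2 name; no ImagePath".  S0 is a boot-start driver, the slot a rootkit
# prefers, so a missing S0 image rates higher than a missing S4 one.
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<image>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one FRST log line; None means nothing to report."""
    s = line.strip()
    if not s:
        return None
    if "ATTENTION" in s:
        return Finding("high", "flagged by FRST", s)
    if "InprocServer32" in s and "no filepath" in s:
        return Finding("high", "InprocServer32 with no file path", s)
    # "Bamital & volsnap" section: "<path> => File is digitally signed"
    if " => " in s and DRIVE_RE.match(s):
        if "File is digitally signed" in s:
            return None
        return Finding("high", "system file failed signature check", s)
    m = SERVICE_RE.match(s)
    if m:
        image = m.group("image")
        if image == "no ImagePath":
            return Finding("medium", "service with no ImagePath", s)
        if image.endswith("[X]"):
            sev = "high" if m.group("start") == "S0" else "medium"
            return Finding(sev, "service image file missing", s)
        return None
    m = FILE_RE.match(s)
    if m:
        low = m.group("path").lower()
        if (not m.group("vendor") and low.endswith(EXEC_EXT)
                and any(d in low for d in SYSTEM_DIRS)):
            return Finding("medium", "executable in system dir with no vendor", s)
    return None


def triage(text: str) -> List[Finding]:
    """Return all findings for a log, high severity first (stable order)."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: rank[f.severity])


# Constructed sample in the line formats seen in this thread.  The SID and
# the unsigned owsbhw.sys file listing are made up for the example.
SAMPLE_LOG = r"""
2015-08-12 03:07 - 2015-07-31 13:33 - 02066944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-07-29 09:31 - 2015-07-29 09:31 - 00095112 _____ (AVAST Software) C:\Windows\system32\Drivers\ngvss.sys
2015-08-01 00:00 - 2015-08-01 00:00 - 00051200 _____ C:\Windows\system32\Drivers\owsbhw.sys
HKU\S-1-5-21-1-1-1-1000\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
CustomCLSID: HKU\S-1-5-21-1-1-1-1000_Classes\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\InprocServer32 -> no filepath
S2 Apache2.2; no ImagePath
S0 ersdduha; System32\drivers\owsbhw.sys [X]
S4 RoxLiveShare10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [X]
C:\Windows\system32\services.exe => File is digitally signed
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Pipe a real FRST.txt into triage() to get the same ordering over the full log; the script only ranks lines for a human to read, it does not decide what to remove.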

#3 computerisborked (Topic Starter)

Posted 22 August 2015 - 10:44 PM

Hello Adam, my name is Heather. Thank you for helping me.

FRST.txt


LastRegBack: 2015-08-21 15:50

==================== End of log ============================

addition.txt

CodeIntegrity:
===================================
  Date: 2015-08-22 20:34:07.951
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:34:07.593
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:34:07.249
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:34:06.891
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:33:40.105
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:33:39.747
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:33:39.372
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-22 20:33:38.982
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-19 20:47:36.607
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-08-19 20:47:36.237
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™2 Quad CPU Q9400 @ 2.66GHz
Percentage of memory in use: 59%
Total physical RAM: 3325.03 MB
Available physical RAM: 1355.21 MB
Total Virtual: 6867.05 MB
Available Virtual: 4608.36 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:450.71 GB) (Free:307.59 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:8.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 60000000)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=450.7 GB) - (Type=07 NTFS)

==================== End of log ============================

Attached Files



#4 LiquidTension (Malware Response Instructor)

Posted 22 August 2015 - 10:49 PM

Hi Heather,

Could you attach both FRST.txt and Addition.txt (found in the same location as FRST.exe) please? Neither log in your previous post is complete.

#5 computerisborked (Topic Starter)

Posted 23 August 2015 - 11:35 AM

they are very short files. i can run the scans again if you want.

Attached Files



#6 LiquidTension (Malware Response Instructor)

Posted 23 August 2015 - 03:11 PM

Yes, please rerun FRST. Ensure Addition.txt is checked before clicking Scan.

If the logs are not complete after the rerun, we will need to run FRST in Safe Mode.

#7 computerisborked (Topic Starter)

Posted 23 August 2015 - 03:24 PM

here they are.  I attached instead of pasting.

Attached Files



#8 LiquidTension (Malware Response Instructor)

Posted 24 August 2015 - 03:57 AM

Hi Heather,

Please do the following:

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
    ShellIconOverlayIdentifiers: [Panda Malware Icon] -> {F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} =>  No File
    ShellIconOverlayIdentifiers: [Panda Suspect Icon] -> {9AE343CB-BA45-4618-AF6A-0230EE6FC793} =>  No File
    GroupPolicyScripts: Group Policy detected <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    Toolbar: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000 -> No Name - {3E1201F4-1707-409F-BB45-A5F192381DA0} -  No File
    CHR Extension: (No Name) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnkmfdileelhofjcijamephohjechhna [2015-01-09]
    S2 Apache2.2; no ImagePath
    S4 RoxLiveShare10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [X]
    S2 SessionLauncher; no ImagePath
    S0 ersdduha; System32\drivers\owsbhw.sys [X]
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00EEBF57-477D-4084-9921-7AB3C2C9459D}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{078759D3-423B-48AD-AB6A-5638C2884DBE}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0AF10CEC-2ECD-4B92-9581-34F6AE0637F3}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0B91A74B-AD7C-4A9D-B563-29EEF9167172}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0C15D503-D017-47CE-9016-7B3F978721CC}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{25CD009F-FFBF-418A-8E11-7A877CAFCAF5}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{49F371E1-8C5C-4D9C-9A3B-54A6827F513C}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4DB26476-6787-4046-B836-E8412A9E8A27}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50EE5B75-5635-11D1-AC2A-D4EA0B000000}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50EF4544-AC9F-4A8E-B21B-8A26180DB13F}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{527C9A9B-B9A2-44B0-84F9-F0DC11C2BCFB}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{53BD6B4E-3780-4693-AFC3-7161C2F3EE9C}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{55C7A567-7B90-4885-9EDD-662D359ED389}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{5717060C-0509-11E0-B88E-001D60AF2322}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{603D3800-BD81-11D0-A3A5-00C04FD706EC}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6311429E-2F1A-4777-880F-C7289FD10169}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{640167B4-59B0-47A6-B335-A6B3C0695AEA}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6C467336-8281-4E60-8204-430CED96822D}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6D49AC84-BEAD-11D1-A074-0080C740BFBD}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{70D0238E-E029-4A94-B68D-182018B6C4FF}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{71F96385-DDD6-48D3-A0C1-AE06E8B055FB}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{72C57034-02C4-4E9F-BF9C-CA711031757E}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{72EB61E0-8672-4303-9175-F2E4C68B2E7C}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{7353C207-C0DA-45A1-93CC-47A853A736A1}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{77F419AA-771A-45FF-AC66-7567FA3243D3}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{82C588E7-E54B-408C-9F8C-6AF9ADF6F1E9}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{83B8BCA6-687C-11D0-A405-00AA0060275C}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{85E94D25-0712-47ED-8CDE-B0971177C6A1}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{8E85D0CE-DEAF-4EA1-9410-FD1A2105CEB5}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{8F170678-2A97-4D59-89A1-7A0A71C1B677}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9CFC2DF3-6BA3-46EF-A836-E519E81F0EC4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{A9B8E64D-3F7E-4D32-8FC9-E391DEE67D75}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{AB517586-73CF-489C-8D8C-5AE0EAD0613A}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B056521A-9B10-425E-B616-1FCD828DB3B1}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B8967F85-58AE-4F46-9FB2-5D7904798F4B}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{C206F324-BB45-4765-93FF-3BCA7306FF2E}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{D58960BA-2EF3-4910-9E34-C911B1710180}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E03E85B0-7BE3-4000-BA98-6C13DE9FA486}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E0629351-6F81-11D2-973F-00104B9B172F}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E97F7176-7C91-4648-A0CE-94F37BF016F8}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EDB5F444-CB8D-445A-A523-EC5AB6EA33C7}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EFDB41B0-5538-42F1-995B-460DA31C0924}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F46316E4-FB1B-46EB-AEDF-9520BFBB916A}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F8383852-FCD3-11D1-A6B9-006097DF5BD4}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{FE841493-835C-4FA3-B6CC-B4B2D4719848}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\InprocServer32 -> no filepath
    Task: {2634120D-EC29-42D5-AD6A-CFFCBC404633} - System32\Tasks\{B8D39447-0605-42CF-B1A9-40228B527F5D} => pcalua.exe -a C:\Users\Heather\Downloads\NetFx64.exe -d C:\Users\Heather\Downloads
    Task: {62A5B205-3E0C-457B-A0C2-E321656B2F8B} - \{1A6EEA95-5720-4174-8446-CF0A382F15E7} -> No File <==== ATTENTION
    Task: {8589D92C-6A31-479A-8478-11BC2C579EC0} - \{8536D14C-DFD7-425D-9448-41D7A7F3116D} -> No File <==== ATTENTION
    Task: {A9494AF0-87EA-45D1-B89D-2BCE0467E786} - \CCleanerSkipUAC -> No File <==== ATTENTION
    Task: {BE5F052D-C9F5-429D-8A45-6B6E46F4992D} - \Delete inetpub log files -> No File <==== ATTENTION
    HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\Software\Classes\.exe:  =>  <===== ATTENTION
    CMD: ipconfig /flushdns
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
RogueKiller

  • Please download RogueKiller (x32) and save the file to your Desktop.
  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • RKreport.txt

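The fixlist above removes three kinds of per-user persistence: CLSID keys under HKU\...\_Classes\CLSID whose InprocServer32 has no file path (the {42aedc87-...} entry flagged "ZeroAccess?" is the same mechanism: a per-user CLSID registration shadows the machine-wide one for that user's non-elevated processes, so Explorer loads the attacker's DLL in place of shell32's), a per-user .exe file class, and scheduled tasks whose target no longer exists. The script below is an added example, not part of this thread and not FRST's own code; it reproduces the per-user CLSID and .exe checks so a reader can audit a machine before or after running a fix. It assumes PowerShell 3 or later on the affected user's account; the status strings ("no filepath", "missing file") are chosen here to match FRST's wording and are not FRST output.

```powershell
# Added example (not from the thread or FRST): audit per-user COM registrations,
# the mechanism behind the CustomCLSID / "no filepath" lines in the fixlist.
# HKCU\Software\Classes\CLSID overrides HKLM for this user's non-elevated
# processes; elevated processes ignore per-user CLSIDs since Windows Vista.
# Run as the affected user; reading HKCU needs no elevation.

$results = foreach ($clsid in Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $inproc = "$($clsid.PSPath)\InprocServer32"
    if (-not (Test-Path -Path $inproc)) { continue }   # only in-process servers load a DLL

    $target = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($target)) {
        $status = 'no filepath'          # empty default value, as FRST reports it
    } else {
        # Strip quotes and expand %SystemRoot%-style variables before testing the file
        $path = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
        $status = if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -eq 'Valid') { 'present, signed' } else { 'present, UNSIGNED' }
        } else {
            'missing file'
        }
    }
    [pscustomobject]@{ CLSID = $clsid.PSChildName; Target = $target; Status = $status }
}
$results | Sort-Object Status | Format-Table -AutoSize

# Second check: a per-user .exe file class, the HKU\...\Software\Classes\.exe
# line in the fixlist. Its default value names a ProgID whose shell\open\command
# runs in front of every program this user starts.
$exeKey = 'HKCU:\Software\Classes\.exe'
if (Test-Path -Path $exeKey) {
    $progId = (Get-ItemProperty -Path $exeKey).'(default)'
    Write-Warning "Per-user .exe class present (ProgID: '$progId')"
    if ($progId) {
        $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
        if (Test-Path -Path $cmdKey) {
            Write-Warning "  open command: $((Get-ItemProperty -Path $cmdKey).'(default)')"
        }
    }
} else {
    Write-Output 'No per-user .exe class: OK'
}
```

Legitimate per-user COM registrations (per-user installers such as browsers and sync clients) show up as "present, signed" and point into the user's profile; the entries worth attention are "no filepath", "missing file", and unsigned DLLs, especially ones that shadow well-known system CLSIDs as in this log. An empty per-user .exe class, as FRST found here, is still worth removing: nothing legitimate creates it, and a later payload could fill it in.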

#9 computerisborked

computerisborked
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 24 August 2015 - 11:30 AM

Hi,


RogueKiller did not make RKreport.txt automatically when I clicked 'report' - I saved the file myself.  I assume that does not matter but I wanted to let you know.  Here are the results:


Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x86) Version:21-08-2015 03
Ran by Heather (2015-08-24 08:27:19) Run:1
Running from C:\Users\Heather\Desktop\borked_again
Loaded Profiles: Heather (Available Profiles: Heather)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
ShellIconOverlayIdentifiers: [Panda Malware Icon] -> {F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} =>  No File
ShellIconOverlayIdentifiers: [Panda Suspect Icon] -> {9AE343CB-BA45-4618-AF6A-0230EE6FC793} =>  No File
GroupPolicyScripts: Group Policy detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000 -> No Name - {3E1201F4-1707-409F-BB45-A5F192381DA0} -  No File
CHR Extension: (No Name) - C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnkmfdileelhofjcijamephohjechhna [2015-01-09]
S2 Apache2.2; no ImagePath
S4 RoxLiveShare10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [X]
S2 SessionLauncher; no ImagePath
S0 ersdduha; System32\drivers\owsbhw.sys [X]
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00EEBF57-477D-4084-9921-7AB3C2C9459D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{078759D3-423B-48AD-AB6A-5638C2884DBE}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0AF10CEC-2ECD-4B92-9581-34F6AE0637F3}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0B91A74B-AD7C-4A9D-B563-29EEF9167172}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0C15D503-D017-47CE-9016-7B3F978721CC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{25CD009F-FFBF-418A-8E11-7A877CAFCAF5}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{49F371E1-8C5C-4D9C-9A3B-54A6827F513C}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4DB26476-6787-4046-B836-E8412A9E8A27}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50EE5B75-5635-11D1-AC2A-D4EA0B000000}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50EF4544-AC9F-4A8E-B21B-8A26180DB13F}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{527C9A9B-B9A2-44B0-84F9-F0DC11C2BCFB}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{53BD6B4E-3780-4693-AFC3-7161C2F3EE9C}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{55C7A567-7B90-4885-9EDD-662D359ED389}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{5717060C-0509-11E0-B88E-001D60AF2322}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{603D3800-BD81-11D0-A3A5-00C04FD706EC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6311429E-2F1A-4777-880F-C7289FD10169}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{640167B4-59B0-47A6-B335-A6B3C0695AEA}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6C467336-8281-4E60-8204-430CED96822D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6D49AC84-BEAD-11D1-A074-0080C740BFBD}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{70D0238E-E029-4A94-B68D-182018B6C4FF}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{71F96385-DDD6-48D3-A0C1-AE06E8B055FB}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{72C57034-02C4-4E9F-BF9C-CA711031757E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{72EB61E0-8672-4303-9175-F2E4C68B2E7C}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{7353C207-C0DA-45A1-93CC-47A853A736A1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{77F419AA-771A-45FF-AC66-7567FA3243D3}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{82C588E7-E54B-408C-9F8C-6AF9ADF6F1E9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{83B8BCA6-687C-11D0-A405-00AA0060275C}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{85E94D25-0712-47ED-8CDE-B0971177C6A1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{8E85D0CE-DEAF-4EA1-9410-FD1A2105CEB5}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{8F170678-2A97-4D59-89A1-7A0A71C1B677}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9CFC2DF3-6BA3-46EF-A836-E519E81F0EC4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{A9B8E64D-3F7E-4D32-8FC9-E391DEE67D75}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{AB517586-73CF-489C-8D8C-5AE0EAD0613A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B056521A-9B10-425E-B616-1FCD828DB3B1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B8967F85-58AE-4F46-9FB2-5D7904798F4B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{C206F324-BB45-4765-93FF-3BCA7306FF2E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{D58960BA-2EF3-4910-9E34-C911B1710180}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E03E85B0-7BE3-4000-BA98-6C13DE9FA486}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E0629351-6F81-11D2-973F-00104B9B172F}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E97F7176-7C91-4648-A0CE-94F37BF016F8}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EDB5F444-CB8D-445A-A523-EC5AB6EA33C7}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EFDB41B0-5538-42F1-995B-460DA31C0924}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F46316E4-FB1B-46EB-AEDF-9520BFBB916A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F8383852-FCD3-11D1-A6B9-006097DF5BD4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{FE841493-835C-4FA3-B6CC-B4B2D4719848}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\InprocServer32 -> no filepath
Task: {2634120D-EC29-42D5-AD6A-CFFCBC404633} - System32\Tasks\{B8D39447-0605-42CF-B1A9-40228B527F5D} => pcalua.exe -a C:\Users\Heather\Downloads\NetFx64.exe -d C:\Users\Heather\Downloads
Task: {62A5B205-3E0C-457B-A0C2-E321656B2F8B} - \{1A6EEA95-5720-4174-8446-CF0A382F15E7} -> No File <==== ATTENTION
Task: {8589D92C-6A31-479A-8478-11BC2C579EC0} - \{8536D14C-DFD7-425D-9448-41D7A7F3116D} -> No File <==== ATTENTION
Task: {A9494AF0-87EA-45D1-B89D-2BCE0467E786} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {BE5F052D-C9F5-429D-8A45-6B6E46F4992D} - \Delete inetpub log files -> No File <==== ATTENTION
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\Software\Classes\.exe:  =>  <===== ATTENTION
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}" => key removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Panda Malware Icon" => key removed successfully.
"HKCR\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}" => key removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Panda Suspect Icon" => key removed successfully.
"HKCR\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}" => key removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3E1201F4-1707-409F-BB45-A5F192381DA0} => value removed successfully.
HKCR\CLSID\{3E1201F4-1707-409F-BB45-A5F192381DA0} => key not found.
C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnkmfdileelhofjcijamephohjechhna => moved successfully
Apache2.2 => service removed successfully.
RoxLiveShare10 => service removed successfully.
SessionLauncher => service removed successfully.
ersdduha => service removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00021401-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{00EEBF57-477D-4084-9921-7AB3C2C9459D}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{078759D3-423B-48AD-AB6A-5638C2884DBE}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0AF10CEC-2ECD-4B92-9581-34F6AE0637F3}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0B91A74B-AD7C-4A9D-B563-29EEF9167172}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0C15D503-D017-47CE-9016-7B3F978721CC}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{25CD009F-FFBF-418A-8E11-7A877CAFCAF5}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}" => key removed successfully.
HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1} => key not found.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{49F371E1-8C5C-4D9C-9A3B-54A6827F513C}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4DB26476-6787-4046-B836-E8412A9E8A27}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50EE5B75-5635-11D1-AC2A-D4EA0B000000}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{50EF4544-AC9F-4A8E-B21B-8A26180DB13F}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{527C9A9B-B9A2-44B0-84F9-F0DC11C2BCFB}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{53BD6B4E-3780-4693-AFC3-7161C2F3EE9C}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{55C7A567-7B90-4885-9EDD-662D359ED389}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{5717060C-0509-11E0-B88E-001D60AF2322}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{603D3800-BD81-11D0-A3A5-00C04FD706EC}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6311429E-2F1A-4777-880F-C7289FD10169}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{640167B4-59B0-47A6-B335-A6B3C0695AEA}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6C467336-8281-4E60-8204-430CED96822D}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{6D49AC84-BEAD-11D1-A074-0080C740BFBD}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{70D0238E-E029-4A94-B68D-182018B6C4FF}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{71F96385-DDD6-48D3-A0C1-AE06E8B055FB}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{72C57034-02C4-4E9F-BF9C-CA711031757E}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{72EB61E0-8672-4303-9175-F2E4C68B2E7C}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{7353C207-C0DA-45A1-93CC-47A853A736A1}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{77F419AA-771A-45FF-AC66-7567FA3243D3}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{82C588E7-E54B-408C-9F8C-6AF9ADF6F1E9}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{83B8BCA6-687C-11D0-A405-00AA0060275C}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{85E94D25-0712-47ED-8CDE-B0971177C6A1}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{8E85D0CE-DEAF-4EA1-9410-FD1A2105CEB5}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{8F170678-2A97-4D59-89A1-7A0A71C1B677}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{9CFC2DF3-6BA3-46EF-A836-E519E81F0EC4}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{A9B8E64D-3F7E-4D32-8FC9-E391DEE67D75}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{AB517586-73CF-489C-8D8C-5AE0EAD0613A}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B056521A-9B10-425E-B616-1FCD828DB3B1}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{B8967F85-58AE-4F46-9FB2-5D7904798F4B}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{C206F324-BB45-4765-93FF-3BCA7306FF2E}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{D58960BA-2EF3-4910-9E34-C911B1710180}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E03E85B0-7BE3-4000-BA98-6C13DE9FA486}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E0629351-6F81-11D2-973F-00104B9B172F}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{E97F7176-7C91-4648-A0CE-94F37BF016F8}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EDB5F444-CB8D-445A-A523-EC5AB6EA33C7}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{EFDB41B0-5538-42F1-995B-460DA31C0924}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F46316E4-FB1B-46EB-AEDF-9520BFBB916A}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{F8383852-FCD3-11D1-A6B9-006097DF5BD4}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{FE841493-835C-4FA3-B6CC-B4B2D4719848}" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000_Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2634120D-EC29-42D5-AD6A-CFFCBC404633}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2634120D-EC29-42D5-AD6A-CFFCBC404633}" => key removed successfully.
C:\Windows\System32\Tasks\{B8D39447-0605-42CF-B1A9-40228B527F5D} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B8D39447-0605-42CF-B1A9-40228B527F5D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{62A5B205-3E0C-457B-A0C2-E321656B2F8B}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62A5B205-3E0C-457B-A0C2-E321656B2F8B}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1A6EEA95-5720-4174-8446-CF0A382F15E7}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8589D92C-6A31-479A-8478-11BC2C579EC0}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8589D92C-6A31-479A-8478-11BC2C579EC0}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{8536D14C-DFD7-425D-9448-41D7A7F3116D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A9494AF0-87EA-45D1-B89D-2BCE0467E786}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A9494AF0-87EA-45D1-B89D-2BCE0467E786}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BE5F052D-C9F5-429D-8A45-6B6E46F4992D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE5F052D-C9F5-429D-8A45-6B6E46F4992D}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Delete inetpub log files" => key removed successfully.
"HKU\S-1-5-21-1540569752-1271625846-3092027774-1000\Software\Classes\.exe" => key removed successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => 386 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:37:18 ====

 

RKreport.txt

RogueKiller V10.10.2.0 [Aug 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Heather [Administrator]
Started from : C:\Users\Heather\Desktop\borked_again\RogueKiller.exe
Mode : Scan -- Date : 08/24/2015 09:24:10

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{145AE6EB-647E-4AD7-95E0-658CE7CE3F83} | NameServer : 68.87.69.150,68.87.85.102 ([-][UNITED STATES (US)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{145AE6EB-647E-4AD7-95E0-658CE7CE3F83} | NameServer : 68.87.69.150,68.87.85.102 ([-][UNITED STATES (US)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{145AE6EB-647E-4AD7-95E0-658CE7CE3F83} | NameServer : 68.87.69.150,68.87.85.102 ([-][UNITED STATES (US)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{145AE6EB-647E-4AD7-95E0-658CE7CE3F83} | NameServer : 68.87.69.150,68.87.85.102 ([-][UNITED STATES (US)])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKS-75A7B0 +++++
--- User ---
[MBR] fa3960e58fd3cbcad383f43e8fb31422
[BSP] f447cd3dc644cd931fe7f4d39e641310 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 112640 | Size: 15360 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31569920 | Size: 461524 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
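As an added example that is not part of this thread (and not Adlice's code): the four [PUM.Dns] entries in the RogueKiller report above are one NameServer value on one interface, mirrored in CurrentControlSet and in each ControlSetNNN hive. The script below parses lines in that format, merges the mirrored copies, and compares each resolver with an allow-list of the servers the ISP or router is supposed to hand out. The allow-list, the interface GUID and the log lines are constructed; an "unexpected" verdict means "verify who runs this resolver", not "malicious".

```python
"""Check resolvers that RogueKiller reports as [PUM.Dns] against an allow-list.

Added example, not code from the thread or from Adlice. RogueKiller flags an
interface whose NameServer value is set; that is a modification, not proof of
hijacking. The allow-list and log lines below are constructed.
"""
import ipaddress
import re

PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+(?P<key>\S+)\s+\|\s+NameServer\s*:\s*(?P<servers>[0-9A-Fa-f.:,]+)"
)
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)

# Constructed allow-list (RFC 5737 documentation address); replace with the
# resolvers your ISP or router actually assigns.
EXPECTED_RESOLVERS = {"192.0.2.53"}

# Constructed log lines in RogueKiller's format: one interface, mirrored in
# CurrentControlSet and two ControlSetNNN hives, plus an unrelated line.
IFACE = "{00000000-0000-4000-8000-000000000001}"
SAMPLE_LINES = [
    f"[PUM.Dns] HKEY_LOCAL_MACHINE\\System\\{cs}\\Services\\Tcpip\\Parameters\\Interfaces\\{IFACE}"
    " | NameServer : 192.0.2.53,198.51.100.7 ([-][EXAMPLE])  -> Found"
    for cs in ("CurrentControlSet", "ControlSet001", "ControlSet002")
] + ["Tasks : 0"]


def parse_pum_dns(lines):
    """Map interface GUID -> ordered resolver list, merging per-ControlSet copies.

    CurrentControlSet is a link to one ControlSetNNN and the others hold the
    previous/last-known-good configuration, so identical lines collapse to one
    entry; a resolver that appears in only some copies is still kept.
    """
    by_iface = {}
    for line in lines:
        m = PUM_DNS_RE.match(line.strip())
        if not m:
            continue
        g = GUID_RE.search(m.group("key"))
        iface = g.group(0).upper() if g else m.group("key")
        seen = by_iface.setdefault(iface, [])
        for ip in m.group("servers").split(","):
            if ip and ip not in seen:
                seen.append(ip)
    return by_iface


def classify(ip, expected):
    """Label one resolver: expected (on the allow-list), unexpected, or invalid."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "expected" if ip in expected else "unexpected"


def check_resolvers(lines, expected=EXPECTED_RESOLVERS):
    """Return {interface GUID: {resolver: verdict}} for the given report lines."""
    return {
        iface: {ip: classify(ip, expected) for ip in servers}
        for iface, servers in parse_pum_dns(lines).items()
    }


if __name__ == "__main__":
    for iface, verdicts in check_resolvers(SAMPLE_LINES).items():
        print(iface)
        for ip, status in verdicts.items():
            print(f"  {ip:<16} {status}")
```

Feed it the real RKreport.txt with `check_resolvers(open("RKreport.txt", encoding="utf-8").read().splitlines())` and a filled-in allow-list; anything "unexpected" is worth a whois lookup and a comparison with what the router's DHCP hands out before deciding whether to reset it.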
 



#10 LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • Gender:Male

Posted 24 August 2015 - 07:21 PM

Hi Heather, 
 

RogueKiller did not make RKreport.txt automatically when I clicked 'report' - I saved the file myself.  I assume that does not matter but I wanted to let you know.  Here are the results:

Thank you. 
 
Please do the following: 
 
STEP 1
Uninstall Software

  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall if you did not intentionally install the programme below.
    • Pando Media Booster
  • Follow the prompts.
  • Note: If you are offered the choice to install additional software, ensure you decline.
  • Reboot if necessary.
     

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab, and click Cleaning
  • Follow the prompts and allow your computer to reboot
  • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[S1].txt.
 
======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did the programme uninstall successfully?
  • JRT.txt
  • AdwCleaner[C1].txt

Edited by LiquidTension, 24 August 2015 - 07:21 PM.


#11 computerisborked
  • Topic Starter
  • Members
  • 39 posts

Posted 24 August 2015 - 08:04 PM

Yes, Pando did uninstall. Here are the logs.

 

JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.7 (08.18.2015:1)
OS: Windows Vista ™ Home Premium x86
Ran by Heather on Mon 08/24/2015 at 17:44:26.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\Program Files\GUTEC06.tmp



~~~ Folders

Successfully deleted: [Folder] C:\Users\Heather\AppData\Roaming\download manager



~~~ FireFox

Emptied folder: C:\Users\Heather\AppData\Roaming\mozilla\firefox\profiles\drqynn0g.default-1423894743749\minidumps [4 files]



~~~ Chrome


[C:\Users\Heather\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Heather\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Heather\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Heather\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/24/2015 at 17:47:14.25
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

adwcleaner[c1].txt

# AdwCleaner v5.003 - Logfile created 24/08/2015 at 17:55:04
# Updated 20/08/2015 by Xplode
# Database : 2015-08-23.3 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)
# Username : Heather - HEATHER
# Running from : C:\Users\Heather\Desktop\borked_again\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKLM\SOFTWARE\WinWSD ToolBar

***** [ Web browsers ] *****

[-] [C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: Proxy settings cleared
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [965 bytes] ##########


 



#12 LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • Gender:Male

Posted 24 August 2015 - 08:11 PM

Good job. Can you rerun MBAR as you did in the Am I Infected? section, and let me know if the programme reports back all clean. 

 

Let's check for remnants. Errors in your logs indicate MBAM should be reinstalled. 
 
STEP 1
Malwarebytes Anti-Malware (MBAM) Clean

  • Please read the following article on how to run MBAM Clean. 
  • (!) Ensure you follow the correct set of instructions depending on which version you have (Free or Premium).
  • Download and install the latest version of MBAM as per the instructions.  
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is selected and click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click [esetListThreats image]. If no threats were found, skip the next two bullet points. 
  • Click [esetExport image] and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to [image] and click [image].
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did MBAR report all clean? 
  • Did MBAM Clean run successfully?
  • MBAM Scan log
  • ESET Online Scan log


#13 computerisborked
  • Topic Starter
  • Members
  • 39 posts

Posted 25 August 2015 - 02:31 PM

MBAR reported all clean. MBAM uninstalled, reinstalled, and ran successfully. ESET found 3 items.

 

mbam log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/25/2015
Scan Time: 8:02:12 AM
Logfile: mbam082515.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.25.05
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Heather

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 348205
Time Elapsed: 22 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

eset log:

C:\inetpub\wwwroot\kevin_transfers\leif_files_GODADDY2015\wp-content\themes\leifgrunseth\orig--footer.php    PHP/Obfuscated.F potentially unwanted application
C:\Users\Heather\WEBSITES\burton\PRG\wordpress_bak_april2015\wp-content\plugins\gravityformsmailchimp\jxmm.php    PHP/Kryptik.AJ trojan
C:\Users\Heather\WEBSITES\burton\PRG\wordpress_bak_april2015\wp-content\plugins\prg-testimonials\otes.php    PHP/Kryptik.AJ trojan
 



#14 computerisborked
  • Topic Starter
  • Members
  • 39 posts

Posted 25 August 2015 - 02:54 PM

Oh, I looked at the three items and they are all from backups of other people's systems. So I need to let them know... but I guess I'm okay.



#15 LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • Gender:Male

Posted 25 August 2015 - 10:04 PM

Hi Heather, 
 
Those detections by ESET look like false-positives. Let's double-check:
 
VirusTotal Upload

  • Please go to VirusTotal.com.
  • Click Choose File and locate the first file detected by ESET. 
  • Click Scan it!.
  • If you receive the following notification: File already analysed click Reanalyse.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply. 
  • Please do the same for the other files. 
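As an added example that is not part of this thread (and not ESET's, Malwarebytes' or VirusTotal's code): a triage script for the situation in the ESET log in post #13, PHP files sitting inside backups of other people's WordPress sites. It walks a directory tree, flags .php files that carry common obfuscation markers (a decoder fed straight into eval(), preg_replace with the /e modifier, a variable called as a function on request input, very long base64 literals, strings assembled from chr() calls), and prints each hit with its SHA-256. The hash can be looked up on VirusTotal at https://www.virustotal.com/gui/file/<sha256>, which answers the same question as the upload described above without sending a client's file anywhere. The sample files, their paths and the marker list are constructed for the example; a marker hit is a reason to inspect the file, not a verdict.

```python
"""Heuristic triage of PHP files in WordPress backups, with hashes for VirusTotal.

Added example, not code from the thread, ESET, Malwarebytes or VirusTotal.
The two sample files are constructed; the marker list is a heuristic.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Patterns that are rare in legitimate theme/plugin code but common in
# obfuscated droppers. Dict order is the order markers are reported in.
MARKERS = {
    # eval() fed directly from a decoder
    "eval_decode": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # preg_replace with the removed /e modifier (replacement is evaluated as PHP)
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*(['\"])[^'\"]*/[imsxu]*e[imsxu]*\1", re.I),
    # a variable used as a function name, called on request input
    "dynamic_call": re.compile(
        r"\$[a-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # a single base64-looking literal of 200+ characters
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    # strings assembled from a run of chr() calls
    "char_assembly": re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){5,}", re.I),
}


@dataclass
class Finding:
    path: str
    sha256: str
    markers: list = field(default_factory=list)


def classify_text(text):
    """Return the names of every marker that matches the PHP source text."""
    return [name for name, rx in MARKERS.items() if rx.search(text)]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root and return a Finding for each .php file with at least one marker."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                hits = classify_text(f.read())
            if hits:
                findings.append(Finding(path, sha256_of(path), hits))
    return sorted(findings, key=lambda fnd: fnd.path)


# Constructed samples: a plain theme footer and a decode-then-eval stub whose
# "payload" is filler, not code.
CLEAN_PHP = "<?php\n// theme footer\nwp_footer();\n?>\n</body></html>\n"
SUSPICIOUS_PHP = (
    "<?php\n"
    "// constructed sample: decoded blob handed straight to eval()\n"
    "$p = '" + "QUFBQUFB" * 40 + "';\n"
    "eval(base64_decode($p));\n"
)


def write_samples(root):
    """Lay the constructed samples out like a wp-content tree under root."""
    files = {
        os.path.join(root, "wp-content", "themes", "demo", "footer.php"): CLEAN_PHP,
        os.path.join(root, "wp-content", "plugins", "demo", "dropper_constructed.php"): SUSPICIOUS_PHP,
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return sorted(files)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="wp_bak_")
    write_samples(root)
    return scan_tree(root)


if __name__ == "__main__":
    for fnd in demo():
        print(f"{fnd.path}\n  markers: {', '.join(fnd.markers)}\n  sha256:  {fnd.sha256}")
        print(f"  lookup:  https://www.virustotal.com/gui/file/{fnd.sha256}")
```

Point `scan_tree()` at the backup folder (for the paths in the ESET log, the `wordpress_bak_april2015` directory) rather than at the whole profile; a hit that is the only suspicious file in an otherwise clean plugin directory is the kind of finding to pass on to the site owner together with its hash.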




