
Phishing victim here; malicious link clicked; https crossed out on email acct


20 replies to this topic

#1 auklet

auklet

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Location:washington state and Ecuador
  • Local time:08:10 PM

Posted 10 September 2015 - 05:56 PM

Today, Sept 10, 2015, your staff member Angoid referred me to this forum.

The following is a narrative of events that occurred yesterday, Sept 9, or the day before. The computer used is a Lenovo laptop manufactured in February, running Windows 8.1 with the Chrome browser. Purchased in May, it had been carefully gone through to clean it of much bloatware and arguably suspicious malware.

While in webmail, mail was opened before identifying, later, that it was not from the assumed, trusted sender, AND a link within the text of the email was clicked on. The site the link was associated with had more links, but none were clicked on there. Besides the unwanted email address of the sender, there was other obvious evidence that it was an illicit email, such as offbeat content, and similarly so for the website that the clicked-on link was associated with.

Results: The webmail was signed off and shortly later signed on to again in order to get to the Inbox. The https in the address window of the signed-on email inbox has a red diagonal line across it. Just the https has this. Normal functioning inside the email was possible. After signing off, another (clean) computer was used to open the same email account and experienced no red diagonal line across the https. The first computer continues to have the red diagonal line across the https. Care has been taken not to sign into bank accounts, online shopping, etc.

The technical staff of the email service (Earthlink) advised doing a full AV scan and also trying a reset of the Chrome browser to Chrome's default configuration. Neither of these actions eliminated the red diagonal line over the https in the browser's address window after logging into the email account. In the chat with Earthlink tech support, a temporary password was issued in order to log on. (The traditional password had worked, but it was advised to change it.) The newly issued password was used to log on at the Earthlink server, where an even newer, more sophisticated password was then established.

Both Windows Defender (full scan) and Malwarebytes Premium came up with negative findings. The assumed sender of the email, who did not send it, stated on the phone that she was aware her email address book had been hijacked.

Questions: Is this ONLY a hit and run with the address book? What is the meaning of the red diagonal line over the https, occurring only on the Lenovo and not on a different computer after logging in? Should contacts in the address book of the email account be notified to be leery of receiving email from this account until they get a follow-up that the coast is clear once again? Please assist in restoring the security of the email account and locating anything spurious in the computer that may have been affected.

FRST scan was run and the text of the scan results follows. There was no prompt for running a second scan (producing the Additional scan).

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-09-2015
Ran by CPUOA User (ATTENTION: The user is not administrator) on CPUOAF0101P (10-09-2015 16:06:12)
Running from C:\Users\CPUOA User\Downloads
Loaded Profiles: CPUOA User & Admin 18 Aug 2015 (Available Profiles: CPUOA User & Admin 18 Aug 2015)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> igfxCUIService.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> AdminService.exe
Failed to access process -> svchost.exe
Failed to access process -> HeciServer.exe
Failed to access process -> dasHost.exe
Failed to access process -> SystemAgentService.exe
Failed to access process -> LenovoWiFiHotspotSvr.exe
Failed to access process -> LsvUIService.exe
Failed to access process -> MaxthonUpdateSvc.exe
Failed to access process -> mbamscheduler.exe
Failed to access process -> mbamservice.exe
Failed to access process -> NitroPDFDriverService8x64.exe
Failed to access process -> NLSSRV32.EXE
Failed to access process -> PGService.exe
Failed to access process -> PhoneCompanionPusher.exe
Failed to access process -> RichVideo64.exe
Failed to access process -> SynTPEnhService.exe
Failed to access process -> VfConnectorService.exe
Failed to access process -> MsMpEng.exe
Failed to access process -> Ath_CoexAgent.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> WUDFHost.exe
Failed to access process -> svchost.exe
Failed to access process -> NisSrv.exe
Failed to access process -> PresentationFontCache.exe
Failed to access process -> SearchIndexer.exe
Failed to access process -> GoogleCrashHandler.exe
Failed to access process -> GoogleCrashHandler64.exe
Failed to access process -> CCSDK.exe
Failed to access process -> IAStorDataMgrSvc.exe
Failed to access process -> IntelMeFWService.exe
Failed to access process -> jhi_service.exe
Failed to access process -> LMS.exe
Failed to access process -> csrss.exe
Failed to access process -> wmpnetwk.exe
Failed to access process -> winlogon.exe
Failed to access process -> dwm.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
() C:\Windows\SysWOW64\UMonit64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Lenovo\Lenovo Messenger\NotificationsViewHost.exe
Failed to access process -> MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(VS Revo Group) C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Failed to access process -> dllhost.exe
(Farbar) C:\Users\CPUOA User\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IgfxTray] => C:\windows\system32\igfxtray.exe [404376 2015-08-09] ()
HKLM\...\Run: [HotKeysCmds] => "C:\windows\system32\hkcmd.exe"
HKLM\...\Run: [Persistence] => "C:\windows\system32\igfxpers.exe"
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [320360 2014-08-04] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13667032 2014-02-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-25] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-25] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-25] (Realtek Semiconductor)
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [6340312 2014-01-21] (Realtek semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2808560 2014-08-07] (Synaptics Incorporated)
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [836592 2015-02-23] (Lenovo)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [16094704 2015-02-23] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [10841584 2015-02-23] (Lenovo(beijing) Limited)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [133760 2013-12-24] (Qualcomm®Atheros®)
HKU\S-1-5-21-3330058123-2019430083-2832955609-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8418584 2015-07-17] (Piriform Ltd)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 200.107.10.105
Tcpip\..\Interfaces\{25A23817-B02E-4630-8797-6C81A1049349}: [DhcpNameServer] 200.107.10.105
Tcpip\..\Interfaces\{E54BD572-122C-4282-AAC6-153B261DA584}: [DhcpNameServer] 192.168.10.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3330058123-2019430083-2832955609-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/
HKU\S-1-5-21-3330058123-2019430083-2832955609-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
URLSearchHook: [S-1-5-21-3330058123-2019430083-2832955609-1004] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-28] (Google Inc.)
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxps://www.yahoo.com/"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}
CHR DefaultSearchKeyword: Default -> yahoo.com
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
CHR Profile: C:\Users\CPUOA User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (WordCaptureX) - C:\Users\CPUOA User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnbndllceljcgmoekbckoekjnhdpophi [2015-09-03]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\CPUOA User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-08-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\CPUOA User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-13]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [318592 2013-12-24] (Windows ® Win 7 DDK provider) [File not signed]
R2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [592880 2014-07-09] ()
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-08-04] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-03] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [561408 2014-09-22] (Lenovo)
R2 Lenovo System Agent Service; C:\Program Files\Lenovo\iMController\SystemAgentService.exe [584632 2015-03-06] (LENOVO INCORPORATED.)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2015-02-23] (Lenovo(beijing) Limited)
R2 lmhosts; C:\Windows\system32\svchost.exe [38792 2014-10-28] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)
R2 LsvUIService; C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe [70416 2015-02-23] (Lenovo)
R2 MaxthonUpdateSvc; C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe [1871784 2015-08-29] (Maxthon)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-08-17] (Nitro PDF Software)
R2 NlaSvc; C:\Windows\System32\svchost.exe [38792 2014-10-28] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [38792 2014-10-28] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)
R2 PGService; C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe [163624 2014-01-07] (PointGrab LTD)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [288240 2015-02-23] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [305136 2015-02-23] (Lenovo)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [190704 2014-08-07] (Synaptics Incorporated)
S3 TESHelper; c:\Program Files\Common Files\Lenovo\Magic Transfer\x64\MagicTransferTESHelper.exe [104696 2015-02-23] (Lenovo)
R2 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe [67856 2015-02-23] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2013-12-24] (Atheros) [File not signed]
S2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3892224 2014-03-07] (Qualcomm Atheros Communications, Inc.)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-12-24] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
U5 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [111336 2014-04-17] (GenesysLogic)
R1 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [109272 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-08-29] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [9105624 2014-01-21] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-08-07] (Synaptics Incorporated)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-10 15:57 - 2015-09-10 15:57 - 02190848 _____ (Farbar) C:\Users\CPUOA User\Downloads\FRST64 (1).exe
2015-09-09 13:22 - 2015-09-09 13:22 - 00010110 _____ C:\Users\CPUOA User\Documents\earthlink chat Sept 9, 2015.txt
2015-09-09 11:59 - 2015-09-02 21:18 - 02531400 _____ (Microsoft Corporation) C:\windows\system32\msxml6.dll
2015-09-09 11:59 - 2015-09-02 21:17 - 01903848 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml6.dll
2015-09-09 11:59 - 2015-09-02 13:48 - 02345472 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2015-09-09 11:59 - 2015-09-02 12:09 - 01556992 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2015-09-09 11:59 - 2015-07-22 09:19 - 00041984 _____ (Microsoft Corporation) C:\windows\system32\UtcResources.dll
2015-09-09 11:59 - 2015-07-22 08:52 - 01633792 _____ (Microsoft Corporation) C:\windows\system32\diagtrack.dll
2015-09-09 11:59 - 2015-07-17 09:15 - 00951296 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll
2015-09-09 11:59 - 2015-07-17 09:10 - 00749568 _____ (Microsoft Corporation) C:\windows\SysWOW64\tdh.dll
2015-09-09 11:59 - 2015-07-03 16:51 - 01380056 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2015-09-09 11:59 - 2015-07-03 09:00 - 01097216 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2015-09-09 11:59 - 2015-06-27 06:47 - 00118616 _____ (Microsoft Corporation) C:\windows\system32\consent.exe
2015-09-09 11:58 - 2015-07-13 14:10 - 00411455 _____ C:\windows\system32\ApnDatabase.xml
2015-09-09 11:58 - 2015-07-10 14:06 - 00118272 ____C (Microsoft Corporation) C:\windows\system32\Drivers\bthpan.sys
2015-09-09 11:58 - 2015-07-09 11:14 - 00228864 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-09-09 11:58 - 2015-06-19 12:07 - 02819072 _____ (Microsoft Corporation) C:\windows\system32\SettingsHandlers.dll
2015-09-09 11:05 - 2015-08-26 21:48 - 00136904 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2015-09-09 11:05 - 2015-08-26 13:00 - 00721920 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
2015-09-09 11:05 - 2015-08-26 13:00 - 00124928 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
2015-09-09 11:05 - 2015-08-26 13:00 - 00081920 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
2015-09-09 11:05 - 2015-08-26 13:00 - 00029696 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
2015-09-09 11:05 - 2015-08-26 09:46 - 03705344 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2015-09-09 11:05 - 2015-08-26 09:29 - 02240512 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2015-09-09 11:05 - 2015-08-26 09:27 - 00891904 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2015-09-09 11:05 - 2015-08-26 09:27 - 00409088 _____ (Microsoft Corporation) C:\windows\system32\WUSettingsProvider.dll
2015-09-09 11:05 - 2015-08-26 09:26 - 00140288 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2015-09-09 11:05 - 2015-08-26 09:26 - 00095744 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2015-09-09 11:05 - 2015-08-26 09:26 - 00035840 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
2015-09-09 11:05 - 2015-08-22 13:19 - 25188352 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-09-09 11:05 - 2015-08-22 12:35 - 02886144 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-09-09 11:05 - 2015-08-22 12:34 - 00585216 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-09-09 11:05 - 2015-08-22 12:22 - 19856384 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-09-09 11:05 - 2015-08-22 12:21 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2015-09-09 11:05 - 2015-08-22 12:20 - 05923840 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-09-09 11:05 - 2015-08-22 11:55 - 00504832 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-09-09 11:05 - 2015-08-22 11:50 - 02279424 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-09-09 11:05 - 2015-08-22 11:45 - 00665600 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2015-09-09 11:05 - 2015-08-22 11:44 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2015-09-09 11:05 - 2015-08-22 11:41 - 14451712 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-09-09 11:05 - 2015-08-22 11:41 - 00801280 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-09-09 11:05 - 2015-08-22 11:41 - 00720384 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-09-09 11:05 - 2015-08-22 11:41 - 00374784 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-09-09 11:05 - 2015-08-22 11:39 - 02126336 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-09-09 11:05 - 2015-08-22 11:28 - 04520448 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-09-09 11:05 - 2015-08-22 11:26 - 02427392 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-09-09 11:05 - 2015-08-22 11:22 - 12857344 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-09-09 11:05 - 2015-08-22 11:20 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2015-09-09 11:05 - 2015-08-22 11:18 - 02052608 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-09-09 11:05 - 2015-08-22 11:18 - 00689152 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-09-09 11:05 - 2015-08-22 11:18 - 00327168 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-09-09 11:05 - 2015-08-22 11:14 - 01545728 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-09-09 11:05 - 2015-08-22 11:00 - 01951232 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-09-09 11:05 - 2015-08-22 10:56 - 01310720 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-09-09 11:05 - 2015-07-30 12:18 - 00268288 _____ (Microsoft Corporation) C:\windows\system32\InkEd.dll
2015-09-09 11:05 - 2015-07-30 11:22 - 00230912 _____ (Microsoft Corporation) C:\windows\SysWOW64\InkEd.dll
2015-09-09 11:04 - 2015-09-01 21:56 - 04175872 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-09-09 11:04 - 2015-09-01 21:55 - 00358912 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2015-09-09 11:04 - 2015-09-01 21:50 - 00044032 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2015-09-09 11:04 - 2015-09-01 21:17 - 00301568 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2015-09-09 11:04 - 2015-09-01 21:13 - 00035840 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2015-09-09 11:04 - 2015-08-22 11:50 - 01032704 _____ (Microsoft Corporation) C:\windows\system32\inetcomm.dll
2015-09-09 11:04 - 2015-08-22 11:23 - 00880128 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcomm.dll
2015-09-09 11:04 - 2015-08-22 11:01 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-09-09 11:04 - 2015-08-22 10:55 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-09-09 11:04 - 2015-08-03 16:15 - 00074928 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2015-09-09 11:04 - 2015-08-03 16:15 - 00065600 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2015-09-09 11:04 - 2015-08-01 09:22 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2015-09-09 11:04 - 2015-07-31 22:47 - 00229376 _____ (Microsoft Corporation) C:\windows\system32\schtasks.exe
2015-09-09 11:04 - 2015-07-31 22:45 - 00182784 _____ (Microsoft Corporation) C:\windows\SysWOW64\schtasks.exe
2015-09-09 11:04 - 2015-07-31 22:38 - 01265152 _____ (Microsoft Corporation) C:\windows\system32\schedsvc.dll
2015-09-09 11:04 - 2015-07-31 22:37 - 00468992 _____ (Microsoft Corporation) C:\windows\system32\taskeng.exe
2015-09-09 11:04 - 2015-07-31 22:37 - 00359936 _____ (Microsoft Corporation) C:\windows\SysWOW64\taskeng.exe
2015-09-09 11:04 - 2015-07-22 09:34 - 02775552 _____ (Microsoft Corporation) C:\windows\system32\authui.dll
2015-09-09 11:04 - 2015-07-22 09:33 - 01728000 _____ (Microsoft Corporation) C:\windows\system32\Windows.UI.Immersive.dll
2015-09-09 11:04 - 2015-07-22 09:25 - 02461184 _____ (Microsoft Corporation) C:\windows\SysWOW64\authui.dll
2015-09-09 11:04 - 2015-07-22 09:25 - 01546752 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.UI.Immersive.dll
2015-09-09 11:04 - 2015-07-18 13:31 - 00194048 _____ (Microsoft Corporation) C:\windows\system32\shacct.dll
2015-09-09 11:04 - 2015-07-18 13:29 - 00655872 _____ (Microsoft Corporation) C:\windows\system32\SettingSync.dll
2015-09-09 11:04 - 2015-07-18 13:29 - 00148480 _____ (Microsoft Corporation) C:\windows\SysWOW64\shacct.dll
2015-09-09 11:04 - 2015-07-18 13:27 - 00520192 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSync.dll
2015-09-09 11:04 - 2015-07-13 22:27 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\tzsync.exe
2015-09-03 10:17 - 2015-09-03 10:17 - 00000000 ____D C:\Users\CPUOA User\Documents\MBT Navigator
2015-09-03 10:11 - 2015-09-03 10:11 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\MBTrading
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\MBTrading
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBT Desktop Pro
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\ProgramData\MBTrading
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\Program Files (x86)\MBTrading
2015-09-03 10:07 - 2011-04-08 17:28 - 00040960 _____ (OLSOFT) C:\windows\SysWOW64\PLC.ocx
2015-09-03 10:07 - 2005-04-15 19:58 - 01351392 _____ (Microsoft Corporation) C:\windows\SysWOW64\comctl32.ocx
2015-09-03 10:07 - 2005-04-15 19:58 - 01071088 _____ (Microsoft Corporation) C:\windows\SysWOW64\mscomctl.ocx
2015-09-03 10:07 - 2004-03-09 03:00 - 00167968 _____ (Microsoft Corporation) C:\windows\SysWOW64\msmask32.ocx
2015-09-03 10:07 - 2004-03-09 02:00 - 00212240 _____ (Microsoft Corporation) C:\windows\SysWOW64\Richtx32.ocx
2015-09-03 10:07 - 2004-03-09 01:00 - 00662288 _____ (Microsoft Corporation) C:\windows\SysWOW64\Mscomct2.ocx
2015-09-03 10:07 - 2003-04-01 06:36 - 00094208 _____ (vbAccelerator) C:\windows\SysWOW64\vbalIml6.ocx
2015-09-03 10:07 - 2003-01-18 16:30 - 00200704 _____ (OLSOFT) C:\windows\SysWOW64\axlsbcls.dll
2015-09-03 10:07 - 1999-02-19 08:54 - 00040960 _____ (<none>) C:\windows\SysWOW64\SSubTmr6.dll
2015-09-03 10:07 - 1998-06-18 02:00 - 00032768 _____ (Microsoft Corporation) C:\windows\SysWOW64\Regtool5.dll
2015-09-03 09:31 - 2015-09-03 09:32 - 24838656 _____ C:\Users\CPUOA User\Downloads\MbtWebMbtDesktopPro_2.2.0.72_12.0.0.72_20150116_release.exe
2015-09-03 09:15 - 2015-09-03 09:15 - 00001975 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WordWeb.lnk
2015-09-03 09:15 - 2015-09-03 09:15 - 00000000 ____D C:\Program Files (x86)\WordWeb
2015-09-03 09:15 - 2015-08-02 16:32 - 02940032 ____N (WordWeb Software) C:\windows\wweb32.dll
2015-09-03 09:10 - 2015-09-03 09:11 - 22159800 _____ C:\Users\CPUOA User\Downloads\wordweb7.exe
2015-09-03 02:14 - 2015-09-04 00:37 - 00010752 ___SH C:\Users\CPUOA User\Documents\Thumbs.db
2015-09-03 02:13 - 2015-09-03 02:13 - 00001229 _____ C:\Users\CPUOA User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\i_view32.lnk
2015-09-03 02:12 - 2015-09-03 02:12 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\IrfanView
2015-09-03 01:48 - 2015-09-03 01:48 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\IrfanView
2015-09-03 01:48 - 2015-09-03 01:48 - 00000000 ____D C:\Program Files (x86)\IrfanView
2015-09-03 01:44 - 2015-09-03 01:44 - 02126264 _____ (Irfan Skiljan) C:\Users\CPUOA User\Downloads\iview440_setup.exe
2015-09-03 00:46 - 2015-09-03 00:46 - 00000000 __SHD C:\windows\SysWOW64\AI_RecycleBin
2015-08-29 14:24 - 2015-08-29 14:24 - 00000118 _____ C:\windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-08-29 13:00 - 2015-08-29 13:00 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-29 12:59 - 2015-08-29 12:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-29 12:58 - 2015-08-29 12:59 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-08-29 12:58 - 2015-08-29 12:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-08-29 12:58 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-08-29 12:58 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-08-29 12:58 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2015-08-29 12:56 - 2015-08-29 12:56 - 00000401 _____ C:\windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2015-08-29 12:47 - 2015-08-29 12:47 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (4).exe
2015-08-29 12:14 - 2015-08-29 12:15 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (3).exe
2015-08-23 23:16 - 2015-08-23 23:16 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (2).exe
2015-08-22 22:38 - 2015-08-22 22:38 - 09815040 _____ C:\Users\CPUOA User\Downloads\openofficeorg31.msi
2015-08-22 20:39 - 2015-09-09 12:01 - 00046592 ___SH C:\Users\CPUOA User\Downloads\Thumbs.db
2015-08-22 11:16 - 2015-08-22 11:16 - 00034886 _____ C:\Users\CPUOA User\Downloads\Addition.txt
2015-08-22 11:15 - 2015-09-10 16:06 - 00016327 _____ C:\Users\CPUOA User\Downloads\FRST.txt
2015-08-22 11:12 - 2015-09-10 16:06 - 00000000 ____D C:\FRST
2015-08-22 11:10 - 2015-08-22 11:10 - 02173952 _____ (Farbar) C:\Users\CPUOA User\Downloads\FRST64.exe
2015-08-22 07:49 - 2015-08-22 07:49 - 00257024 _____ (Intel® Corporation) C:\Users\CPUOA User\Downloads\ChipUtil.exe
2015-08-21 16:32 - 2015-08-21 16:32 - 00000000 ____D C:\Program Files (x86)\ESET
2015-08-21 16:02 - 2015-08-21 16:40 - 02870984 _____ (ESET) C:\Users\CPUOA User\Downloads\esetsmartinstaller_enu.exe
2015-08-21 14:59 - 2015-08-21 14:59 - 01798576 _____ (Malwarebytes Corporation) C:\Users\CPUOA User\Downloads\JRT.exe
2015-08-21 13:37 - 2015-08-21 13:37 - 01605632 _____ C:\Users\CPUOA User\Downloads\AdwCleaner.exe
2015-08-21 12:07 - 2015-08-21 12:08 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (1).exe
2015-08-21 12:00 - 2015-08-22 13:03 - 00000000 ____D C:\Users\CPUOA User\Desktop\bleeping cleaning sweep
2015-08-20 16:33 - 2015-08-20 16:33 - 00000000 ____D C:\Users\CPUOA User\Documents\Bleeping computer
2015-08-20 08:45 - 2014-04-15 18:35 - 00028352 _____ (Microsoft Corporation) C:\windows\SysWOW64\aspnet_counters.dll
2015-08-20 08:45 - 2014-04-15 18:34 - 00029888 _____ (Microsoft Corporation) C:\windows\system32\aspnet_counters.dll
2015-08-19 21:36 - 2015-08-19 21:36 - 00001238 _____ C:\windows\SysWOW64\ServiceConfig.xml
2015-08-19 01:17 - 2015-08-21 14:44 - 00000000 ____D C:\AdwCleaner
2015-08-19 00:53 - 2015-08-19 00:53 - 01585664 _____ C:\Users\CPUOA User\Downloads\adwcleaner_5.002.exe
2015-08-18 22:53 - 2015-08-18 22:53 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\Nitro
2015-08-18 22:53 - 2015-08-18 22:53 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\FileOpen
2015-08-18 22:53 - 2015-08-18 22:53 - 00000000 ____D C:\ProgramData\FileOpen
2015-08-18 20:54 - 2015-09-10 00:45 - 00003106 _____ C:\windows\setupact.log
2015-08-18 20:54 - 2015-09-03 08:39 - 00012034 _____ C:\windows\PFRO.log
2015-08-18 20:54 - 2015-08-18 20:54 - 00000000 _____ C:\windows\setuperr.log
2015-08-18 20:10 - 2015-08-18 20:10 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\CyberLink
2015-08-18 19:39 - 2015-08-18 19:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-08-18 19:39 - 2015-08-18 19:39 - 00000000 ____D C:\Program Files\CCleaner
2015-08-18 19:31 - 2015-08-18 19:35 - 06609608 _____ (Piriform Ltd) C:\Users\CPUOA User\Downloads\ccsetup508 (1).exe
2015-08-18 19:24 - 2015-08-18 19:24 - 00000000 _____ C:\windows\system32\SBRC.dat
2015-08-18 19:21 - 2015-09-05 10:48 - 00001164 _____ C:\Users\CPUOA User\Desktop\U.S. & World Econ.txt
2015-08-18 19:20 - 2015-08-18 19:20 - 00000000 _____ C:\Users\CPUOA User\Desktop\CNBC text.txt
2015-08-18 18:28 - 2015-08-18 18:28 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\IsolatedStorage
2015-08-18 17:03 - 2015-08-29 12:59 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\4B773B73.sys
2015-08-18 15:11 - 2015-08-18 15:11 - 06557296 _____ (ThreatTrack Security, Inc) C:\Users\CPUOA User\Downloads\setup-vipre-internet-security-en-us.exe
2015-08-18 13:47 - 2015-08-18 13:47 - 00000000 _____ C:\Users\Admin 18 Aug 2015\agent.log
2015-08-18 13:16 - 2015-08-18 13:16 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\Intel Corporation
2015-08-18 13:15 - 2015-08-18 13:15 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\Atheros
2015-08-18 13:14 - 2015-08-21 12:53 - 00000000 ____D C:\Users\Admin 18 Aug 2015
2015-08-18 13:14 - 2015-08-18 13:14 - 00000020 ___SH C:\Users\Admin 18 Aug 2015\ntuser.ini
2015-08-18 13:14 - 2015-08-18 13:14 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\Adobe
2015-08-18 12:04 - 2015-08-18 12:04 - 01190120 _____ (Adobe Systems Incorporated) C:\Users\CPUOA User\Downloads\readerdc_en_ha_install.exe
2015-08-18 11:49 - 2015-09-10 15:24 - 00000000 ____D C:\Users\CPUOA User\Documents\Vipre Security
2015-08-15 09:36 - 2015-09-10 14:01 - 01988805 _____ C:\windows\WindowsUpdate.log
2015-08-14 15:07 - 2015-08-14 15:07 - 00030510 _____ C:\Users\CPUOA User\Documents\cc_20150814_150655.reg
2015-08-14 11:57 - 2015-08-14 11:57 - 00000000 ____D C:\Users\CPUOA User\Desktop\Lenovo prep
2015-08-14 11:35 - 2015-07-30 09:04 - 00124624 _____ (Microsoft Corporation) C:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-08-14 11:35 - 2015-07-30 08:48 - 00103120 _____ (Microsoft Corporation) C:\windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-08-14 10:42 - 2015-07-07 04:40 - 00270168 _____ (Microsoft Corporation) C:\windows\system32\Drivers\WdFilter.sys
2015-08-14 10:42 - 2015-07-07 04:40 - 00114520 _____ (Microsoft Corporation) C:\windows\system32\Drivers\WdNisDrv.sys
2015-08-14 10:42 - 2015-07-07 04:40 - 00044560 _____ (Microsoft Corporation) C:\windows\system32\Drivers\WdBoot.sys
2015-08-13 17:29 - 2015-07-16 15:36 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2015-08-13 17:29 - 2015-07-16 15:23 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-08-13 17:29 - 2015-07-16 14:53 - 00145408 _____ (Microsoft Corporation) C:\windows\system32\iepeers.dll
2015-08-13 17:29 - 2015-07-16 14:50 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2015-08-13 17:29 - 2015-07-16 14:41 - 00479232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-08-13 17:29 - 2015-07-16 14:14 - 02880000 _____ (Microsoft Corporation) C:\windows\system32\actxprxy.dll
2015-08-13 17:29 - 2015-07-16 13:52 - 01048576 _____ (Microsoft Corporation) C:\windows\SysWOW64\actxprxy.dll
2015-08-13 17:28 - 2015-07-15 19:29 - 07458648 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-08-13 17:28 - 2015-07-15 19:29 - 01735000 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2015-08-13 17:28 - 2015-07-15 19:29 - 00101720 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mountmgr.sys
2015-08-13 17:28 - 2015-07-15 19:28 - 01499920 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2015-08-13 17:28 - 2015-07-10 12:54 - 01217024 _____ (Microsoft Corporation) C:\windows\system32\sysmain.dll
2015-08-13 17:27 - 2015-08-13 17:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-08-13 17:27 - 2015-07-01 17:19 - 00228864 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll
2015-08-13 17:27 - 2015-07-01 17:16 - 00104448 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll
2015-08-13 17:27 - 2015-07-01 16:37 - 00198656 _____ (Microsoft Corporation) C:\windows\SysWOW64\WebClnt.dll
2015-08-13 17:27 - 2015-07-01 16:35 - 00087040 _____ (Microsoft Corporation) C:\windows\SysWOW64\davclnt.dll
2015-08-13 17:26 - 2015-09-10 15:37 - 00000930 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-13 17:26 - 2015-09-10 11:59 - 00000926 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-13 17:26 - 2015-08-13 17:27 - 00000000 ____D C:\Program Files (x86)\Google
2015-08-13 17:25 - 2015-08-13 17:27 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\Google
2015-08-13 17:23 - 2015-08-13 17:25 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\Deployment
2015-08-13 17:23 - 2015-08-13 17:23 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\Apps\2.0
2015-08-13 17:22 - 2015-07-29 09:37 - 01994752 _____ (Microsoft Corporation) C:\windows\system32\DWrite.dll
2015-08-13 17:22 - 2015-07-29 09:30 - 01381888 _____ (Microsoft Corporation) C:\windows\system32\FntCache.dll
2015-08-13 17:22 - 2015-07-29 09:23 - 01559552 _____ (Microsoft Corporation) C:\windows\SysWOW64\DWrite.dll
2015-08-13 17:22 - 2015-07-13 14:46 - 00059392 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2015-08-13 17:22 - 2015-07-13 14:45 - 00059392 _____ (Microsoft Corporation) C:\windows\system32\basesrv.dll
2015-08-13 17:22 - 2015-07-10 13:19 - 01101824 _____ (Microsoft Corporation) C:\windows\system32\rdvidcrl.dll
2015-08-13 17:22 - 2015-07-10 12:14 - 00856064 _____ (Microsoft Corporation) C:\windows\SysWOW64\rdvidcrl.dll
2015-08-13 17:22 - 2015-07-10 12:13 - 07032320 _____ (Microsoft Corporation) C:\windows\system32\mstscax.dll
2015-08-13 17:22 - 2015-07-10 11:31 - 06213120 _____ (Microsoft Corporation) C:\windows\SysWOW64\mstscax.dll
2015-08-13 17:22 - 2015-07-09 12:13 - 00221184 _____ (Microsoft Corporation) C:\windows\system32\notepad.exe
2015-08-13 17:22 - 2015-07-09 12:13 - 00221184 _____ (Microsoft Corporation) C:\windows\notepad.exe
2015-08-13 17:22 - 2015-07-09 11:30 - 00212992 _____ (Microsoft Corporation) C:\windows\SysWOW64\notepad.exe
2015-08-13 17:16 - 2015-08-13 17:16 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\GWX
2015-08-13 17:08 - 2015-08-13 17:08 - 00000068 _____ C:\Users\CPUOA User\Documents\download chrome.txt
2015-08-13 16:56 - 2015-07-28 18:24 - 00025776 _____ (Microsoft Corporation) C:\windows\system32\CompatTelRunner.exe
2015-08-13 16:56 - 2015-07-28 09:24 - 01148416 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2015-08-13 16:56 - 2015-07-28 09:24 - 01116160 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2015-08-13 16:56 - 2015-07-28 09:24 - 00774144 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2015-08-13 16:56 - 2015-07-28 09:24 - 00743424 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2015-08-13 16:56 - 2015-07-28 09:24 - 00437248 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2015-08-13 16:56 - 2015-07-28 09:24 - 00069120 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2015-08-13 16:56 - 2015-07-14 16:59 - 01113944 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ndis.sys
2015-08-13 16:56 - 2015-07-14 16:59 - 00487256 _____ (Microsoft Corporation) C:\windows\system32\netcfgx.dll
2015-08-13 16:56 - 2015-07-14 16:59 - 00393560 _____ (Microsoft Corporation) C:\windows\SysWOW64\netcfgx.dll
2015-08-13 16:56 - 2015-06-12 12:03 - 18823680 _____ (Microsoft Corporation) C:\windows\system32\Windows.UI.Xaml.dll
2015-08-13 16:56 - 2015-06-12 11:36 - 15159296 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.UI.Xaml.dll
2015-08-13 16:56 - 2015-06-11 15:12 - 02476376 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2015-08-13 16:56 - 2015-06-11 15:12 - 00428888 _____ (Microsoft Corporation) C:\windows\system32\Drivers\FWPKCLNT.SYS
2015-08-13 16:54 - 2015-05-11 19:24 - 00536920 _____ (Microsoft Corporation) C:\windows\system32\mcupdate_GenuineIntel.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-10 16:00 - 2013-08-22 10:36 - 00000000 ____D C:\windows\system32\sru
2015-09-10 15:38 - 2013-08-22 10:36 - 00000000 ____D C:\windows\rescache
2015-09-10 14:21 - 2015-08-09 13:50 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\Nitro PDF
2015-09-10 12:01 - 2014-03-18 04:53 - 00865408 _____ C:\windows\system32\PerfStringBackup.INI
2015-09-10 00:45 - 2013-08-22 09:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-09-10 00:45 - 2013-08-22 09:44 - 00346744 _____ C:\windows\system32\FNTCACHE.DAT
2015-09-10 00:44 - 2015-02-23 13:58 - 00002560 _____ C:\windows\system32\VfService.trf
2015-09-10 00:43 - 2014-03-18 04:38 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-10 00:43 - 2013-08-22 10:36 - 00000000 ____D C:\windows\PolicyDefinitions
2015-09-10 00:43 - 2013-08-22 10:20 - 00000000 ____D C:\windows\CbsTemp
2015-09-10 00:40 - 2015-06-01 12:37 - 00000000 ____D C:\windows\system32\MRT
2015-09-09 10:58 - 2013-08-22 10:36 - 00000000 ____D C:\windows\AppReadiness
2015-09-03 02:28 - 2015-07-27 01:53 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\CrashDumps
2015-08-29 12:56 - 2015-02-23 13:19 - 00000000 ___HD C:\Intel
2015-08-26 18:37 - 2015-06-01 12:37 - 134753440 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-08-22 19:35 - 2015-06-01 11:36 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\Packages
2015-08-22 08:08 - 2015-06-01 11:37 - 00000000 ____D C:\Users\CPUOA User\Documents\Bluetooth Folder
2015-08-21 12:54 - 2015-02-23 13:58 - 00000000 ____D C:\ProgramData\Downloaded Installations
2015-08-18 22:07 - 2015-02-23 13:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2015-08-18 22:07 - 2015-02-23 13:51 - 00000000 ____D C:\Program Files (x86)\Lenovo
2015-08-18 20:40 - 2015-02-23 13:22 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-08-18 20:39 - 2015-02-23 14:00 - 00000000 ____D C:\ProgramData\CyberLink
2015-08-18 18:26 - 2015-08-08 23:14 - 00001283 _____ C:\Users\CPUOA User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wi-FiHotspotChgToast.lnk
2015-08-18 13:15 - 2015-06-01 11:37 - 00000000 ____D C:\ProgramData\Atheros
2015-08-15 12:42 - 2014-04-03 14:15 - 00000000 ____D C:\windows\Panther
2015-08-15 12:37 - 2015-07-10 08:39 - 00000000 ___HD C:\$Windows.~BT
2015-08-14 13:35 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-08-14 13:35 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-08-14 13:35 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender
2015-08-14 13:35 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2015-08-14 11:30 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-08-14 11:30 - 2013-08-22 10:36 - 00000000 ___RD C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-08-13 17:13 - 2015-06-01 13:36 - 00000000 ____D C:\windows\system32\appraiser
2015-08-13 17:13 - 2015-06-01 13:34 - 00000000 ___SD C:\windows\system32\CompatTel
 
==================== Files in the root of some directories =======
 
2015-02-23 13:23 - 2015-02-23 13:23 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
ATTENTION: ==> Could not access BCD. The user is not administrator
 
==================== End of FRST.txt ============================
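A practical way to read a "One Month Created files and folders" listing like the one above is by timeline: parse each line, keep only what was created inside the incident window, and flag the entries that look like a drop (an executable with no publisher string, an executable under a user-writable path, or a file with the hidden attribute). The Python below is an added example written for this page, not code from the thread or from the Farbar Recovery Scan Tool. The line format is the one the pasted log uses (created - modified - size attrs (company) path). The incident window (8 and 9 September 2015, the two days before the FRST run dated 10-09-2015 in this thread), the user-writable path list and the scoring rules are assumptions chosen for illustration; the first five sample lines are copied from the log above and the sixth is a constructed line that exists only to show what a hit looks like.

```python
"""Timeline triage over FRST 'Created files and folders' lines (added example)."""
import re
from datetime import datetime

# FRST line: <created> - <modified> - <size> <attrs> (<company>) <path>
# The "(company)" field is optional; FRST omits it for files without version info
# and prints "(<none>)" or "()" when the version resource has no CompanyName.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)

# Assumed lists for illustration; extend them for a real triage.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".bat", ".cmd", ".vbs", ".js")


def parse_frst_line(line):
    """Return a dict for one FRST file/folder line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    company = g["company"]
    return {
        "created": datetime.strptime(g["created"], "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(g["modified"], "%Y-%m-%d %H:%M"),
        "size": int(g["size"]),
        "attrs": g["attrs"],            # e.g. "_____", "____D", "___SH"
        "is_dir": "D" in g["attrs"],
        "hidden": "H" in g["attrs"],
        "company": None if company in (None, "", "<none>") else company.strip(),
        "path": g["path"],
    }


def triage(lines, window_start, window_end):
    """Flag files created inside the window that look like a dropped payload.

    Scoring rules are assumptions: executable without CompanyName, executable
    under a user-writable path, or hidden attribute (Thumbs.db is ignored).
    Returns a list of (path, [reasons]).
    """
    hits = []
    for line in lines:
        e = parse_frst_line(line)
        if e is None or e["is_dir"]:
            continue
        if not (window_start <= e["created"] <= window_end):
            continue
        lpath = e["path"].lower()
        executable = lpath.endswith(EXECUTABLE_EXT)
        reasons = []
        if executable and e["company"] is None:
            reasons.append("executable without CompanyName")
        if executable and lpath.startswith(USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if e["hidden"] and not lpath.endswith("thumbs.db"):
            reasons.append("hidden attribute")
        if reasons:
            hits.append((e["path"], reasons))
    return hits


# First five lines copied from the FRST log in this thread; the LAST line is
# CONSTRUCTED (no such file was reported) purely to show a positive hit.
SAMPLE_LOG = r"""
2015-09-09 11:05 - 2015-08-22 11:45 - 00665600 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2015-09-09 11:04 - 2015-09-01 21:56 - 04175872 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-09-03 10:17 - 2015-09-03 10:17 - 00000000 ____D C:\Users\CPUOA User\Documents\MBT Navigator
2015-09-03 09:31 - 2015-09-03 09:32 - 24838656 _____ C:\Users\CPUOA User\Downloads\MbtWebMbtDesktopPro_2.2.0.72_12.0.0.72_20150116_release.exe
2015-08-29 14:24 - 2015-08-29 14:24 - 00000118 _____ C:\windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-09-09 14:32 - 2015-09-09 14:32 - 00184320 ____H C:\Users\CPUOA User\AppData\Roaming\Updater\update.exe
""".strip().splitlines()

# Assumed incident window: the two days before the first FRST run (10-09-2015).
WINDOW_START = datetime(2015, 9, 8, 0, 0)
WINDOW_END = datetime(2015, 9, 9, 23, 59)


def run_sample():
    return triage(SAMPLE_LOG, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for path, reasons in run_sample():
        print(path, "->", "; ".join(reasons))
```

On the log as posted, the 9 September 11:04 to 11:05 batch produces no hit: every file carries a Microsoft or Adobe CompanyName, sits in system32 or SysWOW64, and has a modified time from August or early September, the pattern of a Windows update being installed rather than of something dropped by a browser. Two caveats: the company string FRST prints comes from the file's version resource, which any dropper can fill in, so a clean run here is a hint, not a verdict; and the only place FRST actually verifies Authenticode signatures is the "Bamital & volsnap" section, and only for the fixed set of system binaries listed there.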
 

 

 



#2 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 September 2015 - 09:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Ran by CPUOA User (ATTENTION: The user is not administrator) on CPUOAF0101P (10-09-2015 16:06:12)
Running from C:\Users\CPUOA User\Downloads


This program must be run in an Administrator account.
The Program file must also be located on the Desktop and not the Downloads folder.

Please run the program as suggested and post the log(s) in your next reply.

I will review it.

#3 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 September 2015 - 09:46 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 September 2015 - 09:17 AM

This topic has been re-opened at the request of the person who originally posted.

#5 auklet

  • Topic Starter
  • Members
  • 25 posts
  • Gender:Male
  • Location:washington state and Ecuador

Posted 21 September 2015 - 04:16 PM

Attached File: Addition.txt (32.57KB)

Thank you for re-opening.

1.  The original issue is still in effect (the first post, above). When opening the web mail, the https has a diagonal line across it, which does not occur when logging on from a different computer. We have wanted not to log on to that web mail account from the affected computer, but a few days ago we forgot and did log on once. We realized what we had done only after a half hour, and signed off of it.

2.  Since the first post, another event has occurred which must be malware. When going to web sites, a bar (like a toolbar) appears superimposed totally across and on top of the text of the web page, at the bottom of the page. Although it occludes this text at the bottom of the page, one can use the scroll bar to allow the page to be scrolled and read, but the bar remains stationary at the bottom of the page. It has icons on it for selecting Facebook, Twitter, email and a few other icons I am not familiar with. It also manifests itself at other times on web pages as a condensed toolbar and is located more discreetly on a web page and out of the way.

The following is the FRST scan text copied and pasted. Hopefully the Addition text will attach to this post ok.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:15-09-2015
Ran by Admin 18 Aug 2015 (administrator) on CPUOAF0101P (21-09-2015 15:15:38)
Running from C:\Users\Admin 18 Aug 2015\Desktop
Loaded Profiles: CPUOA User & Admin 18 Aug 2015 (Available Profiles: CPUOA User & Admin 18 Aug 2015)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(LENOVO INCORPORATED.) C:\Program Files\Lenovo\iMController\SystemAgentService.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe
(Maxthon) C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(PointGrab LTD) C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
() C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
() C:\Windows\SysWOW64\UMonit64.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
() C:\Program Files (x86)\Lenovo\Lenovo Messenger\NotificationsViewHost.exe
() C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Map.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
(WordWeb Software) C:\Program Files (x86)\WordWeb\wweb32.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
() C:\Program Files (x86)\Lenovo\Lenovo Messenger\NotificationsViewHost.exe
(VS Revo Group) C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IgfxTray] => C:\windows\system32\igfxtray.exe [404376 2015-08-09] ()
HKLM\...\Run: [HotKeysCmds] => "C:\windows\system32\hkcmd.exe"
HKLM\...\Run: [Persistence] => "C:\windows\system32\igfxpers.exe"
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [320360 2014-08-04] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13667032 2014-02-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-25] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-25] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-25] (Realtek Semiconductor)
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [6340312 2014-01-21] (Realtek semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2808560 2014-08-07] (Synaptics Incorporated)
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [836592 2015-02-23] (Lenovo)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [16094704 2015-02-23] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [10841584 2015-02-23] (Lenovo(beijing) Limited)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [133760 2013-12-24] (Qualcomm®Atheros®)
HKU\S-1-5-21-3330058123-2019430083-2832955609-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8418584 2015-07-17] (Piriform Ltd)
HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8418584 2015-07-17] (Piriform Ltd)
HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\...\Run: [WordWeb] => C:\Program Files (x86)\WordWeb\wweb32.exe [80000 2015-08-02] (WordWeb Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 200.107.10.105
Tcpip\..\Interfaces\{25A23817-B02E-4630-8797-6C81A1049349}: [DhcpNameServer] 200.107.10.105
Tcpip\..\Interfaces\{E54BD572-122C-4282-AAC6-153B261DA584}: [DhcpNameServer] 192.168.10.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3330058123-2019430083-2832955609-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/
HKU\S-1-5-21-3330058123-2019430083-2832955609-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF HKU\S-1-5-21-3330058123-2019430083-2832955609-1004\...\Firefox\Extensions: [wcapturex@deskperience.com] - C:\Program Files (x86)\WordWeb\WCaptureMoz
FF Extension: WordWeb one-click lookup - C:\Program Files (x86)\WordWeb\WCaptureMoz [2015-09-03]
 
Chrome: 
=======
CHR Profile: C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-22]
CHR Extension: (Google Docs) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-22]
CHR Extension: (Google Drive) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-08-22]
CHR Extension: (YouTube) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-08-22]
CHR Extension: (Google Search) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-08-22]
CHR Extension: (Google Sheets) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-22]
CHR Extension: (Google Docs Offline) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-08-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-22]
CHR Extension: (Gmail) - C:\Users\Admin 18 Aug 2015\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-22]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [318592 2013-12-24] (Windows ® Win 7 DDK provider) [File not signed]
R2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [592880 2014-07-09] ()
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-08-04] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-03] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [561408 2014-09-22] (Lenovo)
R2 Lenovo System Agent Service; C:\Program Files\Lenovo\iMController\SystemAgentService.exe [584632 2015-03-06] (LENOVO INCORPORATED.)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2015-02-23] (Lenovo(beijing) Limited)
R2 LsvUIService; C:\Program Files (x86)\Lenovo\Lenovo Smart Voice\LsvUIService.exe [70416 2015-02-23] (Lenovo)
R2 MaxthonUpdateSvc; C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe [1871784 2015-08-29] (Maxthon)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-08-17] (Nitro PDF Software)
R2 PGService; C:\Program Files (x86)\Lenovo\Motion Control\PGService.exe [163624 2014-01-07] (PointGrab LTD)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [288240 2015-02-23] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [305136 2015-02-23] (Lenovo)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [190704 2014-08-07] (Synaptics Incorporated)
S3 TESHelper; c:\Program Files\Common Files\Lenovo\Magic Transfer\x64\MagicTransferTESHelper.exe [104696 2015-02-23] (Lenovo)
R2 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe [67856 2015-02-23] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2013-12-24] (Atheros) [File not signed]
S2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3892224 2014-03-07] (Qualcomm Atheros Communications, Inc.)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-12-24] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
U5 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [111336 2014-04-17] (GenesysLogic)
R1 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [109272 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-09-21] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [9105624 2014-01-21] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-08-07] (Synaptics Incorporated)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-21 15:15 - 2015-09-21 15:15 - 00018307 _____ C:\Users\Admin 18 Aug 2015\Desktop\FRST.txt
2015-09-21 15:15 - 2015-09-21 15:15 - 00000000 ____D C:\FRST
2015-09-21 15:13 - 2015-09-21 15:13 - 02191360 _____ (Farbar) C:\Users\Admin 18 Aug 2015\Desktop\FRST64.exe
2015-09-21 13:59 - 2015-09-21 15:09 - 00000000 ____D C:\Users\Admin 18 Aug 2015\Desktop\Bleeping computer scans Sept 21, 2015
2015-09-19 15:21 - 2015-09-19 15:31 - 00000000 ____D C:\Users\CPUOA User\Documents\elite trader testing
2015-09-10 15:57 - 2015-09-10 15:57 - 02190848 _____ (Farbar) C:\Users\CPUOA User\Downloads\FRST64 (1).exe
2015-09-09 13:22 - 2015-09-09 13:22 - 00010110 _____ C:\Users\CPUOA User\Documents\earthlink chat Sept 9, 2015.txt
2015-09-09 11:59 - 2015-09-02 21:18 - 02531400 _____ (Microsoft Corporation) C:\windows\system32\msxml6.dll
2015-09-09 11:59 - 2015-09-02 21:17 - 01903848 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml6.dll
2015-09-09 11:59 - 2015-09-02 13:48 - 02345472 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2015-09-09 11:59 - 2015-09-02 12:09 - 01556992 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2015-09-09 11:59 - 2015-07-22 09:19 - 00041984 _____ (Microsoft Corporation) C:\windows\system32\UtcResources.dll
2015-09-09 11:59 - 2015-07-22 08:52 - 01633792 _____ (Microsoft Corporation) C:\windows\system32\diagtrack.dll
2015-09-09 11:59 - 2015-07-17 09:15 - 00951296 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll
2015-09-09 11:59 - 2015-07-17 09:10 - 00749568 _____ (Microsoft Corporation) C:\windows\SysWOW64\tdh.dll
2015-09-09 11:59 - 2015-07-03 16:51 - 01380056 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2015-09-09 11:59 - 2015-07-03 09:00 - 01097216 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2015-09-09 11:59 - 2015-06-27 06:47 - 00118616 _____ (Microsoft Corporation) C:\windows\system32\consent.exe
2015-09-09 11:58 - 2015-07-13 14:10 - 00411455 _____ C:\windows\system32\ApnDatabase.xml
2015-09-09 11:58 - 2015-07-10 14:06 - 00118272 ____C (Microsoft Corporation) C:\windows\system32\Drivers\bthpan.sys
2015-09-09 11:58 - 2015-07-09 11:14 - 00228864 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-09-09 11:58 - 2015-06-19 12:07 - 02819072 _____ (Microsoft Corporation) C:\windows\system32\SettingsHandlers.dll
2015-09-09 11:05 - 2015-08-26 21:48 - 00136904 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2015-09-09 11:05 - 2015-08-26 13:00 - 00721920 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
2015-09-09 11:05 - 2015-08-26 13:00 - 00124928 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
2015-09-09 11:05 - 2015-08-26 13:00 - 00081920 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
2015-09-09 11:05 - 2015-08-26 13:00 - 00029696 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
2015-09-09 11:05 - 2015-08-26 09:46 - 03705344 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2015-09-09 11:05 - 2015-08-26 09:29 - 02240512 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2015-09-09 11:05 - 2015-08-26 09:27 - 00891904 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2015-09-09 11:05 - 2015-08-26 09:27 - 00409088 _____ (Microsoft Corporation) C:\windows\system32\WUSettingsProvider.dll
2015-09-09 11:05 - 2015-08-26 09:26 - 00140288 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2015-09-09 11:05 - 2015-08-26 09:26 - 00095744 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2015-09-09 11:05 - 2015-08-26 09:26 - 00035840 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
2015-09-09 11:05 - 2015-08-22 13:19 - 25188352 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-09-09 11:05 - 2015-08-22 12:35 - 02886144 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-09-09 11:05 - 2015-08-22 12:34 - 00585216 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-09-09 11:05 - 2015-08-22 12:22 - 19856384 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-09-09 11:05 - 2015-08-22 12:21 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2015-09-09 11:05 - 2015-08-22 12:20 - 05923840 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-09-09 11:05 - 2015-08-22 11:55 - 00504832 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-09-09 11:05 - 2015-08-22 11:50 - 02279424 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-09-09 11:05 - 2015-08-22 11:45 - 00665600 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2015-09-09 11:05 - 2015-08-22 11:44 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2015-09-09 11:05 - 2015-08-22 11:41 - 14451712 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-09-09 11:05 - 2015-08-22 11:41 - 00801280 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-09-09 11:05 - 2015-08-22 11:41 - 00720384 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-09-09 11:05 - 2015-08-22 11:41 - 00374784 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-09-09 11:05 - 2015-08-22 11:39 - 02126336 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-09-09 11:05 - 2015-08-22 11:28 - 04520448 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-09-09 11:05 - 2015-08-22 11:26 - 02427392 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-09-09 11:05 - 2015-08-22 11:22 - 12857344 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-09-09 11:05 - 2015-08-22 11:20 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2015-09-09 11:05 - 2015-08-22 11:18 - 02052608 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-09-09 11:05 - 2015-08-22 11:18 - 00689152 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-09-09 11:05 - 2015-08-22 11:18 - 00327168 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-09-09 11:05 - 2015-08-22 11:14 - 01545728 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-09-09 11:05 - 2015-08-22 11:00 - 01951232 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-09-09 11:05 - 2015-08-22 10:56 - 01310720 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-09-09 11:05 - 2015-07-30 12:18 - 00268288 _____ (Microsoft Corporation) C:\windows\system32\InkEd.dll
2015-09-09 11:05 - 2015-07-30 11:22 - 00230912 _____ (Microsoft Corporation) C:\windows\SysWOW64\InkEd.dll
2015-09-09 11:04 - 2015-09-01 21:56 - 04175872 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-09-09 11:04 - 2015-09-01 21:55 - 00358912 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2015-09-09 11:04 - 2015-09-01 21:50 - 00044032 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2015-09-09 11:04 - 2015-09-01 21:17 - 00301568 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2015-09-09 11:04 - 2015-09-01 21:13 - 00035840 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2015-09-09 11:04 - 2015-08-22 11:50 - 01032704 _____ (Microsoft Corporation) C:\windows\system32\inetcomm.dll
2015-09-09 11:04 - 2015-08-22 11:23 - 00880128 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcomm.dll
2015-09-09 11:04 - 2015-08-22 11:01 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-09-09 11:04 - 2015-08-22 10:55 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-09-09 11:04 - 2015-08-03 16:15 - 00074928 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2015-09-09 11:04 - 2015-08-03 16:15 - 00065600 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2015-09-09 11:04 - 2015-08-01 09:22 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2015-09-09 11:04 - 2015-07-31 22:47 - 00229376 _____ (Microsoft Corporation) C:\windows\system32\schtasks.exe
2015-09-09 11:04 - 2015-07-31 22:45 - 00182784 _____ (Microsoft Corporation) C:\windows\SysWOW64\schtasks.exe
2015-09-09 11:04 - 2015-07-31 22:38 - 01265152 _____ (Microsoft Corporation) C:\windows\system32\schedsvc.dll
2015-09-09 11:04 - 2015-07-31 22:37 - 00468992 _____ (Microsoft Corporation) C:\windows\system32\taskeng.exe
2015-09-09 11:04 - 2015-07-31 22:37 - 00359936 _____ (Microsoft Corporation) C:\windows\SysWOW64\taskeng.exe
2015-09-09 11:04 - 2015-07-22 09:34 - 02775552 _____ (Microsoft Corporation) C:\windows\system32\authui.dll
2015-09-09 11:04 - 2015-07-22 09:33 - 01728000 _____ (Microsoft Corporation) C:\windows\system32\Windows.UI.Immersive.dll
2015-09-09 11:04 - 2015-07-22 09:25 - 02461184 _____ (Microsoft Corporation) C:\windows\SysWOW64\authui.dll
2015-09-09 11:04 - 2015-07-22 09:25 - 01546752 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.UI.Immersive.dll
2015-09-09 11:04 - 2015-07-18 13:31 - 00194048 _____ (Microsoft Corporation) C:\windows\system32\shacct.dll
2015-09-09 11:04 - 2015-07-18 13:29 - 00655872 _____ (Microsoft Corporation) C:\windows\system32\SettingSync.dll
2015-09-09 11:04 - 2015-07-18 13:29 - 00148480 _____ (Microsoft Corporation) C:\windows\SysWOW64\shacct.dll
2015-09-09 11:04 - 2015-07-18 13:27 - 00520192 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSync.dll
2015-09-09 11:04 - 2015-07-13 22:27 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\tzsync.exe
2015-09-03 10:17 - 2015-09-03 10:17 - 00000000 ____D C:\Users\CPUOA User\Documents\MBT Navigator
2015-09-03 10:11 - 2015-09-03 10:11 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\MBTrading
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\Users\Admin 18 Aug 2015\Documents\MBT Navigator
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MBT Desktop Pro
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\MBTrading
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBT Desktop Pro
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\ProgramData\MBTrading
2015-09-03 10:07 - 2015-09-03 10:07 - 00000000 ____D C:\Program Files (x86)\MBTrading
2015-09-03 10:07 - 2011-04-08 17:28 - 00040960 _____ (OLSOFT) C:\windows\SysWOW64\PLC.ocx
2015-09-03 10:07 - 2005-04-15 19:58 - 01351392 _____ (Microsoft Corporation) C:\windows\SysWOW64\comctl32.ocx
2015-09-03 10:07 - 2005-04-15 19:58 - 01071088 _____ (Microsoft Corporation) C:\windows\SysWOW64\mscomctl.ocx
2015-09-03 10:07 - 2004-03-09 03:00 - 00167968 _____ (Microsoft Corporation) C:\windows\SysWOW64\msmask32.ocx
2015-09-03 10:07 - 2004-03-09 02:00 - 00212240 _____ (Microsoft Corporation) C:\windows\SysWOW64\Richtx32.ocx
2015-09-03 10:07 - 2004-03-09 01:00 - 00662288 _____ (Microsoft Corporation) C:\windows\SysWOW64\Mscomct2.ocx
2015-09-03 10:07 - 2003-04-01 06:36 - 00094208 _____ (vbAccelerator) C:\windows\SysWOW64\vbalIml6.ocx
2015-09-03 10:07 - 2003-01-18 16:30 - 00200704 _____ (OLSOFT) C:\windows\SysWOW64\axlsbcls.dll
2015-09-03 10:07 - 1999-02-19 08:54 - 00040960 _____ (<none>) C:\windows\SysWOW64\SSubTmr6.dll
2015-09-03 10:07 - 1998-06-18 02:00 - 00032768 _____ (Microsoft Corporation) C:\windows\SysWOW64\Regtool5.dll
2015-09-03 09:31 - 2015-09-03 09:32 - 24838656 _____ C:\Users\CPUOA User\Downloads\MbtWebMbtDesktopPro_2.2.0.72_12.0.0.72_20150116_release.exe
2015-09-03 09:15 - 2015-09-03 09:15 - 00001975 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WordWeb.lnk
2015-09-03 09:15 - 2015-09-03 09:15 - 00000000 ____D C:\Program Files (x86)\WordWeb
2015-09-03 09:15 - 2015-08-02 16:32 - 02940032 ____N (WordWeb Software) C:\windows\wweb32.dll
2015-09-03 09:10 - 2015-09-03 09:11 - 22159800 _____ C:\Users\CPUOA User\Downloads\wordweb7.exe
2015-09-03 02:14 - 2015-09-04 00:37 - 00010752 ___SH C:\Users\CPUOA User\Documents\Thumbs.db
2015-09-03 02:13 - 2015-09-03 02:13 - 00001229 _____ C:\Users\CPUOA User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\i_view32.lnk
2015-09-03 02:12 - 2015-09-03 02:12 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\IrfanView
2015-09-03 02:02 - 2015-09-03 02:02 - 00011776 ___SH C:\Users\Admin 18 Aug 2015\Documents\Thumbs.db
2015-09-03 01:48 - 2015-09-03 01:48 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IrfanView
2015-09-03 01:48 - 2015-09-03 01:48 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Roaming\IrfanView
2015-09-03 01:48 - 2015-09-03 01:48 - 00000000 ____D C:\Program Files (x86)\IrfanView
2015-09-03 01:44 - 2015-09-03 01:44 - 02126264 _____ (Irfan Skiljan) C:\Users\CPUOA User\Downloads\iview440_setup.exe
2015-09-03 00:46 - 2015-09-03 00:46 - 00000000 __SHD C:\windows\SysWOW64\AI_RecycleBin
2015-08-29 14:24 - 2015-08-29 14:24 - 00000118 _____ C:\windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-08-29 13:00 - 2015-09-21 15:00 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-29 12:59 - 2015-08-29 12:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-29 12:58 - 2015-08-29 12:59 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-08-29 12:58 - 2015-08-29 12:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-08-29 12:58 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-08-29 12:58 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-08-29 12:58 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2015-08-29 12:56 - 2015-08-29 12:56 - 00000401 _____ C:\windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2015-08-29 12:47 - 2015-08-29 12:47 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (4).exe
2015-08-29 12:14 - 2015-08-29 12:15 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (3).exe
2015-08-23 23:16 - 2015-08-23 23:16 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\CPUOA User\Downloads\mbam-setup-2.1.8.1057 (2).exe
2015-08-22 22:38 - 2015-08-22 22:38 - 09815040 _____ C:\Users\CPUOA User\Downloads\openofficeorg31.msi
2015-08-22 20:39 - 2015-09-19 15:36 - 00046592 ___SH C:\Users\CPUOA User\Downloads\Thumbs.db
2015-08-22 11:10 - 2015-08-22 11:10 - 02173952 _____ (Farbar) C:\Users\CPUOA User\Downloads\FRST64.exe
2015-08-22 08:02 - 2015-08-22 08:02 - 00257024 _____ (Intel® Corporation) C:\Users\Admin 18 Aug 2015\Downloads\ChipUtil.exe
2015-08-22 07:54 - 2015-08-22 08:09 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Local\CrashDumps
2015-08-22 07:49 - 2015-08-22 07:49 - 00257024 _____ (Intel® Corporation) C:\Users\CPUOA User\Downloads\ChipUtil.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-21 15:00 - 2013-08-22 10:36 - 00000000 ____D C:\windows\system32\sru
2015-09-21 14:55 - 2015-07-10 17:27 - 00003958 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{E54C9DA1-E8F3-498B-B82B-D0DB8C4F39E1}
2015-09-21 14:26 - 2015-08-15 09:36 - 01867972 _____ C:\windows\WindowsUpdate.log
2015-09-21 14:13 - 2015-08-18 13:20 - 00003598 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3330058123-2019430083-2832955609-1004
2015-09-21 14:08 - 2013-08-22 10:36 - 00000000 ____D C:\windows\AppReadiness
2015-09-21 14:05 - 2015-02-23 13:51 - 00000000 ____D C:\windows\System32\Tasks\Lenovo
2015-09-21 14:01 - 2015-08-18 13:14 - 00000000 ____D C:\Users\Admin 18 Aug 2015\AppData\Local\Packages
2015-09-21 13:57 - 2015-08-13 17:26 - 00000926 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-21 13:56 - 2015-08-18 13:14 - 00000000 ____D C:\Users\Admin 18 Aug 2015
2015-09-21 13:56 - 2015-06-01 11:37 - 00000000 ____D C:\Users\CPUOA User\Documents\Bluetooth Folder
2015-09-21 13:52 - 2014-03-18 04:53 - 00865408 _____ C:\windows\system32\PerfStringBackup.INI
2015-09-21 13:51 - 2015-08-18 20:54 - 00004694 _____ C:\windows\setupact.log
2015-09-21 13:50 - 2015-06-01 11:41 - 00003598 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3330058123-2019430083-2832955609-1001
2015-09-21 13:44 - 2015-08-13 17:26 - 00000930 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-21 13:01 - 2015-08-21 16:32 - 00000000 ____D C:\Program Files (x86)\ESET
2015-09-21 11:00 - 2015-08-09 13:50 - 00000000 ____D C:\Users\CPUOA User\AppData\Roaming\Nitro PDF
2015-09-21 10:59 - 2015-08-21 12:00 - 00000000 ____D C:\Users\CPUOA User\Desktop\bleeping cleaning sweep
2015-09-17 10:39 - 2015-07-27 01:53 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\CrashDumps
2015-09-16 21:38 - 2015-08-13 17:26 - 00003902 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-16 21:38 - 2015-08-13 17:26 - 00003666 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-13 11:58 - 2015-08-13 17:25 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\Google
2015-09-10 15:38 - 2013-08-22 10:36 - 00000000 ____D C:\windows\rescache
2015-09-10 15:24 - 2015-08-18 11:49 - 00000000 ____D C:\Users\CPUOA User\Documents\Vipre Security
2015-09-10 00:45 - 2013-08-22 09:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-09-10 00:45 - 2013-08-22 09:44 - 00346744 _____ C:\windows\system32\FNTCACHE.DAT
2015-09-10 00:44 - 2015-02-23 13:58 - 00002560 _____ C:\windows\system32\VfService.trf
2015-09-10 00:43 - 2014-03-18 04:38 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-10 00:43 - 2013-08-22 10:36 - 00000000 ____D C:\windows\PolicyDefinitions
2015-09-10 00:43 - 2013-08-22 10:20 - 00000000 ____D C:\windows\CbsTemp
2015-09-10 00:40 - 2015-06-01 12:37 - 00000000 ____D C:\windows\system32\MRT
2015-09-05 10:48 - 2015-08-18 19:21 - 00001164 _____ C:\Users\CPUOA User\Desktop\U.S. & World Econ.txt
2015-09-03 08:39 - 2015-08-18 20:54 - 00012034 _____ C:\windows\PFRO.log
2015-08-29 12:59 - 2015-08-18 17:03 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\4B773B73.sys
2015-08-29 12:56 - 2015-02-23 13:19 - 00000000 ___HD C:\Intel
2015-08-29 12:54 - 2013-08-22 08:25 - 00262144 ___SH C:\windows\system32\config\BBI
2015-08-26 18:37 - 2015-06-01 12:37 - 134753440 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-08-22 19:35 - 2015-06-01 11:36 - 00000000 ____D C:\Users\CPUOA User\AppData\Local\Packages
2015-08-22 08:00 - 2015-08-18 13:14 - 00002290 _____ C:\Users\Admin 18 Aug 2015\Desktop\Google Chrome.lnk
 
==================== Files in the root of some directories =======
 
2015-02-23 13:23 - 2015-02-23 13:23 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\Admin 18 Aug 2015\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-09-19 06:49
 
==================== End of FRST.txt ============================
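FRST marks an autostart entry whose target file is missing with [X] (registry and service lines) or [No File] (browser plugin lines), and marks a file that exists but is unsigned with [File not signed]; the log above contains each case. As an added example, not part of this thread or of FRST itself, the Python script below separates the two cases and drafts a fixlist for the orphaned entries only. The sample log lines are constructed from entries in the log above, and the start/End wrapper plus the CreateRestorePoint:/CloseProcesses: directives follow the fixlist layout used in this thread.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example for this thread, not part of FRST.  FRST appends "[X]" to a
registry or service entry whose target file is missing, "[No File]" to a
browser plugin entry whose DLL is missing, and "[File not signed]" to an
entry whose file exists but carries no Authenticode signature.  Orphaned
entries are safe cleanup candidates (there is nothing left to run); unsigned
ones are only a prompt to look closer, so they are reported separately and
never copied into the fixlist.
"""
import re
from dataclasses import dataclass

# Section banners look like "==================== Registry (Whitelisted) ====".
# The captured name must start with a non-'=' so bare "========" rulers
# (used under the "FireFox:" / "Chrome:" sub-headings) do not match.
SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
ORPHAN_MARKERS = ("[X]", "[No File]")
UNSIGNED_MARKER = "[File not signed]"


@dataclass(frozen=True)
class Finding:
    section: str   # FRST section the entry was listed under
    line: str      # the log line, verbatim, as a fixlist expects it
    kind: str      # "orphan" or "unsigned"


def scan_frst(lines):
    """Return a Finding for every orphaned or unsigned entry, in log order."""
    findings = []
    section = "(preamble)"
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if line.startswith("(") and line.endswith(")"):
            continue  # FRST's own explanatory notes, e.g. "(If an entry is included ...)"
        if line.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, line, "orphan"))
        elif line.endswith(UNSIGNED_MARKER):
            findings.append(Finding(section, line, "unsigned"))
    return findings


def build_fixlist(lines):
    """Draft fixlist text that removes only the orphaned entries.

    Per FRST's own note in the log, an entry listed in the fixlist is removed
    or restored to default; the (missing) file itself is not touched.  The
    start/End wrapper and the directives mirror the layout used in this thread.
    Returns "" when there is nothing to clean up.
    """
    orphans = [f.line for f in scan_frst(lines) if f.kind == "orphan"]
    if not orphans:
        return ""
    body = ["start", "", "CreateRestorePoint:", "CloseProcesses:", "", *orphans, "", "End"]
    return "\n".join(body)


# Constructed sample: a handful of lines taken from the log above, one per case.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IgfxTray] => C:\windows\system32\igfxtray.exe [404376 2015-08-09] ()
Winlogon\Notify\igfxcui: igfxdev.dll [X]

==================== Internet (Whitelisted) ====================

FireFox:
========
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [No File]

==================== Services (Whitelisted) ========================

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [318592 2013-12-24] (Windows ® Win 7 DDK provider) [File not signed]
S2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [X]
"""

if __name__ == "__main__":
    for f in scan_frst(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:8} [{f.section}] {f.line}")
    print()
    print(build_fixlist(SAMPLE_LOG.splitlines()))
```

Run against a full FRST.txt (`scan_frst(open("FRST.txt", encoding="utf-8"))`) the unsigned list is the part worth reading by hand; the drafted fixlist is only a starting point for review, not something to run unread.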

 



#6 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 September 2015 - 07:23 AM

Nothing suspicious was found on your logs. This is just a cleanup of empty entries.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\igfxcui: igfxdev.dll [X]
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [No File]
S2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

diagonal line over the https in the browser's address window after being logged into the email account.

Some explanation will be found on this page.

https://askleo.com/why_is_there_a_slash_through_the_https_in_my_browsers_address_bar/

I hope it helps.

====

If this failed to clear the issues I suggest you remove and reinstall Chrome. Instructions below.

Reset Chrome...
Open Google Chrome, click on the menu icon located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.

<<<>>>

Keep me posted.

#7 auklet

auklet
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:washington state and Ecuador
  • Local time:08:10 PM

Posted 23 September 2015 - 04:25 PM

1.  Thank you for checking the FRST and Addition scans above.
2.  I have not been on this laptop computer for a few days and I still have to check if that bar still exists (with facebook and twitter icons and a few other icons on it that shows on web pages.)  
3.  Thank you for the lengthy article about the cross out of the https.  I glanced over it yesterday but will read it now.  
4.  I just want to get the following Farbar Recovery Scan result, below, to you now.  I will comment on #2 and #3 as a follow up to this post. 
 
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version:23-09-2015
Ran by Admin 18 Aug 2015 (2015-09-23 14:28:36) Run:1
Running from C:\Users\Admin 18 Aug 2015\Desktop
Loaded Profiles: CPUOA User & Admin 18 Aug 2015 (Available Profiles: CPUOA User & Admin 18 Aug 2015)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\igfxcui: igfxdev.dll [X]
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [No File]
S2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [X]
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@nitropdf.com/NitroPDF" => key removed successfully
ymc => service removed successfully
EmptyTemp: => 96.3 MB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 14:28:56 ====


#8 auklet

auklet
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:washington state and Ecuador
  • Local time:08:10 PM

Posted 23 September 2015 - 11:37 PM

In compliance  with your request to run  the Farbar Recovery Scan Tool, it was completed.  

 

Re. #2 in my last post:  The bar continues to exist.  I did come across a web site which leads one through a procedure for removing it, and I will try that I suppose.

 

Re. #3 in my last post:  I read the site at the link you provided as relates to the crossed out https.  A blogger has exactly what I am experiencing in email account with the https crossed out using Chrome.  A reply to that blogger indicated having the same experience and shared a solution that worked.  It did not work for me.  And clicking on it as indicated by the author and some bloggers wherein some info will occur did not get a reaction with me on this affected computer. As you suggested, I removed Chrome and replaced it with a new Chrome but no change.  I have tried successfully using IE on the same computer and the cross out of https is not there; neither is it there using Firefox browser from a different computer.  I will hunt on a Chrome blog if it has one for a solution.  In the meantime, I will probably switch to Firefox where I had an irritable problem before that caused me to leave it.  I am not interested in IE.  

 

So Chrome is a show stopper until I find a solution for crossed out https.  BTW...I went to my bank's site that has https in its address window at the site before logging on, and there is no cross out of https there.   But with other browsers unaffected at the email account, I will switch.  Thank you for having me do a scan and reviewing it.  



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 24 September 2015 - 07:04 AM


When you have time please run this tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
chromelook;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

#10 auklet

auklet
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:washington state and Ecuador
  • Local time:08:10 PM

Posted 24 September 2015 - 11:51 PM

Thank you for staying with me.  Attached is the zoek-results-log.

 

Nothing has changed in the status of this computer with the https cross out with red diagonal line at the Earthlink web site or log-on to its web mail. 

 

Nothing has changed with the facebook / twitter icons appearing more profusely in namely three financial web sites....CNBC, Bloomberg, and Fox Business.  They appear with accompanying other icons either on a bar stretching across the page or much more frequently and more discretely lumped together elsewhere on a page. On Bloomberg, I had a bar with 13 icons including facebook and twitter. This phenomenon occurs on our other laptop, too.  




#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 25 September 2015 - 07:54 AM

Check with your Internet Provider if this is required.
Tcpip\Parameters: [DhcpNameServer] 200.107.10.105

It belongs to Corporacion Nacional De Telecomunicaciones - Cnt E
http://whatismyipaddress.com/ip/200.107.10.105

===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

p.s.
Since both of your computers are compromised it may just be that your router has been hacked.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html


Keep me posted.

#12 auklet

auklet
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:washington state and Ecuador
  • Local time:08:10 PM

Posted 26 September 2015 - 11:37 AM

RogueKiller V10.10.6.0 [Sep 21 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Admin 18 Aug 2015 [Administrator]
Started from : C:\Users\Admin 18 Aug 2015\AppData\Local\Microsoft\Windows\INetCache\IE\O9GG9O4L\RogueKiller.exe
Mode : Scan -- Date : 09/26/2015 11:22:03

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25A23817-B02E-4630-8797-6C81A1049349} | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E54BD572-122C-4282-AAC6-153B261DA584} | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{25A23817-B02E-4630-8797-6C81A1049349} | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E54BD572-122C-4282-AAC6-153B261DA584} | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10S21X-24R1BT0-SSHD-8GB +++++
--- User ---
[MBR] ce501db36f5601ab75dbd641d0355188
[BSP] 56eb4e546cf7f3e3323b7b42a1331557 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1000 MB
1 - [SYSTEM][MAN-MOUNT] EFI system partition | Offset (sectors): 2050048 | Size: 260 MB
2 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2582528 | Size: 1000 MB
3 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 4630528 | Size: 128 MB
4 - Basic data partition | Offset (sectors): 4892672 | Size: 911699 MB
5 - Basic data partition | Offset (sectors): 1872052224 | Size: 25600 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1924481024 | Size: 14181 MB
User = LL1 ... OK
User = LL2 ... OK

 

 

 

 



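The DHCP-assigned resolver nasdaq asked about above, and the [PUM.Dns] lines in the RogueKiller report, can be checked mechanically rather than by eye. What follows is an added example, not code from this thread, from RogueKiller or from BleepingComputer: it parses the [PUM.Dns] lines out of a constructed sample modelled on the report and lists every resolver that falls outside the address ranges the machine's owner trusts. The trusted ranges, the 192.0.2.53 entry (taken from the TEST-NET-1 documentation range) and the assumption that the ISP has confirmed 200.107.10.105 as its own are all made up for the example; only 200.107.10.105 and the registry paths come from the posted log.

```python
"""Pull the DNS resolver entries out of a RogueKiller scan report and flag
any resolver that is not in the address ranges the machine's owner expects."""
import ipaddress
import re

# Constructed sample, modelled on the [PUM.Dns] lines posted in this thread.
# 200.107.10.105 is the value from the real log; 192.0.2.53 is a made-up
# resolver from the TEST-NET-1 documentation range, added so the check has
# something to flag that the ISP would not recognise.
SAMPLE_LOG = r"""¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3330058123-2019430083-2832955609-1004\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo13.msn.com/?pc=LCJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25A23817-B02E-4630-8797-6C81A1049349} | DhcpNameServer : 200.107.10.105 ([ECUADOR (EC)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E54BD572-122C-4282-AAC6-153B261DA584} | DhcpNameServer : 192.0.2.53 ([CONSTRUCTED])  -> Found
"""

# One RogueKiller DNS finding: "[PUM.Dns] (arch) <registry key> | <value name> : <ip> [<ip> ...]"
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>[^|]+?)\s*\|\s*"
    r"(?P<value>DhcpNameServer|NameServer)\s*:\s*(?P<servers>[\d. ]+)"
)


def parse_dns_findings(log_text):
    """Return one (registry_key, value_name, [ip, ...]) tuple per [PUM.Dns] line."""
    findings = []
    for line in log_text.splitlines():
        m = PUM_DNS_RE.match(line)
        if not m:
            continue  # [PUM.HomePage] and other sections are not DNS settings
        ips = []
        for token in m.group("servers").split():
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # skip any token that is not a literal address
        findings.append((m.group("key"), m.group("value"), ips))
    return findings


def unexpected_resolvers(findings, trusted_networks):
    """Map each registry key to the resolver IPs that fall outside trusted_networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    flagged = {}
    for key, _value, ips in findings:
        outside = [str(ip) for ip in ips if not any(ip in n for n in nets)]
        if outside:
            flagged[key] = outside
    return flagged


def review(log_text, trusted_networks):
    """Sorted, de-duplicated list of resolver IPs that still need checking with the ISP."""
    flagged = unexpected_resolvers(parse_dns_findings(log_text), trusted_networks)
    return sorted({ip for ips in flagged.values() for ip in ips})


# Before confirming anything with the provider only the home LAN is trusted,
# so every public resolver handed out by DHCP is listed for review.
LAN_ONLY = ["192.168.0.0/16", "10.0.0.0/8"]
# Assumption for the example: the ISP has confirmed 200.107.10.105 is theirs,
# so it joins the allowlist and only the unknown resolver remains.
LAN_PLUS_ISP = LAN_ONLY + ["200.107.10.105/32"]

if __name__ == "__main__":
    for label, nets in (("LAN only", LAN_ONLY), ("LAN + ISP", LAN_PLUS_ISP)):
        print(f"{label}: resolvers to verify -> {review(SAMPLE_LOG, nets)}")
```

The allowlist is the whole point: a resolver that is merely "foreign" is not a finding by itself (here it is simply the provider in Ecuador), but a resolver that neither the router nor the ISP hands out is worth a question before the entry is deleted, since on a compromised router the DHCP-assigned server is exactly what an attacker changes.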
#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 26 September 2015 - 12:34 PM

Run the RogueKiller TOOL AND FIX ALL of the items found.

Restart the computer normally.

Run the RogueKiller tool and post a fresh log.

Let me know if any issues.

#14 auklet

auklet
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:washington state and Ecuador
  • Local time:08:10 PM

Posted 27 September 2015 - 05:16 PM

I ran roguekiller again as prescribed.  I "fixed" entries resulting from the search.  (It was a DELETE button.)  I restarted the computer as prescribed and did another search with roguekiller and had negative findings..... all cleaned.  Report is below.

 

However (copy and pasted from earlier post because of same results):

Nothing has changed in the status of this computer with the https cross out with red diagonal line at the Earthlink web site or log-on to its web mail. 

 

Nothing has changed with the facebook / twitter icons appearing more profusely in namely three financial web sites....CNBC, Bloomberg, and Fox Business.  They appear with accompanying other icons either on a bar stretching across the page or much more frequently and more discretely lumped together elsewhere on a page.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 PM

Posted 28 September 2015 - 07:25 AM

The problem is with the Domain servers you are viewing.

http://www.itcs.umich.edu/web/chrome41.php

http://www.itcs.umich.edu/web/sha2.php

===

quoted from this page. http://security.stackexchange.com/questions/85698/https-icon-red-and-crossed-out-chrome-browser

If you see the "https" scored out in your browser, then you have about the same level of security as a regular "http" website, so you should only use it if you're happy with no guarantee of privacy or authenticity.


Hope that helps.



