dnsunlocker help


This topic is locked
34 replies to this topic

#1 helpmepls123

Posted 03 October 2015 - 04:47 PM

The problem:
About a month ago, Malwarebytes detected an .exe file in %temp% which contained dnsunlocker. It deleted it. In the last week I keep getting random pop-ups which redirect through 4 sites, then land on a poker, game or other random weird site. The pop-up appears when I click the search box on usual sites like Steam, or simply when I click text on a site. (I can include a few of these redirect links if needed; some of the links still contain "dnsunlocker".)
Attempts:
Installed & scanned with Bitdefender Internet Security, Kaspersky Internet Security, Avast Free. Ads keep popping and NO warning from any antivirus, nothing. Did a complete scan with each.
Also tried scanning with Malwarebytes Free, AdwCleaner, HitmanPro, GMER. Nothing found.
Last resort was a format of the C: drive today and a reinstall of Windows. Everything fine for about 4 hours, then suddenly the ads came back. (D: and E: drives still remained from the previous Windows.)
I noticed that after I reset Firefox (or Chrome) the ads take a while to start popping up again.
Help!

Attached FRST and Addition logs

Update: scanned with Emsisoft Emergency Kit, Norton Power Eraser, RogueKiller, Junkware Removal Tool. Nothing found.

Upgraded to Malwarebytes Premium (15-day trial period) and it seems to detect and block the hijacks, but it can't find or resolve the problem. The logs are filled with messages like these:
Malicious Website Protection, Domain, 199.203.131.130, m51.dnsqa.me, 49600, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Malicious Website Protection, Domain, 199.203.131.130, m51.dnsqa.me, 49601, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Malicious Website Protection, Domain, 199.203.131.130, m51.dnsqa.me, 49605, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Malicious Website Protection, Domain, 199.203.131.130, m51.dnsqa.me, 49638, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:03-10-2015
Ran by Geo (administrator) on GEO-PC (04-10-2015 00:03:44)
Running from C:\Users\Geo\Downloads
Loaded Profiles: Geo (Available Profiles: Geo)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\ProgramData\DataCardService\HWDeviceService64.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DataCardService\DCSHelper.exe
() C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DataCardService\DCSHelper.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
() C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\DeviceDisplayObjectProvider.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Coffee Stain Studios AB) E:\Steam\steamapps\common\Sanctum\Binaries\Win32\SanctumGame-Win32-Shipping.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2777840 2013-08-14] (Synaptics Incorporated)
HKU\S-1-5-21-182115211-4121069281-1506031015-1000\...\MountPoints2: {255c72e9-69de-11e5-8708-ff5875b57519} - G:\AutoRun.exe
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [176904 2015-09-14] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [155792 2015-09-14] (NVIDIA Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8}: [NameServer] 93.122.135.198 62.217.213.71

Internet Explorer:
==================
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default
FF NewTab:
FF Homepage: www.google.ro
FF Session Restore: -> is enabled.
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-03] (Google Inc.)
FF Extension: Adblock Plus - C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-10-03]
FF Extension: Tab Mix Plus - C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2015-10-03]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Profile: C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-03]
CHR Extension: (Google Drive) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-03]
CHR Extension: (YouTube) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-03]
CHR Extension: (Adblock Plus) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-10-03]
CHR Extension: (Google Search) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-03]
CHR Extension: (Google Docs Offline) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-10-03]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-10-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-03]
CHR Extension: (Gmail) - C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [339456 2010-11-16] () [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [344168 2015-08-15] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [218624 2015-10-03] () [File not signed]
S4 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [12465344 2015-08-14] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [256000 2015-10-03] (Huawei Technologies Co., Ltd.)
U5 ew_hwusbdev; C:\Windows\System32\Drivers\ew_hwusbdev.sys [117248 2015-10-03] (Huawei Technologies Co., Ltd.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
S3 RTWlanE; C:\Windows\System32\DRIVERS\rtwlane.sys [2974424 2013-08-02] (Realtek Semiconductor Corporation )
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [34544 2013-08-14] (Synaptics Incorporated)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [75512 2015-08-04] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [34520 2015-07-09] (VMware, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-04 03:17 - 2015-10-04 03:17 - 00008192 __RSH C:\BOOTSECT.BAK
2015-10-04 03:17 - 2015-10-03 16:40 - 00000000 ____D C:\Windows\Panther
2015-10-04 03:17 - 2010-11-21 06:23 - 00383786 __RSH C:\bootmgr
2015-10-04 02:20 - 2015-10-04 02:20 - 00001355 _____ C:\Windows\TSSysprep.log
2015-10-04 02:20 - 2015-10-04 02:20 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2015-10-04 02:20 - 2015-10-04 02:20 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2015-10-04 02:19 - 2015-10-04 02:19 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-10-04 00:03 - 2015-10-04 00:04 - 00008703 _____ C:\Users\Geo\Downloads\FRST.txt
2015-10-04 00:03 - 2015-10-04 00:03 - 02193408 _____ (Farbar) C:\Users\Geo\Downloads\FRST64.exe
2015-10-04 00:03 - 2015-10-04 00:03 - 00000000 ____D C:\FRST
2015-10-03 21:05 - 2015-10-03 21:05 - 00000000 ____D C:\Users\Geo\AppData\Roaming\TeamViewer
2015-10-03 20:07 - 2015-10-03 20:07 - 00000196 _____ C:\Windows\DirectX.log
2015-10-03 20:07 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2015-10-03 20:07 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2015-10-03 20:07 - 2010-06-02 04:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2015-10-03 20:07 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2015-10-03 20:07 - 2010-05-26 11:41 - 02526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2015-10-03 20:07 - 2010-05-26 11:41 - 02401112 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2015-10-03 20:07 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2015-10-03 20:07 - 2010-05-26 11:41 - 01998168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
2015-10-03 20:07 - 2010-05-26 11:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2015-10-03 20:07 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2015-10-03 20:07 - 2010-02-04 10:01 - 00024920 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2015-10-03 20:07 - 2010-02-04 10:01 - 00022360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
2015-10-03 20:07 - 2007-04-04 18:54 - 00107368 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2015-10-03 20:07 - 2007-04-04 18:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_3.dll
2015-10-03 19:11 - 2015-10-03 19:20 - 00000000 ____D C:\Users\Geo\AppData\Roaming\vlc
2015-10-03 19:11 - 2015-10-03 19:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-10-03 19:11 - 2015-10-03 19:11 - 00000000 ____D C:\Program Files (x86)\VideoLAN
2015-10-03 19:07 - 2015-10-03 19:07 - 00000000 ____D C:\Users\Geo\Documents\Shortcuts
2015-10-03 19:07 - 2015-10-03 19:07 - 00000000 ____D C:\Users\Geo\Documents\BioWare
2015-10-03 19:07 - 2015-10-03 19:07 - 00000000 ____D C:\Users\Geo\Documents\Amnesia
2015-10-03 19:06 - 2015-10-03 19:06 - 00001187 _____ C:\Users\Geo\Desktop\Saints Row The Third.lnk
2015-10-03 19:05 - 2015-10-03 19:05 - 00001310 _____ C:\Users\Geo\Desktop\MassEffect 3.lnk
2015-10-03 19:05 - 2015-10-03 19:05 - 00001192 _____ C:\Users\Geo\Desktop\MassEffect 2.lnk
2015-10-03 19:04 - 2015-10-03 19:04 - 00000222 _____ C:\Users\Geo\Desktop\Saints Row IV.url
2015-10-03 19:04 - 2015-10-03 19:04 - 00000221 _____ C:\Users\Geo\Desktop\Borderlands 2.url
2015-10-03 19:04 - 2015-10-03 19:04 - 00000219 _____ C:\Users\Geo\Desktop\Dota 2.url
2015-10-03 19:04 - 2015-10-03 19:04 - 00000000 ____D C:\Users\Geo\Desktop\diverse
2015-10-03 19:04 - 2014-10-10 21:04 - 00435004 _____ C:\Users\Geo\Desktop\music.aimppl
2015-10-03 18:59 - 2015-10-03 19:00 - 28849904 _____ C:\Users\Geo\Downloads\vlc-2.2.1-win32.exe
2015-10-03 18:54 - 2015-10-03 20:07 - 00000000 ____D C:\Users\Geo\Documents\My games
2015-10-03 18:42 - 2015-10-03 18:42 - 00000000 ____D C:\Users\Geo\AppData\Local\Steam
2015-10-03 18:42 - 2015-10-03 18:42 - 00000000 ____D C:\Users\Geo\AppData\Local\CEF
2015-10-03 18:21 - 2015-10-03 20:22 - 00000000 ____D C:\Program Files (x86)\Steam
2015-10-03 18:21 - 2015-10-03 18:21 - 00000963 _____ C:\Users\Public\Desktop\Steam.lnk
2015-10-03 18:21 - 2015-10-03 18:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
2015-10-03 18:16 - 2015-10-03 18:16 - 00000000 ____D C:\Users\Geo\AppData\Roaming\Yahoo!
2015-10-03 18:15 - 2015-10-04 00:04 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-03 18:15 - 2015-10-03 18:15 - 00419488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-03 18:15 - 2015-10-03 18:15 - 00070304 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-03 18:15 - 2015-10-03 18:15 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-10-03 18:15 - 2015-10-03 18:15 - 00001137 _____ C:\Users\Public\Desktop\Yahoo! Messenger.lnk
2015-10-03 18:15 - 2015-10-03 18:15 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2015-10-03 18:15 - 2015-10-03 18:15 - 00000000 ____D C:\Users\Geo\AppData\Roaming\Macromedia
2015-10-03 18:15 - 2015-10-03 18:15 - 00000000 ____D C:\Users\Geo\AppData\Roaming\Adobe
2015-10-03 18:15 - 2015-10-03 18:15 - 00000000 ____D C:\ProgramData\Yahoo!
2015-10-03 18:15 - 2015-10-03 18:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
2015-10-03 18:13 - 2015-10-03 18:15 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2015-10-03 18:11 - 2015-10-03 18:11 - 01476720 _____ C:\Users\Geo\Downloads\SteamSetup.exe
2015-10-03 18:03 - 2015-10-03 18:03 - 00691576 _____ (Yahoo! Inc.) C:\Users\Geo\Downloads\msgr11us.exe
2015-10-03 17:43 - 2015-10-03 17:45 - 00000000 ____D C:\Users\Geo\AppData\Roaming\VMware
2015-10-03 17:43 - 2015-10-03 17:45 - 00000000 ____D C:\Users\Geo\AppData\Local\VMware
2015-10-03 17:39 - 2015-10-03 17:39 - 00000000 ____D C:\Users\Geo\AppData\Local\Apps\2.0
2015-10-03 17:33 - 2015-10-03 17:33 - 00000000 ____D C:\ProgramData\Synaptics
2015-10-03 17:32 - 2015-10-03 17:33 - 00000000 ____D C:\ProgramData\DataCardService
2015-10-03 17:32 - 2015-10-03 17:32 - 01490656 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01007.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 01490656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfCoInstaller01007.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00999936 _____ (DiBcom SA) C:\Windows\system32\Drivers\mod7700.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00256000 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ewusbnet.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00196608 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_juwwanecm.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00121600 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ewusbmdm.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00117248 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_hwusbdev.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00093696 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_jucdcacm.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00085504 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_jubusenum.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00055296 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_jucdcecm.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00032768 _____ (Huawei Tech. Co., Ltd.) C:\Windows\system32\Drivers\ewdcsc.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00029184 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_juextctrl.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00013952 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_usbenumfilter.sys
2015-10-03 17:32 - 2015-10-03 17:32 - 00001079 _____ C:\Users\Public\Desktop\Mobile Partner.lnk
2015-10-03 17:32 - 2015-10-03 17:32 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_ew_jubusenum_01007.Wdf
2015-10-03 17:32 - 2015-10-03 17:32 - 00000000 ____D C:\ProgramData\Mobile Partner
2015-10-03 17:32 - 2015-10-03 17:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mobile Partner
2015-10-03 17:32 - 2015-10-03 17:32 - 00000000 ____D C:\Program Files (x86)\Mobile Partner
2015-10-03 17:29 - 2015-10-03 17:57 - 00000000 ____D C:\Users\Geo\AppData\Local\Mozilla
2015-10-03 17:29 - 2015-10-03 17:29 - 00000000 ____D C:\Users\Geo\AppData\Roaming\Mozilla
2015-10-03 17:26 - 2015-10-03 17:26 - 00057560 _____ C:\Users\Geo\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-03 17:19 - 2015-10-03 23:24 - 00001102 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-03 17:19 - 2015-10-03 17:51 - 00001098 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-03 17:19 - 2015-10-03 17:19 - 00004098 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-10-03 17:19 - 2015-10-03 17:19 - 00003846 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-10-03 17:19 - 2015-10-03 17:19 - 00000000 ____D C:\Users\Geo\AppData\Local\Google
2015-10-03 17:19 - 2015-10-03 17:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-10-03 17:19 - 2015-10-03 17:19 - 00000000 ____D C:\Program Files (x86)\Google
2015-10-03 17:18 - 2015-10-03 17:18 - 00001159 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-10-03 17:17 - 2015-10-03 17:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-03 17:16 - 2015-10-03 17:16 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-03 17:16 - 2015-10-03 17:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-03 17:16 - 2015-10-03 17:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-10-03 17:16 - 2015-10-03 17:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-03 17:16 - 2015-04-14 10:39 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-03 17:16 - 2015-04-14 10:38 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-03 17:16 - 2015-04-14 10:38 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-10-03 17:15 - 2015-10-03 17:50 - 00000000 ____D C:\Users\Geo\AppData\Roaming\AIMP3
2015-10-03 17:15 - 2015-10-03 17:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AIMP3
2015-10-03 17:15 - 2015-10-03 17:15 - 00000000 ____D C:\Program Files (x86)\AIMP3
2015-10-03 17:14 - 2015-10-03 17:14 - 00000000 ____D C:\Users\Geo\AppData\Roaming\Notepad++
2015-10-03 17:14 - 2015-10-03 17:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-10-03 17:14 - 2015-10-03 17:14 - 00000000 ____D C:\Program Files (x86)\Notepad++
2015-10-03 17:12 - 2015-08-14 14:03 - 00066752 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmx86.sys
2015-10-03 17:12 - 2015-08-04 01:10 - 00075512 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vsock.sys
2015-10-03 17:12 - 2015-08-04 01:10 - 00068288 _____ (VMware, Inc.) C:\Windows\system32\vsocklib.dll
2015-10-03 17:12 - 2015-08-04 01:10 - 00064192 _____ (VMware, Inc.) C:\Windows\SysWOW64\vsocklib.dll
2015-10-03 17:11 - 2015-10-03 17:11 - 00731106 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-10-03 17:11 - 2015-10-03 17:11 - 00001203 _____ C:\Users\Public\Desktop\VMware Workstation Pro.lnk
2015-10-03 17:11 - 2015-10-03 17:11 - 00001024 _____ C:\Windows\SysWOW64\%TMP%
2015-10-03 17:11 - 2015-10-03 17:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware
2015-10-03 17:11 - 2015-10-03 17:11 - 00000000 ____D C:\Program Files\Common Files\VMware
2015-10-03 17:11 - 2015-08-14 14:03 - 00934080 _____ (VMware, Inc.) C:\Windows\system32\vnetlib64.dll
2015-10-03 17:11 - 2015-08-14 14:03 - 00391872 _____ (VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
2015-10-03 17:11 - 2015-08-14 14:03 - 00358080 _____ (VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
2015-10-03 17:11 - 2015-08-14 13:43 - 00026816 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmnetuserif.sys
2015-10-03 17:11 - 2015-08-11 19:27 - 00057536 _____ (VMware, Inc.) C:\Windows\system32\Drivers\hcmon.sys
2015-10-03 17:10 - 2015-10-03 17:51 - 00000000 ____D C:\ProgramData\VMware
2015-10-03 17:10 - 2015-10-03 17:10 - 00000000 ____D C:\Users\Public\Documents\Shared Virtual Machines
2015-10-03 17:10 - 2015-10-03 17:10 - 00000000 ____D C:\Program Files (x86)\VMware
2015-10-03 17:00 - 2015-10-03 17:00 - 00000000 ____D C:\Windows\SysWOW64\NV
2015-10-03 17:00 - 2015-10-03 17:00 - 00000000 ____D C:\Windows\system32\NV
2015-10-03 17:00 - 2015-10-03 17:00 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-03 16:59 - 2015-09-14 01:09 - 06884984 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 03496056 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 02558584 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 01062192 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshext.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 00937776 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2015-10-03 16:59 - 2015-09-14 01:09 - 00581752 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\oemdspif.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 00385144 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 00074872 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshextr.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 00062584 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2015-10-03 16:59 - 2015-09-11 15:17 - 05231082 _____ C:\Windows\system32\nvcoproc.bin
2015-10-03 16:58 - 2015-10-03 16:59 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2015-10-03 16:58 - 2015-10-03 16:58 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-10-03 16:58 - 2015-09-14 03:29 - 42840368 _____ C:\Windows\system32\nvcompiler.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 37819000 _____ C:\Windows\SysWOW64\nvcompiler.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 22525560 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 18543736 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 17082928 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 16637528 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 15513208 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 14936264 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 14635600 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 13660648 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 12514824 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 12185344 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 11096696 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2015-10-03 16:58 - 2015-09-14 03:29 - 03530608 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 03116160 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 02940024 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 02627192 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 01898288 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6435598.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 01558832 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6435598.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 01105976 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 01074808 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 01064056 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00986232 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00944760 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00943712 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00512904 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00421544 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00408184 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00364152 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00176904 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00155792 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00150832 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00128512 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2015-10-03 16:58 - 2015-09-14 03:29 - 00033079 _____ C:\Windows\system32\nvinfo.pb
2015-10-03 16:58 - 2015-09-14 03:29 - 00031352 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvpciflt.sys
2015-10-03 16:56 - 2015-10-03 16:59 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2015-10-03 16:55 - 2015-10-03 16:55 - 00000000 ____D C:\NVIDIA
2015-10-03 16:54 - 2015-10-03 16:54 - 00015348 _____ C:\Windows\system32\results.xml
2015-10-03 16:54 - 2015-10-03 16:54 - 00000401 _____ C:\Windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2015-10-03 16:54 - 2015-10-03 16:54 - 00000000 ____D C:\Users\Geo\AppData\Roaming\Synaptics
2015-10-03 16:50 - 2015-10-03 16:54 - 00000000 ____D C:\Intel
2015-10-03 16:50 - 2015-10-03 16:50 - 00000000 ____D C:\Program Files\Intel
2015-10-03 16:50 - 2015-10-03 16:50 - 00000000 ____D C:\Program Files (x86)\Intel
2015-10-03 16:50 - 2015-08-04 21:48 - 00086528 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
2015-10-03 16:50 - 2015-08-04 21:48 - 00082432 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2015-10-03 16:47 - 2015-10-03 16:49 - 00006896 _____ C:\Windows\DPINST.LOG
2015-10-03 16:47 - 2015-10-03 16:49 - 00001360 _____ C:\Windows\Synaptics.log
2015-10-03 16:47 - 2015-10-03 16:47 - 00000000 ____H C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Coinstaller_Critical.Wdf
2015-10-03 16:47 - 2015-10-03 16:47 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_SynTP_01011.Wdf
2015-10-03 16:47 - 2015-10-03 16:47 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_Smb_driver_Intel_01011.Wdf
2015-10-03 16:47 - 2015-10-03 16:47 - 00000000 ____D C:\Program Files\Synaptics
2015-10-03 16:47 - 2012-07-26 07:55 - 00785512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2015-10-03 16:47 - 2012-07-26 07:55 - 00054376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfLdr.sys
2015-10-03 16:47 - 2012-07-26 05:36 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\Wdfres.dll
2015-10-03 16:47 - 2012-06-02 17:35 - 00000003 _____ C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2015-10-03 16:45 - 2015-10-03 16:45 - 00000000 ____D C:\Program Files (x86)\Cisco
2015-10-03 16:45 - 2013-08-02 16:59 - 02974424 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\rtwlane.sys
2015-10-03 16:45 - 2012-02-14 19:37 - 00594432 _____ (Realtek Semiconductor Corp. ) C:\Windows\system32\Rtlihvs.dll
2015-10-03 16:44 - 2015-10-03 16:45 - 00000000 ____D C:\Program Files (x86)\REALTEK PCIE Wireless LAN Driver
2015-10-03 16:44 - 2013-07-04 11:14 - 00446168 _____ (Realtek) C:\Windows\SwUSB.exe
2015-10-03 16:44 - 2013-05-23 15:33 - 00044104 _____ () C:\Windows\runSW.exe
2015-10-03 16:44 - 2010-12-01 09:31 - 00451072 _____ C:\Windows\SysWOW64\ISSRemoveSP.exe
2015-10-03 16:43 - 2015-10-03 16:43 - 00000000 ____D C:\Program Files (x86)\Realtek
2015-10-03 16:43 - 2013-04-10 11:09 - 00849992 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
2015-10-03 16:43 - 2013-04-10 11:09 - 00108104 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
2015-10-03 16:43 - 2013-04-10 11:09 - 00073800 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp64.dll
2015-10-03 16:42 - 2015-10-03 16:44 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-10-03 16:40 - 2015-10-03 17:50 - 00057011 _____ C:\Windows\WindowsUpdate.log
2015-10-03 16:40 - 2015-10-03 16:54 - 00000000 ____D C:\Users\Geo
2015-10-03 16:40 - 2015-10-03 16:40 - 00001443 _____ C:\Users\Geo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-10-03 16:40 - 2015-10-03 16:40 - 00001409 _____ C:\Users\Geo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-10-03 16:40 - 2015-10-03 16:40 - 00000020 ___SH C:\Users\Geo\ntuser.ini
2015-10-03 16:40 - 2015-10-03 16:40 - 00000000 __SHD C:\Recovery
2015-10-03 16:40 - 2015-10-03 16:40 - 00000000 ____D C:\Users\Geo\AppData\Local\VirtualStore
2015-10-03 16:40 - 2009-07-14 07:54 - 00000000 ___RD C:\Users\Geo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-10-03 16:40 - 2009-07-14 07:49 - 00000000 ___RD C:\Users\Geo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-04 03:17 - 2009-07-14 08:38 - 00025600 ___SH C:\Windows\system32\config\BCD-Template.LOG
2015-10-04 03:17 - 2009-07-14 08:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2015-10-04 02:39 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\rescache
2015-10-04 02:21 - 2009-07-14 07:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-04 02:20 - 2009-07-14 07:46 - 00002790 _____ C:\Windows\DtcInstall.log
2015-10-04 02:20 - 2009-07-14 06:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-10-04 02:20 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\system32\sysprep
2015-10-04 02:18 - 2011-04-12 11:28 - 00000000 ____D C:\Windows\CSC
2015-10-03 23:53 - 2009-07-14 07:45 - 00016656 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-03 23:53 - 2009-07-14 07:45 - 00016656 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-03 17:55 - 2009-07-14 08:13 - 00718036 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-03 17:52 - 2009-07-14 07:51 - 00028932 _____ C:\Windows\setupact.log
2015-10-03 17:51 - 2010-11-21 06:47 - 00005152 _____ C:\Windows\PFRO.log
2015-10-03 17:51 - 2009-07-14 08:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-03 17:33 - 2009-07-14 06:20 - 00000000 __RHD C:\Users\Public\Libraries
2015-10-03 17:06 - 2009-07-14 06:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-10-03 16:59 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\Help
2015-10-03 16:42 - 2009-07-14 08:32 - 00000000 ____D C:\Windows\system32\restore

Some files in TEMP:
====================
C:\Users\Geo\AppData\Local\Temp\xmlUpdater.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-03 19:54

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:03-10-2015
Ran by Geo (2015-10-04 00:04:46)
Running from C:\Users\Geo\Downloads
Windows 7 Professional Service Pack 1 (X64) (2015-10-03 13:40:11)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-182115211-4121069281-1506031015-500 - Administrator - Disabled)
Geo (S-1-5-21-182115211-4121069281-1506031015-1000 - Administrator - Enabled) => C:\Users\Geo
Guest (S-1-5-21-182115211-4121069281-1506031015-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.2.202.235 - Adobe Systems Incorporated)
AIMP3 (HKLM-x32\...\AIMP3) (Version: v3.60.1503, 26.09.2015 - AIMP DevTeam)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Update Helper (x32 Version: 1.3.28.15 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mobile Partner (HKLM-x32\...\Mobile Partner) (Version: 21.003.27.00.141 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 41.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 41.0.1 (x86 en-US)) (Version: 41.0.1 - Mozilla)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.3 - Notepad++ Team)
NVIDIA Graphics Driver 355.98 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 355.98 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{8A809006-C25A-4A3A-9DAB-94659BCDB107}) (Version: 9.10.0224 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.72.410.2013 - Realtek)
REALTEK Wireless LAN Driver (HKLM-x32\...\{9DAABC60-A5EF-41FF-B2B9-17329590CD5}) (Version: 1.00.0225 - REALTEK Semiconductor Corp.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.9.1 - Synaptics Incorporated)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VMware Workstation (HKLM\...\{132E3257-14F1-411A-BC6C-0CA32D3A9BC6}) (Version: 12.0.0 - VMware, Inc.)
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-182115211-4121069281-1506031015-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 05:34 - 2009-06-11 00:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {525FB20F-A716-421B-98E2-B755223207FE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-03] (Google Inc.)
Task: {98AA30F0-A37D-4ECE-AF06-1576F14DDE4D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-03] (Google Inc.)
Task: {A930B289-6E6F-448A-A424-E8844422F583} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-10-03] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-10-03 16:58 - 2015-09-14 03:29 - 00011896 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2015-10-03 16:59 - 2015-09-14 01:09 - 00116344 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-04-15 23:13 - 2015-04-15 23:13 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2010-11-16 16:38 - 2010-11-16 16:38 - 00339456 _____ () C:\ProgramData\DatacardService\HWDeviceService64.exe
2015-10-03 17:32 - 2015-10-03 17:32 - 00218624 _____ () C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
2015-10-03 17:32 - 2015-10-03 17:32 - 00514048 _____ () C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
2015-10-03 16:58 - 2015-09-14 03:29 - 00012080 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00011362 _____ () C:\ProgramData\Mobile Partner\OnlineUpdate\mingwm10.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00043008 _____ () C:\ProgramData\Mobile Partner\OnlineUpdate\libgcc_s_dw2-1.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 02415104 _____ () C:\ProgramData\Mobile Partner\OnlineUpdate\QtCore4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 01148416 _____ () C:\ProgramData\Mobile Partner\OnlineUpdate\QtNetwork4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00352768 _____ () C:\Program Files (x86)\Mobile Partner\core.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00258560 _____ () C:\Program Files (x86)\Mobile Partner\sdk.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00011362 _____ () C:\Program Files (x86)\Mobile Partner\mingwm10.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00043008 _____ () C:\Program Files (x86)\Mobile Partner\libgcc_s_dw2-1.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 02415104 _____ () C:\Program Files (x86)\Mobile Partner\QtCore4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 09515520 _____ () C:\Program Files (x86)\Mobile Partner\QtGui4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00379392 _____ () C:\Program Files (x86)\Mobile Partner\Proxy.DLL
2015-10-03 17:32 - 2015-10-03 17:32 - 00218112 _____ () C:\Program Files (x86)\Mobile Partner\Common.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00135168 _____ () C:\Program Files (x86)\Mobile Partner\Trace.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00545280 _____ () C:\Program Files (x86)\Mobile Partner\PluginContainer.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00238592 _____ () C:\Program Files (x86)\Mobile Partner\AtCodec.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00300544 _____ () C:\Program Files (x86)\Mobile Partner\DeviceSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00225280 _____ () C:\Program Files (x86)\Mobile Partner\NetSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00133120 _____ () C:\Program Files (x86)\Mobile Partner\OSDialup.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00159232 _____ () C:\Program Files (x86)\Mobile Partner\XCodec.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00157184 _____ () C:\Program Files (x86)\Mobile Partner\DataServicePlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00175104 _____ () C:\Program Files (x86)\Mobile Partner\CallSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00264704 _____ () C:\Program Files (x86)\Mobile Partner\AddrBookSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00217600 _____ () C:\Program Files (x86)\Mobile Partner\SmsSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00142336 _____ () C:\Program Files (x86)\Mobile Partner\USSDSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00156672 _____ () C:\Program Files (x86)\Mobile Partner\STKSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00337408 _____ () C:\Program Files (x86)\Mobile Partner\DeviceAppPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00065536 _____ () C:\Program Files (x86)\Mobile Partner\OSPowerMgr.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00106496 _____ () C:\Program Files (x86)\Mobile Partner\Win7Support.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 01077248 _____ () C:\Program Files (x86)\Mobile Partner\AddrBookPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00670720 _____ () C:\Program Files (x86)\Mobile Partner\SmsAppPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00550400 _____ () C:\Program Files (x86)\Mobile Partner\CallAppPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00547840 _____ () C:\Program Files (x86)\Mobile Partner\CallLogSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00158720 _____ () C:\Program Files (x86)\Mobile Partner\NetConnectSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00211456 _____ () C:\Program Files (x86)\Mobile Partner\DialUpPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00101376 _____ () C:\Program Files (x86)\Mobile Partner\OSAdapt.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00179712 _____ () C:\Program Files (x86)\Mobile Partner\NDISPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00131072 _____ () C:\Program Files (x86)\Mobile Partner\OSNDIS.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 01101824 _____ () C:\Program Files (x86)\Mobile Partner\NDISAPI.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00275456 _____ () C:\Program Files (x86)\Mobile Partner\NetInfoSrvPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00062976 _____ () C:\Program Files (x86)\Mobile Partner\OSCall.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00082944 _____ () C:\Program Files (x86)\Mobile Partner\plugins\imageformats\qgif4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00081920 _____ () C:\Program Files (x86)\Mobile Partner\plugins\imageformats\qico4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00192000 _____ () C:\Program Files (x86)\Mobile Partner\plugins\imageformats\qjpeg4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00350720 _____ () C:\Program Files (x86)\Mobile Partner\plugins\imageformats\qmng4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00370176 _____ () C:\Program Files (x86)\Mobile Partner\plugins\imageformats\qtiff4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00495104 _____ () C:\Program Files (x86)\Mobile Partner\DeviceMgrUIPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00123392 _____ () C:\Program Files (x86)\Mobile Partner\ATR2SMgr.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00185856 _____ () C:\Program Files (x86)\Mobile Partner\XFramePlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00314368 _____ () C:\Program Files (x86)\Mobile Partner\StatusBarMgrPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00117760 _____ () C:\Program Files (x86)\Mobile Partner\LayoutPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00414720 _____ () C:\Program Files (x86)\Mobile Partner\DialupUIPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00093184 _____ () C:\Program Files (x86)\Mobile Partner\NotifyServicePlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00331776 _____ () C:\Program Files (x86)\Mobile Partner\NetConnectPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00245760 _____ () C:\Program Files (x86)\Mobile Partner\MenuMgrPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00449536 _____ () C:\Program Files (x86)\Mobile Partner\NetInfoUIExPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00777728 _____ () C:\Program Files (x86)\Mobile Partner\SMSUIPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00739840 _____ () C:\Program Files (x86)\Mobile Partner\AddrBookUIPlugin.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00239104 _____ () C:\Program Files (x86)\Mobile Partner\LiveUpdateInterface.DLL
2015-10-03 17:32 - 2015-10-03 17:32 - 01148416 _____ () C:\Program Files (x86)\Mobile Partner\QtNetwork4.dll
2015-10-03 17:32 - 2015-10-03 17:32 - 00229376 _____ () C:\Program Files (x86)\Mobile Partner\ToolBarMgrPlugin.dll
2015-10-03 18:15 - 2012-05-25 04:25 - 00921600 _____ () C:\Program Files (x86)\Yahoo!\Messenger\yui.dll
2015-10-03 18:15 - 2012-05-25 04:25 - 00078336 _____ () C:\Program Files (x86)\Yahoo!\Messenger\pcre.dll
2015-10-03 18:42 - 2015-07-03 19:12 - 00778240 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2015-10-03 18:42 - 2015-07-03 19:12 - 04962816 _____ () C:\Program Files (x86)\Steam\v8.dll
2015-10-03 18:42 - 2015-07-03 19:12 - 01556992 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2015-10-03 18:42 - 2015-07-03 19:12 - 01187840 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2015-10-03 18:42 - 2015-08-19 23:39 - 02413248 _____ () C:\Program Files (x86)\Steam\video.dll
2015-10-03 18:42 - 2014-12-02 00:31 - 02396672 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2015-10-03 18:42 - 2014-12-02 00:31 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2015-10-03 18:42 - 2014-12-02 00:31 - 00479744 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2015-10-03 18:42 - 2014-12-02 00:31 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2015-10-03 18:42 - 2014-12-02 00:31 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2015-10-03 18:42 - 2015-08-19 23:39 - 00704192 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2015-10-03 18:42 - 2015-07-27 04:13 - 00171008 _____ () C:\Program Files (x86)\Steam\bin\openvr_api.dll
2015-10-03 18:42 - 2015-07-03 19:12 - 39553928 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 03141912 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_core_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 01329944 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 00338200 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_aui_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 00597784 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_xrc_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 00792344 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_richtext_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 00733464 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_adv_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:26 - 00515864 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_html_vc_custom.dll
2015-09-29 00:26 - 2015-09-29 00:26 - 00131864 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\wxmsw28u_xml_vc_custom.dll
2015-09-29 00:25 - 2015-09-29 00:25 - 00084760 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\EasyHook32.dll
2015-10-03 18:42 - 2015-08-19 23:39 - 00373440 _____ () C:\Program Files (x86)\Steam\steam.dll
2015-09-29 00:25 - 2015-09-29 00:25 - 00472344 _____ () E:\Steam\steamapps\common\Sanctum\Binaries\Win32\FonixTtsDtSimpleus.dll
2015-06-08 22:06 - 2015-06-08 22:06 - 00014336 _____ () C:\Program Files (x86)\Notepad++\plugins\NppExport.dll
2015-05-15 17:24 - 2015-05-15 17:24 - 02873856 _____ () C:\Program Files (x86)\Notepad++\plugins\NppFTP.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-182115211-4121069281-1506031015-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Geo\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 93.122.135.198 - 62.217.213.71
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: vmware-tray.exe => "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{1B09C16A-A2AC-4F4F-AD69-DC00F390A451}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
FirewallRules: [{4DCAC1E9-2AC2-4B53-B722-B41D31F6E14D}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
FirewallRules: [{06CCCBCA-FE76-45B6-B8B5-A11F96676D7A}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
FirewallRules: [{5440148E-9DFF-418E-90D9-775CD6DC1D54}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
FirewallRules: [{929C34DE-08AE-4FA5-8F1B-B404CE0FECBD}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{195536DC-EA5A-414B-B412-64A6A6EABAB5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5AD8EADF-6D64-448E-978E-2B250282BE5B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{88030EFE-2E0D-42C6-901F-853791CE3A90}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{DDBFA4D4-AD42-45F7-A625-19E62770A242}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{10B6D906-67C1-4790-AC56-B86B08BDD96E}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{7D2A2871-D44C-49B4-A112-D8BB082274F6}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{FA2E1D37-6324-4B96-8E10-5D8A7EE9A83F}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{2DAB93CD-034F-4456-BE71-382B47C35BA3}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [TCP Query User{1B53FC1E-1F51-4D85-915D-3A0903D71D50}E:\steam\steamapps\common\sanctum\binaries\win32\sanctumgame-win32-shipping.exe] => (Allow) E:\steam\steamapps\common\sanctum\binaries\win32\sanctumgame-win32-shipping.exe
FirewallRules: [UDP Query User{95E36ABB-03F0-44D1-88F9-7846793C245F}E:\steam\steamapps\common\sanctum\binaries\win32\sanctumgame-win32-shipping.exe] => (Allow) E:\steam\steamapps\common\sanctum\binaries\win32\sanctumgame-win32-shipping.exe

==================== Faulty Device Manager Devices =============

Name: Realtek PCIe GBE Family Controller
Description: Realtek PCIe GBE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: RTL8167
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Realtek RTL8723BE Wireless LAN 802.11n PCI-E NIC
Description: Realtek RTL8723BE Wireless LAN 802.11n PCI-E NIC
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek Semiconductor Corp.
Service: RTWlanE
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: VMware Virtual Ethernet Adapter for VMnet1
Description: VMware Virtual Ethernet Adapter for VMnet1
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: VMnetAdapter
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: VMware Virtual Ethernet Adapter for VMnet8
Description: VMware Virtual Ethernet Adapter for VMnet8
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: VMnetAdapter
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Bluetooth Device (Personal Area Network)
Description: Bluetooth Device (Personal Area Network)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: BthPan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/03/2015 05:51:41 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/03/2015 05:00:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/03/2015 04:54:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/03/2015 04:48:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/04/2015 02:39:29 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (10/03/2015 08:07:22 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error:
%%1053

Error: (10/03/2015 08:07:22 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (10/03/2015 05:51:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Mobile Partner. OUC service failed to start due to the following error:
%%1053

Error: (10/03/2015 05:51:31 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Mobile Partner. OUC service to connect.

Error: (10/03/2015 05:39:27 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the VMware Workstation Server service, but this action failed with the following error:
%%1058

Error: (10/03/2015 05:38:27 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The VMware Workstation Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/03/2015 05:32:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Mobile Partner. OUC service failed to start due to the following error:
%%1053

Error: (10/03/2015 05:32:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Mobile Partner. OUC service to connect.

Error: (10/03/2015 05:32:35 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The Mobile Partner. OUC service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (10/03/2015 05:32:25 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The HWDeviceService64.exe service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.


==================== Memory info ===========================

Processor: Intel® Core™ i5-4200M CPU @ 2.50GHz
Percentage of memory in use: 67%
Total physical RAM: 3844.56 MB
Available physical RAM: 1239.64 MB
Total Virtual: 7687.32 MB
Available Virtual: 4196.28 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:100 GB) (Free:82.34 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:182 GB) (Free:28.28 GB) NTFS
Drive e: () (Fixed) (Total:183.66 GB) (Free:70.62 GB) NTFS
Drive g: (Mobile Partner) (CDROM) (Total:0.03 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 53544B34)
Partition 1: (Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=182 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=183.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
etc.


Edited by Oh My!, 05 October 2015 - 03:49 PM.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:15 PM

Posted 05 October 2015 - 04:14 PM

Greetings helpmepls123 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

When you reset Firefox and Chrome did you disable the Sync function on either one of the browsers?

Please run the following for me.

===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Sync?
  • MiniToolBox log
  • System Summary report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 helpmepls123

helpmepls123
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:15 PM

Posted 06 October 2015 - 12:51 AM

Hi Oh My!, nice to meet you!

 

  • I never used sync on Firefox, and I've tried logging out of my Google account from Chrome. Over the last days I've noticed that I don't have to reset them to make the ads go away. If I hard refresh the page (Shift+F5) the ads will go away for a while. So, they appear again randomly and rarely, like 1 in 50 requests (for the same exact URL) is answered by a malicious server(?) and I get the blocked domain message from Malwarebytes. Once I get the blocked domain message, if I use just F5 to refresh it will always pop up (gets cached, I think).

 

  • MiniToolBox by Farbar  Version: 25-07-2015 01
    Ran by Geo (administrator) on 06-10-2015 at 19:11:24
    Running from "C:\Users\Geo\Downloads"
    Microsoft Windows 7 Professional  Service Pack 1 (X64)
    Model: 20281 Manufacturer: LENOVO
    Boot Mode: Normal
    ***************************************************************************

    ========================= Flush DNS: ===================================

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    "Reset IE Proxy Settings": IE Proxy Settings were reset.

    ========================= FF Proxy Settings: ==============================


    "Reset FF Proxy Settings": Firefox Proxy settings were reset.

    ========================= Hosts content: =================================



    ========================= IP Configuration: ================================

    Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Disconnected)
    Realtek PCIe GBE Family Controller = Local Area Connection (Disconnected)
    Realtek RTL8723BE Wireless LAN 802.11n PCI-E NIC = Wireless Network Connection (Disconnected)
    VMware Virtual Ethernet Adapter for VMnet1 = VMware Network Adapter VMnet1 (Disconnected)
    VMware Virtual Ethernet Adapter for VMnet8 = VMware Network Adapter VMnet8 (Disconnected)
    HUAWEI Mobile Connect - 3G Network Card = Mobile Broadband Connection (Connected)


    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset
    set global icmpredirects=enabled
    add address name="VMware Network Adapter VMnet1" address=192.168.31.1 mask=255.255.255.0
    add address name="VMware Network Adapter VMnet8" address=192.168.239.1 mask=255.255.255.0


    popd
    # End of IPv4 configuration



    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Geo-PC
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No

    Mobile Broadband adapter Mobile Broadband Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HUAWEI Mobile Connect - 3G Network Card
       Physical Address. . . . . . . . . : 00-1E-10-1F-9D-8C
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.130.3.70(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Default Gateway . . . . . . . . . : 10.130.3.69
       DNS Servers . . . . . . . . . . . : 62.217.213.70
                                           93.122.135.199
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Server:  nsc1.orangero.net
    Address:  62.217.213.70

    Name:    google.com
    Addresses:  2a00:1450:401b:800::200e
          80.96.255.103
          80.96.255.110
          80.96.255.117
          80.96.255.123
          80.96.255.116
          80.96.255.102
          80.96.255.96
          80.96.255.95
          80.96.255.88
          80.96.255.82
          80.96.255.109
          80.96.255.89


    Pinging google.com [80.96.255.103] with 32 bytes of data:
    Reply from 80.96.255.103: bytes=32 time=42ms TTL=58
    Reply from 80.96.255.103: bytes=32 time=41ms TTL=58

    Ping statistics for 80.96.255.103:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 41ms, Maximum = 42ms, Average = 41ms
    Server:  nsc1.orangero.net
    Address:  62.217.213.70

    Name:    yahoo.com
    Addresses:  2001:4998:c:a06::2:4008
          2001:4998:58:c02::a9
          2001:4998:44:204::a7
          98.138.253.109
          206.190.36.45
          98.139.183.24


    Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
    Reply from 98.138.253.109: bytes=32 time=194ms TTL=47
    Reply from 98.138.253.109: bytes=32 time=214ms TTL=47

    Ping statistics for 98.138.253.109:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 194ms, Maximum = 214ms, Average = 204ms

    Pinging 127.0.0.1 with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    ===========================================================================
    Interface List
     22...00 1e 10 1f 9d 8c ......HUAWEI Mobile Connect - 3G Network Card
      1...........................Software Loopback Interface 1
     32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.130.3.69      10.130.3.70    286
          10.130.3.68  255.255.255.252         On-link       10.130.3.70    286
          10.130.3.70  255.255.255.255         On-link       10.130.3.70    286
          10.130.3.71  255.255.255.255         On-link       10.130.3.70    286
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       10.130.3.70    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       10.130.3.70    286
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
    Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
    Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
    Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
    Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
    Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
    Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 12 C:\Windows\SysWOW64\vsocklib.dll [64192] (VMware, Inc.)
    Catalog9 13 C:\Windows\SysWOW64\vsocklib.dll [64192] (VMware, Inc.)
    x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
    x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
    x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
    x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
    x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
    x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
    x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
    x64-Catalog9 12 C:\Windows\System32\vsocklib.dll [68288] (VMware, Inc.)
    x64-Catalog9 13 C:\Windows\System32\vsocklib.dll [68288] (VMware, Inc.)

    **** End of log ****
     

Right now I'm getting

Malicious Website Protection, Domain, 82.163.143.88, m53.dnsqa.me, 51324, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe

while accessing this page :crazy:


Edited by helpmepls123, 06 October 2015 - 11:12 AM.
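
The helper's request above amounts to a manual DNS audit of the "IP Configuration" section of that log. As an added example (not code from the thread, from MiniToolBox or from any tool named here), the Python below parses an `ipconfig /all` dump and flags every DNS server that is neither the adapter's own default gateway nor on an explicit allowlist, reporting the adapter's DHCP state beside each finding; the sample dump and its TEST-NET addresses are constructed.

```python
"""Audit the DNS servers in an ``ipconfig /all`` dump (added example, not
from the thread or from MiniToolBox). It automates the check the helper does
by eye: flag any DNS server that is neither the adapter's own default gateway
nor on an explicit allowlist. The sample dump is constructed from TEST-NET
documentation addresses, not real resolvers."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout ipconfig /all (and MiniToolBox) produce.
# Adapter 1 uses its gateway as resolver; adapter 2 has two public resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.1

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8::20(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.0.2.20(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
"""

ADAPTER_RE = re.compile(r"^(\S.*):$")                # unindented "...:" line
FIELD_RE = re.compile(r"^ {3}(\S.*?)[ .]*: ?(.*)$")  # "   Key . . . : value"


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {field: [values]}}; deeper-indented lines (extra DNS
    servers, extra IPv6 addresses) continue the previous field."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current, last_key = "(global)", None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            current, last_key = header.group(1), None
        elif field:
            last_key = field.group(1)
            values = sections.setdefault(current, {}).setdefault(last_key, [])
            if field.group(2):
                values.append(field.group(2))
        elif line.startswith("    ") and last_key and line.strip():
            sections[current][last_key].append(line.strip())
    return sections


def _as_ip(value: str):
    """Turn '10.0.0.1(Preferred)' or 'fe80::1%12' into an ip_address, else None."""
    bare = value.split("(")[0].split("%")[0].strip()
    try:
        return ipaddress.ip_address(bare)
    except ValueError:
        return None


def audit_dns(text: str, allowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (adapter, server, dhcp_state) for each DNS server that is not
    the adapter's own gateway and not in the allowlist."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings: List[Tuple[str, str, str]] = []
    for adapter, fields in parse_ipconfig(text).items():
        gateways = {_as_ip(g) for g in fields.get("Default Gateway", [])}
        dhcp = (fields.get("DHCP Enabled") or ["?"])[0]
        for raw in fields.get("DNS Servers", []):
            server = _as_ip(raw)
            if server is None or server in allowed_ips or server in gateways:
                continue
            findings.append((adapter, str(server), dhcp))
    return findings


if __name__ == "__main__":
    # Empty allowlist: only a resolver that is the adapter's gateway passes.
    for adapter, server, dhcp in audit_dns(SAMPLE_IPCONFIG, set()):
        print(f"{adapter}: unexpected DNS server {server} (DHCP Enabled: {dhcp})")
```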


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:15 PM

Posted 06 October 2015 - 12:09 PM

That doesn't appear to be a full MiniToolBox report. Please rerun it and make sure the following is checked.

List IP configuration


Gary
 

#5 helpmepls123

helpmepls123
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:15 PM

Posted 06 October 2015 - 01:32 PM

Already edited my post a few hours ago to include that. Sorry about that.



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:15 PM

Posted 06 October 2015 - 02:52 PM

Thank you for the information.

Please do this.

===================================================

Zoek by Smeenk

--------------------
  • Download Zoek and save it to your Desktop
  • Right click the icon, select Run as Administrator, and wait for the Program to appear on your Desktop (may take 15 seconds or so)
  • Copy and paste the following into the main box

createsrpoint;
autoclean;

  • Verify Scan All Users is selected then click Run Script
  • Do not use your computer while the scan is running
  • Copy and paste C:\zoek-results.txt in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Zoek report
  • Update on pop ups

Gary
 

#7 helpmepls123

helpmepls123
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:15 PM

Posted 07 October 2015 - 03:18 PM

Hey again, ran this tool this morning before I left. When I got home it asked for a restart. I proceeded with the restart then connected to the internet. Visited the usual sites (YouTube, Escapist, Steam). Unfortunately, on Steam I got this http://i.imgur.com/qfovUsU.jpg

If I refresh the page (F5) I will always get this pop-up; if I hard refresh the page (Shift+F5) it won't pop up again (for a while...). Is it possible that some DNS server is compromised and I can't do anything about it?

I did some digging and found some people that encountered this while using linux and mac, besides those using windows and not finding any detection.

http://jasmanseblog.blogspot.ro/2015/09/dns-unlocker-ads.html

https://productforums.google.com/forum/#!msg/chrome/PtmD_OAUPDk/huoSNw3DAwAJ

http://www.tomsguide.com/answers/id-2779788/remove-dns-unlocker-malware-virus-suggestions-read.html#16670781

http://security.stackexchange.com/questions/99957/malware-adware-infection-on-linux

https://thecomputerperson.wordpress.com/2015/08/19/the-mystery-of-82-163-143-172-and-82-163-142-174/

(hope I'm allowed to post these links, if not please check them before removing)

But from what I understand it's an Iranian compromised DNS server, how can it randomly affect me while loading the Steam/BleepingComputer/Escapist pages? It doesn't make much sense :rolleyes: . How can I be sure it's a bug in my PC or some other DNS problem?

By the way, it seems this tool completely removed my yahoo messenger folders, but still left it in control panel-programs, plus its registry entries. Is this normal?

 

 

Zoek.exe v5.0.0.1 Updated 06-October-2015
Tool run by Geo on Wed 10/07/2015 at  9:50:22.61.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Geo\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

10/7/2015 9:52:39 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\HitmanPro deleted successfully
C:\Users\Geo\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default

user.js not found
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

prefs_20151007_1021_.backup

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Yahoo! deleted
C:\Users\Geo\AppData\Roaming\Yahoo! deleted
C:\PROGRA~3\Yahoo! deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted
C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default\jetpack deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default
user_pref("browser.startup.homepage", "www.google.ro");
user_pref("browser.newtab.url", "");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default
- Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- Tab Mix Plus - %ProfilePath%\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================


==== Chromium Look ======================

Chrome Hotword Shared Module - Geo\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Geo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Geo\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Geo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Geo\AppData\Local\Mozilla\Firefox\Profiles\918jmg2c.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Geo\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=6 folders=5 23799 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Geo\AppData\Local\Temp will be emptied at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Geo\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Geo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found

==== EOF on Wed 10/07/2015 at 22:48:22.19 ======================

 

edit: censored image
 


Edited by helpmepls123, 07 October 2015 - 03:22 PM.


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:15 PM

Posted 07 October 2015 - 06:50 PM

Apparently it did delete your Yahoo folders and I will take note of that since I am assuming it is normal for the Program.

We are still working on figuring out what is going on.

Please do this.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Note: If after disabling Combofix warns you an Antivirus program is still running ignore the warning and run Combofix.
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registery key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Listing Trusted Root Certificate Authorities Certificates

--------------------
  • Click Start, type certmgr.msc and press Enter
  • Expand the Trusted Root Certificate Authorities section by clicking the arrow to the left
  • Right click on Certificates and select Export List...
  • Save the file to your Desktop as Certificates.txt
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log
  • RogueKiller log
  • Certificates.txt

Gary
 

#9 helpmepls123

helpmepls123
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:15 PM

Posted 08 October 2015 - 01:09 AM

I had to reinstall Yahoo Messenger, as I use it daily for communication, and have been doing so for many years...

 

Combofix log

ComboFix 15-10-06.01 - Geo 10/08/2015   8:37.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3845.2164 [GMT 3:00]
Running from: c:\users\Geo\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
.
.
(((((((((((((((((((((((((   Files Created from 2015-09-08 to 2015-10-08  )))))))))))))))))))))))))))))))
.
.
2015-10-08 05:42 . 2015-10-08 05:42    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-10-07 21:11 . 2015-10-07 21:11    --------    d-----w-    c:\programdata\Yahoo!
2015-10-07 21:09 . 2015-10-07 21:11    --------    d-----w-    c:\program files (x86)\Yahoo!
2015-10-07 07:27 . 2015-10-07 06:49    24064    ----a-w-    c:\windows\zoek-delete.exe
2015-10-07 06:49 . 2015-10-07 07:21    --------    d-----w-    C:\zoek_backup
2015-10-04 15:56 . 2015-10-04 15:57    --------    d-----w-    c:\program files\WinRAR
2015-10-04 11:09 . 2015-10-04 11:09    --------    d-----w-    c:\program files (x86)\ESET
2015-10-04 08:03 . 2015-10-04 08:03    --------    d-----w-    c:\programdata\Office Genuine Advantage
2015-10-04 07:04 . 2015-10-04 07:04    --------    d-----w-    C:\NPE
2015-10-04 07:01 . 2015-10-04 07:01    --------    d-----w-    c:\programdata\Norton
2015-10-04 00:17 . 2015-10-03 13:40    --------    d-----w-    c:\windows\Panther
2015-10-04 00:17 . 2015-10-04 00:17    --------    d-----w-    C:\Boot
2015-10-03 22:10 . 2015-10-03 22:10    35064    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2015-10-03 22:10 . 2015-10-03 22:41    --------    d-----w-    c:\programdata\RogueKiller
2015-10-03 21:34 . 2015-10-03 21:54    --------    d-----w-    C:\EEK
2015-10-03 21:24 . 2015-10-03 21:24    --------    d-----w-    C:\AdwCleaner
2015-10-03 21:13 . 2015-10-03 21:34    --------    d-----w-    c:\programdata\HitmanPro
2015-10-03 21:03 . 2015-10-04 08:20    --------    d-----w-    C:\FRST
2015-10-03 16:11 . 2015-10-03 16:11    --------    d-----w-    c:\program files (x86)\VideoLAN
2015-10-03 15:21 . 2015-10-03 17:07    --------    d-----w-    c:\program files (x86)\Common Files\Steam
2015-10-03 15:21 . 2015-10-06 20:47    --------    d-----w-    c:\program files (x86)\Steam
2015-10-03 15:15 . 2015-10-03 15:15    70304    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-10-03 15:15 . 2015-10-03 15:15    419488    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-10-03 15:15 . 2015-10-03 15:15    --------    d-----w-    c:\windows\SysWow64\Macromed
2015-10-03 14:33 . 2015-10-03 14:33    --------    d-----w-    c:\programdata\Synaptics
2015-10-03 14:19 . 2015-10-03 14:19    --------    d-----w-    c:\program files (x86)\Google
2015-10-03 14:16 . 2015-10-07 19:48    113880    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-10-03 14:16 . 2015-10-03 22:52    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2015-10-03 14:16 . 2015-10-03 14:16    --------    d-----w-    c:\programdata\Malwarebytes
2015-10-03 14:16 . 2015-06-18 06:48    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-10-03 14:16 . 2015-06-18 06:47    109272    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-10-03 14:16 . 2015-06-18 06:47    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-10-03 14:15 . 2015-10-03 14:15    --------    d-----w-    c:\program files (x86)\AIMP3
2015-10-03 14:14 . 2015-10-03 14:14    --------    d-----w-    c:\program files (x86)\Notepad++
2015-10-03 14:12 . 2015-08-03 22:10    75512    ----a-w-    c:\windows\system32\drivers\vsock.sys
2015-10-03 14:12 . 2015-08-03 22:10    68288    ----a-w-    c:\windows\system32\vsocklib.dll
2015-10-03 14:12 . 2015-08-03 22:10    64192    ----a-w-    c:\windows\SysWow64\vsocklib.dll
2015-10-03 14:12 . 2015-08-14 11:03    66752    ----a-w-    c:\windows\system32\drivers\vmx86.sys
2015-10-03 14:11 . 2015-08-14 11:03    358080    ----a-w-    c:\windows\SysWow64\vmnetdhcp.exe
2015-10-03 14:11 . 2015-08-14 11:03    391872    ----a-w-    c:\windows\SysWow64\vmnat.exe
2015-10-03 14:11 . 2015-08-14 10:43    26816    ----a-w-    c:\windows\system32\drivers\vmnetuserif.sys
2015-10-03 14:11 . 2015-08-14 11:03    934080    ----a-w-    c:\windows\system32\vnetlib64.dll
2015-10-03 14:11 . 2015-08-11 16:27    57536    ----a-w-    c:\windows\system32\drivers\hcmon.sys
2015-10-03 14:11 . 2015-10-03 14:11    --------    d-----w-    c:\program files\Common Files\VMware
2015-10-03 14:11 . 2015-10-03 14:11    --------    d-----w-    c:\program files (x86)\Common Files\ThinPrint
2015-10-03 14:10 . 2015-10-07 19:48    --------    d-----w-    c:\programdata\VMware
2015-10-03 14:10 . 2015-10-03 14:10    --------    d-----w-    c:\program files (x86)\VMware
2015-10-03 14:07 . 2015-10-03 14:10    --------    d-----w-    c:\program files (x86)\Common Files\VMware
2015-10-03 14:00 . 2015-10-03 14:00    --------    d-----w-    c:\windows\SysWow64\NV
2015-10-03 14:00 . 2015-10-03 14:00    --------    d-----w-    c:\windows\system32\NV
2015-10-03 14:00 . 2015-10-03 14:00    --------    d-----w-    c:\programdata\NVIDIA
2015-10-03 13:59 . 2015-09-13 22:09    937776    ----a-w-    c:\windows\system32\nvvsvc.exe
2015-10-03 13:59 . 2015-09-13 22:09    74872    ----a-w-    c:\windows\system32\nv3dappshextr.dll
2015-10-03 13:59 . 2015-09-13 22:09    62584    ----a-w-    c:\windows\system32\nvshext.dll
2015-10-03 13:59 . 2015-09-13 22:09    581752    ----a-w-    c:\windows\SysWow64\oemdspif.dll
2015-10-03 13:59 . 2015-09-13 22:09    385144    ----a-w-    c:\windows\system32\nvmctray.dll
2015-10-03 13:59 . 2015-09-13 22:09    2558584    ----a-w-    c:\windows\system32\nvsvcr.dll
2015-10-03 13:59 . 2015-09-13 22:09    1062192    ----a-w-    c:\windows\system32\nv3dappshext.dll
2015-10-03 13:59 . 2015-09-13 22:09    6884984    ----a-w-    c:\windows\system32\nvcpl.dll
2015-10-03 13:59 . 2015-09-13 22:09    3496056    ----a-w-    c:\windows\system32\nvsvc64.dll
2015-10-03 13:59 . 2015-09-11 12:17    5231082    ----a-w-    c:\windows\system32\nvcoproc.bin
2015-10-03 13:56 . 2015-10-03 13:59    --------    d-----w-    c:\program files\NVIDIA Corporation
2015-10-03 13:55 . 2015-10-03 13:55    --------    d-----w-    C:\NVIDIA
2015-10-03 13:54 . 2015-10-03 13:54    401    ----a-w-    c:\windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2015-10-03 13:50 . 2015-10-03 13:50    --------    d-----w-    c:\program files (x86)\Intel
2015-10-03 13:50 . 2015-08-04 18:48    86528    ----a-w-    c:\windows\SysWow64\OpenCL.DLL
2015-10-03 13:50 . 2015-08-04 18:48    82432    ----a-w-    c:\windows\system32\OpenCL.DLL
2015-10-03 13:50 . 2015-10-03 13:50    --------    d-----w-    c:\program files\Intel
2015-10-03 13:50 . 2015-10-03 13:50    --------    d-----w-    c:\program files (x86)\Common Files\Intel
2015-10-03 13:50 . 2015-10-03 13:54    --------    d-----w-    C:\Intel
2015-10-03 13:47 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2015-10-03 13:47 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2015-10-03 13:47 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2015-10-03 13:47 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2015-10-03 13:47 . 2015-10-03 13:47    --------    d-----w-    c:\program files\Synaptics
2015-10-03 13:45 . 2015-10-03 13:45    --------    d-----w-    c:\program files (x86)\Cisco
2015-10-03 13:45 . 2015-10-07 21:10    --------    d-sh--w-    c:\windows\Installer
2015-10-03 13:45 . 2013-08-02 13:59    2974424    ----a-w-    c:\windows\system32\drivers\rtwlane.sys
2015-10-03 13:45 . 2012-02-14 16:37    594432    ----a-w-    c:\windows\system32\Rtlihvs.dll
2015-10-03 13:44 . 2015-10-03 13:45    --------    d-----w-    c:\program files (x86)\REALTEK PCIE Wireless LAN Driver
2015-10-03 13:44 . 2013-07-04 08:14    446168    ----a-w-    c:\windows\SwUSB.exe
2015-10-03 13:44 . 2013-05-23 12:33    44104    ----a-w-    c:\windows\runSW.exe
2015-10-03 13:44 . 2010-12-01 06:31    451072    ----a-w-    c:\windows\SysWow64\ISSRemoveSP.exe
2015-10-03 13:43 . 2013-04-10 08:09    849992    ----a-w-    c:\windows\system32\drivers\Rt64win7.sys
2015-10-03 13:43 . 2013-04-10 08:09    73800    ----a-w-    c:\windows\system32\RtNicProp64.dll
2015-10-03 13:43 . 2013-04-10 08:09    108104    ----a-w-    c:\windows\system32\RTNUninst64.dll
2015-10-03 13:43 . 2015-10-03 13:43    --------    d-----w-    c:\program files (x86)\Realtek
2015-10-03 13:42 . 2015-10-03 13:44    --------    d--h--w-    c:\program files (x86)\InstallShield Installation Information
2015-10-03 13:40 . 2015-10-03 22:57    --------    d-----w-    c:\users\Geo
2015-10-03 13:40 . 2015-10-03 13:40    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-08-15 15:13 . 2015-08-15 15:13    393320    ----a-w-    c:\windows\system32\igfxTray.exe
2015-08-15 15:13 . 2015-08-15 15:13    313448    ----a-w-    c:\windows\system32\igfxEM.exe
2015-08-15 15:13 . 2015-08-15 15:13    248424    ----a-w-    c:\windows\system32\igfxHK.exe
2015-08-15 15:13 . 2015-08-15 15:13    218728    ----a-w-    c:\windows\system32\igfxext.exe
2015-08-15 15:13 . 2015-08-15 15:13    344168    ----a-w-    c:\windows\system32\igfxCUIService.exe
2015-08-15 15:13 . 2015-08-15 15:13    156264    ----a-w-    c:\windows\system32\difx64.exe
2015-08-15 15:13 . 2015-08-15 15:13    448104    ----a-w-    c:\windows\system32\GfxUIEx.exe
2015-08-15 15:13 . 2015-08-15 15:13    279144    ----a-w-    c:\windows\SysWow64\IntelCpHeciSvc.exe
2015-08-15 15:13 . 2015-08-15 15:13    1036904    ----a-w-    c:\windows\system32\Gfxv4_0.exe
2015-08-15 15:13 . 2015-08-15 15:13    1033832    ----a-w-    c:\windows\system32\Gfxv2_0.exe
2015-08-15 15:13 . 2015-08-15 15:13    339048    ----a-w-    c:\windows\system32\DPTopologyApp.exe
2015-08-15 15:13 . 2015-08-15 15:13    338536    ----a-w-    c:\windows\system32\DPTopologyAppv2_0.exe
2015-08-15 15:13 . 2015-08-15 15:13    183296    ----a-w-    c:\windows\system32\igfxCoIn_v4264.dll
2015-08-14 10:43 . 2015-08-14 10:43    49856    ----a-w-    c:\windows\system32\vnetinst.dll
2015-08-14 10:43 . 2015-08-14 10:43    81088    ----a-w-    c:\windows\system32\vmnetbridge.dll
2015-08-14 10:43 . 2015-08-14 10:43    48832    ----a-w-    c:\windows\system32\drivers\vmnetbridge.sys
2015-08-14 10:43 . 2015-08-14 10:43    28864    ----a-w-    c:\windows\system32\drivers\vmnetadapter.sys
2015-08-14 10:43 . 2015-08-14 10:43    27328    ----a-w-    c:\windows\system32\drivers\vmnet.sys
2015-08-07 11:12 . 2015-08-07 11:12    4918008    ----a-w-    c:\windows\system32\drivers\igdkmd64.sys
2015-08-04 19:06 . 2015-08-04 19:06    9426536    ----a-w-    c:\windows\system32\igd10iumd64.dll
2015-08-04 19:06 . 2015-08-04 19:06    8637056    ----a-w-    c:\windows\SysWow64\igd10iumd32.dll
2015-08-04 19:06 . 2015-08-04 19:06    6189288    ----a-w-    c:\windows\system32\igdusc64.dll
2015-08-04 19:06 . 2015-08-04 19:06    4876008    ----a-w-    c:\windows\SysWow64\igdusc32.dll
2015-08-04 19:06 . 2015-08-04 19:06    36616    ----a-w-    c:\windows\system32\igfxexps.dll
2015-08-04 19:06 . 2015-08-04 19:06    282696    ----a-w-    c:\windows\system32\igd10idpp64.dll
2015-08-04 19:06 . 2015-08-04 19:06    263120    ----a-w-    c:\windows\SysWow64\igd10idpp32.dll
2015-08-04 19:06 . 2015-08-04 19:06    24849272    ----a-w-    c:\windows\system32\igdumdim64.dll
2015-08-04 19:06 . 2015-08-04 19:06    24049992    ----a-w-    c:\windows\SysWow64\igdumdim32.dll
2015-08-04 19:06 . 2015-08-04 19:06    220432    ----a-w-    c:\windows\system32\iglhcp64.dll
2015-08-04 19:06 . 2015-08-04 19:06    213192    ----a-w-    c:\windows\system32\igfxcmrt64.dll
2015-08-04 19:06 . 2015-08-04 19:06    184352    ----a-w-    c:\windows\SysWow64\iglhcp32.dll
2015-08-04 19:06 . 2015-08-04 19:06    178672    ----a-w-    c:\windows\SysWow64\igfxcmrt32.dll
2015-08-04 19:06 . 2015-08-04 19:06    17807680    ----a-w-    c:\windows\system32\igd11dxva64.dll
2015-08-04 19:06 . 2015-08-04 19:06    17331296    ----a-w-    c:\windows\SysWow64\igd11dxva32.dll
2015-08-04 19:06 . 2015-08-04 19:06    1402336    ----a-w-    c:\windows\system32\iglhsip64.dll
2015-08-04 19:06 . 2015-08-04 19:06    1399240    ----a-w-    c:\windows\SysWow64\iglhsip32.dll
2015-08-04 19:06 . 2015-08-04 19:06    1277736    ----a-w-    c:\windows\system32\igdmd64.dll
2015-08-04 19:06 . 2015-08-04 19:06    1020176    ----a-w-    c:\windows\SysWow64\igdmd32.dll
2015-08-04 19:03 . 2015-08-04 19:03    9551872    ----a-w-    c:\windows\system32\ig75icd64.dll
2015-08-04 19:03 . 2015-08-04 19:03    192000    ----a-w-    c:\windows\system32\igdde64.dll
2015-08-04 19:03 . 2015-08-04 19:03    169984    ----a-w-    c:\windows\system32\igdail64.dll
2015-08-04 19:03 . 2015-08-04 19:03    86528    ----a-w-    c:\windows\system32\igfxCUIServicePS.dll
2015-08-04 19:03 . 2015-08-04 19:03    73728    ----a-w-    c:\windows\system32\igfxDHLibv2_0.dll
2015-08-04 19:03 . 2015-08-04 19:03    698880    ----a-w-    c:\windows\system32\igfxDH.dll
2015-08-04 19:03 . 2015-08-04 19:03    624128    ----a-w-    c:\windows\system32\MetroIntelGenericUIFramework.dll
2015-08-04 19:03 . 2015-08-04 19:03    60928    ----a-w-    c:\windows\system32\igfxDHLib.dll
2015-08-04 19:03 . 2015-08-04 19:03    5120    ----a-w-    c:\windows\system32\igfxLHMLibv2_0.dll
2015-08-04 19:03 . 2015-08-04 19:03    5120    ----a-w-    c:\windows\system32\igfxLHMLib.dll
2015-08-04 19:03 . 2015-08-04 19:03    385024    ----a-w-    c:\windows\system32\igfxOSP.dll
2015-08-04 19:03 . 2015-08-04 19:03    286208    ----a-w-    c:\windows\system32\igfxDI.dll
2015-08-04 19:03 . 2015-08-04 19:03    256000    ----a-w-    c:\windows\system32\igfxCPL.cpl
2015-08-04 19:03 . 2015-08-04 19:03    231424    ----a-w-    c:\windows\system32\igfxDTCM.dll
2015-08-04 19:03 . 2015-08-04 19:03    2039808    ----a-w-    c:\windows\system32\igfxLHM.dll
2015-08-04 19:03 . 2015-08-04 19:03    1131008    ----a-w-    c:\windows\system32\GfxResources.dll
2015-08-04 19:03 . 2015-08-04 19:03    11264    ----a-w-    c:\windows\system32\igfxDILib.dll
2015-08-04 19:03 . 2015-08-04 19:03    10752    ----a-w-    c:\windows\system32\igfxDILibv2_0.dll
2015-08-04 19:03 . 2015-08-04 19:03    10240    ----a-w-    c:\windows\system32\igfxEMLibv2_0.dll
2015-08-04 19:03 . 2015-08-04 19:03    10240    ----a-w-    c:\windows\system32\igfxEMLib.dll
2015-08-04 19:00 . 2015-08-04 19:00    7519744    ----a-w-    c:\windows\SysWow64\ig75icd32.dll
2015-08-04 19:00 . 2015-08-04 19:00    153088    ----a-w-    c:\windows\SysWow64\igdde32.dll
2015-08-04 19:00 . 2015-08-04 19:00    152064    ----a-w-    c:\windows\SysWow64\igdail32.dll
2015-08-04 19:00 . 2015-08-04 19:00    35328    ----a-w-    c:\windows\SysWow64\igfxexps32.dll
2015-08-04 18:56 . 2015-08-04 18:56    374272    ----a-w-    c:\windows\SysWow64\igdbcl32.dll
2015-08-04 18:56 . 2015-08-04 18:56    3325440    ----a-w-    c:\windows\SysWow64\igdrcl32.dll
2015-08-04 18:56 . 2015-08-04 18:56    304128    ----a-w-    c:\windows\SysWow64\IntelOpenCL32.dll
2015-08-04 18:56 . 2015-08-04 18:56    10851840    ----a-w-    c:\windows\SysWow64\igdfcl32.dll
2015-08-04 18:55 . 2015-08-04 18:55    425472    ----a-w-    c:\windows\system32\igdbcl64.dll
2015-08-04 18:55 . 2015-08-04 18:55    372224    ----a-w-    c:\windows\system32\IntelOpenCL64.dll
2015-08-04 18:55 . 2015-08-04 18:55    3590656    ----a-w-    c:\windows\system32\igdrcl64.dll
2015-08-04 18:55 . 2015-08-04 18:55    15981056    ----a-w-    c:\windows\system32\igdfcl64.dll
2015-08-04 18:55 . 2015-08-04 18:55    6725162    ----a-w-    c:\windows\system32\igdclbif.bin
2015-08-04 18:48 . 2015-08-04 18:48    86528    ----a-w-    c:\windows\SysWow64\Intel_OpenCL_ICD32.dll
2015-08-04 18:48 . 2015-08-04 18:48    82432    ----a-w-    c:\windows\system32\Intel_OpenCL_ICD64.dll
2015-08-04 18:48 . 2015-08-04 18:48    94208    ----a-w-    c:\windows\system32\IccLibDll_x64.dll
2015-08-04 18:48 . 2015-08-04 18:48    214016    ----a-w-    c:\windows\system32\igfx11cmrt64.dll
2015-08-04 18:48 . 2015-08-04 18:48    179200    ----a-w-    c:\windows\SysWow64\igfx11cmrt32.dll
2015-08-04 18:48 . 2015-08-04 18:48    1370624    ----a-w-    c:\windows\system32\igfxcmjit64.dll
2015-08-04 18:48 . 2015-08-04 18:48    1064448    ----a-w-    c:\windows\SysWow64\igfxcmjit32.dll
2015-08-03 22:10 . 2015-08-03 22:10    90816    ----a-w-    c:\windows\system32\drivers\vmci.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [x]
R4 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files (x86)\Mobile Partner\UpdateDog\ouc.exe;c:\program files (x86)\Mobile Partner\UpdateDog\ouc.exe [x]
R4 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
R4 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
S2 igfxCUIService1.0.0.0;Intel® HD Graphics Control Panel Service;c:\windows\system32\igfxCUIService.exe;c:\windows\SYSNATIVE\igfxCUIService.exe [x]
S2 vstor2-mntapi20-shared;Vstor2 MntApi 2.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi20-shared.sys;SysWOW64\drivers\vstor2-mntapi20-shared.sys [x]
S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys;c:\windows\SYSNATIVE\DRIVERS\ew_usbenumfilter.sys [x]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbnet.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-03 14:19    997704    ----a-w-    c:\program files (x86)\Google\Chrome\Application\45.0.2454.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-10-03 15:15]
.
2015-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-10-03 14:19]
.
2015-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-10-03 14:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: %windir%\system32\vsocklib.dll
TCP: DhcpNameServer = 62.217.213.70 93.122.135.199
TCP: Interfaces\{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8}: NameServer = 62.217.213.70,93.122.135.199
FF - ProfilePath - c:\users\Geo\AppData\Roaming\Mozilla\Firefox\Profiles\918jmg2c.default\
FF - prefs.js: browser.startup.homepage - www.google.ro
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-10-08  08:44:37
ComboFix-quarantined-files.txt  2015-10-08 05:44
.
Pre-Run: 83,859,968,000 bytes free
Post-Run: 83,738,918,912 bytes free
.
- - End Of File - - 99C62FB917718B4AF1E69D353FCADAA5
A36C5E4F47E84449FF07ED3517B43A31

RogueKiller log

RogueKiller V10.10.9.0 [Oct  5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Geo [Administrator]
Started from : C:\Users\Geo\Downloads\RogueKiller(1).exe
Mode : Scan -- Date : 10/08/2015 09:00:33

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 15 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BridgeMP (system32\DRIVERS\bridge.sys) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\ComboFix\catchme.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8} | DhcpNameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8} | DhcpNameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8} | NameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F7A32E57-2F7F-4F58-BEDA-E32292F2E3A8} | DhcpNameServer : 62.217.213.70 93.122.135.199 ([ROMANIA (RO)][ROMANIA (RO)])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-182115211-4121069281-1506031015-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-182115211-4121069281-1506031015-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-182115211-4121069281-1506031015-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-182115211-4121069281-1506031015-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LM000-SSHD-8GB ATA Device +++++
--- User ---
[MBR] 2c6fe5191100307140a9cf2dc0cb1172
[BSP] d988cc2f3c4585d1be62a061326ffa67 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 102400 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 209922048 | Size: 186368 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 591603712 | Size: 188070 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HUAWEI TF CARD Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Certificates.txt

Issued To    Issued By    Expiration Date    Intended Purposes    Friendly Name    Status    Certificate Template
AddTrust External CA Root    AddTrust External CA Root    5/30/2020    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping, Encrypting File System, IP security tunnel termination, IP security user    USERTrust            
Baltimore CyberTrust Root    Baltimore CyberTrust Root    5/13/2025    Server Authentication, Secure Email, Client Authentication, Code Signing    Baltimore CyberTrust Root            
Class 3 Public Primary Certification Authority    Class 3 Public Primary Certification Authority    8/2/2028    Secure Email, Client Authentication, Code Signing, Server Authentication    VeriSign Class 3 Public Primary CA            
Copyright © 1997 Microsoft Corp.    Copyright © 1997 Microsoft Corp.    12/31/1999    Time Stamping    Microsoft Timestamp Root            
DigiCert Assured ID Root CA    DigiCert Assured ID Root CA    11/10/2031    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping    DigiCert            
DigiCert Global Root CA    DigiCert Global Root CA    11/10/2031    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping    DigiCert            
DigiCert High Assurance EV Root CA    DigiCert High Assurance EV Root CA    11/10/2031    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping    DigiCert            
Equifax Secure Certificate Authority    Equifax Secure Certificate Authority    8/22/2018    Secure Email, Server Authentication, Code Signing    GeoTrust            
GeoTrust Global CA    GeoTrust Global CA    5/21/2022    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping    GeoTrust Global CA            
GlobalSign Root CA    GlobalSign Root CA    1/28/2028    Server Authentication, Client Authentication, Code Signing, Secure Email, Time Stamping, OCSP Signing, Encrypting File System, IP security tunnel termination, IP security user, IP security IKE intermediate    GlobalSign            
Go Daddy Class 2 Certification Authority    Go Daddy Class 2 Certification Authority    6/29/2034    Server Authentication, Client Authentication, Secure Email, Code Signing    Go Daddy Class 2 Certification Authority            
GTE CyberTrust Global Root    GTE CyberTrust Global Root    8/14/2018    Secure Email, Client Authentication, Server Authentication, Code Signing    GTE CyberTrust Global Root            
Microsoft Authenticode™ Root Authority    Microsoft Authenticode™ Root Authority    1/1/2000    Secure Email, Code Signing    Microsoft Authenticode™ Root            
Microsoft Root Authority    Microsoft Root Authority    12/31/2020    <All>    Microsoft Root Authority            
Microsoft Root Certificate Authority    Microsoft Root Certificate Authority    5/10/2021    <All>    Microsoft Root Certificate Authority            
NO LIABILITY ACCEPTED, ©97 VeriSign, Inc.    NO LIABILITY ACCEPTED, ©97 VeriSign, Inc.    1/8/2004    Time Stamping    VeriSign Time Stamping CA            
QuoVadis Root Certification Authority    QuoVadis Root Certification Authority    3/17/2021    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping    QuoVadis Root Certification Authority            
Starfield Services Root Certificate Authority    Starfield Services Root Certificate Authority    1/1/2030    Server Authentication, Client Authentication, Code Signing, Secure Email, Time Stamping, OCSP Signing, Encrypting File System, IP security tunnel termination, IP security user, IP security IKE intermediate    Starfield Technologies Inc.            
StartCom Certification Authority    StartCom Certification Authority    9/17/2036    Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping, Encrypting File System, IP security tunnel termination, IP security user    StartCom Certification Authority            
Thawte Premium Server CA    Thawte Premium Server CA    1/1/2021    Server Authentication, Code Signing    thawte            
thawte Primary Root CA    thawte Primary Root CA    7/17/2036    Server Authentication, Client Authentication, Secure Email, Code Signing    thawte            
Thawte Timestamping CA    Thawte Timestamping CA    1/1/2021    Time Stamping    Thawte Timestamping CA            
UTN-USERFirst-Object    UTN-USERFirst-Object    7/9/2019    Encrypting File System, Time Stamping, Code Signing    USERTrust            
VeriSign Class 3 Public Primary Certification Authority - G5    VeriSign Class 3 Public Primary Certification Authority - G5    7/17/2036    Server Authentication, Client Authentication, Secure Email, Code Signing    VeriSign            

#10 Oh My!

  • Malware Response Instructor

Posted 08 October 2015 - 02:18 PM

Thanks, please do this.

===================================================

SystemLook by jpshortstuff

--------------------

  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
*Unlocker*
*DNS*
:regfind
*Unlocker*
*DNS*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply or, if necessary zip and attach the file.

===================================================

Farbar's MiniRegTool

--------------------

  • Please download MiniRegTool.zip (for 32 bit systems) or MiniRegTool64.zip (for 64 bit systems) and save it to your desktop
  • Unzip the folder and double click the icon
  • Copy and paste the following into the white box:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions

  • Check the Export keys radio button.
  • Press the Go button and post the result.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

  • SystemLook report
  • MiniRegTool report

Edited by Oh My!, 08 October 2015 - 03:23 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
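The file search, registry search and key export that Oh My! asks for in post #10, re-implemented as an added PowerShell example (not the thread's own content, and not SystemLook or MiniRegTool code). It assumes PowerShell 4.0 or later run as Administrator; the drive list is an assumption taken from the drives named in post #1.

```powershell
# Added example, not from the thread and not SystemLook/MiniRegTool code.
# Assumptions: Windows with PowerShell 4.0 or later (for Get-FileHash), run as
# Administrator; $Roots is an assumed list built from the drives named in post #1.

$Patterns     = @('*Unlocker*', '*DNS*')               # the :filefind patterns from post #10
$Terms        = @('Unlocker', 'DNS')                   # the :regfind substrings, without wildcards
$Roots        = @('C:\', 'D:\', 'E:\')                 # assumption: drives mentioned in post #1
$KeysToExport = @(                                     # the three keys from the MiniRegTool step
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'
)

# Equivalent of SystemLook's :filefind: every file whose name matches a pattern,
# with size, last-write time and MD5 so hits can be compared against known-good files.
function Find-MatchingFiles {
    param([string[]]$Roots, [string[]]$Patterns)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($pattern in $Patterns) {
            Get-ChildItem -Path $root -Recurse -File -Force -Include $pattern -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Pattern  = $pattern
                        Path     = $_.FullName
                        Bytes    = $_.Length
                        Modified = $_.LastWriteTime
                        MD5      = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                    }
                }
        }
    }
}

# Equivalent of SystemLook's :regfind: key names, value names and string data that
# contain a term. Expect legitimate Windows DNS-client entries; triage, do not delete.
function Find-RegistryMatches {
    param([string[]]$Terms, [string[]]$Hives = @('HKLM:\', 'HKCU:\'))
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($term in $Terms) {
                if ($key.PSChildName -like "*$term*") {
                    [pscustomobject]@{ Term = $term; Key = $key.Name; ValueName = ''; Data = '' }
                }
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    if ($name -like "*$term*" -or $data -like "*$term*") {
                        [pscustomobject]@{ Term = $term; Key = $key.Name; ValueName = $name; Data = $data }
                    }
                }
            }
        }
    }
}

# Equivalent of the MiniRegTool "Export keys" step: reg.exe export of each key, plus a
# note when the key is absent or present but empty (post #13 reports both cases).
function Export-RequestedKeys {
    param([string[]]$Keys, [string]$OutDir = "$env:USERPROFILE\Desktop")
    foreach ($k in $Keys) {
        $native = $k -replace '^HKCU:\\', 'HKEY_CURRENT_USER\' -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
        if (-not (Test-Path -Path $k)) { "$native : key does not exist"; continue }
        $item = Get-Item -Path $k
        $out  = Join-Path $OutDir (($native -replace '[\\ ]', '_') + '.reg')
        & reg.exe export $native $out /y | Out-Null
        "$native : $($item.ValueCount) value(s), $($item.SubKeyCount) subkey(s), exported to $out"
    }
}

Find-MatchingFiles -Roots $Roots -Patterns $Patterns | Format-Table -AutoSize
Find-RegistryMatches -Terms $Terms                   | Format-Table -AutoSize
Export-RequestedKeys -Keys $KeysToExport
```

Walking whole drives and hives takes a while, and the DNS term will match Windows' own DNS client files and keys, so the hits are leads to compare against known-good files rather than findings in themselves.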

#11 helpmepls123

  • Topic Starter

Posted 08 October 2015 - 03:05 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 23:03 on 08/10/2015 by Geo
Administrator - Elevation successful

========== filefind ==========

Searching for "*Unlocker*"
No files found.

Searching for "*DNS*"

========== regfind ==========

Searching for "*Unlocker*"
No data found.

Searching for "*DNS*"
No data found.

-= EOF =-

Farbar's MiniRegTool

Windows Registry Editor Version 5.00
 

*empty*

Should it have outputted something?



#12 Oh My!


Posted 08 October 2015 - 03:23 PM

Yes it should. The quotation marks may be the problem. I modified the post so please try the new version.



#13 helpmepls123


Posted 08 October 2015 - 03:41 PM

Now it outputs this

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions]


*empty* :huh:

Uploaded a pic, maybe I'm missing something http://i.imgur.com/deZMQpf.jpg

 

I manually navigated to these keys, and "Uninstall" and hklu "Restrictions" don't exist. hklm "Restrictions" is empty (no values). So I think it outputs correctly?



#14 Oh My!


Posted 08 October 2015 - 03:58 PM

Thank you for the extra effort. It does appear the output is correct.

 

I will be away from my computer for a bit and I know it is late for you. You might be logging off before I have a chance to respond.



#15 Oh My!


Posted 08 October 2015 - 08:22 PM

Thanks. We are going to temporarily modify Chrome but it will be reversible.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Reboot your computer
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
cmd: rename %USERPROFILE%\AppData\Local\Google\Chrome Chrome.old
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Launch Chrome and you will be presented with the initial Getting Started page
  • Test Chrome to see if you receive Malwarebytes warnings
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?
