Register a free account to unlock additional features at BleepingComputer.com

I suspect my computer got the COM Surrogate


  • This topic is locked
30 replies to this topic

#1 LemonTea

  • Members
  • 17 posts
  • Gender:Male
  • Location:Gothenburg, Sweden

Posted 15 October 2015 - 11:30 AM

Hi guys!

I think my bleeping computer has been infected with COM Surrogate/Poweliks.

Anyway… I first noted it when the McAfee firewall wanted me to approve COM Surrogate's access to the internet. COM Surrogate has never required this access before, so I googled it and got to learn what it could be.

I denied the request and blocked its access to the internet.

I checked my Task Manager to see if I had any COM Surrogate started, and I had two; they were not really allocating any resources. The funny thing was that after a while the two instances disappeared. If I closed the Task Manager and opened it again, they showed up again, only to disappear again after some 3 to 4 seconds.

I then noticed that my monitor was on all the time when not in use; it never went to sleep mode and went black. I didn't think so much about that at the time.

At the end of the day I turned off my computer.

The day after, I turned it on again, and before getting to the page where I enter my password (or PIN in my case), while the screen was still black but with the blue Windows logo, there was a text saying "Scanning and repairing C:" and the Windows dots going around in a circle. There was also a percentage that went from 0 to 100.


After that it seemed to be normal.

When opening File Explorer I now notice that some folders can't be accessed on my C: drive, like Documents and Settings; in the Program Files folder, the Shared Files folder; in the Users folder, All Users and Default User; and in the Documents folder, My Music, My Pictures and My Video Clips, and maybe more.


This is what I have found out so far.

I humbly request your assistance in sorting out whether my computer is infected and how this can be fixed.

Thank you in advance, and I hope to hear from you.

Cheers,

LemonTea

FRST.txt

=======


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:14-10-2015 01
Ran by Arvid (administrator) on JEEZ (15-10-2015 17:26:10)
Running from C:\Users\Arvid\Desktop\FRST
Loaded Profiles: Arvid (Available Profiles: Arvid)
Platform: Windows 8.1 (X64) Language: Swedish (Sweden)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
() C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Juniper Networks, Inc.) C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Malwarebytes) E:\Programs\Malwarebytes Anti-Malware\mbamscheduler.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
() C:\ProgramData\MobileBrServ\mbbService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
() C:\Windows\System32\PnkBstrA.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.6.1008.0\McCSPServiceHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Pixart Imaging Inc) C:\Windows\System32\TiltWheelMouse.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
() C:\Program Files (x86)\NVIDIA Corporation\LED Visualizer\NvLedServiceHost.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Logitech Inc.) E:\Logitech\LWS\Webcam Software\LWS.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
() E:\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.Reader_6.3.9654.17044_x64__8wekyb3d8bbwe\glcnd.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe
(Malwarebytes) E:\Programs\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20573_x64__8wekyb3d8bbwe\livecomm.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2634872 2015-08-27] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7575768 2014-05-14] (Realtek Semiconductor)
HKLM\...\Run: [MouseDriver] => C:\Windows\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM-x32\...\Run: [LWS] => E:\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKLM-x32\...\RunOnce: [InstallShieldSetup] => C:\Program Files (x86)\InstallShield Installation Information\{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}\setup.exe [715136 2015-09-23] (Sony)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\Run: [NvLedServiceHost] => C:\Program Files (x86)\NVIDIA Corporation\LED Visualizer\NvLedServiceHost.exe [87160 2015-08-27] ()
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\Run: [Sony PC Companion] => C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe [457088 2015-09-23] (Sony)
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {3e383715-516d-11e4-825e-7824af335af4} - "G:\Startme.exe"
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {4c28eb52-2edb-11e5-82ca-00190e16e66f} - "G:\AutoRun.exe"
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {78b27b25-6bd1-11e4-8268-7824af335af4} - "G:\startme.exe"
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {b2105178-03cd-11e5-82b6-00190e16e66f} - "G:\Startme.exe"
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-07-29] (Google)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Arvid\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-05-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-09-12] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-09-12] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-09-12] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2015-04-18]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{3C1CF401-BBA9-4110-8C89-8CC045B05BE1}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{57D24E3D-1280-40CC-A95C-5CCC5B07D8DF}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://se.yahoo.com/?fr=hp-avast&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://t.se.msn.com/?rd=1&ucc=SE&dcc=SE&opt=0
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.se/?gws_rd=ssl
SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-08-04] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-09-11] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2015-08-04] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-10-14] (Oracle Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-09-12] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-10-14] (Oracle Corporation)
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://gateway5.logica.com/dana-cached/sc/JuniperSetupClient.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-09-22] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-09-22] (McAfee, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-09-22] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-09-22] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2015-08-21] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2015-08-21] (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Arvid\AppData\Roaming\Mozilla\Firefox\Profiles\5inwjo70.default-1429550989535
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll [2014-09-01] (EA Digital Illusions CE AB)
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2015-08-21] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll [2014-09-01] (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-10-14] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-10-14] (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2015-08-21] ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-05-20] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-10-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-07] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-07] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-23] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-23] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: McAfee WebAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2015-10-13]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: No Name - C:\Users\Arvid\AppData\Roaming\Mozilla\Firefox\Profiles\5inwjo70.default-1429550989535\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}.xpi [not found]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P"
CHR Profile: C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Cast) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2015-04-21]
CHR Extension: (Adblock Plus) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-04-21]
CHR Extension: (Videostream for Google Chromecast™) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnciopoikihiagdjbjpnocolokfelagl [2015-04-21]
CHR Extension: (SiteAdvisor) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2015-04-25]
CHR Extension: (Hola Bättre Internet) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-04-20]
CHR Extension: (Ghostery) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2015-04-21]
CHR Extension: (LocalChromecast Player) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmladpigjlinmngadjgfogblnmddndcp [2015-04-21]
CHR Extension: (Betalning via Chrome Web Store) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-20]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-10-13]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-10-13]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-07-04] ()
S2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2251992 2015-04-18] (Broadcom Corporation.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2774104 2015-09-11] (Microsoft Corporation)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1155192 2015-08-27] (NVIDIA Corporation)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-10-12] (SurfRight B.V.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 HPSLPSVC; C:\Users\Arvid\AppData\Local\Temp\7zS29B5\hpslpsvc64.dll [1039360 2013-07-19] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89352 2014-09-15] (Hewlett-Packard Company)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [345864 2015-03-19] (Intel Corporation)
R2 MBAMScheduler; E:\Programs\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; E:\Programs\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [157928 2015-09-22] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [782608 2015-08-21] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.6.1008.0\McCSPServiceHost.exe [1694152 2015-07-23] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [639456 2015-07-17] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368048 2015-07-21] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-06-29] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [373704 2015-07-06] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [254792 2015-06-29] (McAfee, Inc.)
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [242256 2014-08-20] ()
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-08-27] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [5544568 2015-08-27] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1900400 2014-11-05] (Electronic Arts)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2014-11-15] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-11-01] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2013-07-04] ()
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2015-04-18] (Broadcom Corporation.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [77536 2015-07-02] (McAfee, Inc.)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
R3 e1dexpress; C:\Windows\system32\DRIVERS\e1d64x64.sys [457496 2014-03-14] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207208 2015-05-19] (McAfee, Inc.)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-03-14] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-10-15] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [412440 2015-07-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [347800 2015-07-02] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80920 2015-07-02] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [496888 2015-07-02] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [875928 2015-07-02] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [529080 2015-06-28] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109728 2015-06-28] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [37960 2015-09-22] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344704 2015-07-02] (McAfee, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-08-27] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [50472 2015-08-11] (NVIDIA Corporation)
R3 t_mouse.sys; C:\Windows\system32\DRIVERS\t_mouse.sys [6144 2013-04-09] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-15 17:25 - 2015-10-15 17:26 - 00000000 ____D C:\FRST
2015-10-15 17:23 - 2015-10-15 17:26 - 00000000 ____D C:\Users\Arvid\Desktop\FRST
2015-10-14 08:10 - 2015-09-29 14:31 - 07457624 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-14 08:10 - 2015-09-29 14:31 - 01658536 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-10-14 08:10 - 2015-09-29 14:31 - 01519592 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-10-14 08:10 - 2015-09-29 14:31 - 01487008 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-10-14 08:10 - 2015-09-29 14:31 - 01355848 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-10-14 08:10 - 2015-09-29 14:29 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-14 08:10 - 2015-09-28 20:45 - 03705344 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-14 08:10 - 2015-09-28 20:26 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-10-14 08:10 - 2015-09-28 20:25 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-14 08:10 - 2015-09-28 20:25 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-14 08:10 - 2015-09-28 20:25 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-14 08:10 - 2015-09-28 20:22 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-10-14 08:10 - 2015-09-28 20:22 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-10-14 08:10 - 2015-09-28 20:22 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-10-14 08:10 - 2015-09-28 20:15 - 02243072 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-14 08:10 - 2015-09-28 20:13 - 00891904 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-14 08:10 - 2015-09-28 20:12 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-10-14 08:10 - 2015-09-24 18:42 - 00348672 _____ (Microsoft Corporation) C:\Windows\system32\bdesvc.dll
2015-10-14 08:10 - 2015-09-24 18:40 - 00737280 _____ (Microsoft Corporation) C:\Windows\system32\fveapi.dll
2015-10-14 08:10 - 2015-09-10 20:02 - 25851392 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-14 08:10 - 2015-09-10 19:19 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-14 08:10 - 2015-09-10 19:18 - 02886656 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-14 08:10 - 2015-09-10 19:18 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-14 08:10 - 2015-09-10 19:14 - 05990400 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-14 08:10 - 2015-09-10 19:09 - 20358144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-10-14 08:10 - 2015-09-10 19:06 - 00616960 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-14 08:10 - 2015-09-10 19:04 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-14 08:10 - 2015-09-10 18:51 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-14 08:10 - 2015-09-10 18:39 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-10-14 08:10 - 2015-09-10 18:37 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-14 08:10 - 2015-09-10 18:37 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-10-14 08:10 - 2015-09-10 18:35 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-14 08:10 - 2015-09-10 18:33 - 02279936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-10-14 08:10 - 2015-09-10 18:28 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-10-14 08:10 - 2015-09-10 18:28 - 00480256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-10-14 08:10 - 2015-09-10 18:27 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-10-14 08:10 - 2015-09-10 18:24 - 14456832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-14 08:10 - 2015-09-10 18:21 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-14 08:10 - 2015-09-10 18:19 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-14 08:10 - 2015-09-10 18:19 - 00720896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-14 08:10 - 2015-09-10 18:19 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-14 08:10 - 2015-09-10 18:17 - 02126336 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-14 08:10 - 2015-09-10 18:17 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-10-14 08:10 - 2015-09-10 18:07 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-10-14 08:10 - 2015-09-10 18:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-10-14 08:10 - 2015-09-10 18:02 - 04527616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-10-14 08:10 - 2015-09-10 18:01 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-10-14 08:10 - 2015-09-10 18:00 - 12853760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-10-14 08:10 - 2015-09-10 17:57 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-14 08:10 - 2015-09-10 17:57 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-10-14 08:10 - 2015-09-10 17:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-10-14 08:10 - 2015-09-10 17:55 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-10-14 08:10 - 2015-09-10 17:55 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-10-14 08:10 - 2015-09-10 17:45 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-14 08:10 - 2015-09-10 17:34 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-14 08:10 - 2015-09-10 17:31 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-10-14 08:10 - 2015-09-10 17:27 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-10-14 08:10 - 2015-09-10 17:26 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-10-14 08:10 - 2015-08-27 04:43 - 22372152 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-14 08:10 - 2015-08-27 04:42 - 19795904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00901264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00066400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00022368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00019808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00016224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00015712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00013664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:42 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00984448 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00063840 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00020832 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-10-14 08:10 - 2015-08-22 15:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-10-14 08:10 - 2015-08-07 23:40 - 01736520 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-14 08:10 - 2015-08-07 23:40 - 01499920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-10-14 08:10 - 2015-08-07 23:40 - 01134752 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-10-14 08:10 - 2015-08-07 23:40 - 00686960 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-10-14 08:10 - 2015-08-07 23:40 - 00507176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2015-10-14 08:10 - 2015-08-07 16:13 - 00862720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-10-14 08:10 - 2015-08-06 19:05 - 00669184 _____ (Microsoft Corporation) C:\Windows\system32\hhctrl.ocx
2015-10-14 08:10 - 2015-08-06 18:47 - 04710400 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-10-14 08:10 - 2015-08-06 18:37 - 00536576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hhctrl.ocx
2015-10-14 08:10 - 2015-08-06 18:18 - 04068352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2015-10-14 08:10 - 2015-07-16 20:58 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\NcdAutoSetup.dll
2015-10-14 08:07 - 2015-10-14 08:07 - 00000000 ____D C:\Users\Arvid\AppData\Roaming\Sun
2015-10-14 08:07 - 2015-10-14 08:07 - 00000000 ____D C:\Users\Arvid\.oracle_jre_usage
2015-10-14 08:06 - 2015-10-14 08:06 - 00000000 ____D C:\Users\Arvid\AppData\LocalLow\Oracle
2015-09-17 21:01 - 2015-10-14 08:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-09-16 16:40 - 2015-09-03 04:18 - 02531400 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-09-16 16:40 - 2015-09-03 04:17 - 01903848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2015-09-16 16:40 - 2015-09-02 20:48 - 02345472 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-09-16 16:40 - 2015-09-02 19:09 - 01556992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-09-16 16:40 - 2015-09-02 04:56 - 04175872 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-09-16 16:40 - 2015-09-02 04:55 - 00358912 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-09-16 16:40 - 2015-09-02 04:50 - 00044032 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-09-16 16:40 - 2015-09-02 04:17 - 00301568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-09-16 16:40 - 2015-09-02 04:13 - 00035840 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-09-16 16:40 - 2015-08-03 23:15 - 00074928 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-09-16 16:40 - 2015-08-03 23:15 - 00065600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-09-16 16:40 - 2015-08-01 16:22 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-09-16 16:40 - 2015-08-01 05:47 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\schtasks.exe
2015-09-16 16:40 - 2015-08-01 05:45 - 00182784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schtasks.exe
2015-09-16 16:40 - 2015-08-01 05:38 - 01265152 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-09-16 16:40 - 2015-08-01 05:37 - 00468992 _____ (Microsoft Corporation) C:\Windows\system32\taskeng.exe
2015-09-16 16:40 - 2015-08-01 05:37 - 00359936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\taskeng.exe
2015-09-16 16:40 - 2015-07-30 19:18 - 00268288 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-09-16 16:40 - 2015-07-30 18:22 - 00230912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-09-16 16:40 - 2015-07-22 16:34 - 02775552 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-09-16 16:40 - 2015-07-22 16:33 - 01728000 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Immersive.dll
2015-09-16 16:40 - 2015-07-22 16:25 - 02461184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-09-16 16:40 - 2015-07-22 16:25 - 01546752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Immersive.dll
2015-09-16 16:40 - 2015-07-22 16:19 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-09-16 16:40 - 2015-07-22 15:52 - 01633792 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-09-16 16:40 - 2015-07-18 20:31 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\shacct.dll
2015-09-16 16:40 - 2015-07-18 20:29 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\SettingSync.dll
2015-09-16 16:40 - 2015-07-18 20:29 - 00148480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shacct.dll
2015-09-16 16:40 - 2015-07-18 20:27 - 00520192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSync.dll
2015-09-16 16:40 - 2015-07-17 16:15 - 00951296 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-09-16 16:40 - 2015-07-17 16:10 - 00749568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-09-16 16:40 - 2015-07-14 05:27 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\tzsync.exe
2015-09-16 16:40 - 2015-07-13 21:10 - 00411455 _____ C:\Windows\system32\ApnDatabase.xml
2015-09-16 16:40 - 2015-07-10 21:06 - 00118272 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\bthpan.sys
2015-09-16 16:40 - 2015-07-09 18:14 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-09-16 16:40 - 2015-07-03 23:51 - 01380056 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-09-16 16:40 - 2015-07-03 16:00 - 01097216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-09-16 16:40 - 2015-06-27 13:47 - 00118616 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-09-16 16:40 - 2015-06-19 19:07 - 02819072 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-15 17:00 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\sru
2015-10-15 16:58 - 2014-04-10 15:48 - 00732608 _____ C:\Windows\system32\perfh01D.dat
2015-10-15 16:58 - 2014-04-10 15:48 - 00151960 _____ C:\Windows\system32\perfc01D.dat
2015-10-15 16:58 - 2014-03-18 12:03 - 01740478 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-15 16:50 - 2014-12-08 16:18 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-15 16:50 - 2014-09-20 18:39 - 00000906 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-15 16:48 - 2014-09-17 10:29 - 01081421 _____ C:\Windows\WindowsUpdate.log
2015-10-15 16:40 - 2013-08-22 16:46 - 00103446 _____ C:\Windows\setupact.log
2015-10-15 16:28 - 2014-10-11 09:45 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cfe5275f19cb39.job
2015-10-15 16:19 - 2014-09-20 18:06 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3077866842-893399285-3411573189-1001
2015-10-15 16:15 - 2015-05-27 10:48 - 00002049 _____ C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
2015-10-15 16:15 - 2015-05-27 10:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sony
2015-10-15 16:15 - 2015-04-18 15:32 - 00159356 _____ C:\Windows\DPINST.LOG
2015-10-15 16:15 - 2014-09-17 13:21 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-10-15 16:14 - 2014-11-15 18:50 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d000f43ecd375d.job
2015-10-15 16:14 - 2014-09-20 22:27 - 00000000 __RDO C:\Users\Arvid\OneDrive
2015-10-15 16:14 - 2014-09-20 18:39 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-15 16:12 - 2014-09-17 12:52 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-15 16:12 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-14 09:17 - 2015-04-06 10:19 - 00000000 ___SD C:\Windows\system32\GWX
2015-10-14 08:51 - 2014-09-27 21:40 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-10-14 08:50 - 2014-09-20 18:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-14 08:50 - 2014-03-18 11:54 - 00054726 _____ C:\Windows\PFRO.log
2015-10-14 08:50 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-10-14 08:49 - 2013-08-22 17:36 - 00000000 ___RD C:\Windows\ToastData
2015-10-14 08:13 - 2013-08-22 17:20 - 00000000 ____D C:\Windows\CbsTemp
2015-10-14 08:12 - 2015-04-06 10:19 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-10-14 08:12 - 2014-10-08 19:27 - 00000000 ____D C:\Windows\system32\MRT
2015-10-14 08:11 - 2014-10-08 19:27 - 143481208 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-14 08:08 - 2014-09-21 09:32 - 00000000 ____D C:\ProgramData\Oracle
2015-10-14 08:07 - 2014-10-30 20:08 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-10-14 08:07 - 2014-10-30 20:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-14 08:07 - 2014-10-30 20:08 - 00000000 ____D C:\Program Files (x86)\Java
2015-10-14 08:07 - 2014-09-20 18:01 - 00000000 ____D C:\Users\Arvid
2015-10-14 08:02 - 2014-12-08 16:18 - 00000754 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-14 08:02 - 2014-12-08 16:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-13 22:15 - 2015-07-31 20:55 - 00000000 ____D C:\Users\Arvid\AppData\Roaming\vlc
2015-10-13 17:01 - 2015-08-18 16:45 - 00000000 ____D C:\Windows\System32\Tasks\McAfee
2015-10-13 14:48 - 2014-09-20 18:01 - 00000000 ____D C:\Users\Arvid\AppData\Local\Packages
2015-10-12 13:27 - 2015-04-15 21:03 - 00000000 ____D C:\Temp (do not delete)
2015-10-12 10:34 - 2014-10-04 11:21 - 00100917 _____ C:\Windows\system32\lvcoinst.log
2015-10-12 09:28 - 2015-06-27 08:56 - 00002206 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-12 08:58 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-10-05 09:50 - 2014-12-08 16:18 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2014-12-08 16:18 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2014-12-08 16:18 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-10-02 16:24 - 2013-08-22 17:38 - 00810488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-02 16:24 - 2013-08-22 17:38 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-09-24 08:37 - 2014-10-02 19:41 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-09-23 07:28 - 2015-05-20 17:23 - 00003888 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA1d09310dbb71e5a
2015-09-23 07:28 - 2015-05-20 17:23 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d09310dbb71e5a.job
2015-09-23 07:28 - 2014-11-15 18:50 - 00003652 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore1d000f43ecd375d
2015-09-17 20:31 - 2014-09-20 18:39 - 00000000 ____D C:\Users\Arvid\AppData\Local\Google
2015-09-16 17:03 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-09-16 17:03 - 2013-08-22 16:44 - 00486816 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-16 16:44 - 2014-03-18 11:45 - 00000000 ____D C:\Program Files\Windows Journal

==================== Files in the root of some directories =======

2015-07-31 20:54 - 2015-07-31 20:54 - 0000031 _____ () C:\Program Files\plugins.dat
2014-11-21 22:01 - 2014-11-21 22:01 - 0001468 _____ () C:\Users\Arvid\AppData\Local\recently-used.xbel
2014-09-21 14:25 - 2015-08-07 15:29 - 0007658 _____ () C:\Users\Arvid\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\Arvid\AppData\Local\Temp\CleanSchedule.exe
C:\Users\Arvid\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpw5uacr.dll
C:\Users\Arvid\AppData\Local\Temp\dsHostCheckerSetup.exe
C:\Users\Arvid\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Arvid\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Arvid\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Arvid\AppData\Local\Temp\JuniperSetupClientInstaller.exe
C:\Users\Arvid\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Arvid\AppData\Local\Temp\nvStInst.exe
C:\Users\Arvid\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Arvid\AppData\Local\Temp\sonarinst.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-12 17:20

==================== End of FRST.txt ============================
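The FRST entries above all share one line shape, and reading hundreds of them by eye is how things get missed. The Python below is an added example, not part of the original post and not FRST's own code: it parses lines of the form `<key time> - <other time> - <size> <attrs> [(<company>)] <path>` into records and applies two defender-side triage rules (executables that carry no company/version string, and executables under user-writable paths such as Users, ProgramData or Temp). The sample log is constructed for the example: the first three lines copy the shape of entries above, while the last two (`updater.exe` in a Temp folder and `svchost.dll` under ProgramData) are invented placeholders, not findings from this machine. Which of the two timestamps is creation and which is modification depends on the FRST section the line came from, so the record only calls them key and other.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One FRST "Created/Modified files and folders" line:
#   <key time> - <other time> - <size> <attrs> [(<company>)] <path>
# The company group is optional (plain data files have none) and may be empty "()".
LINE_RE = re.compile(
    r"^(?P<key>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<other>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed sample: first three lines mirror entries in the log above, the
# last two are invented placeholders used only to exercise the triage rules.
SAMPLE_LOG = r"""
2015-10-14 08:10 - 2015-09-28 20:26 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-10-15 16:58 - 2014-04-10 15:48 - 00732608 _____ C:\Windows\system32\perfh01D.dat
2015-10-14 08:07 - 2015-10-14 08:07 - 00000000 ____D C:\Users\Arvid\AppData\Roaming\Sun
2015-10-13 09:12 - 2015-10-13 09:12 - 00048128 _____ C:\Users\example\AppData\Local\Temp\updater.exe
2015-10-12 10:00 - 2015-10-12 10:00 - 00012288 _____ () C:\ProgramData\svchost.dll
"""


@dataclass
class FrstEntry:
    key_time: str            # first timestamp: the one the section is sorted by
    other_time: str          # second timestamp: meaning depends on the section
    size: int
    attrs: str               # five-character attribute field, e.g. ____D for a directory
    company: Optional[str]   # version-resource company name, None if absent or empty
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        lower = self.path.lower()
        return any(lower.endswith(ext) for ext in EXEC_EXT)


def parse_frst_lines(text: str) -> List[FrstEntry]:
    """Parse every file/folder line in an FRST section; headers and notes are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        company = m.group("company")
        entries.append(FrstEntry(
            key_time=m.group("key"),
            other_time=m.group("other"),
            size=int(m.group("size")),
            attrs=m.group("attrs"),
            company=company if company else None,
            path=m.group("path"),
        ))
    return entries


def triage(entries: List[FrstEntry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for executables that deserve a closer look."""
    findings = []
    for e in entries:
        if e.is_dir or not e.is_executable:
            continue
        reasons = []
        if e.company is None:
            reasons.append("no company/version string")
        if any(tok in e.path.lower() for tok in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_frst_lines(SAMPLE_LOG)):
        print(path, "->", "; ".join(reasons))
```

A hit from these rules is a prompt to check the file's digital signature and hash, not a verdict: Microsoft's own perf*.dat counter files in the log above carry no company string and are benign, which is why the rules only look at executable extensions.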

 

 

 



#2 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:41 PM

Posted 15 October 2015 - 11:54 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 3 days will result in this thread being closed.


Hello LemonTea,

My name is mAL_rEm018, but feel free to call me mAL. I'm an undergraduate trainee and, as such, my posts to you have to first be checked by a Teacher; because of this, my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.
 

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or for you to take your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible with additional instructions.


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#3 LemonTea

LemonTea
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Gothenburg, Sweden
  • Local time:03:41 PM

Posted 15 October 2015 - 02:45 PM

Pleased to meet you, mAL!

 

Thanks for attending to my post!

Backup was taken care of already before posting, hehe, awaiting further instructions.

 

 

Cheers



#4 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:41 PM

Posted 16 October 2015 - 12:41 AM

Hello LemonTea,

Please answer the following questions:

  • Did you create the following policies?

    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [NoControlPanel] 0

  • Did you set your Internet Explorer start page to "about:blank"?

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

  • Did you set your Chrome Browser's start pages to the following:

    "hxxp://www.google.com/"
    "hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P"

  • Did you create the following folder?

    2015-10-12 13:27 - 2015-04-15 21:03 - 00000000 ____D C:\Temp (do not delete)


I don't see any signs of "Poweliks" in your logs.  There are some minor issues we have to deal with, but nothing of real concern.  I would like to run further scans to see if anything comes up and we will go from there :)


Before we continue any further, it is necessary that you back up your registry:


  • Download TCRB from the following link TCRB
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.


Please do the following


  • Click the Start Menu and select Control Panel.
  • Click Programs, then Programs and Features.
  • Select the following programs:

    µTorrent

  • Select Uninstall.
  • When prompted select Yes.
  • Answer any questions attentively.
  • When the process is finished, please restart your computer.

Note: you can only remove one program at a time.


Please run the following scans:

RogueKiller


  • Please download RogueKiller and save it to your desktop.
  • Right-click on RogueKiller.exe and select Run as administrator
  • The tool will now start to run a Prescan, wait until it is finished.
  • When the Prescan is over, select Scan.
  • Once the Scan has finished, click on Report.
  • A window entitled Rogue Killer will open, please post the contents in your next reply.

Next..

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:



  • Launch Malwarebytes then click Update Now.
  • Press the Scan Settings icon on the top bar of the MBAM interface, make sure Threat Scan is checked.
  • Press the Scan Now >> button.
  • When the scan is finished:
  • If clean, a message will be displayed "The scan completed successfully! No malicious items were detected!"
  • If infections were found, click the Quarantine all button.
  • Press the View detailed log >> link to display the results log.
  • Press the Copy to Clipboard button.
  • Copy and paste the scan results in your next reply and exit MBAM.


-----------------------------------------
In your next reply, I would like to see:

  • Did you have trouble performing any of the steps?
  • Answer to my questions.
  • RogueKiller log.
  • Malwarebytes' Anti-Malware log
    Please post everything in the order given.

 




#5 LemonTea

LemonTea
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Gothenburg, Sweden
  • Local time:03:41 PM

Posted 16 October 2015 - 07:07 AM

Hi mAL,

 

I’ve been performing the tasks and have encountered no problems doing so.

 

 

Did you create the following policies?

 - HKLM\...\Policies\Explorer: [NoFolderOptions] 0

 - HKLM\...\Policies\Explorer: [NoControlPanel] 0

 

I have no recollection of explicitly or deliberately creating any policies like this, so my answer has to be no.

 

 

Did you set your Internet Explorer start page to "about:blank"?

 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

 

No, my Internet Explorer start page is set to:

https://www.google.se/?gws_rd=ssl

since like a year back. I might have set it to blank for a very short time before assigning to the present start page.

 

 

Did you set your Chrome Browser's start pages to the following:

 - "hxxp://www.google.com/"

 - "hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P"

 

No, neither of these.

My Chrome start page is the same as for my Internet Explorer:

https://www.google.se/?gws_rd=ssl

 

 

Did you create the following folder?

 - 2015-10-12 13:27 - 2015-04-15 21:03 - 00000000 ____D C:\Temp (do not delete)

 

Yes, on my C: drive I have created the folder C:\Temp (do not delete)

 

 

Registry backup

Tweaking.com Registry Backup has been used to backup my registry

 

 

Uninstall

µTorrent has been uninstalled and computer restarted

 

 

RogueKiller scan report

 

RogueKiller V10.11.0.0 [Oct 12 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Arvid [Administrator]
Started from : C:\Users\Arvid\Desktop\RogueKiller.exe
Mode : Scan -- Date : 10/16/2015 12:23:37

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32!GetProcAddress : Unknown @ 0x2160741 (jmp 0x8b4b8bf1|call 0xfffff89e|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ KERNEL32.DLL) ntdll!LdrGetProcedureAddress : Unknown @ 0x2160994 (jmp 0x8ae82a34|call 0xfffff64b|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ KERNEL32.DLL) ntdll!LdrLoadDll : Unknown @ 0x2160400 (jmp 0x8ae89a00|call 0xfffffbdf|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ apphelp.dll) KERNEL32!LoadLibraryW : Unknown @ 0x216082f (jmp 0x8b4b600f|call 0xfffff7b0|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ iertutil.dll) KERNEL32!LoadLibraryA : Unknown @ 0x2500341 (jmp 0x8b8573c1|call 0xffc5fc9e|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ IEFRAME.dll) KERNEL32!WinExec : Unknown @ 0x2160a82 (jmp 0x8b48b6f2|call 0xfffff55d|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ saPlugin.dll) KERNEL32!CreateRemoteThread : Unknown @ 0x2500000 (jmp 0x8b82a470|call 0xffc5ffdf|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ nvspcap.dll) KERNEL32!GetStartupInfoA : Unknown @ 0x21606ca (jmp 0x8b4b76ea|call 0xfffff915|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ Flash.ocx) WININET!InternetOpenA : Unknown @ 0x25004a6 (jmp 0x8e389066|call 0xffc5fb39|jmp 0x1eb)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 PRO 256GB +++++
--- User ---
[MBR] 4d522c9244dc4161f800d7b10b222d16
[BSP] 2fd5283fa169bb5bc019ffa5627633fb : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 2048 | Size: 400 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 821248 | Size: 231796 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 475539456 | Size: 12000 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST3000VX000-1CU166 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 2861459 MB
User = LL1 ... OK
User = LL2 ... OK

 

 

RogueKiller also gave me this:

RogueKiller has detected an IAT/EAT hook. Don’t panic. Most of the time, they are made by legit modules (even some system DLLs) to add filtering features, or by antiviruses.

However, most of these DLLs are whitelisted in RogueKiller, so either the DLL is not known (please verify by typing it on Google), or the module is a real malware (if you didn’t find anything on it on Google, or worse, you found bad things), or because the module has not been identified (shellcoded outside of any module), the module is named “Unknown”. In this last case, if nothing else has been found by RogueKiller, just skip it.

Another thing to know is it’s USELESS in most of the cases to remove a hook, because if you’re able to do it, it will be back at reboot, or at process restart. You have to target the persistence item instead (registry key, patched file, …). In RogueKiller, IAT hooks are just listed for diagnostic and will not be restored.

 

 

 

Malwarebytes Anti-Malware scan:

 

This ran OK, no threats reported.

 

MW1_zpstyv4zxvu.jpg

 

MW2_zpsdwnwl2nk.jpg

 

MW4_zpsjkuis5x7.jpg
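The RogueKiller notice quoted above says how to read the Antirootkit section: hooks that resolve to a named module can be looked up, while "Unknown" destinations (code outside any loaded module) are the ones to pay attention to, and the hook itself is only a symptom of some persistence item. The script below is an added example, not part of this thread or of RogueKiller, that parses lines in that format and groups the "Unknown" hooks by process and 64 KB address region; the hook lines are copied from the log above, except for the last one, which is a hypothetical named-module hit with a placeholder module name.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of RogueKiller's "Antirootkit" section.
# Lines 1-4 are taken from the log posted in this thread; the last line is
# hypothetical (the named-module form is assumed) and uses a placeholder name.
SAMPLE_LOG = """\
¤¤¤ Antirootkit : 5 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) KERNEL32!GetProcAddress : Unknown @ 0x2160741 (jmp 0x8b4b8bf1|call 0xfffff89e|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ KERNEL32.DLL) ntdll!LdrLoadDll : Unknown @ 0x2160400 (jmp 0x8ae89a00|call 0xfffffbdf|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ saPlugin.dll) KERNEL32!CreateRemoteThread : Unknown @ 0x2500000 (jmp 0x8b82a470|call 0xffc5ffdf|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ Flash.ocx) WININET!InternetOpenA : Unknown @ 0x25004a6 (jmp 0x8e389066|call 0xffc5fb39|jmp 0x1eb)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ IEFRAME.dll) KERNEL32!WinExec : PLACEHOLDER_FILTER.DLL @ 0x10001000 (jmp 0x00000000|call 0x00000000|jmp 0x1eb)
"""

HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+"                                     # [IAT:Inl(Hook.IEAT)]
    r"\((?P<process>[^\s@)]+)(?:\s+@\s+(?P<importer>[^)]+))?\)\s+"  # (process @ importing module)
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+:\s+"                 # KERNEL32!GetProcAddress :
    r"(?P<target>\S+)\s+@\s+(?P<address>0x[0-9a-fA-F]+)"            # Unknown @ 0x2160741
    r"(?:\s+\((?P<disasm>[^)]*)\))?\s*$"                            # (jmp ...|call ...|jmp ...)
)


@dataclass(frozen=True)
class Hook:
    kind: str
    process: str
    importer: Optional[str]  # module whose import table was patched; None means the EXE itself
    api: str                 # e.g. "KERNEL32!GetProcAddress"
    target: str              # module the hook jumps into, or "Unknown"
    address: int             # hook destination address
    disasm: str

    @property
    def resolved(self) -> bool:
        # RogueKiller names the destination "Unknown" when it lies outside any
        # loaded module, i.e. code that was written straight into memory.
        return self.target.lower() != "unknown"


def parse_hooks(text: str) -> List[Hook]:
    """Return one Hook per Antirootkit line; other RogueKiller lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section header, blank line, other output
        hooks.append(Hook(
            kind=m["kind"], process=m["process"], importer=m["importer"],
            api=f'{m["module"]}!{m["function"]}', target=m["target"],
            address=int(m["address"], 16), disasm=m["disasm"] or "",
        ))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, object]:
    """Summarise hooks the way the RogueKiller notice suggests reading them.

    Named targets can be researched; "Unknown" ones deserve attention, and
    several of them landing in the same 64 KB region of one process usually
    point at one injected block rather than many separate ones. Removing the
    hooks themselves is pointless; the persistence item is what has to go.
    """
    unknown = [h for h in hooks if not h.resolved]
    regions: Dict[tuple, List[str]] = defaultdict(list)
    for h in unknown:
        regions[(h.process, h.address >> 16)].append(h.api)
    return {
        "total": len(hooks),
        "unknown": len(unknown),
        "named_targets": sorted({h.target for h in hooks if h.resolved}),
        # "process:region_base" -> hooked APIs whose hook lands in that region
        "unknown_regions": {f"{p}:0x{base << 16:x}": sorted(apis)
                            for (p, base), apis in regions.items()},
        "hooked_processes": sorted({h.process for h in hooks}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_hooks(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```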



#6 LemonTea

LemonTea
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gothenburg, Sweden
  • Local time:03:41 PM

Posted 17 October 2015 - 11:56 AM

Hi mAL,

 

I just came to think about this… It’s connected to what RogueKiller gave when scanning.

The reason for posting this is that I don’t want to hold back any information that you might find important. I’d rather have you discard it if it’s not; sorry if I clutter things up.

 

 

Regarding RogueKiller, last time I posted this, which I got when scanning:

“RogueKiller has detected an IAT/EAT hook. Don’t panic. Most of the time, they are made by legit modules (even some system DLLs) to add filtering features, or by antiviruses.

 

However, most of these DLLs are whitelisted in RogueKiller, so either the DLL is not known (please verify by typing it on Google), or the module is a real malware (if you didn’t find anything on it on Google, or worse, you found bad things), or because the module has not been identified (shellcoded outside of any module), the module is named “Unknown”. In this last case, if nothing else has been found by RogueKiller, just skip it.

 

Another thing to know is it’s USELESS in most of the cases to remove a hook, because if you’re able to do it, it will be back at reboot, or at process restart. You have to target the persistence item instead (registry key, patched file, …). In RogueKiller, IAT hooks are just listed for diagnostic and will not be restored.”

 

Also, in my first post in this forum, when I tried to describe my problem, I mentioned:

“When opening File Explorer I now notice that some folders can’t be accessed on my C: drive, like Documents and Settings, in the Program Files folder the Shared Files folder, in the Users folder All Users and Default User, and in the Documents folder My Music, My Pictures and My Video Clips, and maybe more.”

 

 


 

 

 

When I try to open any of these folders I get Access denied.

AccessDenied_zpstkdviv46.jpg

 

 

When I right click on the folder “Min musik” (My music), select Properties and then selecting the Security tab I see this for Account Unknown(S-1-5-21-3077866842-893399285-3411573189-1002)

Properties%20My%20music_zpsb9zur1sz.jpg

 

 

When trying to change permissions I get Access denied.

 

When going to Advanced and there try to remove the permission entry I get

WindowsSecurity_zpszc4utpbj.jpg

 

 

When inheritance is removed in Advanced and I try to remove the entry again, the removal actually works; however, when selecting OK/Apply I get

ErrorApplyingSecurity_zps3n3hfmhi.jpg

 

 

After selecting Continue, the same once more

ErrorApplyingSecurity_zps3n3hfmhi.jpg

 

 

When closing Properties I get the same Error Applying Security twice as above and then (WindowsSecurityUnable)

WindowsSecurityUnableSave_zpscfok0hxn.jp

 

 

 

And there is a second thing I must add...When I start Chrome, at first it acts normal but if I open a new browser window, open a new tab or perform a search it just goes so slow, really slow.

 

 

And there is a third thing I must add... vi-view most likely ended up on my PC after downloading the Burnout Paradise game from the Softonic site *wearing a paper bag on my head* :blush:

 

I appreciate all the time and effort you are putting into this, mAL; thanks a lot.

 

 

Cheers,

 LemonTea

 

 

 

 

 


Edited by LemonTea, 17 October 2015 - 12:23 PM.


#7 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:41 PM

Posted 18 October 2015 - 01:04 AM

Hello LemonTea,
 

The reason for posting this is that I don’t want to hold back any information that you might find important. I’d rather have you discard it if it’s not; sorry if I clutter things up.

That's not a problem. Every bit of information helps :) For now I would like you to follow the steps below, and we will do our best to deal with any remaining issues afterwards.


Please do the following..
 

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {3e383715-516d-11e4-825e-7824af335af4} - "G:\Startme.exe"
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {4c28eb52-2edb-11e5-82ca-00190e16e66f} - "G:\AutoRun.exe"
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {78b27b25-6bd1-11e4-8268-7824af335af4} - "G:\startme.exe"
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {b2105178-03cd-11e5-82b6-00190e16e66f} - "G:\Startme.exe"
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://se.yahoo.com/?fr=hp-avast&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: No Name - C:\Users\Arvid\AppData\Roaming\Mozilla\Firefox\Profiles\5inwjo70.default-1429550989535\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}.xpi [not found]
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P"
CHR Extension: (Hola Bättre Internet) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-04-20]
C:\Users\Arvid\AppData\Local\Temp\CleanSchedule.exe
C:\Users\Arvid\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpw5uacr.dll
C:\Users\Arvid\AppData\Local\Temp\dsHostCheckerSetup.exe
C:\Users\Arvid\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Arvid\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Arvid\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Arvid\AppData\Local\Temp\JuniperSetupClientInstaller.exe
C:\Users\Arvid\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Arvid\AppData\Local\Temp\nvStInst.exe
C:\Users\Arvid\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Arvid\AppData\Local\Temp\sonarinst.exe
Task: {78BC839B-CA81-4C14-869B-139666B9E7CB} - System32\Tasks\{4B991DE0-50FF-402E-8EBD-EC2A412531BD} => pcalua.exe -a C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -c -uninstall
FirewallRules: [{F65D1445-CBED-41BF-A4E5-72A7ACA8F127}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{1B0BFE5A-23F8-4689-BDAA-9EC796C5EB67}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{63288E12-7712-497B-B070-DCF38CB5B45A}] => (Allow) C:\Users\Arvid\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{CBCBD888-470C-4876-B4AB-FBD65390CD33}] => (Allow) C:\Users\Arvid\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{99A4FED8-04FD-4690-AC37-9B29C35E0E17}] => (Allow) C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
FirewallRules: [{52A23F6E-4AC4-4322-9785-2DCB7908369D}] => (Allow) C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe

Hosts:
EmptyTemp:
CreateRestorePoint:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Adwcleaner


  • Please download AdwCleaner to your Desktop from here.
  • Close all your programs and right-click AdwCleaner.exe and select Run as administrator.
  • Click on Scan.
  • After the scan is over, select Logfile.
  • A notepad window will open.  Please copy/paste the contents in your next reply.
    Note: do not select Cleaning at this point

I need you to run a search using FRST..



  • Double click Frst.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.

babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer

  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.


How is your computer behaving?

-----------------------------------------
In your next reply, I would like to see..


  • fixlog.txt
  • AdwCleaner log
  • Search.txt
  • Answer to my question?
    Please post everything in the order given.

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#8 LemonTea

LemonTea
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gothenburg, Sweden
  • Local time:03:41 PM

Posted 19 October 2015 - 10:01 AM

Hi mAL,

 

No problems performing these tasks.

 

 

 

fixlist

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:14-10-2015 01

Ran by Arvid (2015-10-19 16:22:21) Run:1

Running from C:\Users\Arvid\Desktop\FRST

Loaded Profiles: Arvid (Available Profiles: Arvid)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

HKLM\...\Policies\Explorer: [NoFolderOptions] 0

HKLM\...\Policies\Explorer: [NoControlPanel] 0

HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {3e383715-516d-11e4-825e-7824af335af4} - "G:\Startme.exe"

HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {4c28eb52-2edb-11e5-82ca-00190e16e66f} - "G:\AutoRun.exe"

HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {78b27b25-6bd1-11e4-8268-7824af335af4} - "G:\startme.exe"

HKU\S-1-5-21-3077866842-893399285-3411573189-1001\...\MountPoints2: {b2105178-03cd-11e5-82b6-00190e16e66f} - "G:\Startme.exe"

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://se.yahoo.com/?fr=hp-avast&type=avastbcl

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =

HKU\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}

SearchScopes: HKLM-x32 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}

SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://se.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

FF Extension: No Name - C:\Users\Arvid\AppData\Roaming\Mozilla\Firefox\Profiles\5inwjo70.default-1429550989535\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}.xpi [not found]

CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P"

CHR Extension: (Hola Bättre Internet) - C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-04-20]

C:\Users\Arvid\AppData\Local\Temp\CleanSchedule.exe

C:\Users\Arvid\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpw5uacr.dll

C:\Users\Arvid\AppData\Local\Temp\dsHostCheckerSetup.exe

C:\Users\Arvid\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe

C:\Users\Arvid\AppData\Local\Temp\jre-8u31-windows-au.exe

C:\Users\Arvid\AppData\Local\Temp\jre-8u60-windows-au.exe

C:\Users\Arvid\AppData\Local\Temp\JuniperSetupClientInstaller.exe

C:\Users\Arvid\AppData\Local\Temp\neoNCSetup64.exe

C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI.dll

C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI64.dll

C:\Users\Arvid\AppData\Local\Temp\nvStInst.exe

C:\Users\Arvid\AppData\Local\Temp\SkypeSetup.exe

C:\Users\Arvid\AppData\Local\Temp\sonarinst.exe

Task: {78BC839B-CA81-4C14-869B-139666B9E7CB} - System32\Tasks\{4B991DE0-50FF-402E-8EBD-EC2A412531BD} => pcalua.exe -a C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -c -uninstall

FirewallRules: [{F65D1445-CBED-41BF-A4E5-72A7ACA8F127}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe

FirewallRules: [{1B0BFE5A-23F8-4689-BDAA-9EC796C5EB67}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe

FirewallRules: [{63288E12-7712-497B-B070-DCF38CB5B45A}] => (Allow) C:\Users\Arvid\AppData\Roaming\uTorrent\uTorrent.exe

FirewallRules: [{CBCBD888-470C-4876-B4AB-FBD65390CD33}] => (Allow) C:\Users\Arvid\AppData\Roaming\uTorrent\uTorrent.exe

FirewallRules: [{99A4FED8-04FD-4690-AC37-9B29C35E0E17}] => (Allow) C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe

FirewallRules: [{52A23F6E-4AC4-4322-9785-2DCB7908369D}] => (Allow) C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe

 

Hosts:

EmptyTemp:

CreateRestorePoint:

*****************

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions => value removed successfully

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoControlPanel => value removed successfully

"HKU\S-1-5-21-3077866842-893399285-3411573189-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e383715-516d-11e4-825e-7824af335af4}" => key removed successfully

HKCR\CLSID\{3e383715-516d-11e4-825e-7824af335af4} => key not found.

"HKU\S-1-5-21-3077866842-893399285-3411573189-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c28eb52-2edb-11e5-82ca-00190e16e66f}" => key removed successfully

HKCR\CLSID\{4c28eb52-2edb-11e5-82ca-00190e16e66f} => key not found.

"HKU\S-1-5-21-3077866842-893399285-3411573189-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{78b27b25-6bd1-11e4-8268-7824af335af4}" => key removed successfully

HKCR\CLSID\{78b27b25-6bd1-11e4-8268-7824af335af4} => key not found.

"HKU\S-1-5-21-3077866842-893399285-3411573189-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2105178-03cd-11e5-82b6-00190e16e66f}" => key removed successfully

HKCR\CLSID\{b2105178-03cd-11e5-82b6-00190e16e66f} => key not found.

HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully

HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully

HKU\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}" => key removed successfully

HKCR\Wow6432Node\CLSID\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key not found.

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully

HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully

C:\Users\Arvid\AppData\Roaming\Mozilla\Firefox\Profiles\5inwjo70.default-1429550989535\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}.xpi => not found.

Chrome StartupUrls => removed successfully

C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio => moved successfully

C:\Users\Arvid\AppData\Local\Temp\CleanSchedule.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpw5uacr.dll => moved successfully

C:\Users\Arvid\AppData\Local\Temp\dsHostCheckerSetup.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\jre-8u31-windows-au.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\jre-8u60-windows-au.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\JuniperSetupClientInstaller.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\neoNCSetup64.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI.dll => moved successfully

C:\Users\Arvid\AppData\Local\Temp\nvSCPAPI64.dll => moved successfully

C:\Users\Arvid\AppData\Local\Temp\nvStInst.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\SkypeSetup.exe => moved successfully

C:\Users\Arvid\AppData\Local\Temp\sonarinst.exe => moved successfully

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{78BC839B-CA81-4C14-869B-139666B9E7CB}" => key removed successfully

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78BC839B-CA81-4C14-869B-139666B9E7CB}" => key removed successfully

C:\Windows\System32\Tasks\{4B991DE0-50FF-402E-8EBD-EC2A412531BD} => moved successfully

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{4B991DE0-50FF-402E-8EBD-EC2A412531BD}" => key removed successfully

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F65D1445-CBED-41BF-A4E5-72A7ACA8F127} => value removed successfully

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1B0BFE5A-23F8-4689-BDAA-9EC796C5EB67} => value removed successfully

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{63288E12-7712-497B-B070-DCF38CB5B45A} => value not found.

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CBCBD888-470C-4876-B4AB-FBD65390CD33} => value not found.

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{99A4FED8-04FD-4690-AC37-9B29C35E0E17} => value removed successfully

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{52A23F6E-4AC4-4322-9785-2DCB7908369D} => value removed successfully

C:\Windows\System32\Drivers\etc\hosts => moved successfully

Hosts restored successfully.

Restore point was successfully created.

EmptyTemp: => 9.1 GB temporary data Removed.

 

 

The system needed a reboot.

 

==== End of Fixlog 16:26:35 ====

 

 

 

 

 

 

AdwCleaner

 

# AdwCleaner v5.014 - Logfile created 19/10/2015 at 16:35:54

# Updated 18/10/2015 by Xplode

# Database : 2015-10-18.5 [Server]

# Operating system : Windows 8.1  (x64)

# Username : Arvid - JEEZ

# Running from : C:\Users\Arvid\Desktop\AdwCleaner\AdwCleaner.exe

# Option : Scan

# Support : http://toolslib.net/forum

 

***** [ Services ] *****

 

 

***** [ Folders ] *****

 

 

***** [ Files ] *****

 

 

***** [ DLLs ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Scheduled tasks ] *****

 

 

***** [ Registry ] *****

 

Key Found : HKU\.DEFAULT\Software\Avg Secure Update

Key Found : HKCU\Software\Avg Secure Update

Key Found : [x64] HKCU\Software\Avg Secure Update

 

***** [ Web browsers ] *****

 

[C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : myhome.vi-view.com

[C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : vi-view

[C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : burnout-paradise.en.softonic.com

 

*************************

 

C:\AdwCleanerDebug.txt - [55 bytes] - [08/12/2014 16:13:48]

 

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1159 bytes] ##########

 

 

 

 

FRST search

 

 

Farbar Recovery Scan Tool (x64) Version:14-10-2015 01

Ran by Arvid (2015-10-19 16:40:28)

Running from C:\Users\Arvid\Desktop\FRST

Boot Mode: Normal

 

================== Search Registry: "babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer" ===========

 

 

===================== Search result for "babylon" ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]

"DllName"="BabylonToolbar.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]

"DllName"="BabylonToolbarTlbr.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]

"DllName"="BabylonToolbar.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]

"DllName"="BabylonToolbarTlbr.dll"

 

 

===================== Search result for "Searchqu" ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9f41624-2083-45cd-ac36-af8119a22a41}]

""="CLocationSearchQuery"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{69563521-C154-4B45-B884-035872E3F96A}]

""="ISearchQueryCondition"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAC6C3B8-3C64-4DFD-AD9F-479E4D4065A4}]

""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetailsFactory"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69563521-C154-4B45-B884-035872E3F96A}]

""="ISearchQueryCondition"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAC6C3B8-3C64-4DFD-AD9F-479E4D4065A4}]

""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetailsFactory"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{5072148C-DE7A-4826-965C-812AB676E0A4}]

""="IUccUserSearchQuery"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{94F59D79-583A-4547-A620-EAD932A2F2EB}]

""="_IUccUserSearchQueryEvents"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\CLSID\{1E041E06-E1C5-4B7B-ADD3-20E32D155C2E}]

"ActivatableClassId"="Windows.ApplicationModel.Search.SearchQueryLinguisticDetails"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Search.SearchQueryLinguisticDetails]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{46A1205B-69C9-4745-B72F-A8A4FC8F24AE}]

""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetails"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]

""="ISearchQueryHelper"

 

[HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Classes\ActivatableClasses\CLSID\{F0C316F1-D05C-5D61-8571-FD31A695E711}]

"ActivatableClassId"="AppEx.Sports.Services.TypeDefs.Request.AppSearchQuery"

 

[HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001_Classes\ActivatableClasses\CLSID\{F0C316F1-D05C-5D61-8571-FD31A695E711}]

"ActivatableClassId"="AppEx.Sports.Services.TypeDefs.Request.AppSearchQuery"

 

 

===================== Search result for "trolltech" ==========

 

[HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Trolltech]

 

[HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

 

====== End of Search ======

 

 

 

 

How is your computer behaving?

Good! It’s fast, a quick smoke test doesn’t reveal anything, not even Chrome is slowing down. Can’t complain…

 

Edit: OK, so now Chrome did its usual slow appearance, 12-15 seconds to get to Gmail.

 

 

Cheers,

 LemonTea


Edited by LemonTea, 19 October 2015 - 11:22 AM.


#9 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 311 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:41 PM

Posted 20 October 2015 - 12:48 AM

Hello LemonTea,
 

Good! It’s fast, a quick smoke test doesn’t reveal anything, not even Chrome is slowing down. Can’t complain…

Are you still having trouble accessing folders?



Edit: OK, so now Chrome did its usual slow appearance, 12-15 seconds to get to Gmail.

Please let me know if you see an improvement after the following fix.


Please do the following..



  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Trolltech]

CreateRestorePoint:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log


Next..


Adwcleaner


  • Close all your programs and right-click AdwCleaner.exe and select Run as administrator.
  • Click on Scan.
  • After the scan is over, select Cleaning.
  • Note: All programs will be closed and your computer will be rebooted, therefore I advise you to save any unsaved work.
  • A notepad window will open.  Please copy/paste the contents in your next reply.


-----------------------------------------
In your next reply, I would like to see..

  • Answer to my question.
  • Update on Chrome performance.
  • fixlog.txt
  • Adwcleaner log.
    Please post everything in the order given.

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#10 LemonTea

LemonTea
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gothenburg, Sweden
  • Local time:03:41 PM

Posted 20 October 2015 - 01:00 PM

Hi mAL,

 

Here we go.

 

 

 

Are you still having trouble accessing folders?

Yes

 

 

Edit: OK, so now Chrome did its usual slow appearance, 12-15 seconds to get to Gmail.

Please let me know if you see an improvement after the following fix

As of now, yes – improvement! No slow loading pages with Chrome!

 

 

 

FRST

Observation:

When running I still had an IE11 session open to BleepingComputer. It was closed. When opening IE11 there was a message stating that “Your last browsing session closed unexpectedly.” and I could select a Restore session button. I chose not to, instead went to BleepingComputer as usual by typing the URL (I was still logged in).

 

 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:14-10-2015 01
Ran by Arvid (2015-10-20 18:40:14) Run:2
Running from C:\Users\Arvid\Desktop\FRST
Loaded Profiles: Arvid (Available Profiles: Arvid)
Boot Mode: Normal
==============================================

fixlist content:
*****************
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Trolltech]
CreateRestorePoint:
*****************

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => key removed successfully
HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Trolltech => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKEY_USERS\S-1-5-21-3077866842-893399285-3411573189-1001\Software\Trolltech => key removed successfully
Restore point was successfully created.

==== End of Fixlog 18:40:26 ====

 

 

 

 

AdwCleaner

# AdwCleaner v5.014 - Logfile created 20/10/2015 at 18:50:46
# Updated 18/10/2015 by Xplode
# Database : 2015-10-18.5 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Arvid - JEEZ
# Running from : C:\Users\Arvid\Desktop\AdwCleaner\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
[-] Key Deleted : HKCU\Software\Avg Secure Update
[!] Key Not Deleted : [x64] HKCU\Software\Avg Secure Update

***** [ Web browsers ] *****

[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : myhome.vi-view.com
[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : vi-view
[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : burnout-paradise.en.softonic.com
[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P

*************************

:: Winsock settings cleared

*************************

C:\AdwCleanerDebug.txt - [55 bytes] - [08/12/2014 16:13:48]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1479 bytes] ##########

 

 

Over to you, mAL, have a good one.

Cheers,
LemonTea
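The fixlog above deletes registry keys by name and reports "key removed successfully", but it does not show what the GUIDs stood for or whether anything else remains in the same list. As an added example (not part of the thread, and not FRST's or AdwCleaner's own code), the PowerShell below re-checks from an elevated prompt that the five fixlist keys are gone, then enumerates what is still registered under Internet Explorer's Extension Compatibility list and resolves each CLSID to the DLL that implements it, so a leftover add-on can be judged by its file rather than by GUID. The registry paths are the ones from the fixlog; the CLSID lookup locations are standard Windows registry paths. It assumes it is run as the same user FRST ran under, so that the HKEY_USERS\S-1-5-21-...-1001 hive from the fixlog is the session's HKCU.

```powershell
# Added example, not from the thread. Re-verify the FRST fixlist result and
# review the remaining Internet Explorer "Extension Compatibility" entries.
# Run in an elevated PowerShell session as the same user FRST ran under, so
# that HKEY_USERS\S-1-5-21-...-1001 (from the fixlog) corresponds to HKCU:.

$fixedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}',
    'HKCU:\Software\Trolltech'   # HKEY_USERS\<SID>\Software\Trolltech in the fixlog
)

Write-Host "== Fixlist keys =="
foreach ($key in $fixedKeys) {
    $state = if (Test-Path -LiteralPath $key) { 'STILL PRESENT' } else { 'removed' }
    '{0,-13} {1}' -f $state, $key
}

function Resolve-Clsid {
    # Map a CLSID to its registered COM server (InprocServer32 default value).
    # Checks the 64-bit, 32-bit (Wow6432Node) and per-user class registrations.
    param([Parameter(Mandatory)][string]$Clsid)
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\Software\Classes\CLSID'
    )
    foreach ($root in $roots) {
        $key = Join-Path $root $Clsid
        if (Test-Path -LiteralPath $key) {
            $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -LiteralPath (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{ Clsid = $Clsid; Name = $name; Dll = $dll; RegisteredAt = $key }
        }
    }
    # Not registered: the compatibility entry refers to an add-on that is not (or no longer) installed.
    [pscustomobject]@{ Clsid = $Clsid; Name = $null; Dll = $null; RegisteredAt = 'not registered' }
}

Write-Host "`n== Remaining Extension Compatibility entries that resolve to an installed COM server =="
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility'
)
$compatRoots |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -ErrorAction SilentlyContinue } |
    ForEach-Object { Resolve-Clsid -Clsid $_.PSChildName } |
    Where-Object  { $_.Dll } |
    Sort-Object Dll -Unique |
    Format-Table Clsid, Name, Dll -AutoSize
```

Entries that do not resolve to a CLSID are only compatibility records for add-ons that are not installed and are filtered out; the ones that do resolve point at a DLL whose path, publisher signature and file hash can then be checked. Deleting a compatibility entry, as the fixlist did, does not unregister the COM object itself, which is why the second pass is worth running.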



#11 mAL_rEm018

Posted 21 October 2015 - 11:33 AM

Hello LemonTea,

The remaining problems on your computer are not malware related.  I will do my best to help you find a solution, however I might have to refer you to another forum on this site if we are unsuccessful.
 

When I right click on the folder “Min musik” (My music), select Properties and then selecting the Security tab I see this for Account Unknown(S-1-5-21-3077866842-893399285-3411573189-1002)

The "Account Unknown" is related to an account that was previously removed either by you or Windows.  This account is harmless in itself and we can certainly try to delete it, however I would first like to deal with the issue accessing folders.
 

When opening File Explorer I now notice that some folders can’t be accessed on my C: drive, like Document and Settings, in Program Files folder the Shared Files folder, in the Users folder All users and Default User and in the Documents folder My music, My pictures and My video clips and maybe more.

The folders you mentioned are related to older versions of Windows. This would explain why you are unable to access them, since they are not "compatible" with your OS.  There is a quick way to find out if this is in fact the problem:
 

  • Please open Windows Explorer like you did before.
  • Select the View tab, located on the top.
  • Uncheck the Hidden items option in the Show/Hide section.
  • If you navigate to the folders you mentioned above, are they still present?

 




#12 LemonTea

Posted 22 October 2015 - 03:51 AM

Hi mAL,

After unchecking Hidden items like you described above (and closing File Explorer and then opening it again) these folders were not visible. When Hidden items are checked they are.

If they are not compatible with my OS, how come I have them there at all?

I have another question. When running AdwCleaner these vi-view were still present, are they supposed to be there?

 

 

***** [ Web browsers ] *****

[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : myhome.vi-view.com
[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : vi-view
[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : burnout-paradise.en.softonic.com
[-] [C:\Users\Arvid\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://myhome.vi-view.com/?type=hp&ts=1418042198&from=cor&uid=SamsungXSSDX850XPROX256GB_S1SUNSAF803955P

I would like to delete the burnout-paradise goo. That would be no problem, right? It's such fun on PlayStation and such a drag on PC...

Edit: Slow loading Chrome pages are back.

Regards,
LemonTea


Edited by LemonTea, 22 October 2015 - 03:58 AM.


#13 mAL_rEm018

Posted 23 October 2015 - 12:10 AM

Hello LemonTea,
 

After unchecking Hidden items like you described above (and closing File Explorer and then opening it again) these folders were not visible. When Hidden items are checked they are.

If they are not compatible with my OS, how come I have them there at all?

By "incompatible" I meant that the folders you mentioned have changed names and location in newer versions of Windows.  This is why you were seeing the message "Location is not available".  From what I understand Microsoft has kept a copy of the "old folders" as a means to redirect programs that did not make the switch to the "new folders".  I hope this makes sense.  In any case, there are only two things to keep in mind:



  • These hidden folders have a purpose.
  • They were hidden to prevent people from modifying and/or deleting them (the same can be said about other hidden files and folders on your computer), which is why I advise you to keep the "Hidden items" option Disabled in the future.

 
 

I have another question. When running AdwCleaner these vi-view were still present, are they supposed to be there?

This is nothing to worry about, since AdwCleaner has since removed them.



I would like to delete burnout-paradise goo, That would be no problem, right? It's such fun on playstation and such a drag on pc...

That is not a problem.  To remove the software, please follow the steps below.

  • Click the Start Menu and select Control Panel.
  • Click Programs, then Programs and Features.
  • Select the following programs:

    Burnout™ Paradise The Ultimate Box

  • Select Uninstall.
  • When prompted select Yes.
  • Answer any questions attentively.
  • When the process is finished, please restart your computer.

Note: you can only remove one program at a time.




Edit: Slow loading Chrome pages are back.

Chrome being slow could be caused by several different factors.  I believe the easiest and fastest way to troubleshoot this issue is to remove/re-install the browser and gradually start re-installing your personal stuff.


I advise you to backup any bookmarks before you follow the steps below.  The instructions for doing so can be found here:


Google Chrome - How to backup your bookmarks


  • Click the Start Menu and select Control Panel.
  • Click Programs, then Programs and Features.
  • Select the following programs:

    Google Chrome

  • Select Uninstall.
  • Ensure that Also delete your browsing data? is checked.
  • When prompted select Yes.
  • Answer any questions attentively.
  • When the process is finished, please restart your computer.

Note: you can only remove one program at a time.


To re-install Google Chrome, please do the following..


  • Click on the following link: Google Chrome.
  • Read the Terms of Service and select Accept and Install.
  • Save ChromeSetup.exe to your desktop.
  • Go to your desktop and right-click on ChromeSetup.exe and select Run as administrator.
  • Google Chrome will then install itself.
  • When the process is over, Chrome will open.

Do not re-install your bookmarks and extensions right away!  Try using Chrome on its own first and ONLY if you don't run into any issues then you can re-install them gradually.  If at any time Chrome starts acting slow, stop and let me know.


-----------------------------------------
In your next reply, I would like to see..


  • Is Google Chrome running faster?

 


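The hidden folders discussed in posts #11 and #13 (Documents and Settings, All Users, Default User, and My Music / My Pictures / My Videos under Documents) are NTFS junction points that Windows Vista and later create so that software written for older Windows versions still finds its old paths. They carry the Hidden and System attributes and a Deny entry for Everyone on "List folder", which is what makes Explorer show "Location is not available" / access denied even though the folder they point to (for example C:\Users) opens normally. The "Account Unknown (S-1-5-21-...-1002)" entry in the Security tab is an access control entry whose SID no longer maps to any account on the machine. The PowerShell below is an added example, not part of the thread, that lists these junctions with their deny entries and reports ACEs with unresolvable SIDs, with an opt-in removal that honours -WhatIf. It assumes the system drive is C:, that the profile of interest is the current user's ($env:USERPROFILE), and that the localized "Min musik" folder is %USERPROFILE%\Music; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Lists the legacy compatibility junctions
# Windows creates (Hidden+System reparse points such as "Documents and Settings")
# and reports ACL entries whose SID no longer resolves to an account, such as
# "Account Unknown (S-1-5-21-...-1002)". Assumes the system drive is C: and the
# profile of interest is the current user's ($env:USERPROFILE).

function Get-CompatJunction {
    param([string[]]$Directory)
    foreach ($dir in $Directory) {
        Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
            ForEach-Object {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                # The junctions ship with "Everyone: Deny List folder"; this is why Explorer
                # reports access denied even though the target folder itself is readable.
                $denyList = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Deny' -and
                    (($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::ListDirectory) -ne 0)
                }
                [pscustomobject]@{
                    Junction    = $_.FullName
                    Target      = $_.PSObject.Properties['Target'].Value   # populated on PowerShell 5 and later
                    Attributes  = $_.Attributes
                    DenyListing = [bool]$denyList
                }
            }
    }
}

function Get-OrphanedAce {
    # Return ACEs whose principal could not be translated to an account name.
    # Get-Acl leaves untranslatable principals as raw SIDs (S-1-5-21-...), which
    # Explorer displays as "Account Unknown(S-1-5-21-...)".
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -like 'S-1-5-21-*') {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-OrphanedAce {
    # Strip explicit (non-inherited) ACEs with unresolvable SIDs. Inherited ACEs
    # must be removed on the folder they come from, so they are reported and skipped.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -notlike 'S-1-5-21-*') { continue }
        if ($ace.IsInherited) {
            Write-Warning "Inherited from parent, skipped: $($ace.IdentityReference) on $Path"
            continue
        }
        if ($PSCmdlet.ShouldProcess($Path, "Remove ACE for $($ace.IdentityReference)")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

# Usage: report first, change nothing until the -WhatIf output looks right.
Get-CompatJunction -Directory 'C:\', 'C:\Users', $env:USERPROFILE, "$env:USERPROFILE\Documents" |
    Format-Table Junction, Target, DenyListing -AutoSize
Get-OrphanedAce -Path "$env:USERPROFILE\Music" | Format-Table -AutoSize
# Remove-OrphanedAce -Path "$env:USERPROFILE\Music" -WhatIf
```

The junctions are expected output, not damage: a junction that shows DenyListing = True and a Target under C:\Users or C:\ProgramData is exactly how a clean Windows 8.1 install looks, which is why the advice above is to keep "Hidden items" off rather than to delete them. An orphaned SID only matters if it carries Deny rights or if the folder's owner is the missing account; an Allow entry for a deleted account grants nothing to anyone and is cosmetic.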


#14 Gary R (MRU Admin)

Posted 26 October 2015 - 12:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#15 Gary R (MRU Admin)

Posted 30 October 2015 - 01:13 AM

As per the request of Lemon Tea, this topic has been re-opened.
