aswMBR log


  • This topic is locked
7 replies to this topic

#1 lwyborny

lwyborny

  • Members
  • 4 posts

Posted 17 October 2015 - 08:14 AM

I have the DNSunlocker adware, and probably others, and I have run Malwarebytes Anti-Malware, AdwCleaner, and Spybot, but the adware is still there. I read about aswMBR on your website and ran it. Here is the log from the run, which shows an infection in the "uninstall.exe" file. But I did not want to do anything until someone confirmed what I should do. The output of the log is copied in below.


Lester 


aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-10-17 02:55:39
-----------------------------
02:55:39.797    OS Version: Windows x64 6.2.9200 
02:55:39.797    Number of processors: 4 586 0x1001
02:55:39.797    ComputerName: WYBORNYPC  UserName: lwyborny
02:55:56.493    Initialize success
02:55:56.618    VM: initialized successfully
02:55:56.618    VM: Amd CPU supported 
03:20:36.837    AVAST engine defs: 15101601
03:20:50.767    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000026
03:20:50.767    Disk 0 Vendor: ST1000DM003-9YN162 HP16 Size: 953869MB BusType: 11
03:20:50.892    Disk 0 MBR read successfully
03:20:50.892    Disk 0 MBR scan
03:20:50.908    Disk 0 unknown MBR code
03:20:50.924    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
03:20:51.002    Disk 0 scanning C:\WINDOWS\system32\drivers
03:21:11.509    Service scanning
03:21:50.600    Modules scanning
03:21:50.600    Disk 0 trace - called modules:
03:21:50.632    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys storahci.sys hal.dll 
03:21:50.647    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000fa8ff060]
03:21:50.663    3 CLASSPNP.SYS[fffff80107353170] -> nt!IofCallDriver -> \Device\00000026[0xffffe000fa738060]
03:21:59.022    AVAST engine scan C:\WINDOWS
03:22:10.101    AVAST engine scan C:\WINDOWS\system32
03:28:02.766    AVAST engine scan C:\WINDOWS\system32\drivers
03:28:28.489    AVAST engine scan C:\Users\lwyborny
03:39:56.308    Disk 0 statistics 3592810/0/0 @ 4.53 MB/s
03:39:56.308    Scan stopped
03:39:58.714    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000026
03:39:58.729    Disk 0 Vendor: ST1000DM003-9YN162 HP16 Size: 953869MB BusType: 11
03:39:58.854    Disk 0 MBR read successfully
03:39:58.870    Disk 0 MBR scan
03:39:58.886    Disk 0 unknown MBR code
03:39:58.886    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
03:39:58.979    Disk 0 scanning C:\WINDOWS\system32\drivers
03:40:19.050    Service scanning
03:40:56.773    Modules scanning
03:40:56.788    Disk 0 trace - called modules:
03:40:56.820    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys storahci.sys hal.dll 
03:40:56.820    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000fa8ff060]
03:40:56.835    3 CLASSPNP.SYS[fffff80107353170] -> nt!IofCallDriver -> \Device\00000026[0xffffe000fa738060]
03:41:03.179    AVAST engine scan C:\WINDOWS
03:41:13.523    AVAST engine scan C:\WINDOWS\system32
03:47:09.540    AVAST engine scan C:\WINDOWS\system32\drivers
03:47:37.072    AVAST engine scan C:\Users\lwyborny
04:03:00.024    File: C:\Users\lwyborny\AppData\Local\{94E3A2BF-B04B-CE07-DDD3-EBEFF9BB1777}\uninstall.exe  **INFECTED** Win32:Malware-gen
04:06:34.398    AVAST engine scan C:\ProgramData
04:50:33.650    Disk 0 statistics 8283943/0/0 @ 1.36 MB/s
04:50:33.666    Scan finished successfully
08:36:02.642    Disk 0 MBR has been saved successfully to "C:\Users\lwyborny\Desktop\MBR.dat"
08:36:02.674    The log file has been saved successfully to "C:\Users\lwyborny\Desktop\aswMBR.txt"

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 October 2015 - 08:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

The folder in bold should be deleted.
It may be in use by another process.

File: C:\Users\lwyborny\AppData\Local\{94E3A2BF-B04B-CE07-DDD3-EBEFF9BB1777}\uninstall.exe **INFECTED** Win32:Malware-gen

Before deleting the file run this tool.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

When finished download and run this tool.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

If the folder listed in bold above is still present, try to delete it.

Post the logs and let me know what problem persists.
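The reply above asks for the aswMBR hit to be dealt with and for two more logs to be posted for review. A helper reading those logs is looking for a handful of markers: aswMBR's `**INFECTED**` lines, and the entries FRST flags with `<======= ATTENTION` (policy restrictions on the browsers) or `[X]`. The script below is an added example, not code from BleepingComputer, AVAST or Farbar, that pulls those markers out of the log text so they can be reviewed in one place. The sample lines are constructed by copying entries from the logs posted in this thread; the `Finding` type, the function names and the reading of `[X]` as "referenced file not found" are this example's own assumptions.

```python
"""Triage helper for aswMBR and FRST scan logs (added example, not an
AVAST, Farbar or BleepingComputer tool).  It extracts the lines a malware
helper would act on from the raw log text."""
import re
from collections import Counter
from dataclasses import dataclass, field

# aswMBR reports a detection as:  <time>    File: <path>  **INFECTED** <verdict>
ASWMBR_INFECTED = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+File:\s+(?P<path>.+?)\s+"
    r"\*\*INFECTED\*\*\s+(?P<verdict>\S+)"
)
# FRST appends "<======= ATTENTION" to browser policy restrictions it finds.
FRST_ATTENTION = re.compile(r"<=+\s*ATTENTION\s*$")
# FRST tags an entry "[X]" when the file it points at is not found
# (assumed reading of the marker for this example).
FRST_MISSING = re.compile(r"\[X\]\s*$")
# Folders named with a bare GUID under the user profile, as in this thread.
GUID_DIR = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    source: str            # "aswMBR" or "FRST"
    kind: str              # "infected", "policy-restriction", "missing-file"
    detail: str            # the entry with the marker stripped
    path: str = field(default="")   # file path, when the line carries one


def triage(lines):
    """Return the flagged entries from an iterable of log lines, in log order."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = ASWMBR_INFECTED.match(line)
        if m:
            findings.append(Finding("aswMBR", "infected",
                                    f"{m['verdict']} {m['path']}", m["path"]))
        elif FRST_ATTENTION.search(line):
            findings.append(Finding("FRST", "policy-restriction",
                                    line.split("<=")[0].strip()))
        elif FRST_MISSING.search(line):
            findings.append(Finding("FRST", "missing-file",
                                    FRST_MISSING.sub("", line).strip()))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"infected": 1, ...}."""
    return dict(Counter(f.kind for f in findings))


def guid_directories(findings):
    """Parent folders of infected files that live in a GUID-named directory."""
    dirs = set()
    for f in findings:
        m = GUID_DIR.search(f.path)
        if f.kind == "infected" and m:
            dirs.add(f.path[:m.end()])
    return sorted(dirs)


# Constructed sample: lines copied from the aswMBR and FRST logs in this thread.
SAMPLE = r"""03:39:58.886    Disk 0 unknown MBR code
04:03:00.024    File: C:\Users\lwyborny\AppData\Local\{94E3A2BF-B04B-CE07-DDD3-EBEFF9BB1777}\uninstall.exe  **INFECTED** Win32:Malware-gen
04:50:33.666    Scan finished successfully
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S1 kssdhbth; \??\C:\WINDOWS\system32\drivers\kssdhbth.sys [X]
HKLM-x32\...\Run: [] => [X]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
"""

if __name__ == "__main__":
    results = triage(SAMPLE.splitlines())
    for r in results:
        print(f"[{r.source}] {r.kind}: {r.detail}")
    print("summary:", summarize(results))
    print("GUID folders to inspect:", guid_directories(results))
```

Run it against a saved `aswMBR.txt` or `FRST.txt` by passing `open(path, encoding="utf-8", errors="replace")` to `triage()`; the normal, untouched entries (the Defender service line in the sample) produce no output, so what remains is the short list the helper actually needs to look at.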

#3 lwyborny

lwyborny
  • Topic Starter

  • Members
  • 4 posts

Posted 17 October 2015 - 10:50 AM

Thanks for your help!


Since neither program deleted that folder, I deleted it manually (the folder: {94E3A2BF-B04B-CE07-DDD3-EBEFF9BB1777}). I still have redirects; I don't know about DNSunlocker yet, as it has not come up yet (previously, it would only come up occasionally).


Malwarebytes did not find anything (I have been running it already), but here is the run log (by the way, I ran rkill beforehand to give these programs a greater chance; the rkill log is at the very end):


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/17/2015
Scan Time: 10:28 AM
Logfile: malwarebytes10_17.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.10.17.03
Rootkit Database: v2015.10.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: lwyborny

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323919
Time Elapsed: 26 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

I also ran Farbar, and here is the run log, followed by the Addition log:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-10-2015
Ran by lwyborny (administrator) on WYBORNYPC (17-10-2015 11:19:53)
Running from C:\Users\lwyborny\Desktop\Farbar
Loaded Profiles: lwyborny (Available Profiles: lwyborny)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Rosetta Stone Ltd.) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Hewlett-Packard ) C:\Program Files\IDT\WDM\Beats64.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP ENVY 5530 series\Bin\ScanToPCActivationApp.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteUser.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BeatsOSDApp] => C:\Program Files\IDT\WDM\beats64.exe [37888 2012-08-10] (Hewlett-Packard )
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-08-10] (IDT, Inc.)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-02] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\...\Run: [HP ENVY 5530 series (NET)] => C:\Program Files\HP\HP ENVY 5530 series\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
Startup: C:\Users\lwyborny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - .lnk [2015-05-09]
ShortcutTarget: Monitor Ink Alerts - .lnk -> C:\Program Files\HP\HP ENVY 5530 series\Bin\HPStatusBL.dll (Hewlett-Packard Development Company, LP)
Startup: C:\Users\lwyborny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP ENVY 5530 series.lnk [2015-10-05]
ShortcutTarget: Monitor Ink Alerts - HP ENVY 5530 series.lnk -> C:\Program Files\HP\HP ENVY 5530 series\Bin\HPStatusBL.dll (Hewlett-Packard Development Company, LP)
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{DC93B5D7-FDD7-4016-ACF9-A6F9A86B5F34}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK13/1
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aol.com/
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK13/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {6586d803-df30-46d3-a89a-4136c8571d45} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {7B5F59CD-4BFB-4C7F-9929-F24E1715EA82} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {7B5F59CD-4BFB-4C7F-9929-F24E1715EA82} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {7B5F59CD-4BFB-4C7F-9929-F24E1715EA82} URL =
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
Toolbar: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-05-11] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2255686064-2195310188-3974504392-1001: @fuze.com/Fuze,platform=x64,version=15.08.24680.0 -> C:\Users\lwyborny\AppData\Local\FuzeBox\Fuze\x64\npfuzex64.dll [2015-08-24] (FuzeBox)
FF Plugin HKU\S-1-5-21-2255686064-2195310188-3974504392-1001: @fuze.com/Fuze,platform=x86,version=15.08.24680.0 -> C:\Users\lwyborny\AppData\Local\FuzeBox\Fuze\npfuzex86.dll [2015-08-24] (FuzeBox)

Chrome:
=======
CHR Profile: C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-25]
CHR Extension: (Google Search) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-25]
CHR Extension: (uBlock) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\epcnnfbjfcgphgdmggkamkmgojdagdnn [2015-07-03]
CHR Extension: (Fuze on Chrome™) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcehcblfpidimbihdfophhhdejckolgh [2015-09-12]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-27]
CHR Extension: (Google Wallet) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-25]
CHR Extension: (Gmail) - C:\Users\lwyborny\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-25]
CHR HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kcehcblfpidimbihdfophhhdejckolgh] - hxxps://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome - chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 HPConnectedRemote; c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35232 2012-08-29] (Hewlett-Packard)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [321536 2012-08-10] (IDT, Inc.) [File not signed]
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-10-03] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 netr28x; C:\Windows\system32\DRIVERS\netr28x.sys [2512016 2014-06-13] (MediaTek Inc.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S1 kssdhbth; \??\C:\WINDOWS\system32\drivers\kssdhbth.sys [X]
U3 aswMBR; \??\C:\Users\lwyborny\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\lwyborny\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-17 11:19 - 2015-10-17 11:19 - 00000000 ____D C:\FRST
2015-10-17 11:05 - 2015-10-17 11:19 - 00000000 ____D C:\Users\lwyborny\Desktop\Farbar
2015-10-17 11:02 - 2015-10-17 11:03 - 02196992 _____ (Farbar) C:\Users\lwyborny\Downloads\FRST64.exe
2015-10-17 10:58 - 2015-10-17 10:58 - 00001057 _____ C:\Users\lwyborny\Desktop\malwarebytes10_17.txt
2015-10-17 08:36 - 2015-10-17 08:36 - 00003107 _____ C:\Users\lwyborny\Desktop\aswMBR.txt
2015-10-17 08:36 - 2015-10-17 08:36 - 00000512 _____ C:\Users\lwyborny\Desktop\MBR.dat
2015-10-17 00:37 - 2015-10-17 02:05 - 00000000 ____D C:\WINDOWS\pss
2015-10-16 23:57 - 2015-10-16 23:58 - 00002490 _____ C:\Users\lwyborny\Desktop\FSS.txt
2015-10-16 22:24 - 2015-09-15 08:20 - 00450832 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20151016-222418.backup
2015-10-16 20:48 - 2015-10-17 10:25 - 00003506 _____ C:\Users\lwyborny\Desktop\Rkill.txt
2015-10-14 15:17 - 2015-09-18 23:18 - 00035384 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2015-10-14 15:17 - 2015-09-18 09:42 - 01290752 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-10-14 15:17 - 2015-09-18 09:42 - 01163776 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-10-14 15:17 - 2015-09-18 09:42 - 00766464 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-10-14 15:17 - 2015-09-18 09:42 - 00699904 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-10-14 15:17 - 2015-09-18 09:42 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-10-14 15:17 - 2015-09-18 09:42 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-10-13 18:17 - 2015-08-26 22:43 - 22372152 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2015-10-13 18:17 - 2015-08-26 22:42 - 19795904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2015-10-13 18:17 - 2015-08-07 17:40 - 01134752 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2015-10-13 18:17 - 2015-08-07 17:40 - 00686960 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2015-10-13 18:17 - 2015-08-07 17:40 - 00507176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2015-10-13 18:17 - 2015-08-07 10:13 - 00862720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2015-10-13 18:17 - 2015-08-06 12:47 - 04710400 _____ (Microsoft Corporation) C:\WINDOWS\system32\d2d1.dll
2015-10-13 18:17 - 2015-08-06 12:18 - 04068352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d2d1.dll
2015-10-13 18:16 - 2015-09-29 08:31 - 07457624 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-10-13 18:16 - 2015-09-29 08:31 - 01658536 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2015-10-13 18:16 - 2015-09-29 08:31 - 01519592 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2015-10-13 18:16 - 2015-09-29 08:31 - 01487008 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2015-10-13 18:16 - 2015-09-29 08:31 - 01355848 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2015-10-13 18:16 - 2015-09-24 12:42 - 00348672 _____ (Microsoft Corporation) C:\WINDOWS\system32\bdesvc.dll
2015-10-13 18:16 - 2015-09-24 12:40 - 00737280 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
2015-10-13 18:16 - 2015-09-10 14:02 - 25851392 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-10-13 18:16 - 2015-09-10 13:19 - 00585728 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-10-13 18:16 - 2015-09-10 13:18 - 02886656 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-10-13 18:16 - 2015-09-10 13:18 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-10-13 18:16 - 2015-09-10 13:14 - 05990400 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-10-13 18:16 - 2015-09-10 13:09 - 20358144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-10-13 18:16 - 2015-09-10 13:06 - 00616960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-10-13 18:16 - 2015-09-10 13:04 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-10-13 18:16 - 2015-09-10 12:51 - 00489984 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtmsft.dll
2015-10-13 18:16 - 2015-09-10 12:39 - 00504832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-10-13 18:16 - 2015-09-10 12:37 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-10-13 18:16 - 2015-09-10 12:37 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-10-13 18:16 - 2015-09-10 12:35 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-10-13 18:16 - 2015-09-10 12:33 - 02279936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-10-13 18:16 - 2015-09-10 12:28 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-10-13 18:16 - 2015-09-10 12:28 - 00480256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2015-10-13 18:16 - 2015-09-10 12:27 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-10-13 18:16 - 2015-09-10 12:24 - 14456832 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-10-13 18:16 - 2015-09-10 12:21 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-10-13 18:16 - 2015-09-10 12:19 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-10-13 18:16 - 2015-09-10 12:19 - 00720896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-10-13 18:16 - 2015-09-10 12:19 - 00374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-10-13 18:16 - 2015-09-10 12:17 - 02126336 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-10-13 18:16 - 2015-09-10 12:17 - 00416256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtmsft.dll
2015-10-13 18:16 - 2015-09-10 12:07 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-10-13 18:16 - 2015-09-10 12:05 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-10-13 18:16 - 2015-09-10 12:02 - 04527616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-10-13 18:16 - 2015-09-10 12:01 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-10-13 18:16 - 2015-09-10 12:00 - 12853760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-10-13 18:16 - 2015-09-10 11:57 - 02487808 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-10-13 18:16 - 2015-09-10 11:57 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-10-13 18:16 - 2015-09-10 11:55 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-10-13 18:16 - 2015-09-10 11:55 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-10-13 18:16 - 2015-09-10 11:55 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-10-13 18:16 - 2015-09-10 11:45 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-10-13 18:16 - 2015-09-10 11:34 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-10-13 18:16 - 2015-09-10 11:31 - 02011136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-10-13 18:16 - 2015-09-10 11:27 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-10-13 18:16 - 2015-09-10 11:26 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-10-13 18:16 - 2015-08-07 17:40 - 01736520 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-10-13 18:16 - 2015-08-07 17:40 - 01499920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-10-13 18:16 - 2015-08-06 13:05 - 00669184 _____ (Microsoft Corporation) C:\WINDOWS\system32\hhctrl.ocx
2015-10-13 18:16 - 2015-08-06 12:37 - 00536576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hhctrl.ocx
2015-10-13 18:15 - 2015-09-29 08:29 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-10-13 18:15 - 2015-09-28 14:45 - 03705344 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-10-13 18:15 - 2015-09-28 14:26 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-10-13 18:15 - 2015-09-28 14:25 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-10-13 18:15 - 2015-09-28 14:25 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-10-13 18:15 - 2015-09-28 14:25 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-10-13 18:15 - 2015-09-28 14:22 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-10-13 18:15 - 2015-09-28 14:22 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-10-13 18:15 - 2015-09-28 14:22 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-10-13 18:15 - 2015-09-28 14:15 - 02243072 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-10-13 18:15 - 2015-09-28 14:13 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-10-13 18:15 - 2015-09-28 14:12 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00901264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00066400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00022368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00019808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00016224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00015712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00014176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00013664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:42 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00984448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00063840 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-private-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00020832 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-math-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00019808 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-string-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00016224 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00015712 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00014176 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-time-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00013664 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-process-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-10-13 18:15 - 2015-08-22 09:35 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-10-13 18:15 - 2015-07-16 14:58 - 00074752 _____ (Microsoft Corporation) C:\WINDOWS\system32\NcdAutoSetup.dll
2015-10-04 10:10 - 2015-10-16 22:37 - 00000000 ____D C:\AdwCleaner
2015-10-04 10:09 - 2015-10-04 10:09 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\lwyborny\Downloads\rkill.com
2015-09-30 01:58 - 2015-10-17 10:26 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-09-30 01:58 - 2015-10-16 20:48 - 00001080 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-09-30 01:58 - 2015-10-16 20:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-09-30 01:58 - 2015-10-16 20:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-09-30 01:58 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-09-30 01:58 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-09-30 01:58 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2015-09-30 01:58 - 2015-09-30 01:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-09-30 01:54 - 2015-09-30 01:57 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\lwyborny\Downloads\mbam-setup-2.1.8.1057.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-17 11:02 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-10-17 10:18 - 2014-10-02 22:35 - 02092221 _____ C:\WINDOWS\WindowsUpdate.log
2015-10-17 10:08 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-10-17 08:50 - 2013-02-24 20:51 - 00003942 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{D182B0C6-6314-4D00-99E0-43E59A7755F7}
2015-10-17 02:19 - 2015-01-17 16:34 - 00008252 _____ C:\WINDOWS\setupact.log
2015-10-17 02:19 - 2014-08-22 10:00 - 00000384 _____ C:\WINDOWS\Tasks\DriverToolkit Autorun.job
2015-10-17 02:19 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-10-17 02:06 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-10-17 00:31 - 2015-04-18 13:09 - 00000000 ____D C:\Users\lwyborny\AppData\Local\HP
2015-10-17 00:24 - 2014-03-18 06:03 - 00956476 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-10-16 20:59 - 2013-02-24 20:56 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2255686064-2195310188-3974504392-1001
2015-10-16 12:31 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\rescache
2015-10-16 11:40 - 2014-12-10 19:08 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-10-16 11:40 - 2014-07-13 09:25 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2015-10-16 11:40 - 2013-08-22 11:36 - 00000000 ___RD C:\WINDOWS\ToastData
2015-10-15 16:59 - 2015-07-21 13:27 - 00003886 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2015-10-15 16:58 - 2015-07-21 13:27 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-10-15 14:05 - 2012-07-26 03:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-10-14 14:20 - 2013-02-27 20:30 - 00000052 _____ C:\WINDOWS\SysWOW64\DOErrors.log
2015-10-13 18:32 - 2013-08-14 17:44 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-10-13 18:26 - 2013-02-25 22:30 - 143481208 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-10-12 13:20 - 2015-08-31 01:09 - 00075264 ___SH C:\Users\lwyborny\Downloads\Thumbs.db
2015-10-06 17:49 - 2015-04-04 06:16 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-10-05 13:39 - 2015-04-04 06:16 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-10-04 10:31 - 2014-03-18 05:54 - 00740796 _____ C:\WINDOWS\PFRO.log
2015-10-04 09:03 - 2014-07-09 15:00 - 00003184 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForlwyborny
2015-10-04 09:03 - 2014-07-09 15:00 - 00000364 _____ C:\WINDOWS\Tasks\HPCeeScheduleForlwyborny.job
2015-10-02 10:24 - 2015-03-11 20:33 - 00810488 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-10-02 10:24 - 2015-03-11 20:33 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-09-20 11:34 - 2014-10-02 22:22 - 00000000 ____D C:\Users\lwyborny

==================== Files in the root of some directories =======

2015-06-15 19:01 - 2015-08-13 13:52 - 0000024 _____ () C:\Users\lwyborny\AppData\Roaming\appdataFr25.bin
2015-05-05 19:56 - 2015-05-05 19:56 - 0000020 _____ () C:\Users\lwyborny\AppData\Roaming\appdataFr3.bin
2015-08-14 02:41 - 2015-09-02 06:41 - 0000142 _____ () C:\Users\lwyborny\AppData\Roaming\WB.CFG
2015-05-10 10:52 - 2015-05-10 10:53 - 0000806 _____ () C:\Users\lwyborny\AppData\Local\Temp-log.txt
2015-04-18 13:10 - 2015-04-18 13:10 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-02-24 20:50 - 2013-02-24 20:50 - 0000141 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-17 10:32

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:17-10-2015
Ran by lwyborny (2015-10-17 11:20:58)
Running from C:\Users\lwyborny\Desktop\Farbar
Windows 8.1 (X64) (2014-10-03 12:40:47)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2255686064-2195310188-3974504392-500 - Administrator - Disabled)
Guest (S-1-5-21-2255686064-2195310188-3974504392-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2255686064-2195310188-3974504392-1005 - Limited - Enabled)
lwyborny (S-1-5-21-2255686064-2195310188-3974504392-1001 - Administrator - Enabled) => C:\Users\lwyborny

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20069 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 4.0.0.1390 - Adobe Systems Incorporated)
Alcor Micro USB Card Reader Driver  (HKLM-x32\...\AmUStor) (Version: 20.21.3317.03861 - Alcor Micro Corp.)
Alcor Micro USB Card Reader Driver  (x32 Version: 20.21.3317.03861 - Alcor Micro Corp.) Hidden
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Build-a-lot 4 - Power Source (x32 Version: 2.2.0.98 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.1.5510 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.1.1916 - CyberLink Corp.)
CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{4862344A-A39C-4897-ACD4-A1BED5163C5A}) (Version: 2.0.1.3109 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.1.1902 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.5.3414 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.1.4319 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
FATE: The Cursed King (x32 Version: 2.2.0.97 - WildTangent) Hidden
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
FlatOut 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Fuze (per-user) (HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\...\{e4a25610-f827-43d4-8406-2e29554bafd2}) (Version: 15.8.24680.0 - FuzeBox)
Fuze (per-user) (Version: 15.08.24680.0 - FuzeBox) Hidden
Google Chrome (HKLM-x32\...\{B9A82C41-4F48-3C15-8A84-1A84582BE03E}) (Version: 66.88.49307 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.28.1 - Google Inc.) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: v1.0 - Meridian Audio Ltd)
HP Connected Remote (HKLM-x32\...\{F243A34B-AB7F-4065-B770-B85B767C247C}) (Version: 1.0.1206 - Hewlett-Packard)
HP ENVY 5530 series Basic Device Software (HKLM\...\{FE11AA0F-756F-4879-97A0-B1705E2DCABE}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP ENVY 5530 series Help (HKLM-x32\...\{97EAE055-1BE8-4775-8101-453E9715EC3F}) (Version: 30.0.0 - Hewlett Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.3.0 - WildTangent)
HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Quick Start (HKLM-x32\...\{574F0207-8E98-46CD-8F79-318348C98C46}) (Version: 1.0.4660.30220 - Hewlett-Packard)
HP Registration Service (HKLM\...\{E4D6CCF2-0AAF-4B9C-9DE5-893EDC9B4BAA}) (Version: 1.0.5976.4186 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}) (Version: 7.4.45.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 12.00.0000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6418.0 - IDT)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mahjongg Dimensions Deluxe: Tiles in Time (x32 Version: 2.2.0.98 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mortimer Beckett and the Crimson Thief Premium Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
Product Improvement Study for HP ENVY 5530 series (HKLM\...\{2EC3E3B8-797A-47FD-B3A2-574C96597A19}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
Ralink RT5390R 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.48.0 - Mediatek)
Recovery Manager (x32 Version: 5.5.0.5530 - CyberLink Corp.) Hidden
Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Rosetta Stone audio optimizer (HKLM-x32\...\com.rosettastone.RosettaStoneAudioOptimizer) (Version: 1.0.5 - Rosetta Stone, Ltd)
Rosetta Stone audio optimizer (x32 Version: 1.0.5 - Rosetta Stone, Ltd) Hidden
Rosetta Stone Ltd Services (HKLM-x32\...\{3165E4A6-D5DE-46B0-8597-D55E2B826B84}) (Version: 3.2.21 - Rosetta Stone Ltd.)
Rosetta Stone TOTALe (HKLM-x32\...\{6B6BC189-D606-4BC7-9758-E6C364F76A55}) (Version: 4.5.5.0 - Rosetta Stone, Ltd)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 2.2.0.98 - WildTangent) Hidden
WildTangent Games App (x32 Version: 4.0.9.6 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001_Classes\CLSID\{4787082E-1BB0-4790-8346-4BA408818450}\InprocServer32 -> C:\Users\lwyborny\AppData\Local\FuzeBox\Fuze\x64\npfuzex64.dll (FuzeBox)
CustomCLSID: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001_Classes\CLSID\{CFF3F401-4DA6-48BE-9F16-6066CFA9374C}\InprocServer32 -> C:\Users\lwyborny\AppData\Local\FuzeBox\Fuze\x64\npfuzex64.dll (FuzeBox)

==================== Restore Points =========================

29-09-2015 03:26:31 Scheduled Checkpoint
05-10-2015 13:38:56 Windows Update
13-10-2015 18:23:33 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2015-10-16 22:24 - 00450832 ___RA C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 15467 more lines.

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {03FF8A62-FAFB-4E09-AEF8-BDA60C1A0B62} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {20482FA2-AFD8-47DC-871D-8C7AE4B6BF81} - System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => C:\Windows\system32\CompatTelRunner.exe [2015-09-18] (Microsoft Corporation)
Task: {2B53DE7A-3269-4F78-92CD-6B4A2892E1D2} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {384F13FE-392C-4544-9EE4-ADD93A8D317D} - System32\Tasks\DriverToolkit Autorun => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: {3A322CDC-6496-464D-B195-BBE82260F736} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-10-13] (Microsoft Corporation)
Task: {6A9BEB2A-A565-4F0A-8C3F-6E2C9BD44701} - System32\Tasks\HPCustParticipation HP ENVY 5530 series => C:\Program Files\HP\HP ENVY 5530 series\Bin\HPCustPartic.exe [2014-07-21] (Hewlett-Packard Development Company, LP)
Task: {A3CDCC39-D137-490B-9393-2CF0C98DFA93} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-09-14] (Adobe Systems Incorporated)
Task: {BE4DAA7A-B477-4A92-82AB-FD166A59BB07} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {D6049EF6-96CC-4C06-934A-556E51E654E5} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_CN51R4668J05XT => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2015-08-27] (Hewlett-Packard)
Task: {D76F2896-0F4F-43A2-A34B-0C186B5FD966} - System32\Tasks\{814682BD-814C-4C27-9B34-5B6AAA074382} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
Task: {DF77FAEB-62A2-4B73-BF61-FFA706EF131F} - System32\Tasks\HPCeeScheduleForlwyborny => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {E64D1AC5-5309-4072-9E4E-9AF471BD6798} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2015-08-27] (Hewlett-Packard)
Task: {E9D6E9E6-00EE-4F4C-8908-2AC2D4930D67} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {ED6AF730-D400-4D6F-9DC7-90D8D2FBC428} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {FC71AD0B-A3DC-410E-A3EA-A31FBAD0FC38} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\DriverToolkit Autorun.job => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForlwyborny.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (Whitelisted) ==============

2012-08-29 13:02 - 2012-08-29 13:02 - 00120224 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPItunesModule.dll
2012-08-29 13:02 - 2012-08-29 13:02 - 00048544 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPItunesProxy.dll
2012-08-29 13:02 - 2012-08-29 13:02 - 00180224 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\zxing.dll
2014-10-03 08:41 - 2014-10-03 08:41 - 00120224 _____ () C:\Users\lwyborny\AppData\Local\assembly\dl3\VOGRBXNJ.4N5\EM084KRA.Z54\6a9bb051\00ef7209_0886cd01\HPItunesModule.DLL
2015-09-15 07:55 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-09-15 07:55 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-09-15 07:55 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2015-09-15 07:55 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2015-09-15 07:55 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-10-12 21:56 - 2012-06-07 23:34 - 00627216 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2012-06-08 14:34 - 2012-06-08 14:34 - 00016400 _____ () c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2015-08-14 02:53 - 2015-08-07 20:13 - 01405768 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.155\libglesv2.dll
2015-08-14 02:53 - 2015-08-07 20:13 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.155\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 15751 more restricted sites.

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\web\wallpaper\HP\HP_Svinoya_Norway_Sunset.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{C278A18E-F71B-4259-9A8E-0D2FCFA32CC5}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
FirewallRules: [{C227A831-63B1-46D6-88C3-644C3DA7C59B}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
FirewallRules: [{5810AD80-DE4C-49B6-9E25-7FE7011E6367}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
FirewallRules: [{7613B8B5-D268-4959-A95B-2FC974E0D04B}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
FirewallRules: [{A46347AA-839A-4F55-882F-5AB00CFEBA8B}] => (Allow) LPort=1900
FirewallRules: [{0C5D8854-292E-4D4E-8ED5-ED3EBE8DFDDE}] => (Allow) LPort=2869
FirewallRules: [{91ACFB42-524E-48EE-91A3-63904C83C9BD}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{230E7926-21C7-48DE-9016-626BCA4B8E51}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE
FirewallRules: [{1735F3A8-4136-467A-8363-329822808496}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{51468B03-8E99-4E38-8E86-C1B4AD58DC35}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0272C28D-1AE9-4CAD-8C30-7CD5D9B15BAB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{71367491-1ADE-41BC-8A65-B28F34C44ED9}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F4A080D1-CE77-4E41-8B0A-1994A1A8A82F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{C9DE3AD2-F484-4889-B96F-A9F42670B6E7}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{5566680D-116B-4232-8979-9AAFADBE50E8}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [TCP Query User{3EC65E83-D9A1-4E26-98E6-5B69F321DD16}C:\users\lwyborny\appdata\local\fuzebox\fuze\fuze.exe] => (Allow) C:\users\lwyborny\appdata\local\fuzebox\fuze\fuze.exe
FirewallRules: [UDP Query User{9B7F8D48-637C-4709-A1E9-3282D9115713}C:\users\lwyborny\appdata\local\fuzebox\fuze\fuze.exe] => (Allow) C:\users\lwyborny\appdata\local\fuzebox\fuze\fuze.exe
FirewallRules: [{03D21033-19E7-446E-9BDB-A5CC6AB93E3D}] => (Allow) C:\Program Files\HP\HP ENVY 5530 series\Bin\DeviceSetup.exe
FirewallRules: [{D5BF3853-9E7C-4C74-AD7A-74727DB35112}] => (Allow) LPort=5357
FirewallRules: [{C60F064D-5583-44FD-97C3-FEA142D79EC1}] => (Allow) C:\Program Files\HP\HP ENVY 5530 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{4428926F-A244-46F8-B1BC-9D0EB5D23DE9}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{E4C50FD5-B9C4-41E8-80BD-48A7C443A3F3}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{C86E78B7-8343-4823-8E8A-19987B1F6379}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
FirewallRules: [{EC29EFA3-0265-42B6-A964-97EAFFF323D2}] => (Allow) LPort=53000
FirewallRules: [{9C6F6E90-965E-4198-B937-415F9ED1E607}] => (Allow) LPort=52000
FirewallRules: [{3D551876-00E6-45D4-AC48-135FCD6AE0C0}] => (Allow) C:\Users\lwyborny\Desktop\Farbar\FRST64.exe
FirewallRules: [{F0764DA3-BEB3-4174-A1BF-C273945719AA}] => (Allow) C:\Users\lwyborny\Desktop\Farbar\FRST64.exe
FirewallRules: [{EF7D7DE2-BC52-451C-96DE-477A41188E9E}] => (Allow) C:\Users\lwyborny\Desktop\Farbar\FRST64.exe
FirewallRules: [{465604BC-56D3-415F-885A-E94F66EB5633}] => (Allow) C:\Users\lwyborny\Desktop\Farbar\FRST64.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/17/2015 11:04:28 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WybornyPC)
Description: Activation of app Microsoft.BingSports_8wekyb3d8bbwe!AppexSports failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (10/17/2015 10:19:28 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WybornyPC)
Description: Activation of app Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (10/17/2015 10:06:29 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17840 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d3c

Start Time: 01d108dae608e715

Termination Time: 218

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 3fdadbbb-74d8-11e5-bee5-6894238020d1

Faulting package full name:

Faulting package-relative application ID:

Error: (10/17/2015 10:04:28 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WybornyPC)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (10/17/2015 09:36:07 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmamain.exe version 1.5.0.41 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13c4

Start Time: 01d108e0bcca5c2a

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\SymantecCorporation.NortonStudio_1.5.0.41_x86__v68kp9n051hdp\mmamain.exe

Report Id: 040d50e3-74d4-11e5-bee5-6894238020d1

Faulting package full name: SymantecCorporation.NortonStudio_1.5.0.41_x86__v68kp9n051hdp

Faulting package-relative application ID: App

Error: (10/17/2015 09:36:06 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: WybornyPC)
Description: App SymantecCorporation.NortonStudio_1.5.0.41_x86__v68kp9n051hdp+App did not launch within its allotted time.

Error: (10/17/2015 09:35:49 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: WybornyPC)
Description: App SymantecCorporation.NortonStudio_1.5.0.41_x86__v68kp9n051hdp+App did not launch within its allotted time.

Error: (10/17/2015 09:04:27 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WybornyPC)
Description: Activation of app Microsoft.BingSports_8wekyb3d8bbwe!AppexSports failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (10/17/2015 08:19:27 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WybornyPC)
Description: Activation of app Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (10/17/2015 08:04:28 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WybornyPC)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

System errors:
=============
Error: (10/17/2015 11:24:54 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (10/17/2015 10:55:01 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (10/17/2015 10:54:31 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (10/17/2015 10:45:42 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (10/17/2015 10:45:12 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (10/17/2015 10:33:35 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (10/17/2015 10:33:05 AM) (Source: DCOM) (EventID: 10010) (User: WybornyPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (10/17/2015 02:21:54 AM) (Source: Schannel) (EventID: 4102) (User: NT AUTHORITY)
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

Error: (10/17/2015 02:21:46 AM) (Source: Schannel) (EventID: 4102) (User: NT AUTHORITY)
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

Error: (10/17/2015 02:21:42 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%2

CodeIntegrity:
===================================
  Date: 2015-07-21 13:17:48.865
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-21 13:17:48.522
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:46.145
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:45.848
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:45.645
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:45.473
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:45.285
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:44.754
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:44.457
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-07-06 06:57:44.192
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

==================== Memory info ===========================

Processor: AMD A8-5500 APU with Radeon™ HD Graphics
Percentage of memory in use: 45%
Total physical RAM: 5527.51 MB
Available physical RAM: 3022.77 MB
Total Virtual: 6423.51 MB
Available Virtual: 3532.73 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:910.21 GB) (Free:849.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Recovery Image) (Fixed) (Total:19.38 GB) (Free:2.39 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 25EACC31)

Partition: GPT.

==================== End of Addition.txt ============================
Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/17/2015 10:25:31 AM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:


  20 out of 15494 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 10/17/2015 10:25:47 AM
Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)
#4 lwyborny

lwyborny
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 17 October 2015 - 11:10 AM

One change I made looking at the log files.  When I was trying to run Farbar, and it would not, I went to the Windows firewall and allowed it.  I noticed that Bonjour was there and I unchecked the box for that.  I see that when Farbar ran, it showed that the Bonjour program was still allowed.  I went back and removed it altogether. 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 PM

Posted 18 October 2015 - 08:11 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {7B5F59CD-4BFB-4C7F-9929-F24E1715EA82} URL =
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
Toolbar: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S1 kssdhbth; \??\C:\WINDOWS\system32\drivers\kssdhbth.sys [X]
U3 aswMBR; \??\C:\Users\lwyborny\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\lwyborny\AppData\Local\Temp\aswVmm.sys [X]
C:\Users\lwyborny\AppData\Roaming\appdataFr25.bin
C:\Users\lwyborny\AppData\Roaming\appdataFr3.bin
C:\ProgramData\Ament.ini

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How is the computer running now?

#6 lwyborny

lwyborny
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 18 October 2015 - 11:42 AM

I deleted the explorer cache and did the reset.


The results of the Farbar fix are copied in below.  I will do the adwcleaner clean later as I need to run (although I have been running it already, but I am not sure what to fix with it so would appreciate your help).  But the computer seems faster and I have not yet had a redirect in the last several minutes!  I will finish the work later on today.


Lester


Fix result of Farbar Recovery Scan Tool (x64) Version:17-10-2015
Ran by lwyborny (2015-10-18 12:25:29) Run:1
Running from C:\Users\lwyborny\Desktop\Farbar
Loaded Profiles: lwyborny (Available Profiles: lwyborny)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {7B5F59CD-4BFB-4C7F-9929-F24E1715EA82} URL =
SearchScopes: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
Toolbar: HKU\S-1-5-21-2255686064-2195310188-3974504392-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S1 kssdhbth; \??\C:\WINDOWS\system32\drivers\kssdhbth.sys [X]
U3 aswMBR; \??\C:\Users\lwyborny\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\lwyborny\AppData\Local\Temp\aswVmm.sys [X]
C:\Users\lwyborny\AppData\Roaming\appdataFr25.bin
C:\Users\lwyborny\AppData\Roaming\appdataFr3.bin
C:\ProgramData\Ament.ini

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}" => key removed successfully
HKCR\Wow6432Node\CLSID\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} => key not found.
"HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7B5F59CD-4BFB-4C7F-9929-F24E1715EA82}" => key removed successfully
HKCR\CLSID\{7B5F59CD-4BFB-4C7F-9929-F24E1715EA82} => key not found.
"HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8CDE19E6-71C2-4B46-89B7-35F6A18C571A}" => key removed successfully
HKCR\CLSID\{8CDE19E6-71C2-4B46-89B7-35F6A18C571A} => key not found.
HKU\S-1-5-21-2255686064-2195310188-3974504392-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
gupdate => service removed successfully
gupdatem => service removed successfully
kssdhbth => service removed successfully
aswMBR => service not found.
aswVmm => service not found.
C:\Users\lwyborny\AppData\Roaming\appdataFr25.bin => moved successfully
C:\Users\lwyborny\AppData\Roaming\appdataFr3.bin => moved successfully
C:\ProgramData\Ament.ini => moved successfully
EmptyTemp: => 1.7 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 12:28:08 ====



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 PM

Posted 24 October 2015 - 08:52 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 PM

Posted 30 October 2015 - 09:29 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.