
Unable to get rid of C\Windows\SysWOW64\_WKERNEL.syl.vir


This topic is locked
25 replies to this topic

#1 tadpole90 (Members, 27 posts)

Posted 21 October 2015 - 09:57 AM

Hello,

I am running Windows 7 Home Premium and mainly use IE11 for browsing. My Malwarebytes and Spybot do not find C\Windows\SysWOW64\_WKERNEL.syl.vir, but ComboFix does. (Sorry, I had already run it before I came to your site and read NOT to run it.) It deletes this file, but within a few days it is back again. After deleting the file I flush my restore points, but it still comes back.


Here is the FRST.txt. Thank you.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:18-10-2015
Ran by user (administrator) on TADPOLE (21-10-2015 16:41:35)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Strong Technology, LLC.) C:\Program Files (x86)\StrongVPN\StrongDial.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Strong Technology, LLC.) C:\Program Files (x86)\StrongVPN\StrongService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\...\Run: [StrongVPN Client] => C:\Program Files (x86)\StrongVPN\StrongDial.exe [1504952 2015-04-06] (Strong Technology, LLC.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4}: [NameServer] 196.22.218.248,209.203.1.208
Tcpip\..\Interfaces\{C7A97DE5-5203-48E4-9826-C6D598E0FF20}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hotmail.com/
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1180291194-1577208311-465283933-1000 -> {F71159F7-0846-4FF4-B422-545A46CEE251} URL =
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [SDCapture@SDDownloadManager.com] - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture
FF Extension: SDCapture - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture [2015-02-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF Extension: Wondershare Video Converter Ultimate - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com [2015-08-23] [not signed]
FF HKU\S-1-5-21-1180291194-1577208311-465283933-1000\...\Firefox\Extensions: [SDCapture@SDDownloadManager.com] - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture

Chrome:
=======
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-21]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
S3 DfSdkS; C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer Free\Dfsdks.exe [544768 2009-08-24] (mst software GmbH, Germany) [File not signed]
R2 iprip; C:\Windows\System32\iprip.dll [35328 2009-07-14] (Microsoft Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
S3 lxebCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe [33960 2009-04-24] (Lexmark International, Inc.)
S3 lxeb_device; C:\Windows\system32\lxebcoms.exe [1032360 2009-04-24] ( )
S3 lxeb_device; C:\Windows\SysWOW64\lxebcoms.exe [602792 2009-04-24] ( )
S2 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272688 2012-08-23] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-11-23] (Realtek Semiconductor)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 StrongVPN Service; C:\Program Files (x86)\StrongVPN\StrongService.exe [103608 2015-04-06] (Strong Technology, LLC.)
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 XLoveFMEManagerWinService; C:\Program Files (x86)\XloveCam\XLoveFMEManager.exe [327680 2013-11-25] () [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3342640 2012-08-23] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S3 AX88772; C:\Windows\System32\DRIVERS\ax88772.sys [59904 2008-11-18] (ASIX Electronics Corp.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28216 2012-12-05] (Intel Corporation)
S3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [42016 2013-11-27] (Visicom Media Inc.)
S3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [35232 2013-12-06] (Visicom Media Inc.)
R0 ntcdrdrv; C:\Windows\System32\DRIVERS\ntcdrdrv.sys [25680 2011-01-06] (NoteBurn Software)
R3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [32136 2012-12-21] (Synaptics Incorporated)
R3 tapstrong; C:\Windows\System32\DRIVERS\tapstrong.sys [38760 2013-11-16] (The OpenVPN Project)
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [47072 2012-10-10] (Windows ® Win 7 DDK provider)
R3 XHCIPort; C:\Windows\System32\DRIVERS\XHCIPort.sys [188896 2012-10-10] (Windows ® Win 7 DDK provider)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 LVPr2M64; system32\DRIVERS\LVPr2M64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-21 16:41 - 2015-10-21 16:41 - 00011343 _____ C:\Users\user\Desktop\FRST.txt
2015-10-21 16:23 - 2015-10-21 16:41 - 00000000 ____D C:\FRST
2015-10-21 16:20 - 2015-10-21 16:23 - 02196992 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe
2015-10-21 15:34 - 2015-10-21 15:34 - 00015593 _____ C:\ComboFix.txt
2015-10-21 15:30 - 2015-10-21 15:30 - 00000558 _____ C:\Windows\PFRO.log
2015-10-21 15:11 - 2015-10-21 15:11 - 00000000 ____D C:\ProgramData\HitmanPro
2015-10-21 15:08 - 2015-10-21 15:08 - 00006627 _____ C:\Users\user\Downloads\midget dump.txt
2015-10-21 15:08 - 2015-10-21 15:08 - 00006627 _____ C:\Users\user\Downloads\fhg_dump_2015_10_21.txt
2015-10-21 14:58 - 2015-10-21 15:18 - 05637184 ____R (Swearware) C:\Users\user\Desktop\ComboFix.exe
2015-10-20 14:29 - 2015-10-21 15:40 - 00000336 _____ C:\Windows\setupact.log
2015-10-20 14:29 - 2015-10-20 14:29 - 00000000 _____ C:\Windows\setuperr.log
2015-10-20 14:28 - 2015-10-21 15:41 - 00002120 _____ C:\Windows\DtcInstall.log
2015-10-20 13:31 - 2015-10-21 15:38 - 00222011 _____ C:\Windows\WindowsUpdate.log
2015-10-19 13:06 - 2015-10-19 13:14 - 00000000 ____D C:\Users\user\Documents\Premium Bonds
2015-10-12 16:49 - 2015-10-12 18:04 - 00000000 ____D C:\Program Files (x86)\Unlocker
2015-10-12 12:53 - 2015-10-12 12:53 - 00000464 _____ C:\Users\user\Desktop\27 Serious Alternatives to eBay for Online Sellers and Buyers.url
2015-10-11 14:05 - 2015-10-11 14:05 - 00001602 _____ C:\Users\user\Desktop\PHP Tutorial for Beginners - Webmonkey.url
2015-10-10 16:43 - 2015-10-10 16:43 - 00001104 _____ C:\Users\user\Downloads\fhg_dump_2015_10_10 (1).txt
2015-10-10 16:00 - 2015-10-10 16:00 - 00006468 _____ C:\Users\user\Downloads\fhg_dump_diapersluts16_2015_10_10.txt
2015-10-10 15:59 - 2015-10-10 15:59 - 00006468 _____ C:\Users\user\Downloads\fhg_dump_2015_10_10.txt
2015-10-10 11:21 - 2015-10-10 11:21 - 00000388 _____ C:\Users\user\Desktop\Rakuten LinkShare.url
2015-10-08 15:29 - 2015-10-08 15:29 - 00000317 _____ C:\Users\user\Desktop\Marketing Automation Blog.url
2015-10-06 17:35 - 2015-10-06 17:35 - 00002015 _____ C:\Users\user\Documents\How to buy a juice extractor.txt
2015-10-06 15:58 - 2015-10-06 15:58 - 00000285 _____ C:\Users\user\Documents\sooperarticles.txt
2015-10-06 15:04 - 2015-10-06 15:04 - 00000245 _____ C:\Users\user\Desktop\Sooper Articles Submit Your Contents and Get Massive Exposure.url
2015-10-05 17:49 - 2015-10-05 17:50 - 00128482 _____ C:\Users\user\Downloads\fhg_dump_2015_10_05.txt
2015-10-04 17:23 - 2015-10-04 17:23 - 00001855 _____ C:\Users\user\Desktop\Online CSS3 Code Generator With a Simple Graphical Interface - EnjoyCSS.url
2015-10-02 14:59 - 2015-10-02 15:00 - 00013824 _____ C:\Users\user\Documents\Goldings orthapedic prices each.xls
2015-10-01 16:45 - 2015-10-01 16:45 - 03148854 _____ C:\Users\user\Documents\A1 freshbooks.bmp
2015-10-01 16:45 - 2015-10-01 16:45 - 03148854 _____ C:\A1 freshbooks.bmp
2015-09-30 10:39 - 2015-09-30 10:39 - 03148854 _____ C:\Users\user\Documents\DNS.bmp
2015-09-29 16:52 - 2015-09-29 17:02 - 00143360 _____ C:\Users\user\Documents\db1.mdb
2015-09-29 16:51 - 2015-09-29 16:51 - 00002643 _____ C:\Users\user\Desktop\Microsoft Office Access 2003.lnk
2015-09-29 16:50 - 2015-09-29 16:50 - 00000000 ____D C:\Windows\PCHEALTH
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (6).htm
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (5).htm
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (4).htm
2015-09-29 13:57 - 2015-09-29 13:57 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (3).htm
2015-09-26 17:54 - 2015-09-26 17:54 - 00000253 _____ C:\Users\user\Desktop\Gallery Scraper Administration.url
2015-09-26 16:51 - 2015-09-26 16:51 - 00000000 ____D C:\Users\user\AppData\LocalLow\Oracle
2015-09-26 16:50 - 2015-09-26 16:51 - 00584288 _____ (Oracle Corporation) C:\Users\user\Downloads\JavaSetup8u60.exe
2015-09-26 16:33 - 2015-09-26 16:33 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (2).htm
2015-09-26 16:33 - 2015-09-26 16:33 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (1).htm
2015-09-26 16:32 - 2015-09-26 16:32 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test.htm
2015-09-26 15:26 - 2015-09-26 15:26 - 00012483 _____ C:\Users\user\Documents\Make transparent soap.txt
2015-09-25 17:50 - 2015-09-25 17:50 - 00000198 _____ C:\Users\user\Desktop\Fetishwealth.url
2015-09-25 15:43 - 2015-09-25 15:43 - 00000253 _____ C:\Users\user\Desktop\Cheapest Scripts.url
2015-09-25 15:23 - 2015-09-26 14:48 - 00000000 ____D C:\Users\user\Downloads\SCRIPTS
2015-09-25 15:10 - 2015-09-25 15:10 - 00001075 _____ C:\Users\user\Documents - Shortcut (2).lnk
2015-09-25 15:09 - 2015-09-25 15:10 - 00618484 _____ C:\Users\user\Downloads\Gallery Scraper script.zip
2015-09-24 18:09 - 2015-09-24 18:09 - 00000717 _____ C:\Users\user\Desktop\Homemade Beauty Recipes.url
2015-09-24 14:52 - 2015-09-24 14:52 - 00000218 _____ C:\Users\user\Desktop\reddit the front page of the internet.url
2015-09-23 15:41 - 2015-09-23 15:42 - 00000000 ____D C:\Users\user\Documents\Recipes
2015-09-23 13:16 - 2015-09-23 13:16 - 00000000 ____D C:\Users\user\Documents\ProcAlyzer Dumps
2015-09-22 15:26 - 2015-09-22 15:30 - 00000000 ____D C:\Users\user\Desktop\Social Media

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-21 16:20 - 2015-08-28 18:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-21 16:05 - 2014-01-03 15:53 - 00000000 ____D C:\Users\user\Documents\Acam pass
2015-10-21 15:52 - 2009-07-14 06:45 - 00028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-21 15:52 - 2009-07-14 06:45 - 00028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-21 15:45 - 2009-07-14 07:13 - 00788478 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-21 15:41 - 2015-08-28 18:53 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-21 15:41 - 2015-08-22 15:43 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-21 15:41 - 2014-09-27 11:14 - 00000000 ____D C:\Users\user\AppData\Roaming\.strongvpn
2015-10-21 15:40 - 2013-12-18 14:55 - 00000000 _____ C:\Windows\system32\Drivers\lvuvc.hs
2015-10-21 15:34 - 2015-07-23 14:20 - 00000000 ____D C:\Qoobox
2015-10-21 15:30 - 2009-07-14 04:34 - 00000273 _____ C:\Windows\system.ini
2015-10-21 15:25 - 2009-07-14 07:08 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-21 15:17 - 2014-07-27 14:55 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-21 13:53 - 2013-12-21 11:40 - 00000000 ____D C:\Users\user\AppData\Local\Apps\2.0
2015-10-21 13:49 - 2013-12-19 10:48 - 00000000 ____D C:\Users\user\AppData\Roaming\Skype
2015-10-21 13:39 - 2013-12-18 15:19 - 00090769 _____ C:\ProgramData\lxebscan.log
2015-10-20 16:35 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-20 14:00 - 2013-06-10 21:09 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-10-20 13:59 - 2015-05-19 12:11 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-20 13:57 - 2013-12-19 13:55 - 00000000 ____D C:\ProgramData\TEMP
2015-10-20 13:56 - 2014-11-06 15:11 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Core FTP (x64)
2015-10-20 13:56 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Tools
2015-10-20 13:50 - 2014-01-03 15:51 - 00000000 ____D C:\Users\user\Documents\AW EARNINGS
2015-10-19 13:29 - 2013-12-18 19:00 - 00000000 ____D C:\Windows\pss
2015-10-19 13:19 - 2013-12-18 15:31 - 00000000 ____D C:\ProgramData\Lx_cats
2015-10-15 19:30 - 2013-12-21 15:41 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-12 17:59 - 2013-12-20 18:05 - 00000000 ____D C:\Users\user\AppData\Roaming\CoreFTP
2015-10-12 17:46 - 2014-01-03 15:58 - 00000000 ___SD C:\Users\user\Documents\MY WEB MILF HALL
2015-10-12 17:32 - 2013-12-19 18:02 - 00001164 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\eBay.lnk
2015-10-12 16:57 - 2014-10-30 14:06 - 00000000 ____D C:\MGtools
2015-10-12 16:40 - 2014-01-17 17:56 - 00000000 ____D C:\Users\user\Documents\NETWORKING TROUBLESHOOTING
2015-10-12 15:32 - 2014-01-20 10:49 - 00000000 ____D C:\Windows\erdnt
2015-10-12 15:32 - 2013-12-18 18:37 - 00000000 ____D C:\Program Files (x86)\WinUtilities
2015-10-12 15:32 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\Msdtc
2015-10-12 15:32 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2015-10-12 12:41 - 2015-03-13 16:00 - 00000000 ____D C:\Users\user\Documents\a nurturelle.com
2015-10-12 12:41 - 2014-12-01 16:42 - 00000000 ____D C:\Users\user\Documents\CAPSULE INGREDIENTS
2015-10-11 14:50 - 2014-09-08 16:42 - 00000000 ____D C:\Users\user\Documents\WEBMASTER
2015-10-11 13:28 - 2015-09-12 15:19 - 00000574 _____ C:\Users\user\Documents\Orders not received yet..txt
2015-10-09 16:25 - 2014-01-05 14:37 - 00002611 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft FrontPage.lnk
2015-10-09 16:25 - 2014-01-05 14:37 - 00002609 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Open Office Document.lnk
2015-10-09 16:25 - 2014-01-05 14:37 - 00002599 _____ C:\ProgramData\Microsoft\Windows\Start Menu\New Office Document.lnk
2015-10-09 16:25 - 2014-01-05 14:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2015-10-09 16:25 - 2013-12-18 16:17 - 00000376 _____ C:\Windows\ODBC.INI
2015-10-09 15:28 - 2015-08-29 15:02 - 00000000 ____D C:\Users\user\Desktop\Website Value calculators
2015-10-09 15:13 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Webmaster
2015-10-09 14:06 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Mainstream
2015-10-05 17:21 - 2013-12-18 15:40 - 00051187 _____ C:\ProgramData\lxebJSW.log
2015-10-05 15:30 - 2014-10-25 22:23 - 00000000 ____D C:\Users\user\Desktop\Shopping
2015-09-29 16:51 - 2013-12-18 16:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-09-29 16:51 - 2009-07-14 04:34 - 00000535 _____ C:\Windows\win.ini
2015-09-28 16:09 - 2015-09-17 18:02 - 00000000 ____D C:\Users\user\Desktop\Soap Making
2015-09-28 13:45 - 2014-10-13 18:08 - 00000270 _____ C:\Users\user\Documents\online orders.txt
2015-09-26 18:29 - 2014-01-02 16:13 - 00000000 ____D C:\Users\user\AppData\Roaming\Free Download Manager
2015-09-24 17:24 - 2014-09-14 14:41 - 00000000 ____D C:\Users\user\Desktop\SUBMISSIONS
2015-09-23 15:41 - 2015-08-10 17:35 - 00000000 ____D C:\Users\user\Documents\Nurturele Articles
2015-09-23 14:40 - 2015-09-17 10:57 - 00000000 ____D C:\Users\user\AppData\Roaming\Anvsoft
2015-09-22 16:31 - 2014-09-08 14:01 - 00000000 ____D C:\Users\user\Documents\A TGP Pics
2015-09-21 14:07 - 2015-09-17 10:36 - 00000000 ____D C:\Users\user\Documents\My IMS Projects

==================== Files in the root of some directories =======

2015-02-08 15:37 - 2015-02-08 15:38 - 0640424 _____ (Akeo Consulting (http://akeo.ie)) C:\Program Files\rufus-1.4.12.exe
2013-12-18 17:19 - 2009-12-06 21:10 - 14452040 _____ () C:\Program Files\winzip140.exe
2015-06-03 16:28 - 2015-08-25 17:12 - 9535232 _____ () C:\Program Files (x86)\Article-Wizard.exe
2014-01-27 02:30 - 2012-03-19 16:19 - 3014656 _____ () C:\Program Files (x86)\dd-wrt.v24_mini_generic.bin
2014-01-24 19:15 - 2012-03-19 16:20 - 3788800 _____ () C:\Program Files (x86)\dd-wrt.v24_vpn_generic.bin
2014-01-20 18:01 - 2010-08-02 13:29 - 0658771 _____ () C:\Program Files (x86)\MWSnap300.exe
2010-11-09 12:26 - 2010-09-27 11:19 - 45696656 _____ () C:\Program Files (x86)\ranktracker.exe
2014-01-29 15:37 - 2010-01-09 15:21 - 21753240 _____ () C:\Program Files (x86)\RCSetup.exe
2013-12-19 18:01 - 2010-08-11 19:03 - 1015869 _____ () C:\Program Files (x86)\unlocker1.9.0.exe
2013-12-18 14:20 - 2013-12-18 14:19 - 0004791 _____ () C:\Program Files (x86)\vpn-co33_ovpn084_account.ovpn
2013-12-19 17:13 - 2009-12-06 21:10 - 14452040 _____ () C:\Program Files (x86)\winzip140.exe
2014-01-17 16:12 - 2010-03-25 20:04 - 6203848 _____ (YL Computing, Inc                                           ) C:\Program Files (x86)\wuinstall.exe
2014-03-17 14:04 - 2015-03-20 17:35 - 0000308 _____ () C:\Users\user\AppData\Roaming\Rim.Desktop.Exception.log
2014-03-17 14:03 - 2014-03-17 15:31 - 0001960 _____ () C:\Users\user\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-03-17 15:32 - 2015-03-20 17:35 - 0000231 _____ () C:\Users\user\AppData\Roaming\Rim.DesktopHelper.Exception.log
2014-03-17 14:05 - 2014-11-08 15:47 - 0003584 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-12 15:11 - 2014-12-12 15:11 - 0002962 _____ () C:\Users\user\AppData\Local\recently-used.xbel
2014-10-22 15:03 - 2015-08-08 15:53 - 0007597 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg
2013-12-18 15:11 - 2013-12-18 15:11 - 0000000 _____ () C:\ProgramData\cmn_upld.log
2013-12-18 15:27 - 2015-07-30 14:34 - 0001764 _____ () C:\ProgramData\FastPics.log
2013-12-18 15:28 - 2015-07-30 14:33 - 0002960 _____ () C:\ProgramData\lxeb.log
2014-05-11 11:18 - 2015-03-12 14:53 - 0000545 _____ () C:\ProgramData\lxebDiagnostics.log
2013-12-18 15:40 - 2015-10-05 17:21 - 0051187 _____ () C:\ProgramData\lxebJSW.log
2013-12-18 15:19 - 2015-10-21 13:39 - 0090769 _____ () C:\ProgramData\lxebscan.log
2013-12-18 15:11 - 2013-12-18 15:11 - 0000000 _____ () C:\ProgramData\LxWbGwLog.log
2013-12-18 15:10 - 2013-12-18 15:10 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-11 12:10

==================== End of FRST.txt ============================

Edited by tadpole90, 21 October 2015 - 10:03 AM.



#2 nasdaq (Malware Response Team, 39,191 posts, Montreal, QC. Canada)

Posted 23 October 2015 - 11:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 LVPr2M64; system32\DRIVERS\LVPr2M64.sys [X]
Task: {AE6CEE0C-01C5-4166-ABFB-9D493C53F679} - \Inst_Rep -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51
C\Windows\SysWOW64\_WKERNEL.syl.vir

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#3 tadpole90 (Topic Starter, Members, 27 posts)

Posted 23 October 2015 - 11:38 AM

Many thanks for your reply. I will test how my computer is running tomorrow. I did notice my email loaded faster. Thanks, below is the fixlog.txt


Fix result of Farbar Recovery Scan Tool (x64) Version:21-10-2015 01
Ran by user (2015-10-23 18:26:37) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 LVPr2M64; system32\DRIVERS\LVPr2M64.sys [X]
Task: {AE6CEE0C-01C5-4166-ABFB-9D493C53F679} - \Inst_Rep -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51
C\Windows\SysWOW64\_WKERNEL.syl.vir

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKCR\PROTOCOLS\Handler\WSWSVCUchrome" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
catchme => service removed successfully
LVPr2M64 => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AE6CEE0C-01C5-4166-ABFB-9D493C53F679}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE6CEE0C-01C5-4166-ABFB-9D493C53F679}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Inst_Rep => key not found.
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully.
C\Windows\SysWOW64\_WKERNEL.syl.vir => Error: No automatic fix found for this entry.
EmptyTemp: => 76.5 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 18:27:07 ====
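The fixlog above records six separate things the fixlist removed (two IE policy keys, an empty-URL search scope, two services with missing files, a task with no target, and an alternate data stream on C:\ProgramData\TEMP) and one it could not touch. Because the poster's complaint is that the file keeps coming back, the useful follow-up is a single check that reports which of those items has returned. The script below is an added example, not code from the thread or from FRST. It copies the SID, GUIDs, task name and service names from the fixlog; it assumes PowerShell 4 or later (so Get-FileHash and -Stream exist) running elevated, and it assumes the missing drive colon in the thread title is a typo for "C:" (the log itself never shows the colon). It makes no claim about what the .syl.vir file is; it records its size, timestamps and SHA-256 so a returning copy can be compared and the hash checked with a scanner before it is deleted again.

```powershell
# Added example, not part of the thread or of FRST: re-check in one elevated
# PowerShell session (PowerShell 4 or later assumed) whether the items the
# fixlist above removed have come back. SID, GUIDs, task and service names are
# copied from the fixlog. The file path assumes the missing colon in the thread
# title is a typo for "C:" (assumption; the log never shows it).

$sid      = 'S-1-5-21-1180291194-1577208311-465283933-1000'
$virPath  = 'C:\Windows\SysWOW64\_WKERNEL.syl.vir'
$findings = New-Object System.Collections.Generic.List[string]

# 1. IE policy restrictions: FRST prints "Restriction <======= ATTENTION" when
#    either key exists. List every value so the actual restriction is visible.
$ieKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    "Registry::HKEY_USERS\$sid\SOFTWARE\Policies\Microsoft\Internet Explorer"
)
foreach ($key in $ieKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $findings.Add("IE policy key present: $key")
    $keys = @(Get-Item -LiteralPath $key) +
            @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $findings.Add("    $($k.Name) : $name = $($k.GetValue($name))")
        }
    }
}

# 2. The empty-URL search scope the fixlist removed (64-bit and Wow6432Node views).
$scope = '{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'
foreach ($base in @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes')) {
    $k = Join-Path $base $scope
    if (Test-Path -LiteralPath $k) {
        $url = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).URL
        $findings.Add("SearchScope present: $k URL='$url'")
    }
}

# 3. Services/drivers the fixlist deleted. FRST listed both with [X] (file
#    missing), so a returning entry is checked in the registry, not via Get-Service.
foreach ($svc in @('catchme', 'LVPr2M64')) {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $k) {
        $img = (Get-ItemProperty -LiteralPath $k).ImagePath
        $findings.Add("Service key present: $svc ImagePath=$img")
    }
}

# 4. The orphaned scheduled task. Get-ScheduledTask does not exist on Windows 7,
#    so read the TaskCache keys FRST itself reported.
$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
if (Test-Path -LiteralPath "$cache\Tree\Inst_Rep") {
    $findings.Add("Task tree entry present: $cache\Tree\Inst_Rep")
}
Get-ChildItem -LiteralPath "$cache\Tasks" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = (Get-ItemProperty -LiteralPath $_.PSPath).Path
    if ($p -like '*Inst_Rep*') { $findings.Add("TaskCache entry: $($_.PSChildName) Path=$p") }
}

# 5. Alternate data stream on C:\ProgramData\TEMP (the fixlog removed ":1CE11B51").
$adsHost = 'C:\ProgramData\TEMP'
if (Test-Path -LiteralPath $adsHost) {
    Get-Item -LiteralPath $adsHost -Force -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS on ${adsHost}: $($_.Stream) ($($_.Length) bytes)") }
}

# 6. The file itself. Record size, timestamps and a hash before deleting it, so a
#    returning copy can be compared and the hash checked against a scanner.
if (Test-Path -LiteralPath $virPath) {
    $f    = Get-Item -LiteralPath $virPath -Force
    $hash = (Get-FileHash -LiteralPath $virPath -Algorithm SHA256).Hash
    $findings.Add("File is back: $virPath size=$($f.Length) created=$($f.CreationTime) modified=$($f.LastWriteTime) sha256=$hash")
}

if ($findings.Count -eq 0) { 'Nothing from the fixlist has returned.' } else { $findings }
```

Run it from an elevated prompt after each reboot while the problem is being chased; the creation timestamp on a returning file, compared with the task and service checks, is what tells you which persistence mechanism is re-creating it.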



#4 nasdaq
  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 October 2015 - 12:49 PM

C\Windows\SysWOW64\_WKERNEL.syl.vir => Error: No automatic fix found for this entry.


If the file in bold is still in the SysWOW64 folder, delete it.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 tadpole90
  • Topic Starter
  • Members
  • 27 posts

Posted 24 October 2015 - 06:27 AM

Hallo nasdaq,

I have deleted WKERNEL.syl.vir and my computer is running so much better. I have just done in a few minutes what has been taking me over an hour to complete.

Thank you so much for your help, knowledge and time. Much appreciated.



#6 nasdaq
  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 October 2015 - 08:51 AM

Glad we could help.

#7 tadpole90
  • Topic Starter
  • Members
  • 27 posts

Posted 27 October 2015 - 08:05 AM

Hallo, it seems my problem is back again. Today I found I couldn't open and reply easily to my e-mails, and webpage windows were not loading, just blank. It took nearly 15 minutes to load this site with repeated refreshes. I ran FRST again and a restriction is back on Internet Explorer. Here are the new logs.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-10-2015 02
Ran by user (administrator) on TADPOLE (27-10-2015 14:44:05)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Strong Technology, LLC.) C:\Program Files (x86)\StrongVPN\StrongService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
( ) C:\Windows\System32\lxebcoms.exe
(Microsoft Corporation) C:\Windows\System32\wbengine.exe
(Strong Technology, LLC.) C:\Program Files (x86)\StrongVPN\StrongDial.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\...\Run: [StrongVPN Client] => C:\Program Files (x86)\StrongVPN\StrongDial.exe [1504952 2015-04-06] (Strong Technology, LLC.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2015-10-26]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4}: [NameServer] 196.22.218.248,209.203.1.208
Tcpip\..\Interfaces\{C7A97DE5-5203-48E4-9826-C6D598E0FF20}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hotmail.com/
SearchScopes: HKU\S-1-5-21-1180291194-1577208311-465283933-1000 -> {F71159F7-0846-4FF4-B422-545A46CEE251} URL =

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [SDCapture@SDDownloadManager.com] - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture
FF Extension: SDCapture - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture [2015-02-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF Extension: Wondershare Video Converter Ultimate - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com [2015-08-23] [not signed]
FF HKU\S-1-5-21-1180291194-1577208311-465283933-1000\...\Firefox\Extensions: [SDCapture@SDDownloadManager.com] - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture

Chrome:
=======
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-08]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
S3 DfSdkS; C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer Free\Dfsdks.exe [544768 2009-08-24] (mst software GmbH, Germany) [File not signed]
R2 iprip; C:\Windows\System32\iprip.dll [35328 2009-07-14] (Microsoft Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
S3 lxebCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe [33960 2009-04-24] (Lexmark International, Inc.)
R3 lxeb_device; C:\Windows\system32\lxebcoms.exe [1032360 2009-04-24] ( )
R3 lxeb_device; C:\Windows\SysWOW64\lxebcoms.exe [602792 2009-04-24] ( )
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272688 2012-08-23] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-11-23] (Realtek Semiconductor)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 StrongVPN Service; C:\Program Files (x86)\StrongVPN\StrongService.exe [103608 2015-04-06] (Strong Technology, LLC.)
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 XLoveFMEManagerWinService; C:\Program Files (x86)\XloveCam\XLoveFMEManager.exe [327680 2013-11-25] () [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3342640 2012-08-23] (Intel® Corporation)
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S3 AX88772; C:\Windows\System32\DRIVERS\ax88772.sys [59904 2008-11-18] (ASIX Electronics Corp.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28216 2012-12-05] (Intel Corporation)
S3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [42016 2013-11-27] (Visicom Media Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [35232 2013-12-06] (Visicom Media Inc.)
R0 ntcdrdrv; C:\Windows\System32\DRIVERS\ntcdrdrv.sys [25680 2011-01-06] (NoteBurn Software)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [32136 2012-12-21] (Synaptics Incorporated)
R3 tapstrong; C:\Windows\System32\DRIVERS\tapstrong.sys [38760 2013-11-16] (The OpenVPN Project)
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [47072 2012-10-10] (Windows ® Win 7 DDK provider)
R3 XHCIPort; C:\Windows\System32\DRIVERS\XHCIPort.sys [188896 2012-10-10] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-27 14:42 - 2015-10-27 14:44 - 00011271 _____ C:\Users\user\Desktop\FRST.txt
2015-10-27 12:00 - 2015-10-27 12:00 - 00003746 _____ C:\Users\user\Desktop\Linkbuilding For Adult Camming Models - Webcam Startup.url
2015-10-26 18:36 - 2015-10-26 18:36 - 00001937 _____ C:\Users\user\Desktop\USA, UK Herbal Supplements Store, Herbal Products and Herbal Medicine.url
2015-10-26 17:27 - 2015-10-26 17:27 - 00015428 _____ C:\ComboFix.txt
2015-10-26 17:23 - 2015-10-27 14:37 - 00000168 _____ C:\Windows\setupact.log
2015-10-26 17:23 - 2015-10-26 17:23 - 00000000 _____ C:\Windows\setuperr.log
2015-10-26 17:22 - 2015-10-27 14:37 - 00001453 _____ C:\Windows\DtcInstall.log
2015-10-26 17:22 - 2015-10-26 17:22 - 00000558 _____ C:\Windows\PFRO.log
2015-10-26 13:21 - 2015-10-26 13:21 - 00001580 _____ C:\Users\user\Desktop\LX__Dashboard.exe - Shortcut.lnk
2015-10-26 13:10 - 2015-10-26 17:28 - 00025881 _____ C:\Windows\WindowsUpdate.log
2015-10-25 18:14 - 2015-10-25 18:14 - 00251754 _____ C:\Users\user\Downloads\fhg_dump_2015_10_25.csv
2015-10-22 16:54 - 2015-10-22 16:54 - 00000263 _____ C:\Users\user\Desktop\Awempire Login.url
2015-10-22 13:43 - 2015-10-22 13:43 - 00013634 _____ C:\Users\user\Desktop\coreftp.exe - Shortcut.lnk
2015-10-21 18:12 - 2015-10-21 18:12 - 00003563 _____ C:\Users\user\9
2015-10-21 16:23 - 2015-10-27 14:44 - 00000000 ____D C:\FRST
2015-10-21 16:20 - 2015-10-26 13:15 - 02197504 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe
2015-10-21 15:11 - 2015-10-21 15:11 - 00000000 ____D C:\ProgramData\HitmanPro
2015-10-21 15:08 - 2015-10-21 15:08 - 00006627 _____ C:\Users\user\Downloads\midget dump.txt
2015-10-21 15:08 - 2015-10-21 15:08 - 00006627 _____ C:\Users\user\Downloads\fhg_dump_2015_10_21.txt
2015-10-21 14:58 - 2015-10-21 15:18 - 05637184 ____R (Swearware) C:\Users\user\Desktop\ComboFix.exe
2015-10-19 13:06 - 2015-10-19 13:14 - 00000000 ____D C:\Users\user\Documents\Premium Bonds
2015-10-12 16:49 - 2015-10-12 18:04 - 00000000 ____D C:\Program Files (x86)\Unlocker
2015-10-12 12:53 - 2015-10-12 12:53 - 00000464 _____ C:\Users\user\Desktop\27 Serious Alternatives to eBay for Online Sellers and Buyers.url
2015-10-11 14:05 - 2015-10-11 14:05 - 00001602 _____ C:\Users\user\Desktop\PHP Tutorial for Beginners - Webmonkey.url
2015-10-10 16:43 - 2015-10-10 16:43 - 00001104 _____ C:\Users\user\Downloads\fhg_dump_2015_10_10 (1).txt
2015-10-10 16:00 - 2015-10-10 16:00 - 00006468 _____ C:\Users\user\Downloads\fhg_dump_diapersluts16_2015_10_10.txt
2015-10-10 15:59 - 2015-10-10 15:59 - 00006468 _____ C:\Users\user\Downloads\fhg_dump_2015_10_10.txt
2015-10-10 11:21 - 2015-10-10 11:21 - 00000388 _____ C:\Users\user\Desktop\Rakuten LinkShare.url
2015-10-08 15:29 - 2015-10-08 15:29 - 00000317 _____ C:\Users\user\Desktop\Marketing Automation Blog.url
2015-10-06 17:35 - 2015-10-06 17:35 - 00002015 _____ C:\Users\user\Documents\How to buy a juice extractor.txt
2015-10-06 15:58 - 2015-10-06 15:58 - 00000285 _____ C:\Users\user\Documents\sooperarticles.txt
2015-10-06 15:04 - 2015-10-06 15:04 - 00000245 _____ C:\Users\user\Desktop\Sooper Articles Submit Your Contents and Get Massive Exposure.url
2015-10-05 17:49 - 2015-10-05 17:50 - 00128482 _____ C:\Users\user\Downloads\fhg_dump_2015_10_05.txt
2015-10-04 17:23 - 2015-10-04 17:23 - 00001855 _____ C:\Users\user\Desktop\Online CSS3 Code Generator With a Simple Graphical Interface - EnjoyCSS.url
2015-10-02 14:59 - 2015-10-23 14:41 - 00016384 _____ C:\Users\user\Documents\Goldings orthapedic prices each.xls
2015-10-01 16:45 - 2015-10-01 16:45 - 03148854 _____ C:\Users\user\Documents\A1 freshbooks.bmp
2015-10-01 16:45 - 2015-10-01 16:45 - 03148854 _____ C:\A1 freshbooks.bmp
2015-09-30 10:39 - 2015-09-30 10:39 - 03148854 _____ C:\Users\user\Documents\DNS.bmp
2015-09-29 16:52 - 2015-09-29 17:02 - 00143360 _____ C:\Users\user\Documents\db1.mdb
2015-09-29 16:51 - 2015-09-29 16:51 - 00002643 _____ C:\Users\user\Desktop\Microsoft Office Access 2003.lnk
2015-09-29 16:50 - 2015-09-29 16:50 - 00000000 ____D C:\Windows\PCHEALTH
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (6).htm
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (5).htm
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (4).htm
2015-09-29 13:57 - 2015-09-29 13:57 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (3).htm

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-27 14:42 - 2009-07-14 07:13 - 00788478 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-27 14:40 - 2014-09-27 11:14 - 00000000 ____D C:\Users\user\AppData\Roaming\.strongvpn
2015-10-27 14:37 - 2015-08-28 18:53 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-27 14:37 - 2015-08-22 15:43 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-27 14:37 - 2013-12-18 15:19 - 00091636 _____ C:\ProgramData\lxebscan.log
2015-10-27 14:37 - 2013-12-18 14:55 - 00000000 _____ C:\Windows\system32\Drivers\lvuvc.hs
2015-10-27 14:36 - 2013-12-18 19:00 - 00000000 ____D C:\Windows\pss
2015-10-27 14:36 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\Msdtc
2015-10-27 14:36 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2015-10-27 14:02 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Mainstream
2015-10-27 13:59 - 2015-09-17 18:02 - 00000000 ____D C:\Users\user\Desktop\Soap Making
2015-10-27 13:45 - 2009-07-14 06:45 - 00028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-27 13:45 - 2009-07-14 06:45 - 00028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-27 13:20 - 2015-08-28 18:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-27 13:12 - 2013-12-18 15:31 - 00000000 ____D C:\ProgramData\Lx_cats
2015-10-27 12:54 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-27 12:51 - 2013-12-19 10:48 - 00000000 ____D C:\Users\user\AppData\Roaming\Skype
2015-10-26 18:39 - 2013-12-20 18:05 - 00000000 ____D C:\Users\user\AppData\Roaming\CoreFTP
2015-10-26 17:30 - 2013-12-21 15:05 - 00000000 ____D C:\Program Files (x86)\Google
2015-10-26 17:27 - 2015-07-23 14:20 - 00000000 ____D C:\Qoobox
2015-10-26 17:23 - 2009-07-14 04:34 - 00000273 _____ C:\Windows\system.ini
2015-10-26 17:16 - 2009-07-14 07:08 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-26 17:14 - 2014-07-27 14:55 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-26 17:05 - 2014-01-05 14:37 - 00002611 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft FrontPage.lnk
2015-10-26 17:05 - 2014-01-05 14:37 - 00002609 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Open Office Document.lnk
2015-10-26 17:05 - 2014-01-05 14:37 - 00002599 _____ C:\ProgramData\Microsoft\Windows\Start Menu\New Office Document.lnk
2015-10-26 17:05 - 2014-01-05 14:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2015-10-26 17:05 - 2013-12-18 16:17 - 00000376 _____ C:\Windows\ODBC.INI
2015-10-24 17:23 - 2013-12-21 15:41 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-24 14:11 - 2014-01-03 15:53 - 00000000 ____D C:\Users\user\Documents\Acam pass
2015-10-23 18:27 - 2014-07-27 14:55 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-23 17:56 - 2014-07-27 14:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-23 17:56 - 2013-12-26 18:59 - 00001104 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-23 15:40 - 2014-11-30 17:08 - 00000428 _____ C:\Users\user\Desktop\Tumblr.url
2015-10-22 18:00 - 2014-01-03 15:58 - 00000000 ___SD C:\Users\user\Documents\MY WEB MILF HALL
2015-10-22 15:36 - 2013-12-21 11:40 - 00000000 ____D C:\Users\user\AppData\Local\Apps\2.0
2015-10-20 14:00 - 2013-06-10 21:09 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-10-20 13:59 - 2015-05-19 12:11 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-20 13:57 - 2013-12-19 13:55 - 00000000 ____D C:\ProgramData\TEMP
2015-10-20 13:56 - 2014-11-06 15:11 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Core FTP (x64)
2015-10-20 13:56 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Tools
2015-10-20 13:50 - 2014-01-03 15:51 - 00000000 ____D C:\Users\user\Documents\AW EARNINGS
2015-10-12 17:32 - 2013-12-19 18:02 - 00001164 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\eBay.lnk
2015-10-12 16:57 - 2014-10-30 14:06 - 00000000 ____D C:\MGtools
2015-10-12 16:40 - 2014-01-17 17:56 - 00000000 ____D C:\Users\user\Documents\NETWORKING TROUBLESHOOTING
2015-10-12 15:32 - 2014-01-20 10:49 - 00000000 ____D C:\Windows\erdnt
2015-10-12 15:32 - 2013-12-18 18:37 - 00000000 ____D C:\Program Files (x86)\WinUtilities
2015-10-12 12:41 - 2015-03-13 16:00 - 00000000 ____D C:\Users\user\Documents\a nurturelle.com
2015-10-12 12:41 - 2014-12-01 16:42 - 00000000 ____D C:\Users\user\Documents\CAPSULE INGREDIENTS
2015-10-11 14:50 - 2014-09-08 16:42 - 00000000 ____D C:\Users\user\Documents\WEBMASTER
2015-10-11 13:28 - 2015-09-12 15:19 - 00000574 _____ C:\Users\user\Documents\Orders not received yet..txt
2015-10-09 15:28 - 2015-08-29 15:02 - 00000000 ____D C:\Users\user\Desktop\Website Value calculators
2015-10-09 15:13 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Webmaster
2015-10-05 17:21 - 2013-12-18 15:40 - 00051187 _____ C:\ProgramData\lxebJSW.log
2015-10-05 15:30 - 2014-10-25 22:23 - 00000000 ____D C:\Users\user\Desktop\Shopping
2015-10-05 09:50 - 2014-07-27 14:55 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2014-07-27 14:55 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2013-12-26 18:59 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-09-29 16:51 - 2013-12-18 16:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-09-29 16:51 - 2009-07-14 04:34 - 00000535 _____ C:\Windows\win.ini
2015-09-28 13:45 - 2014-10-13 18:08 - 00000270 _____ C:\Users\user\Documents\online orders.txt

==================== Files in the root of some directories =======

2015-02-08 15:37 - 2015-02-08 15:38 - 0640424 _____ (Akeo Consulting (http://akeo.ie)) C:\Program Files\rufus-1.4.12.exe
2013-12-18 17:19 - 2009-12-06 21:10 - 14452040 _____ () C:\Program Files\winzip140.exe
2015-06-03 16:28 - 2015-08-25 17:12 - 9535232 _____ () C:\Program Files (x86)\Article-Wizard.exe
2014-01-27 02:30 - 2012-03-19 16:19 - 3014656 _____ () C:\Program Files (x86)\dd-wrt.v24_mini_generic.bin
2014-01-24 19:15 - 2012-03-19 16:20 - 3788800 _____ () C:\Program Files (x86)\dd-wrt.v24_vpn_generic.bin
2014-01-20 18:01 - 2010-08-02 13:29 - 0658771 _____ () C:\Program Files (x86)\MWSnap300.exe
2010-11-09 12:26 - 2010-09-27 11:19 - 45696656 _____ () C:\Program Files (x86)\ranktracker.exe
2014-01-29 15:37 - 2010-01-09 15:21 - 21753240 _____ () C:\Program Files (x86)\RCSetup.exe
2013-12-19 18:01 - 2010-08-11 19:03 - 1015869 _____ () C:\Program Files (x86)\unlocker1.9.0.exe
2013-12-18 14:20 - 2013-12-18 14:19 - 0004791 _____ () C:\Program Files (x86)\vpn-co33_ovpn084_account.ovpn
2013-12-19 17:13 - 2009-12-06 21:10 - 14452040 _____ () C:\Program Files (x86)\winzip140.exe
2014-01-17 16:12 - 2010-03-25 20:04 - 6203848 _____ (YL Computing, Inc ) C:\Program Files (x86)\wuinstall.exe
2014-03-17 14:04 - 2015-03-20 17:35 - 0000308 _____ () C:\Users\user\AppData\Roaming\Rim.Desktop.Exception.log
2014-03-17 14:03 - 2014-03-17 15:31 - 0001960 _____ () C:\Users\user\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-03-17 15:32 - 2015-03-20 17:35 - 0000231 _____ () C:\Users\user\AppData\Roaming\Rim.DesktopHelper.Exception.log
2014-03-17 14:05 - 2014-11-08 15:47 - 0003584 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-12 15:11 - 2014-12-12 15:11 - 0002962 _____ () C:\Users\user\AppData\Local\recently-used.xbel
2014-10-22 15:03 - 2015-08-08 15:53 - 0007597 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg
2013-12-18 15:11 - 2013-12-18 15:11 - 0000000 _____ () C:\ProgramData\cmn_upld.log
2013-12-18 15:27 - 2015-07-30 14:34 - 0001764 _____ () C:\ProgramData\FastPics.log
2013-12-18 15:28 - 2015-07-30 14:33 - 0002960 _____ () C:\ProgramData\lxeb.log
2014-05-11 11:18 - 2015-03-12 14:53 - 0000545 _____ () C:\ProgramData\lxebDiagnostics.log
2013-12-18 15:40 - 2015-10-05 17:21 - 0051187 _____ () C:\ProgramData\lxebJSW.log
2013-12-18 15:19 - 2015-10-27 14:37 - 0091636 _____ () C:\ProgramData\lxebscan.log
2013-12-18 15:11 - 2013-12-18 15:11 - 0000000 _____ () C:\ProgramData\LxWbGwLog.log
2013-12-18 15:10 - 2013-12-18 15:10 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-24 12:32

==================== End of FRST.txt ============================

#8 tadpole90
  • Topic Starter
  • Members
  • 27 posts

Posted 27 October 2015 - 08:18 AM

Attached File: Addition.txt (38.19KB)



#9 nasdaq
  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 October 2015 - 08:27 AM

Please run the Farbar tool and post a fresh FRST log.

I cannot read the last log due to the formatting.

Make sure each line is terminated with a carriage return.

#10 tadpole90
  • Topic Starter
  • Members
  • 27 posts

Posted 27 October 2015 - 08:43 AM

Sorry Nasdaq, here is a fresh set.

FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-10-2015 02
Ran by user (administrator) on TADPOLE (27-10-2015 15:37:39)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Strong Technology, LLC.) C:\Program Files (x86)\StrongVPN\StrongService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
( ) C:\Windows\System32\lxebcoms.exe
(Strong Technology, LLC.) C:\Program Files (x86)\StrongVPN\StrongDial.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\...\Run: [StrongVPN Client] => C:\Program Files (x86)\StrongVPN\StrongDial.exe [1504952 2015-04-06] (Strong Technology, LLC.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4}: [NameServer] 196.22.218.248,209.203.1.208
Tcpip\..\Interfaces\{C7A97DE5-5203-48E4-9826-C6D598E0FF20}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hotmail.com/
SearchScopes: HKU\S-1-5-21-1180291194-1577208311-465283933-1000 -> {F71159F7-0846-4FF4-B422-545A46CEE251} URL =

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [SDCapture@SDDownloadManager.com] - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture
FF Extension: SDCapture - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture [2015-02-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF Extension: Wondershare Video Converter Ultimate - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com [2015-08-23] [not signed]
FF HKU\S-1-5-21-1180291194-1577208311-465283933-1000\...\Firefox\Extensions: [SDCapture@SDDownloadManager.com] - C:\Users\user\AppData\Roaming\SD Download Manager\Mozilla\SDCapture

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
S3 DfSdkS; C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer Free\Dfsdks.exe [544768 2009-08-24] (mst software GmbH, Germany) [File not signed]
R2 iprip; C:\Windows\System32\iprip.dll [35328 2009-07-14] (Microsoft Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
S3 lxebCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe [33960 2009-04-24] (Lexmark International, Inc.)
R3 lxeb_device; C:\Windows\system32\lxebcoms.exe [1032360 2009-04-24] ( )
R3 lxeb_device; C:\Windows\SysWOW64\lxebcoms.exe [602792 2009-04-24] ( )
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272688 2012-08-23] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-11-23] (Realtek Semiconductor)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 StrongVPN Service; C:\Program Files (x86)\StrongVPN\StrongService.exe [103608 2015-04-06] (Strong Technology, LLC.)
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 XLoveFMEManagerWinService; C:\Program Files (x86)\XloveCam\XLoveFMEManager.exe [327680 2013-11-25] () [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3342640 2012-08-23] (Intel® Corporation)
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S3 AX88772; C:\Windows\System32\DRIVERS\ax88772.sys [59904 2008-11-18] (ASIX Electronics Corp.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28216 2012-12-05] (Intel Corporation)
S3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [42016 2013-11-27] (Visicom Media Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [35232 2013-12-06] (Visicom Media Inc.)
R0 ntcdrdrv; C:\Windows\System32\DRIVERS\ntcdrdrv.sys [25680 2011-01-06] (NoteBurn Software)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [32136 2012-12-21] (Synaptics Incorporated)
R3 tapstrong; C:\Windows\System32\DRIVERS\tapstrong.sys [38760 2013-11-16] (The OpenVPN Project)
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [47072 2012-10-10] (Windows ® Win 7 DDK provider)
R3 XHCIPort; C:\Windows\System32\DRIVERS\XHCIPort.sys [188896 2012-10-10] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-27 14:42 - 2015-10-27 15:37 - 00010858 _____ C:\Users\user\Desktop\FRST.txt
2015-10-27 12:00 - 2015-10-27 12:00 - 00003746 _____ C:\Users\user\Desktop\Linkbuilding For Adult Camming Models - Webcam Startup.url
2015-10-26 18:36 - 2015-10-26 18:36 - 00001937 _____ C:\Users\user\Desktop\USA, UK Herbal Supplements Store, Herbal Products and Herbal Medicine.url
2015-10-26 17:27 - 2015-10-26 17:27 - 00015428 _____ C:\ComboFix.txt
2015-10-26 17:23 - 2015-10-27 14:37 - 00000168 _____ C:\Windows\setupact.log
2015-10-26 17:23 - 2015-10-26 17:23 - 00000000 _____ C:\Windows\setuperr.log
2015-10-26 17:22 - 2015-10-27 14:37 - 00001453 _____ C:\Windows\DtcInstall.log
2015-10-26 17:22 - 2015-10-26 17:22 - 00000558 _____ C:\Windows\PFRO.log
2015-10-26 13:21 - 2015-10-26 13:21 - 00001580 _____ C:\Users\user\Desktop\LX__Dashboard.exe - Shortcut.lnk
2015-10-26 13:10 - 2015-10-26 17:28 - 00025881 _____ C:\Windows\WindowsUpdate.log
2015-10-25 18:14 - 2015-10-25 18:14 - 00251754 _____ C:\Users\user\Downloads\fhg_dump_2015_10_25.csv
2015-10-22 16:54 - 2015-10-22 16:54 - 00000263 _____ C:\Users\user\Desktop\Awempire Login.url
2015-10-22 13:43 - 2015-10-22 13:43 - 00013634 _____ C:\Users\user\Desktop\coreftp.exe - Shortcut.lnk
2015-10-21 18:12 - 2015-10-21 18:12 - 00003563 _____ C:\Users\user\9
2015-10-21 16:23 - 2015-10-27 15:37 - 00000000 ____D C:\FRST
2015-10-21 16:20 - 2015-10-26 13:15 - 02197504 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe
2015-10-21 15:11 - 2015-10-21 15:11 - 00000000 ____D C:\ProgramData\HitmanPro
2015-10-21 15:08 - 2015-10-21 15:08 - 00006627 _____ C:\Users\user\Downloads\midget dump.txt
2015-10-21 15:08 - 2015-10-21 15:08 - 00006627 _____ C:\Users\user\Downloads\fhg_dump_2015_10_21.txt
2015-10-21 14:58 - 2015-10-21 15:18 - 05637184 ____R (Swearware) C:\Users\user\Desktop\ComboFix.exe
2015-10-19 13:06 - 2015-10-19 13:14 - 00000000 ____D C:\Users\user\Documents\Premium Bonds
2015-10-12 16:49 - 2015-10-12 18:04 - 00000000 ____D C:\Program Files (x86)\Unlocker
2015-10-12 12:53 - 2015-10-12 12:53 - 00000464 _____ C:\Users\user\Desktop\27 Serious Alternatives to eBay for Online Sellers and Buyers.url
2015-10-11 14:05 - 2015-10-11 14:05 - 00001602 _____ C:\Users\user\Desktop\PHP Tutorial for Beginners - Webmonkey.url
2015-10-10 16:43 - 2015-10-10 16:43 - 00001104 _____ C:\Users\user\Downloads\fhg_dump_2015_10_10 (1).txt
2015-10-10 16:00 - 2015-10-10 16:00 - 00006468 _____ C:\Users\user\Downloads\fhg_dump_diapersluts16_2015_10_10.txt
2015-10-10 15:59 - 2015-10-10 15:59 - 00006468 _____ C:\Users\user\Downloads\fhg_dump_2015_10_10.txt
2015-10-10 11:21 - 2015-10-10 11:21 - 00000388 _____ C:\Users\user\Desktop\Rakuten LinkShare.url
2015-10-08 15:29 - 2015-10-08 15:29 - 00000317 _____ C:\Users\user\Desktop\Marketing Automation Blog.url
2015-10-06 17:35 - 2015-10-06 17:35 - 00002015 _____ C:\Users\user\Documents\How to buy a juice extractor.txt
2015-10-06 15:58 - 2015-10-06 15:58 - 00000285 _____ C:\Users\user\Documents\sooperarticles.txt
2015-10-06 15:04 - 2015-10-06 15:04 - 00000245 _____ C:\Users\user\Desktop\Sooper Articles Submit Your Contents and Get Massive Exposure.url
2015-10-05 17:49 - 2015-10-05 17:50 - 00128482 _____ C:\Users\user\Downloads\fhg_dump_2015_10_05.txt
2015-10-04 17:23 - 2015-10-04 17:23 - 00001855 _____ C:\Users\user\Desktop\Online CSS3 Code Generator With a Simple Graphical Interface - EnjoyCSS.url
2015-10-02 14:59 - 2015-10-23 14:41 - 00016384 _____ C:\Users\user\Documents\Goldings orthapedic prices each.xls
2015-10-01 16:45 - 2015-10-01 16:45 - 03148854 _____ C:\Users\user\Documents\A1 freshbooks.bmp
2015-10-01 16:45 - 2015-10-01 16:45 - 03148854 _____ C:\A1 freshbooks.bmp
2015-09-30 10:39 - 2015-09-30 10:39 - 03148854 _____ C:\Users\user\Documents\DNS.bmp
2015-09-29 16:52 - 2015-09-29 17:02 - 00143360 _____ C:\Users\user\Documents\db1.mdb
2015-09-29 16:51 - 2015-09-29 16:51 - 00002643 _____ C:\Users\user\Desktop\Microsoft Office Access 2003.lnk
2015-09-29 16:50 - 2015-09-29 16:50 - 00000000 ____D C:\Windows\PCHEALTH
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (6).htm
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (5).htm
2015-09-29 14:00 - 2015-09-29 14:00 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (4).htm
2015-09-29 13:57 - 2015-09-29 13:57 - 00000195 _____ C:\Users\user\Downloads\php-in-html-test (3).htm

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-27 15:34 - 2013-12-18 19:00 - 00000000 ____D C:\Windows\pss
2015-10-27 15:30 - 2013-12-18 18:37 - 00000000 ____D C:\Program Files (x86)\WinUtilities
2015-10-27 15:20 - 2015-08-28 18:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-27 14:52 - 2013-12-21 15:05 - 00000000 ____D C:\Users\user\AppData\Local\Google
2015-10-27 14:52 - 2013-12-19 13:55 - 00000000 ____D C:\ProgramData\TEMP
2015-10-27 14:47 - 2013-12-21 11:40 - 00000000 ____D C:\Users\user\AppData\Local\Apps\2.0
2015-10-27 14:44 - 2009-07-14 06:45 - 00028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-27 14:44 - 2009-07-14 06:45 - 00028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-27 14:42 - 2009-07-14 07:13 - 00788478 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-27 14:40 - 2014-09-27 11:14 - 00000000 ____D C:\Users\user\AppData\Roaming\.strongvpn
2015-10-27 14:37 - 2015-08-28 18:53 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-27 14:37 - 2015-08-22 15:43 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-27 14:37 - 2013-12-18 15:19 - 00091636 _____ C:\ProgramData\lxebscan.log
2015-10-27 14:37 - 2013-12-18 14:55 - 00000000 _____ C:\Windows\system32\Drivers\lvuvc.hs
2015-10-27 14:36 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\Msdtc
2015-10-27 14:36 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2015-10-27 14:02 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Mainstream
2015-10-27 13:59 - 2015-09-17 18:02 - 00000000 ____D C:\Users\user\Desktop\Soap Making
2015-10-27 13:12 - 2013-12-18 15:31 - 00000000 ____D C:\ProgramData\Lx_cats
2015-10-27 12:54 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-27 12:51 - 2013-12-19 10:48 - 00000000 ____D C:\Users\user\AppData\Roaming\Skype
2015-10-26 18:39 - 2013-12-20 18:05 - 00000000 ____D C:\Users\user\AppData\Roaming\CoreFTP
2015-10-26 17:27 - 2015-07-23 14:20 - 00000000 ____D C:\Qoobox
2015-10-26 17:23 - 2009-07-14 04:34 - 00000273 _____ C:\Windows\system.ini
2015-10-26 17:16 - 2009-07-14 07:08 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-26 17:14 - 2014-07-27 14:55 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-26 17:05 - 2014-01-05 14:37 - 00002611 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft FrontPage.lnk
2015-10-26 17:05 - 2014-01-05 14:37 - 00002609 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Open Office Document.lnk
2015-10-26 17:05 - 2014-01-05 14:37 - 00002599 _____ C:\ProgramData\Microsoft\Windows\Start Menu\New Office Document.lnk
2015-10-26 17:05 - 2014-01-05 14:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2015-10-26 17:05 - 2013-12-18 16:17 - 00000376 _____ C:\Windows\ODBC.INI
2015-10-24 14:11 - 2014-01-03 15:53 - 00000000 ____D C:\Users\user\Documents\Acam pass
2015-10-23 18:27 - 2014-07-27 14:55 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-23 17:56 - 2014-07-27 14:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-23 17:56 - 2013-12-26 18:59 - 00001104 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-23 15:40 - 2014-11-30 17:08 - 00000428 _____ C:\Users\user\Desktop\Tumblr.url
2015-10-22 18:00 - 2014-01-03 15:58 - 00000000 ___SD C:\Users\user\Documents\MY WEB MILF HALL
2015-10-20 14:00 - 2013-06-10 21:09 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-10-20 13:59 - 2015-05-19 12:11 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-20 13:56 - 2014-11-06 15:11 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Core FTP (x64)
2015-10-20 13:56 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Tools
2015-10-20 13:50 - 2014-01-03 15:51 - 00000000 ____D C:\Users\user\Documents\AW EARNINGS
2015-10-12 17:32 - 2013-12-19 18:02 - 00001164 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\eBay.lnk
2015-10-12 16:57 - 2014-10-30 14:06 - 00000000 ____D C:\MGtools
2015-10-12 16:40 - 2014-01-17 17:56 - 00000000 ____D C:\Users\user\Documents\NETWORKING TROUBLESHOOTING
2015-10-12 15:32 - 2014-01-20 10:49 - 00000000 ____D C:\Windows\erdnt
2015-10-12 12:41 - 2015-03-13 16:00 - 00000000 ____D C:\Users\user\Documents\a nurturelle.com
2015-10-12 12:41 - 2014-12-01 16:42 - 00000000 ____D C:\Users\user\Documents\CAPSULE INGREDIENTS
2015-10-11 14:50 - 2014-09-08 16:42 - 00000000 ____D C:\Users\user\Documents\WEBMASTER
2015-10-11 13:28 - 2015-09-12 15:19 - 00000574 _____ C:\Users\user\Documents\Orders not received yet..txt
2015-10-09 15:28 - 2015-08-29 15:02 - 00000000 ____D C:\Users\user\Desktop\Website Value calculators
2015-10-09 15:13 - 2014-01-13 18:26 - 00000000 ____D C:\Users\user\Desktop\Webmaster
2015-10-05 17:21 - 2013-12-18 15:40 - 00051187 _____ C:\ProgramData\lxebJSW.log
2015-10-05 15:30 - 2014-10-25 22:23 - 00000000 ____D C:\Users\user\Desktop\Shopping
2015-10-05 09:50 - 2014-07-27 14:55 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2014-07-27 14:55 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2013-12-26 18:59 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-09-29 16:51 - 2013-12-18 16:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-09-29 16:51 - 2009-07-14 04:34 - 00000535 _____ C:\Windows\win.ini
2015-09-28 13:45 - 2014-10-13 18:08 - 00000270 _____ C:\Users\user\Documents\online orders.txt

==================== Files in the root of some directories =======

2015-02-08 15:37 - 2015-02-08 15:38 - 0640424 _____ (Akeo Consulting (http://akeo.ie)) C:\Program Files\rufus-1.4.12.exe
2013-12-18 17:19 - 2009-12-06 21:10 - 14452040 _____ () C:\Program Files\winzip140.exe
2015-06-03 16:28 - 2015-08-25 17:12 - 9535232 _____ () C:\Program Files (x86)\Article-Wizard.exe
2014-01-27 02:30 - 2012-03-19 16:19 - 3014656 _____ () C:\Program Files (x86)\dd-wrt.v24_mini_generic.bin
2014-01-24 19:15 - 2012-03-19 16:20 - 3788800 _____ () C:\Program Files (x86)\dd-wrt.v24_vpn_generic.bin
2014-01-20 18:01 - 2010-08-02 13:29 - 0658771 _____ () C:\Program Files (x86)\MWSnap300.exe
2010-11-09 12:26 - 2010-09-27 11:19 - 45696656 _____ () C:\Program Files (x86)\ranktracker.exe
2014-01-29 15:37 - 2010-01-09 15:21 - 21753240 _____ () C:\Program Files (x86)\RCSetup.exe
2013-12-19 18:01 - 2010-08-11 19:03 - 1015869 _____ () C:\Program Files (x86)\unlocker1.9.0.exe
2013-12-18 14:20 - 2013-12-18 14:19 - 0004791 _____ () C:\Program Files (x86)\vpn-co33_ovpn084_account.ovpn
2013-12-19 17:13 - 2009-12-06 21:10 - 14452040 _____ () C:\Program Files (x86)\winzip140.exe
2014-01-17 16:12 - 2010-03-25 20:04 - 6203848 _____ (YL Computing, Inc                                           ) C:\Program Files (x86)\wuinstall.exe
2014-03-17 14:04 - 2015-03-20 17:35 - 0000308 _____ () C:\Users\user\AppData\Roaming\Rim.Desktop.Exception.log
2014-03-17 14:03 - 2014-03-17 15:31 - 0001960 _____ () C:\Users\user\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-03-17 15:32 - 2015-03-20 17:35 - 0000231 _____ () C:\Users\user\AppData\Roaming\Rim.DesktopHelper.Exception.log
2014-03-17 14:05 - 2014-11-08 15:47 - 0003584 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-12 15:11 - 2014-12-12 15:11 - 0002962 _____ () C:\Users\user\AppData\Local\recently-used.xbel
2014-10-22 15:03 - 2015-08-08 15:53 - 0007597 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg
2013-12-18 15:11 - 2013-12-18 15:11 - 0000000 _____ () C:\ProgramData\cmn_upld.log
2013-12-18 15:27 - 2015-07-30 14:34 - 0001764 _____ () C:\ProgramData\FastPics.log
2013-12-18 15:28 - 2015-07-30 14:33 - 0002960 _____ () C:\ProgramData\lxeb.log
2014-05-11 11:18 - 2015-03-12 14:53 - 0000545 _____ () C:\ProgramData\lxebDiagnostics.log
2013-12-18 15:40 - 2015-10-05 17:21 - 0051187 _____ () C:\ProgramData\lxebJSW.log
2013-12-18 15:19 - 2015-10-27 14:37 - 0091636 _____ () C:\ProgramData\lxebscan.log
2013-12-18 15:11 - 2013-12-18 15:11 - 0000000 _____ () C:\ProgramData\LxWbGwLog.log
2013-12-18 15:10 - 2013-12-18 15:10 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-24 12:32

==================== End of FRST.txt ============================


#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:08 PM

Posted 27 October 2015 - 01:12 PM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on the Export TXT button and save the file as RogueReport.txt
  • The file RogueReport.txt will be saved on the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Is the issue persisting?

Wait for further instructions.
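The fixlist step above only works when every entry is saved exactly as it stands in the code box, because FRST matches each fixlist line against its own log entries. The checker below is an added example for this thread, not code from the original posts and not part of FRST itself: it takes the fixlist text and the FRST log the entries were copied from, and reports any line that is neither a directive nor a verbatim log line, which is what a wrapped or retyped entry looks like. The sample log excerpt and both fixlists are constructed from the lines posted in this thread (the wrapped variant reproduces the split HKLM line that appears in the Fixlog posted later in the thread).

```python
"""Check an FRST fixlist.txt before clicking Fix.

Added example for this thread, not part of the original posts and not FRST's
own code. FRST processes a fixlist line by line; an entry that was wrapped or
retyped while copying no longer matches anything and is reported as
"No automatic fix found for this entry". The check below treats the FRST log
the entries were copied from as the reference: every non-directive line in
the fixlist must be a verbatim line of that log.
"""
from __future__ import annotations

import re

# A fixlist directive is a single word ending in a colon (CreateRestorePoint:,
# EmptyTemp:, CloseProcesses:, ...). 'start' and 'End' frame the list.
DIRECTIVE = re.compile(r"^[A-Za-z]+:$")
MARKERS = {"start", "end"}


def check_fixlist(fixlist_text: str, frst_log_text: str) -> list[str]:
    """Return the problems found; an empty list means the fixlist is clean."""
    log_lines = {ln.strip() for ln in frst_log_text.splitlines() if ln.strip()}
    body = [ln.strip() for ln in fixlist_text.splitlines() if ln.strip()]
    problems: list[str] = []
    if not body or body[0].lower() != "start":
        problems.append("fixlist must begin with 'start'")
    if not body or body[-1].lower() != "end":
        problems.append("fixlist must finish with 'End'")
    for line in body:
        if line.lower() in MARKERS or DIRECTIVE.match(line):
            continue  # framing marker or directive, nothing to cross-check
        if line not in log_lines:
            problems.append(f"not a verbatim FRST log line (wrapped or edited?): {line!r}")
    return problems


# Constructed excerpt of the FRST.txt posted in this thread: only the entries
# the fixlist refers to, copied verbatim.
FRST_LOG = r"""
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
"""

# The fixlist as it should be saved: each entry on a single line.
GOOD_FIXLIST = r"""
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]

End
"""

# The same fixlist with the HKLM entry wrapped onto two lines, the way it
# shows up in the Fixlog posted in this thread (constructed from that log).
WRAPPED_FIXLIST = GOOD_FIXLIST.replace(
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet\nExplorer: Restriction",
)

if __name__ == "__main__":
    for name, text in (("good", GOOD_FIXLIST), ("wrapped", WRAPPED_FIXLIST)):
        print(f"{name}: {check_fixlist(text, FRST_LOG) or 'OK'}")
```

To check a real fixlist, call `check_fixlist` with the contents of fixlist.txt and of the FRST.txt the entries were taken from; anything it reports should be pasted again from the code box on one line before running Fix.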

#12 tadpole90

tadpole90
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:08 AM

Posted 28 October 2015 - 08:22 AM

Hallo Nasdaq

Thank you for the reply and instructions. Below are the requested logs:

Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by user (2015-10-28 13:16:57) Run:4
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet
Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51

End

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet => Error: No automatic fix found for this entry.
Explorer: Restriction <======= ATTENTION => Error: No automatic fix found for this entry.
HKU\S-1-5-21-1180291194-1577208311-465283933-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3 => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9 => key not found.
gupdate => service not found.
gupdatem => service not found.
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully.
EmptyTemp: => 15.9 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 13:17:27 ====

RogueReport.txt

RogueKiller V10.11.3.0 [Oct 26 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Administrator]
Started from : C:\Users\user\Desktop\RogueKiller.exe
Mode : Scan -- Date : 10/28/2015 14:29:24

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 17 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hotmail.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hotmail.com/  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4} | NameServer : 196.22.218.248,209.203.1.208 ([SOUTH AFRICA (ZA)][SOUTH AFRICA (ZA)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4} | NameServer : 196.22.218.248,209.203.1.208 ([SOUTH AFRICA (ZA)][SOUTH AFRICA (ZA)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4} | NameServer : 196.22.218.248,209.203.1.208 ([SOUTH AFRICA (ZA)][SOUTH AFRICA (ZA)])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1180291194-1577208311-465283933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] C:\Program Files (x86)\Spybot - Search & Destroy 2\explorer.exe -> Found

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] d73c6d14ac95676137c72a748412af4f
[BSP] f0f42d72d5836d6dafcf81ee62f05daf : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15542 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31911936 | Size: 938286 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I am getting the following message when I try to Add Reply

"Your post was too long. Please go back and shorten it a little."

so I will send a separate reply with the TDSS.

aswMBR.txt

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-10-28 14:46:08
-----------------------------
14:46:08.082    OS Version: Windows x64 6.1.7601 Service Pack 1
14:46:08.082    Number of processors: 4 586 0x3A09
14:46:08.082    ComputerName: TADPOLE  UserName: user
14:46:09.361    Initialize success
14:46:09.423    VM: initialized successfully
14:46:09.423    VM: Intel CPU supported
14:46:19.674    VM: disk I/O iaStorA.sys
14:46:46.190    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000070
14:46:46.190    Disk 0 Vendor: ATA_____ 1A01 Size: 953869MB BusType: 11
14:46:46.362    Disk 0 MBR read successfully
14:46:46.362    Disk 0 MBR scan
14:46:46.362    Disk 0 Windows VISTA default MBR code
14:46:46.377    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
14:46:46.408    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        15542 MB offset 81920
14:46:46.408    Disk 0 Boot: NTFS     code=1
14:46:46.424    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       938286 MB offset 31911936
14:46:46.564    Disk 0 scanning C:\Windows\system32\drivers
14:46:52.071    Service scanning
14:47:41.399    Modules scanning
14:47:41.414    Disk 0 trace - called modules:
14:47:41.492    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys storport.sys hal.dll iaStorA.sys
14:47:41.508    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009da9060]
14:47:41.508    3 CLASSPNP.SYS[fffff880015c943f] -> nt!IofCallDriver -> [0xfffffa8009bf6b30]
14:47:41.523    5 iaStorF.sys[fffff880019f09a0] -> nt!IofCallDriver -> \Device\00000070[0xfffffa8007b3a9c0]
14:47:41.539    Disk 0 statistics 98016/0/0 @ 8.79 MB/s
14:47:41.539    Scan finished successfully
14:48:11.943    Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
14:48:11.943    The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"

Attached Files
  • MBR.zip (570 bytes)
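
The "MBR Check" lines from RogueKiller and the "MBR scan" lines from aswMBR above are each tool decoding the first sector of PhysicalDrive0. The script below is an added example, not code from this thread or from RogueKiller or aswMBR: it decodes a 512-byte MBR the same way (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature), prints the table in the style of the RogueKiller lines, and applies the checks a scanner would (boot-code hash not in a known-good set, exactly one active partition, no overlapping entries). The sample sector is constructed from the partition layout in the logs with dummy boot code; KNOWN_GOOD_BOOTCODE is an assumption to be filled from a clean image, and which bytes RogueKiller feeds into its [MBR] hash is not stated on the page, so the md5 here is only for comparison with your own baseline. Point it at the MBR.dat that aswMBR saved to see the real sector.

```python
"""Decode a 512-byte MBR the way the 'MBR Check' / 'MBR scan' log lines do,
and re-run the checks those scanners apply.

Added example: not code from the thread or from either tool.  The sample MBR
is constructed from the partition layout in the logs, with dummy boot code.
KNOWN_GOOD_BOOTCODE is an assumption (the tools compare against their own
database, which is not on the page).
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 446                 # bytes 0..445; the partition table follows
PT_OFFSET = 446
SIGNATURE = 0xAA55                  # stored little-endian: 55 AA at bytes 510-511
TYPE_NAMES = {0x07: "NTFS", 0xDE: "DELL-UTIL"}   # only the type IDs seen on the page
KNOWN_GOOD_BOOTCODE = frozenset()   # assumption: md5 of your own clean boot code goes here


def build_sample_mbr():
    """Constructed 512-byte MBR matching the logged partition table."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xEB\x00\x90"      # dummy boot code, not a real Windows bootstrap
    # (boot flag, type ID, start LBA, sector count).  Offsets are those in the
    # logs; counts are derived from where the next partition starts.
    entries = [
        (0x00, 0xDE, 63, 81857),              # DELL-UTIL, reported as 39 MB
        (0x80, 0x07, 81920, 31830016),        # NTFS, active, 15542 MB
        (0x00, 0x07, 31911936, 1921609728),   # NTFS, 938286 MB
    ]
    for i, (flag, ptype, lba, count) in enumerate(entries):
        # CHS fields are left zero; modern tools read the LBA fields only
        struct.pack_into("<B3xB3xII", mbr, PT_OFFSET + 16 * i, flag, ptype, lba, count)
    struct.pack_into("<H", mbr, 510, SIGNATURE)
    return bytes(mbr)


def parse_mbr(sector):
    """Return (md5 of the boot code, list of non-empty partition entries)."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes, got %d" % len(sector))
    if struct.unpack_from("<H", sector, 510)[0] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue                                  # empty slot
        parts.append({
            "index": i,
            "active": flag == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "Unknown"),
            "offset": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),   # same truncation as the logs
        })
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(), parts


def check_mbr(sector, known_good=KNOWN_GOOD_BOOTCODE):
    """Findings a scanner would raise; an empty list means nothing suspicious."""
    code_md5, parts = parse_mbr(sector)
    findings = []
    if code_md5 not in known_good:
        findings.append("Unknown MBR code (md5 %s): compare against a clean image" % code_md5)
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %r" % active)
    ordered = sorted(parts, key=lambda p: p["offset"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev["offset"] + prev["sectors"] > nxt["offset"]:
            findings.append("partitions %d and %d overlap" % (prev["index"], nxt["index"]))
    return findings


def describe(sector):
    """Render the partition table in the style of the RogueKiller log lines."""
    code_md5, parts = parse_mbr(sector)
    lines = ["[MBR code] %s" % code_md5]
    for p in parts:
        lines.append("%d - [%s] %s (0x%x) Offset (sectors): %d | Size: %d MB"
                     % (p["index"], "ACTIVE" if p["active"] else "XXXXXX",
                        p["name"], p["type"], p["offset"], p["size_mb"]))
    return lines


if __name__ == "__main__":
    # Usage: python mbr_check.py [MBR.dat]   (aswMBR saved the real sector as MBR.dat)
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    print("\n".join(describe(data)))
    for finding in check_mbr(data):
        print("!!", finding)
```

The boot-code hash is only as good as the database it is compared against: RogueKiller reported this sector as "HP|VT.Unknown MBR Code" while aswMBR identified the same bytes as "Windows VISTA default MBR code", so an "unknown" verdict from one tool is a prompt to diff the saved MBR.dat against a known clean copy, not a finding on its own. An OEM-customised bootstrap such as the one a Dell utility partition ships with can produce the same "unknown" result.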


#13 tadpole90
  • Topic Starter
  • Members
  • 27 posts

Posted 28 October 2015 - 08:35 AM

Hallo Nasdaq,

I am still getting the message: "Your post was too long. Please go back and shorten it a little" when I try to post the TDSS Report on its own, so I pasted it into Notepad and zipped it. I have attached it, hope that is okay.

Thanks

#14 nasdaq
  • Malware Response Team
  • 39,191 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 October 2015 - 09:24 AM

If you are not located in South Africa, run the RogueKiller tool and fix these items.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4} | NameServer : 196.22.218.248,209.203.1.208 ([SOUTH AFRICA (ZA)][SOUTH AFRICA (ZA)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4} | NameServer : 196.22.218.248,209.203.1.208 ([SOUTH AFRICA (ZA)][SOUTH AFRICA (ZA)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{80C21CD3-9259-403F-B0E2-1357674666C4} | NameServer : 196.22.218.248,209.203.1.208 ([SOUTH AFRICA (ZA)][SOUTH AFRICA (ZA)]) -> Found

Somehow this command was listed on 2 separate lines in your FixList.txt file and the fix failed.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
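
Before deciding whether the [PUM.Dns] entries above are a hijack or just the ISP's resolvers, a practitioner would want to see what is actually in those interface keys, including the DHCP-supplied servers RogueKiller does not print, and in all three control sets the list covers. The script below is an added example in Python, not code from this thread, RogueKiller or FRST. The decision logic (classify) is kept separate from the registry reads (read_registry) so it runs on the constructed SAMPLE on any OS; the reads and the check for the Internet Explorer policy key that the fixlist targeted need Windows. The DhcpNameServer values and the second interface in SAMPLE are constructed; the page only shows the static NameServer string for one interface.

```python
"""Re-check the [PUM.Dns] entries RogueKiller listed and the IE policy key FRST
flagged, straight from the registry rather than from a scanner's summary.

Added example, not code from the thread, RogueKiller or FRST.  classify() is
pure and runs on the constructed SAMPLE anywhere; read_registry() and
ie_policy_key_present() need Windows.  DhcpNameServer values and the second
interface in SAMPLE are constructed (the page shows only the NameServer string).
"""
import ipaddress

CONTROL_SETS = ("CurrentControlSet", "ControlSet001", "ControlSet002")
INTERFACES_KEY = r"SYSTEM\%s\Services\Tcpip\Parameters\Interfaces"
IE_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Internet Explorer"
PAGE_GUID = "{80C21CD3-9259-403F-B0E2-1357674666C4}"   # interface GUID from the log

# Constructed sample: the page's interface in all three control sets, plus one
# made-up interface whose static DNS overrides what DHCP handed out.
SAMPLE = {cs: {PAGE_GUID: {"EnableDHCP": 1,
                           "NameServer": "196.22.218.248,209.203.1.208",
                           "DhcpNameServer": "196.22.218.248 209.203.1.208"}}
          for cs in CONTROL_SETS}
SAMPLE["CurrentControlSet"]["{CONSTRUCTED-0000-0000-0000-000000000002}"] = {
    "EnableDHCP": 1, "NameServer": "203.0.113.53", "DhcpNameServer": "192.0.2.1"}


def split_servers(value):
    """NameServer may be comma- or space-separated; DhcpNameServer is space-separated."""
    return value.replace(",", " ").split() if value else []


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(data):
    """data: {control_set: {interface_guid: {value_name: value}}} -> [(severity, message)]."""
    findings = []
    static_by_guid = {}
    for cs, interfaces in data.items():
        for guid, values in interfaces.items():
            static = split_servers(values.get("NameServer"))
            dhcp = split_servers(values.get("DhcpNameServer"))
            bad = [s for s in static + dhcp if not _is_ip(s)]
            if bad:
                findings.append(("warn", "%s %s: unparseable DNS entry %r" % (cs, guid, bad)))
            if not static:
                continue                      # DHCP-only interface, nothing overriding it
            static_by_guid.setdefault(guid, {})[cs] = tuple(static)
            if values.get("EnableDHCP") == 1 and dhcp and set(static) != set(dhcp):
                # classic DNS-changer pattern: a hard-coded resolver that wins over DHCP
                findings.append(("warn", "%s %s: static NameServer %s overrides DHCP-supplied %s"
                                 % (cs, guid, static, dhcp)))
            else:
                findings.append(("info", "%s %s: static NameServer %s; confirm these are your ISP's resolvers"
                                 % (cs, guid, static)))
    for guid, by_cs in static_by_guid.items():
        if len(set(by_cs.values())) > 1:
            # a fix applied to CurrentControlSet alone leaves the other set's copy in place
            findings.append(("warn", "%s: NameServer differs between control sets %r" % (guid, by_cs)))
    return findings


def read_registry():
    """Collect the same values from the live registry (Windows only)."""
    import winreg
    data = {}
    for cs in CONTROL_SETS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY % cs)
        except OSError:
            continue                          # control set not present on this machine
        data[cs] = {}
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break                         # no more interface subkeys
            i += 1
            vals = {}
            with winreg.OpenKey(root, guid) as k:
                for name in ("EnableDHCP", "NameServer", "DhcpNameServer"):
                    try:
                        vals[name] = winreg.QueryValueEx(k, name)[0]
                    except OSError:
                        pass                  # value not set on this interface
            data[cs][guid] = vals
    return data


def ie_policy_key_present():
    """True if the key FRST's fix reported as 'key not found' exists now."""
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_POLICY_KEY))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    live = sys.platform == "win32"
    for sev, msg in classify(read_registry() if live else SAMPLE):
        print(sev.upper(), msg)
    if live:
        print("IE policy key present:", ie_policy_key_present())
```

The country tag RogueKiller attaches cannot tell a resolver the user's ISP handed out from one a DNS changer wrote; the EnableDHCP/DhcpNameServer comparison can, which is why the script reports a static entry that merely matches DHCP as informational and one that overrides differing DHCP servers as a warning. The cross-control-set comparison matters for the same reason RogueKiller lists all three keys: a value corrected only under CurrentControlSet survives in the set that Last Known Good Configuration boots.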

#15 tadpole90
  • Topic Starter
  • Members
  • 27 posts

Posted 28 October 2015 - 09:37 AM

Hallo

I am not located in South Africa, but my ISP (satellite Internet) is there, so I did not run RogueKiller.

Here is the Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by user (2015-10-28 16:30:45) Run:5
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

End

*****************

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.

==== End of Fixlog 16:30:45 ====

I am still unable to load some web pages.

Thanks