Infected with Search Safer after running Malwarebytes can't connect to internet


This topic is locked
2 replies to this topic

#1 jj266609


Posted 29 October 2015 - 02:05 PM

I've attached the FRST log

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:28-10-2015
Ran by Jude (administrator) on JUDE-PC (29-10-2015 11:59:59)
Running from F:\
Loaded Profiles: Jude (Available Profiles: Jude & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\hkcmd.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(PACE Anti-Piracy, Inc.) C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-21] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1870120 2009-10-15] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [506208 2009-10-29] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [911160 2009-10-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [707416 2009-11-10] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1489248 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] => C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-11-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [557768 2014-09-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation)
HKLM-x32\...\Run: [SVPWUTIL] => C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe [352256 2009-08-12] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [HWSetup] => C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [423936 2009-06-02] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [TWebCamera] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2446648 2009-11-05] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] => C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe [529256 2009-08-09] (Toshiba)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [LTCM Client] => C:\Program Files (x86)\LTCM Client\ltcmClient.exe [1596096 2009-08-05] (Leader Technologies Inc.)
HKLM-x32\...\Run: [NACAgentUI] => C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe [454400 2010-08-19] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2691480 2014-03-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Path] => C:\Program Files (x86)\ZOOM\Edit_Share\bin\ZOOM Edit&Share startup.exe [1989632 2012-06-08] ()
HKLM-x32\...\Run: [DigiDo] => C:\Program Files (x86)\Time Warner Cable\TWC WiFi\TrayApp.exe [1158480 2013-02-27] (Affinegy, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [EPSON NX510 Series] => C:\windows\system32\spool\DRIVERS\x64\3\E_IATIFIA.EXE [223232 2009-11-04] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [Xvid] => C:\Program Files (x86)\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [BitTorrent] => C:\Users\Jude\AppData\Roaming\BitTorrent\BitTorrent.exe [1977192 2015-10-22] (BitTorrent Inc.)
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [Facebook Update] => C:\Users\Jude\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2014-10-07] (Facebook Inc.)
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [UM] => C:\Users\Jude\AppData\Roaming\Update Manager\UM.EXE
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [6274184 2015-08-23] (Plex, Inc.)
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [9nBEv6pEC58D] => regsvr32.exe /s "C:\PROGRA~3\9nBEv6pEC58D.dll"
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [CubiLnax] => regsvr32.exe "C:\Users\Jude\AppData\Local\IehaWwuj\EozUzgo.dll"
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Policies\Explorer: [HideSCAHealth] 1
AppInit_DLLs: C:\PROGRA~3\WINCLE~1\WINCLE~2.DLL => No File
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-03-20] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-03-20] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-03-20] ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-09-02]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe (McAfee, Inc.)
BootExecute: autocheck autochk /k:C*
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 01 C:\windows\SysWOW64\mswsock.dll [232448 2010-11-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9 01 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 02 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 03 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 04 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 15 C:\windows\system32\plsapp.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 02 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 03 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 04 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 15 C:\windows\system32\plsapp64.dll No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{3E79FF26-2F2E-4F84-815E-226111E3F477}: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{CB58A216-D4C3-4814-930A-3E950839333B}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSSE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSSE
URLSearchHook: HKLM-x32 - (No Name) - {656461ef-40f6-4115-9ff1-bced9812ccbb} - No File
URLSearchHook: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 - (No Name) - {656461ef-40f6-4115-9ff1-bced9812ccbb} - No File
SearchScopes: HKLM -> DefaultScope {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {2B606F37-63D2-40A3-A8FD-106EEFCD620B} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM -> {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM-x32 -> DefaultScope {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {14309F87-0165-4C43-BF49-6A478540A49F} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM-x32 -> {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> DefaultScope {62F01841-5930-49B9-B641-0CA78CDE60D1} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {14309F87-0165-4C43-BF49-6A478540A49F} URL = hxxp://www.bing.com/search?FORM=UP21DF&PC=UP21&dt=042313&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {3984F7DD-88AD-4934-9792-0391A5719BBB} URL = hxxp://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {409DD3B4-D1F8-EC6E-EDBD-2367FDA78762} URL = hxxp://www.bing.com/search?q={searchTerms}&pc=Z015&form=ZGAIDF
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {62F01841-5930-49B9-B641-0CA78CDE60D1} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {B89294BE-A3A0-B4F4-B086-4CE2E34C0C9B} URL = hxxp://www.bing.com/search?q={searchTerms}&pc=ZUGO&form=ZGAIDF
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {BE4EDAEA-EE0A-4697-9661-44F4EE8D6EC0} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA_enUS377
SearchScopes: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> {E17D66D5-8C45-4649-9325-6D5618669D04} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-14] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-14] (Oracle Corporation)
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Jude\AppData\Roaming\Mozilla\Firefox\Profiles\8zecnceh.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine,S:
FF DefaultSearchEngine.US: Google
FF SearchEngineOrder.1,S:
FF SelectedSearchEngine: Google
FF SelectedSearchEngine,S:
FF Keyword.URL: hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=282369&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_19_0_0_226.dll [2015-10-17] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-09-19] (Adobe Systems)
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2014-03-20] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-17] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-10-01] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-14] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-14] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll [2013-01-24] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @nbc.com/DirectPlayer -> C:\Program Files (x86)\NBC Direct\npDirectPlayerMozilla.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-09-19] (Adobe Systems)
FF Plugin HKU\S-1-5-21-2540521652-1859901435-2141200411-1001: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Jude\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Extension: SaveNewiaoAAppZ - C:\Users\Jude\AppData\Roaming\Mozilla\Firefox\Profiles\8zecnceh.default\Extensions\cnhggndex@lgaeouo.net [2014-05-07] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF => not found

Chrome:
=======
CHR HomePage: Default -> hxxp://www.yahoo.com/
CHR StartupUrls: Default -> "hxxp://www.yahoo.com/"
CHR Profile: C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Angry Birds) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2014-12-15]
CHR Extension: (Google Docs) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03]
CHR Extension: (Google Drive) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-24]
CHR Extension: (YouTube) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-27]
CHR Extension: (HelloFax: 50 Free Fax Pages) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\bocmleclimfnadgmcdgecijlblfcmfnm [2015-02-27]
CHR Extension: (Google Search) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Google Docs Offline) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-04]
CHR Extension: (AdBlock) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-10-24]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-26]
CHR Extension: (Lazarus: Form Recovery) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\loljledaigphbcpfhfmgopdkppkifgno [2014-10-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-25]
CHR Extension: (Hover Zoom) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2015-09-30]
CHR Extension: (Gmail) - C:\Users\Jude\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-27]
CHR HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ngmmcbedgcbfghamlghhpbpifnbhhpik] - C:\Users\Jude\AppData\Local\CRE\ngmmcbedgcbfghamlghhpbpifnbhhpik.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [eihhgekonheiliaidomffpplfhecmkag] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [icmlaeflemplmjndnaapfdbbnpncnbda] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [ngmmcbedgcbfghamlghhpbpifnbhhpik] - C:\Users\Jude\AppData\Local\CRE\ngmmcbedgcbfghamlghhpbpifnbhhpik.crx <not found>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AffinegyService; C:\Program Files (x86)\Time Warner Cable\TWC WiFi\AffinegyService.exe [592720 2013-02-27] (Affinegy, Inc.)
S3 digiSPTIService64; C:\Program Files\Avid\Pro Tools\digisptiservice64.exe [190464 2014-06-28] (Avid Technology, Inc.) [File not signed]
S2 FastTrackDuoAudioDevMon; C:\Program Files (x86)\Avid\Fast Track Duo\AudioDevMon.exe [2036496 2013-05-24] (Avid)
S2 Freemake Improver; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [108032 2014-03-26] (Freemake) [File not signed]
R2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.163\McCHSvc.exe [289256 2015-07-31] (McAfee, Inc.)
S2 MOTU_ZeroConf; C:\Program Files (x86)\MOTU\motuDNSResponder.exe [390544 2014-02-13] (MOTU Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [12600 2012-03-26] (Microsoft Corporation)
S2 NACAgent; C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [783616 2010-08-19] (Cisco Systems, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-07-31] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [291696 2012-03-26] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-07-31] (Hewlett-Packard) [File not signed]
S2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2314240 2010-10-21] (Intel Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 AVIDUSBFASTTRACKDUO; C:\Windows\System32\DRIVERS\AvidFastTrackDuo.sys [527120 2013-05-24] (Avid)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-02-13] (DT Soft Ltd)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 iLokDrvr; C:\Windows\System32\DRIVERS\iLokDrvr.sys [25808 2013-04-11] ()
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-10-29] (Malwarebytes)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-06-22] (Corel Corporation)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-12-25] () [File not signed]
S3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [17920 2010-01-20] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [27648 2010-01-20] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [33280 2010-01-20] (LG Electronics Inc.)
S1 apaqsbge; \??\C:\windows\system32\drivers\apaqsbge.sys [X]
S1 avuvhoja; \??\C:\windows\system32\drivers\avuvhoja.sys [X]
S3 BS169996300; \??\C:\Users\Jude\AppData\Local\Temp\NTFS.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [X]
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-29 11:45 - 2015-10-29 11:45 - 00008814 _____ C:\Users\Jude\Desktop\JRT.txt
2015-10-29 11:17 - 2015-10-29 11:25 - 00000000 ____D C:\AdwCleaner
2015-10-29 10:39 - 2015-10-29 10:40 - 00001132 _____ C:\Users\Jude\Desktop\FSS.txt
2015-10-29 10:39 - 2015-10-29 10:29 - 00899072 _____ (Farbar) C:\Users\Jude\Desktop\FSS.exe
2015-10-28 18:00 - 2015-10-28 18:00 - 00001092 _____ C:\Users\Jude\Desktop\mbam scan 1.txt
2015-10-28 13:05 - 2015-10-29 11:35 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-28 13:04 - 2015-10-28 13:04 - 00001077 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-28 13:04 - 2015-10-28 13:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-28 13:04 - 2015-10-28 13:04 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-28 13:04 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2015-10-28 13:04 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-10-28 12:48 - 2015-10-28 13:00 - 00000000 ____D C:\KVRT_Data
2015-10-28 12:46 - 2015-10-28 12:47 - 92483736 _____ (Kaspersky Lab ZAO) C:\Users\Jude\Downloads\KVRT.exe
2015-10-28 12:22 - 2015-10-28 12:29 - 00003390 _____ C:\Users\Jude\Desktop\Rkill.txt
2015-10-28 12:22 - 2015-10-28 12:22 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\Jude\Downloads\iExplore.exe
2015-10-28 12:17 - 2015-10-28 12:18 - 00056770 _____ C:\Users\Jude\Downloads\MTB.txt
2015-10-28 12:16 - 2015-10-28 12:16 - 00891392 _____ (Farbar) C:\Users\Jude\Downloads\MiniToolBox.exe
2015-10-28 00:44 - 2015-10-28 00:45 - 02687418 _____ (Kephyr) C:\Users\Jude\Downloads\freefixersetup.exe
2015-10-27 23:07 - 2015-10-27 23:07 - 00000000 ____D C:\ProgramData\Emsisoft
2015-10-27 22:27 - 2015-10-28 01:11 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2015-10-27 22:24 - 2015-10-27 22:25 - 180000792 _____ (Emsisoft Ltd. ) C:\Users\Jude\Downloads\EmsisoftAntiMalwareSetup.exe
2015-10-26 22:33 - 2015-10-26 22:33 - 00000000 __SHD C:\found.001
2015-10-22 17:05 - 2015-10-22 17:05 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2015-10-22 17:04 - 2015-10-28 13:02 - 00000000 ____D C:\Users\Jude\AppData\Local\IehaWwuj
2015-10-22 17:03 - 2015-10-25 21:08 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-22 17:02 - 2015-10-29 11:33 - 00000000 ____D C:\Users\Jude\AppData\LocalLow\BitTorrent
2015-10-18 23:43 - 2015-10-22 11:17 - 00000000 ____D C:\Users\Jude\Desktop\la shots
2015-10-14 21:30 - 2015-10-17 03:19 - 03996360 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerInstaller.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-29 12:00 - 2012-07-19 22:56 - 00000000 ____D C:\FRST
2015-10-29 11:53 - 2010-01-26 15:27 - 01142058 _____ C:\windows\WindowsUpdate.log
2015-10-29 11:48 - 2009-07-13 21:45 - 00016304 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-29 11:48 - 2009-07-13 21:45 - 00016304 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-29 11:41 - 2010-12-06 22:18 - 00000000 ____D C:\Users\Jude\AppData\Roaming\BitTorrent
2015-10-29 11:41 - 2010-05-01 13:06 - 00000000 ____D C:\Users\Jude
2015-10-29 11:36 - 2010-07-02 07:48 - 00000000 ___HD C:\Users\Jude\AppData\Local\CrashDumps
2015-10-29 11:32 - 2015-05-17 16:34 - 00011995 _____ C:\windows\setupact.log
2015-10-29 11:32 - 2009-07-13 22:08 - 00032626 _____ C:\windows\Tasks\SCHEDLGU.TXT
2015-10-29 11:32 - 2009-07-13 22:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-10-29 11:31 - 2015-09-17 15:14 - 00001410 _____ C:\windows\PFRO.log
2015-10-29 10:34 - 2009-07-13 22:13 - 00733692 _____ C:\windows\system32\PerfStringBackup.INI
2015-10-28 19:13 - 2009-07-13 20:20 - 00000000 ____D C:\windows\system32\NDF
2015-10-28 18:39 - 2012-11-07 16:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-28 18:35 - 2013-02-16 08:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-28 17:19 - 2012-07-14 17:10 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2015-10-28 17:07 - 2010-05-01 13:33 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-28 14:06 - 2010-05-01 13:33 - 00000890 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-28 13:04 - 2010-08-15 13:51 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-10-28 13:02 - 2012-06-16 07:48 - 00000000 ____D C:\Program Files (x86)\BitTorrentBar2
2015-10-28 10:58 - 2011-09-05 16:52 - 00127704 _____ C:\windows\system32\GDIPFONTCACHEV1.DAT
2015-10-28 00:50 - 2011-10-06 16:17 - 00000000 ____D C:\Users\Jude\AppData\Local\Mozilla
2015-10-28 00:48 - 2009-11-18 19:35 - 00000000 ____D C:\Program Files (x86)\Google
2015-10-26 20:59 - 2015-08-20 20:59 - 00000000 ____D C:\Users\Jude\Desktop\NEW
2015-10-26 20:59 - 2015-08-01 14:33 - 00000000 ____D C:\Users\Jude\Desktop\New folder (2)
2015-10-18 11:59 - 2015-07-02 19:34 - 00000000 ____D C:\Users\Jude\Desktop\Accident stuff
2015-10-17 03:19 - 2012-07-14 17:10 - 00780488 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-10-17 03:19 - 2011-07-06 17:15 - 00142536 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-11 14:22 - 2014-09-12 10:18 - 00000000 ____D C:\Users\Jude\Desktop\Work
2015-10-11 13:59 - 2015-07-02 16:43 - 00000000 ____D C:\Users\Jude\Desktop\house and accident pics
2015-10-11 13:56 - 2013-08-17 06:41 - 00000000 ___RD C:\Users\Jude\Desktop\TV and Movies
2015-10-11 12:48 - 2013-11-09 07:48 - 00000000 ____D C:\Users\Jude\AppData\Roaming\vlc
2015-10-10 18:08 - 2015-01-05 19:53 - 00000000 ____D C:\Users\Jude\AppData\Roaming\Adobe
2015-10-07 02:00 - 2015-09-18 17:52 - 00000000 ____D C:\Users\Jude\AppData\Local\Plex Media Server
2015-10-05 09:50 - 2010-08-15 13:51 - 00025816 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2015-09-30 23:54 - 2014-09-12 10:19 - 00000000 ____D C:\Users\Jude\Desktop\Finance
2015-09-30 23:53 - 2015-08-24 13:16 - 00000000 ____D C:\Users\Jude\Desktop\Foodtown Images and Video

==================== Files in the root of some directories =======

2010-07-16 06:48 - 2006-11-27 12:06 - 0000449 ____H () C:\Program Files (x86)\file_id.diz
2010-08-13 13:58 - 2010-08-13 13:58 - 0000024 ____H () C:\Users\Jude\AppData\Roaming\bawuho.dat
2014-06-27 12:04 - 2014-06-27 12:04 - 0091080 _____ () C:\Users\Jude\AppData\Roaming\CodecsLE_Install.log
2014-07-01 10:32 - 2014-07-01 10:33 - 0279322 _____ () C:\Users\Jude\AppData\Roaming\DXDriver_Install.log
2010-12-25 15:00 - 2010-12-25 15:00 - 0225280 _____ (Propellerhead Software AB) C:\Users\Jude\AppData\Roaming\Rewire.dll
2010-12-25 15:00 - 2010-12-25 15:00 - 0233472 _____ (Propellerhead Software AB) C:\Users\Jude\AppData\Roaming\REX Shared Library.dll
2011-04-09 11:36 - 2011-04-09 11:52 - 0001057 ____H () C:\Users\Jude\AppData\Roaming\vso_ts_preview.xml
2010-05-01 13:18 - 2011-01-31 11:22 - 0001568 ____H () C:\Users\Jude\AppData\Roaming\wklnhst.dat
2011-12-24 21:45 - 2011-12-24 21:47 - 0011204 ___SH () C:\Users\Jude\AppData\Local\13732673a7a4
2011-12-30 09:48 - 2011-12-30 10:16 - 0006934 ___SH () C:\Users\Jude\AppData\Local\213ms54md02a01808426vojooi4k641umf6gp23374q
2011-05-01 17:24 - 2011-05-01 17:26 - 0009818 ___SH () C:\Users\Jude\AppData\Local\7436f707h6re145pe55c
2011-12-28 07:24 - 2011-12-28 07:25 - 0008444 ___SH () C:\Users\Jude\AppData\Local\8u83261532llm338
2010-08-14 10:09 - 2010-08-15 12:02 - 0000120 ____H () C:\Users\Jude\AppData\Local\Bcimevasu.dat
2011-12-22 00:04 - 2011-12-22 00:08 - 0009904 ___SH () C:\Users\Jude\AppData\Local\d5ie34x6bh5jvr
2011-07-12 22:05 - 2014-05-27 14:45 - 0019968 _____ () C:\Users\Jude\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-02-20 11:16 - 2011-02-20 12:22 - 0010546 ___SH () C:\Users\Jude\AppData\Local\g30pwi873d3qxbg1yqm5qb0f22g2u6546al537qu0uu
2012-05-27 09:46 - 2012-05-27 09:46 - 0000504 _____ () C:\Users\Jude\AppData\Local\psppirerc
2012-05-27 10:04 - 2012-05-27 10:04 - 0000825 _____ () C:\Users\Jude\AppData\Local\recently-used.xbel
2010-08-14 10:09 - 2010-08-15 09:32 - 0000000 ____H () C:\Users\Jude\AppData\Local\Rmirupe.bin
2011-12-30 09:48 - 2011-12-30 10:16 - 0006934 ___SH () C:\ProgramData\213ms54md02a01808426vojooi4k641umf6gp23374q
2011-12-28 07:24 - 2011-12-28 07:28 - 0012532 ___SH () C:\ProgramData\8u83261532llm338
2011-12-22 00:04 - 2011-12-22 00:08 - 0009904 ___SH () C:\ProgramData\d5ie34x6bh5jvr
2011-02-20 11:16 - 2011-02-20 12:22 - 0010546 ___SH () C:\ProgramData\g30pwi873d3qxbg1yqm5qb0f22g2u6546al537qu0uu
2011-05-24 15:54 - 2011-05-24 15:54 - 0000120 ____H () C:\ProgramData\~49340152
2011-05-24 15:54 - 2011-05-24 15:54 - 0000152 ____H () C:\ProgramData\~49340152r

ZeroAccess:
C:\Windows\assembly\temp
C:\Windows\assembly\temp\bckfg.tmp
C:\Windows\assembly\temp\cfg.ini
C:\Windows\assembly\temp\keywords
C:\Windows\assembly\temp\lsflt7.ver
C:\Windows\assembly\temp\oemid
C:\Windows\assembly\temp\version
C:\Windows\assembly\temp\U\00000001.@
C:\Windows\assembly\temp\U\00000004.@
C:\Windows\assembly\temp\U\000000c0.@
C:\Windows\assembly\temp\U\000000cb.@
C:\Windows\assembly\temp\U\000000cf.@
C:\Windows\assembly\temp\U\80000000.@
C:\Windows\assembly\temp\U\80000004.@
C:\Windows\assembly\temp\U\800000c0.@
C:\Windows\assembly\temp\U\800000cb.@
C:\Windows\assembly\temp\U\800000cf.@
C:\Windows\assembly\temp\L\00000004.@
C:\Windows\assembly\temp\L\201d3dde

Some files in TEMP:
====================
C:\Users\Jude\AppData\Local\Temp\6FF0.exe
C:\Users\Jude\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\windows\system64


LastRegBack: 2015-10-28 16:32

==================== End of FRST.txt ============================

Attached Files

  • Attached File: FRST.txt (36.58KB)

Edited by nasdaq, 01 November 2015 - 09:24 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 November 2015 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Using a good computer, please download the following tools to a CD.
Copy the files to the Desktop of the compromised computer.
Run the tools in the order listed.
When running RogueKiller, remove/delete everything that is found.

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved on the Desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [UM] => C:\Users\Jude\AppData\Roaming\Update Manager\UM.EXE
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [9nBEv6pEC58D] => regsvr32.exe /s "C:\PROGRA~3\9nBEv6pEC58D.dll"
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [CubiLnax] => regsvr32.exe "C:\Users\Jude\AppData\Local\IehaWwuj\EozUzgo.dll"
AppInit_DLLs: C:\PROGRA~3\WINCLE~1\WINCLE~2.DLL => No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Winsock: Catalog5 01 C:\windows\SysWOW64\mswsock.dll [232448 2010-11-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9 01 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 02 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 03 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 04 C:\windows\system32\plsapp.dll No File
Winsock: Catalog9 15 C:\windows\system32\plsapp.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 02 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 03 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 04 C:\windows\system32\plsapp64.dll No File
Winsock: Catalog9-x64 15 C:\windows\system32\plsapp64.dll No File
URLSearchHook: HKLM-x32 - (No Name) - {656461ef-40f6-4115-9ff1-bced9812ccbb} - No File
URLSearchHook: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 - (No Name) - {656461ef-40f6-4115-9ff1-bced9812ccbb} - No File
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-2540521652-1859901435-2141200411-1001 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nbc.com/DirectPlayer -> C:\Program Files (x86)\NBC Direct\npDirectPlayerMozilla.dll [No File]
FF Extension: SaveNewiaoAAppZ - C:\Users\Jude\AppData\Roaming\Mozilla\Firefox\Profiles\8zecnceh.default\Extensions\cnhggndex@lgaeouo.net [2014-05-07] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF => not found
CHR HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ngmmcbedgcbfghamlghhpbpifnbhhpik] - C:\Users\Jude\AppData\Local\CRE\ngmmcbedgcbfghamlghhpbpifnbhhpik.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [icmlaeflemplmjndnaapfdbbnpncnbda] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [ngmmcbedgcbfghamlghhpbpifnbhhpik] - C:\Users\Jude\AppData\Local\CRE\ngmmcbedgcbfghamlghhpbpifnbhhpik.crx <not found>
S1 apaqsbge; \??\C:\windows\system32\drivers\apaqsbge.sys [X]
S1 avuvhoja; \??\C:\windows\system32\drivers\avuvhoja.sys [X]
S3 BS169996300; \??\C:\Users\Jude\AppData\Local\Temp\NTFS.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [X]
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [X]
C:\Windows\assembly\temp
C:\Windows\assembly\temp\bckfg.tmp
C:\Windows\assembly\temp\cfg.ini
C:\Windows\assembly\temp\keywords
C:\Windows\assembly\temp\lsflt7.ver
C:\Windows\assembly\temp\oemid
C:\Windows\assembly\temp\version
C:\Windows\assembly\temp\U\00000001.@
C:\Windows\assembly\temp\U\00000004.@
C:\Windows\assembly\temp\U\000000c0.@
C:\Windows\assembly\temp\U\000000cb.@
C:\Windows\assembly\temp\U\000000cf.@
C:\Windows\assembly\temp\U\80000000.@
C:\Windows\assembly\temp\U\80000004.@
C:\Windows\assembly\temp\U\800000c0.@
C:\Windows\assembly\temp\U\800000cb.@
C:\Windows\assembly\temp\U\800000cf.@
C:\Windows\assembly\temp\L\00000004.@
C:\Windows\assembly\temp\L\201d3dde
C:\Users\Jude\AppData\Roaming\Update Manager
C:\PROGRA~3\9nBEv6pEC58D.dll
C:\Users\Jude\AppData\Local\IehaWwuj\EozUzgo.dll
cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Post the logs and let me know what problem persists.

p.s.
Post also the content of the Addition.txt file created with the Farbar tool.
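
A small triage script, added here as an example and not part of nasdaq's instructions or of FRST itself, that parses log lines of the shapes seen above (autostart values, Winsock catalog entries, driver services, files under the assembly\temp directory), flags the ones a fixlist acts on, and assembles them into fixlist lines in the same layout as the one in this thread. The regular expressions, the user-writable-directory rule and the severity labels are the example's own assumptions; the sample lines are copied from the log posted in this thread:

```python
"""Triage of FRST log lines: flag the artifact classes a malware-response helper
acts on (autostart values, Winsock catalog damage, orphaned driver services,
files in a known staging directory) and assemble them into fixlist entries.

Assumptions (this is an added example, not FRST's own code): the regular
expressions below are written against the line shapes visible in the log in
this thread; the severity labels are the example's own triage convention.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: FRST log lines copied from the log earlier in this thread.
SAMPLE_LOG = r"""
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [UM] => C:\Users\Jude\AppData\Roaming\Update Manager\UM.EXE
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [9nBEv6pEC58D] => regsvr32.exe /s "C:\PROGRA~3\9nBEv6pEC58D.dll"
HKU\S-1-5-21-2540521652-1859901435-2141200411-1001\...\Run: [CubiLnax] => regsvr32.exe "C:\Users\Jude\AppData\Local\IehaWwuj\EozUzgo.dll"
Winsock: Catalog9 01 C:\windows\system32\plsapp.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
S1 apaqsbge; \??\C:\windows\system32\drivers\apaqsbge.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\Windows\assembly\temp\U\80000000.@
C:\windows\system32\winlogon.exe => File is digitally signed
"""

RUN_RE = re.compile(r'^(HKLM|HKU)\S*\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.+)$')
WINSOCK_RE = re.compile(r'^Winsock: (?P<catalog>\S+) (?P<idx>\d+) (?P<path>.+?)'
                        r'(?: No File)?(?:\s*ATTENTION: (?P<note>.*))?$')
DRIVER_RE = re.compile(r'^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<path>.+?) \[X\]$')

# Directories a standard user can write to; a DLL registered from here with
# regsvr32 at logon is the pattern the helper's fixlist above removes.
USER_WRITABLE = ('\\programdata\\', '\\progra~3\\', '\\appdata\\')
# Staging directory that FRST itself labels "ZeroAccess" in the log above.
ZEROACCESS_DIR = r'c:\windows\assembly\temp'


@dataclass
class Finding:
    kind: str       # run | winsock | driver | file
    name: str
    detail: str
    severity: str   # high | medium | stale
    line: str       # the original log line (what goes into a fixlist)


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m.group('name'), m.group('target')
            if target == '[X]':
                findings.append(Finding('run', name, 'autostart value whose target file is gone', 'stale', line))
            elif 'regsvr32' in target.lower() and _user_writable(target):
                findings.append(Finding('run', name, 'regsvr32 loads a DLL from a user-writable directory', 'high', line))
            elif _user_writable(target):
                findings.append(Finding('run', name, 'autostart binary in a user-writable directory', 'medium', line))
            continue
        m = WINSOCK_RE.match(line)
        if m and (' No File' in line or m.group('note')):
            detail = m.group('note') or 'catalog entry references a missing provider DLL'
            findings.append(Finding('winsock', f"{m.group('catalog')} {m.group('idx')}", detail, 'high', line))
            continue
        m = DRIVER_RE.match(line)
        if m:
            findings.append(Finding('driver', m.group('name'), 'service points at a driver file that is missing', 'stale', line))
            continue
        if line.lower().startswith(ZEROACCESS_DIR):
            findings.append(Finding('file', line, 'file inside the staging directory FRST flagged as ZeroAccess', 'high', line))
    return findings


def draft_fixlist(findings: List[Finding]) -> List[str]:
    """Assemble fixlist lines in the shape used in this thread: log lines are
    pasted verbatim, and Winsock damage is handled by a catalog reset rather
    than by listing each broken entry."""
    lines = ['start', 'CreateRestorePoint:', 'CloseProcesses:']
    lines += [f.line for f in findings if f.kind in ('run', 'driver', 'file')]
    if any(f.kind == 'winsock' for f in findings):
        lines.append('cmd: netsh winsock reset catalog')
    lines.append('End')
    return lines


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'[{f.severity:6}] {f.kind:7} {f.name}: {f.detail}')
    print('\n'.join(draft_fixlist(found)))
```

The signed-system-file line at the end of the sample produces no finding, which is the point of the rules: only entries whose target is missing, whose DLL is loaded from a location a standard user can write to, or which sit in the directory FRST flagged are carried into the draft fixlist, and the draft still needs a reviewer's eye before it is run against a machine.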

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 November 2015 - 11:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



