Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

DNS redirect virus


  • This topic is locked This topic is locked
19 replies to this topic

#1 doktorwhs

doktorwhs

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 30 October 2015 - 09:41 AM

According to the tech who cleaned my computer, I had a DNS redirect virus. I was getting a fake BSOD Windows security popup. He was able to clean it using a series of utilities. My question is related to the behavior of this virus. I would only get the popup after going to a particular website. He checked the website and found it to be safe and secure, but he was able to replicate the problem on my computer before he cleaned it.  Going to that website caused the popup.  I was convinced that the website had a malicious script or something because the only time I would get the popup was by going to that site.  But I didn't get it every time I went there, maybe every 5th or 6th time.  But 100% of the time I got the popup, it was after going to that website.  Anyway, I'm wondering if any of you have heard of a redirect virus doing this?  Basically, it was being keyed off by going to a particular website, even though the website was safe?


Edited by doktorwhs, 30 October 2015 - 09:45 AM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 02 November 2015 - 09:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===


How is the computer running now?
Wait for further instructions.

#3 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 02 November 2015 - 11:15 AM

My computer was ok for 2 days, but the redirect virus is back this morning.  It is redirecting me to tradeadexchange dot com after going to a website and clicking on a button on that website.  That website is used by my son's school and is supposedly safe:  sms6team.weebly dot com.  Here are my logs:

 

 

 

# AdwCleaner v5.016 - Logfile created 02/11/2015 at 09:54:46
# Updated 01/11/2015 by Xplode
# Database : 2015-11-01.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Rozanna - ROZANNA-HP
# Running from : C:\Users\Rozanna\Downloads\adwcleaner_5.016.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION [BackgroundHost.exe]
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD [BackgroundHost.exe]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1060120406-1166146070-3728516011-1001\Software\Freecorder extension
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C6].txt - [1349 bytes] ##########
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-10-2015
Ran by Rozanna (administrator) on ROZANNA-HP (02-11-2015 10:01:20)
Running from C:\Users\Rozanna\Downloads
Loaded Profiles: Rozanna (Available Profiles: Rozanna & Administrator)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
() C:\Windows\SysWOW64\afasrv64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files (x86)\USIM Editor\iconcs1804775.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8498392 2015-07-17] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-06-09] (Synaptics Incorporated)
HKLM\...\Run: [SetDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [42808 2011-06-27] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [USBestCR] => C:\Program Files (x86)\USIM Editor\iconcs1804775.exe [7374336 2013-10-14] ()
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1394392 2015-07-17] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [HPQuickWebProxy] => C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe [168504 2011-06-28] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [587320 2011-06-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [336440 2011-06-13] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [USBestCR] => C:\Program Files (x86)\USIM Editor\iconcs1804775.exe [7374336 2013-10-14] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597040 2015-10-06] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\tray.exe [1010008 2015-04-08] (Garmin Ltd. or its subsidiaries)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1BA935DA-B78A-4ECC-87E0-85D5C466D639}: [DhcpNameServer] 24.220.0.10 24.220.0.11
Tcpip\..\Interfaces\{B39089AF-EB19-48E3-987B-D9A8E4007CC4}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1060120406-1166146070-3728516011-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\S-1-5-21-1060120406-1166146070-3728516011-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM -> {E9D196F7-4FC2-4ABE-AA81-EF3823765FC6} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> DefaultScope {9ECEACDC-A7AB-4B23-AC57-AECA808C63D5} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> {9ECEACDC-A7AB-4B23-AC57-AECA808C63D5} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = 
SearchScopes: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> {E9D196F7-4FC2-4ABE-AA81-EF3823765FC6} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_65\bin\ssv.dll [2015-10-29] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-10-29] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {E4D88471-7ED7-43E1-B290-205559E8EBB2} hxxps://mig.avera.org/mig/ssd/login/Browser%20Logoff.dll
DPF: HKLM-x32 {ECB7BFF0-FF65-11D1-9004-00A0C92E6878} hxxps://mig.avera.org/mig/ssd/login/MWebEnable.dll
 
FireFox:
========
FF ProfilePath: C:\Users\Rozanna\AppData\Roaming\Mozilla\Firefox\Profiles\db5ty3wm.default
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://www.google.com/
FF Plugin: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-10-29] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-10-29] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-10-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-10-10] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll [2015-10-28] ()
 
Chrome: 
=======
CHR Profile: C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-09-13]
CHR Extension: (Google Docs) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-09-13]
CHR Extension: (Google Drive) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Google Sheets) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-09-13]
CHR Extension: (Google Docs Offline) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-13]
CHR Extension: (Gmail) - C:\Users\Rozanna\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-13]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AfaService; C:\Windows\SysWOW64\afasrv64.exe [73728 2013-10-14] () [File not signed]
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [1436192 2014-05-19] (Fitbit, Inc.) [File not signed]
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [349728 2015-10-28] (WildTangent)
R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [708616 2015-04-08] (Garmin Ltd. or its subsidiaries)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [158496 2014-10-10] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-07-17] (Realtek Semiconductor)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [1205136 2015-08-26] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [41080 2015-10-28] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-10-10] (Intel Corporation)
S3 MHIKEY10; C:\Windows\System32\Drivers\MHIKEY10x64.sys [59136 2009-08-17] (Generic USB smartcard reader)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [752856 2015-06-22] (Realsil Semiconductor Corporation)
U5 RTSUER; C:\Windows\System32\Drivers\RTSUER.sys [402136 2015-06-22] (Realsil Semiconductor Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-02 10:01 - 2015-11-02 10:02 - 00017908 _____ C:\Users\Rozanna\Downloads\FRST.txt
2015-11-02 10:00 - 2015-11-02 10:01 - 00000000 ____D C:\FRST
2015-11-02 10:00 - 2015-11-02 10:00 - 02198016 _____ (Farbar) C:\Users\Rozanna\Downloads\FRST64.exe
2015-11-02 09:44 - 2015-11-02 09:44 - 01708032 _____ C:\Users\Rozanna\Downloads\adwcleaner_5.016.exe
2015-10-31 13:08 - 2015-10-31 13:08 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-10-31 13:08 - 2015-10-31 13:08 - 00001945 _____ C:\Windows\epplauncher.mif
2015-10-31 13:08 - 2015-10-31 13:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-10-31 13:08 - 2015-10-31 13:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2015-10-31 13:06 - 2015-10-31 13:06 - 14243008 _____ (Microsoft Corporation) C:\Users\Rozanna\Downloads\mseinstall.exe
2015-10-29 14:53 - 2015-11-02 09:55 - 00000392 _____ C:\Windows\setupact.log
2015-10-29 14:53 - 2015-10-29 14:53 - 00000000 _____ C:\Windows\setuperr.log
2015-10-29 14:52 - 2015-10-29 21:30 - 00005304 _____ C:\Windows\PFRO.log
2015-10-29 14:29 - 2015-10-29 15:33 - 00000398 _____ C:\GSMRIAutomation.cfg
2015-10-29 13:49 - 2015-10-29 13:49 - 00000000 ____D C:\ProgramData\Geek Squad
2015-10-29 12:58 - 2015-10-29 12:58 - 00001047 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-10-29 12:58 - 2015-10-29 12:58 - 00001035 _____ C:\Users\Public\Desktop\TeamViewer 10.lnk
2015-10-29 12:58 - 2015-10-29 12:58 - 00000000 ____D C:\Users\Rozanna\AppData\Roaming\TeamViewer
2015-10-29 12:57 - 2015-10-29 13:50 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2015-10-29 12:56 - 2015-10-29 12:56 - 08159440 _____ (TeamViewer GmbH) C:\Users\Rozanna\Downloads\TeamViewer_Setup_en.exe
2015-10-28 22:28 - 2015-10-28 22:29 - 00000000 ____D C:\Users\Rozanna\Desktop\Photos
2015-10-28 22:10 - 2015-10-28 22:10 - 00000743 _____ C:\Users\Rozanna\Desktop\Start Emsisoft Emergency Kit.lnk
2015-10-28 22:09 - 2015-10-28 22:16 - 00000000 ____D C:\EEK
2015-10-28 22:07 - 2015-10-28 22:09 - 169609376 _____ C:\Users\Rozanna\Downloads\EmsisoftEmergencyKit.exe
2015-10-28 21:47 - 2015-10-29 14:52 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-10-28 21:47 - 2015-10-28 21:47 - 00000000 ____D C:\Users\Rozanna\AppData\Local\Zemana
2015-10-28 21:46 - 2015-10-28 21:46 - 05193784 _____ ( ) C:\Users\Rozanna\Downloads\Zemana.AntiMalware.Setup.exe
2015-10-28 21:40 - 2015-10-28 21:40 - 00041080 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2015-10-28 21:38 - 2015-10-28 21:38 - 00012436 _____ C:\Users\Rozanna\Documents\cc_20151028_223811.reg
2015-10-28 21:34 - 2015-10-28 21:35 - 06762072 _____ (Piriform Ltd) C:\Users\Rozanna\Downloads\ccsetup511.exe
2015-10-28 21:31 - 2015-10-28 21:31 - 00006970 _____ C:\Windows\system32\.crusader
2015-10-28 21:21 - 2015-10-28 21:33 - 00000000 ____D C:\ProgramData\HitmanPro
2015-10-28 21:18 - 2015-10-28 21:21 - 11336600 _____ (SurfRight B.V.) C:\Users\Rozanna\Downloads\HitmanPro_x64.exe
2015-10-28 20:44 - 2015-10-28 20:44 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\Rozanna\Downloads\tdsskiller.exe
2015-10-25 13:34 - 2015-10-25 13:34 - 00000000 ____D C:\Users\Rozanna\AppData\Roaming\AVG
2015-10-25 13:29 - 2015-10-29 14:52 - 00000000 ____D C:\ProgramData\Avg
2015-10-25 13:28 - 2015-10-29 13:26 - 00000000 ____D C:\Users\Rozanna\AppData\Local\AvgSetupLog
2015-10-14 19:05 - 2015-09-18 13:22 - 00025432 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-10-14 19:05 - 2015-09-18 13:19 - 01291264 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-10-14 19:05 - 2015-09-18 13:19 - 00766464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-10-14 19:05 - 2015-09-18 13:19 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-10-14 19:05 - 2015-09-18 13:19 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-10-14 19:05 - 2015-09-18 13:19 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-10-14 19:05 - 2015-09-18 13:09 - 01163776 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-10-14 00:40 - 2015-09-18 13:31 - 00391784 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-14 00:40 - 2015-09-18 12:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-10-14 00:40 - 2015-09-15 22:48 - 25851904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-14 00:40 - 2015-09-15 22:36 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-14 00:40 - 2015-09-15 22:36 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-14 00:40 - 2015-09-15 22:22 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-14 00:40 - 2015-09-15 22:21 - 02886656 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-14 00:40 - 2015-09-15 22:21 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-14 00:40 - 2015-09-15 22:21 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-14 00:40 - 2015-09-15 22:21 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-14 00:40 - 2015-09-15 22:21 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-14 00:40 - 2015-09-15 22:14 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-14 00:40 - 2015-09-15 22:13 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-14 00:40 - 2015-09-15 22:10 - 00616960 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-14 00:40 - 2015-09-15 22:09 - 05990912 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-14 00:40 - 2015-09-15 22:08 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-14 00:40 - 2015-09-15 22:08 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-14 00:40 - 2015-09-15 22:08 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-14 00:40 - 2015-09-15 22:08 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-14 00:40 - 2015-09-15 22:01 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-14 00:40 - 2015-09-15 21:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-10-14 00:40 - 2015-09-15 21:58 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-14 00:40 - 2015-09-15 21:50 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-14 00:40 - 2015-09-15 21:46 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-14 00:40 - 2015-09-15 21:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-10-14 00:40 - 2015-09-15 21:45 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-14 00:40 - 2015-09-15 21:43 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-14 00:40 - 2015-09-15 21:41 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-14 00:40 - 2015-09-15 21:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-10-14 00:40 - 2015-09-15 21:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-10-14 00:40 - 2015-09-15 21:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-10-14 00:40 - 2015-09-15 21:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-10-14 00:40 - 2015-09-15 21:31 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-14 00:40 - 2015-09-15 21:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-10-14 00:40 - 2015-09-15 21:29 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-14 00:40 - 2015-09-15 21:29 - 00720896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-14 00:40 - 2015-09-15 21:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-10-14 00:40 - 2015-09-15 21:28 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-14 00:40 - 2015-09-15 21:26 - 02126336 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-14 00:40 - 2015-09-15 21:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-10-14 00:40 - 2015-09-15 21:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-10-14 00:40 - 2015-09-15 21:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-10-14 00:40 - 2015-09-15 21:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-10-14 00:40 - 2015-09-15 21:22 - 14458368 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-14 00:40 - 2015-09-15 21:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-10-14 00:40 - 2015-09-15 21:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-10-14 00:40 - 2015-09-15 21:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-10-14 00:40 - 2015-09-15 21:11 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-14 00:40 - 2015-09-15 21:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-10-14 00:40 - 2015-09-15 21:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-10-14 00:40 - 2015-09-15 21:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-10-14 00:40 - 2015-09-15 21:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-10-14 00:40 - 2015-09-15 21:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-10-14 00:40 - 2015-09-15 21:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2015-10-14 00:40 - 2015-09-15 20:59 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-14 00:40 - 2015-09-15 20:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-10-14 00:40 - 2015-09-15 20:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-10-14 00:40 - 2015-09-15 20:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-10-14 00:40 - 2015-09-15 20:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-10-14 00:40 - 2015-09-15 20:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-10-14 00:40 - 2015-09-15 20:48 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-14 00:40 - 2015-09-15 20:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-10-14 00:40 - 2015-09-15 20:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-10-14 00:40 - 2015-09-15 20:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-10-14 00:40 - 2015-08-06 12:04 - 14176768 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-14 00:40 - 2015-08-06 12:03 - 01866752 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2015-10-14 00:40 - 2015-08-06 11:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-10-14 00:40 - 2015-08-06 11:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 03168768 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 02607104 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-14 00:38 - 2015-09-25 12:07 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-14 00:38 - 2015-09-25 12:06 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-14 00:38 - 2015-09-25 12:06 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-14 00:38 - 2015-09-25 12:06 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-14 00:38 - 2015-09-25 12:06 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-14 00:38 - 2015-09-25 11:59 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-10-14 00:38 - 2015-09-25 11:59 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-10-14 00:38 - 2015-09-25 11:59 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-10-14 00:38 - 2015-09-25 11:59 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-10-14 00:38 - 2015-09-25 11:58 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-10-14 00:37 - 2015-10-01 12:06 - 00692672 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-10-14 00:37 - 2015-10-01 12:04 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-10-14 00:37 - 2015-10-01 12:00 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-14 00:37 - 2015-10-01 12:00 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-14 00:37 - 2015-10-01 12:00 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-14 00:37 - 2015-10-01 12:00 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-14 00:37 - 2015-10-01 12:00 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-14 00:37 - 2015-10-01 11:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-10-14 00:37 - 2015-10-01 11:00 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-14 00:37 - 2015-09-28 21:16 - 05569472 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-14 00:37 - 2015-09-28 21:13 - 01730496 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-14 00:37 - 2015-09-28 21:11 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 01216512 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 01164800 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-14 00:37 - 2015-09-28 21:10 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-14 00:37 - 2015-09-28 21:10 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-14 00:37 - 2015-09-28 21:10 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-10-14 00:37 - 2015-09-28 21:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-10-14 00:37 - 2015-09-28 21:09 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-14 00:37 - 2015-09-28 21:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-10-14 00:37 - 2015-09-28 21:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-10-14 00:37 - 2015-09-28 21:05 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-14 00:37 - 2015-09-28 21:05 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-14 00:37 - 2015-09-28 21:02 - 01311768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-10-14 00:37 - 2015-09-28 20:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-10-14 00:37 - 2015-09-28 20:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-10-14 00:37 - 2015-09-28 20:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-10-14 00:37 - 2015-09-28 20:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-10-14 00:37 - 2015-09-28 20:59 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-10-14 00:37 - 2015-09-28 20:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-10-14 00:37 - 2015-09-28 20:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2015-10-14 00:37 - 2015-09-28 20:58 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-10-14 00:37 - 2015-09-28 20:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-10-14 00:37 - 2015-09-28 20:57 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-10-14 00:37 - 2015-09-28 20:57 - 00665088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-10-14 00:37 - 2015-09-28 20:57 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-10-14 00:37 - 2015-09-28 20:57 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-10-14 00:37 - 2015-09-28 20:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-10-14 00:37 - 2015-09-28 20:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 19:50 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-14 00:37 - 2015-09-28 19:49 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-14 00:37 - 2015-09-28 19:49 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-14 00:37 - 2015-09-28 19:43 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-10-14 00:37 - 2015-09-28 19:43 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-10-14 00:37 - 2015-09-28 19:40 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 19:40 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 19:40 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-10-14 00:37 - 2015-09-28 19:40 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-10-14 00:37 - 2015-09-15 12:17 - 00157016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-14 00:37 - 2015-09-15 12:17 - 00097112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-14 00:37 - 2015-09-15 12:11 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-14 00:37 - 2015-09-15 12:11 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-14 00:37 - 2015-09-15 12:11 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-14 00:37 - 2015-09-15 12:11 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-14 00:37 - 2015-09-15 12:11 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-14 00:37 - 2015-09-15 12:11 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-14 00:37 - 2015-09-15 12:10 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-14 00:37 - 2015-09-15 11:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-10-14 00:37 - 2015-09-15 11:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-10-14 00:37 - 2015-09-15 11:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-10-14 00:37 - 2015-09-15 11:35 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00984448 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00901264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00066400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00063840 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00022368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00020832 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00019808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00016224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00015712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00013664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2015-10-14 00:36 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2015-10-10 07:19 - 2015-10-10 07:19 - 00516096 _____ C:\Users\Rozanna\Downloads\Monthly MedSafe Scan Rates 2013-2015.xls
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-02 10:01 - 2009-07-13 23:13 - 00782510 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-02 09:59 - 2012-12-26 13:25 - 01229208 _____ C:\Windows\WindowsUpdate.log
2015-11-02 09:58 - 2015-08-24 12:43 - 00006463 _____ C:\Windows\SysWOW64\Gms.log
2015-11-02 09:55 - 2015-09-13 23:05 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-02 09:55 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-02 09:54 - 2014-08-07 15:58 - 00000000 ____D C:\AdwCleaner
2015-11-02 09:34 - 2009-07-13 22:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-02 09:34 - 2009-07-13 22:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-02 09:16 - 2015-09-13 23:05 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-02 08:17 - 2013-09-16 08:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-30 20:43 - 2015-03-16 16:18 - 00140800 ___SH C:\Users\Rozanna\Documents\Thumbs.db
2015-10-29 21:29 - 2015-09-02 12:15 - 00000000 ____D C:\Users\Rozanna\.oracle_jre_usage
2015-10-29 21:28 - 2014-01-21 10:58 - 00110176 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-10-29 21:28 - 2014-01-21 10:58 - 00000000 ____D C:\Program Files\Java
2015-10-29 21:28 - 2011-07-12 21:37 - 00000000 ____D C:\ProgramData\Adobe
2015-10-29 20:17 - 2015-09-18 21:21 - 00000000 ____D C:\Users\Rozanna\AppData\Local\YouTubeMuiscDownloader
2015-10-29 14:53 - 2009-07-13 22:45 - 00410272 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-29 14:52 - 2015-05-20 11:23 - 00000000 ____D C:\Users\Rozanna\AppData\Local\Avg
2015-10-29 14:52 - 2013-08-08 12:21 - 00000000 ____D C:\ProgramData\MFAData
2015-10-29 13:26 - 2012-12-26 01:03 - 00109712 _____ C:\Users\Rozanna\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-29 09:57 - 2013-08-13 16:03 - 00000000 ____D C:\Users\Rozanna\AppData\Local\CrashDumps
2015-10-28 23:03 - 2015-09-09 11:07 - 00007598 _____ C:\Users\Rozanna\AppData\Local\Resmon.ResmonCfg
2015-10-28 22:24 - 2011-07-12 21:26 - 00000000 ____D C:\Program Files (x86)\WildTangent Games
2015-10-28 22:23 - 2015-09-30 06:41 - 00000000 ____D C:\Users\Rozanna\AppData\Roaming\WildTangent
2015-10-28 22:23 - 2011-07-12 21:26 - 00000000 ____D C:\ProgramData\WildTangent
2015-10-28 21:35 - 2015-02-20 08:20 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-10-28 09:20 - 2014-08-04 08:03 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-28 09:20 - 2014-08-04 08:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-28 09:20 - 2014-08-04 08:03 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-27 07:40 - 2013-09-20 16:43 - 00000000 ____D C:\Users\Rozanna\AppData\Roaming\Apple Computer
2015-10-25 13:38 - 2014-11-21 16:34 - 00000000 ____D C:\ProgramData\AVG2015
2015-10-25 13:27 - 2015-03-20 12:38 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-25 13:27 - 2015-03-20 12:38 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-23 22:07 - 2015-09-13 23:06 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-15 02:00 - 2015-04-15 06:46 - 00000000 ____D C:\Windows\system32\appraiser
2015-10-15 02:00 - 2014-05-07 06:43 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-10-14 14:23 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2015-10-14 02:44 - 2015-04-05 08:09 - 00000000 ___SD C:\Windows\system32\GWX
2015-10-14 02:22 - 2013-07-17 02:00 - 00000000 ____D C:\Windows\system32\MRT
2015-10-14 02:22 - 2012-12-28 10:40 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-10-14 02:10 - 2012-12-26 14:24 - 143481208 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-14 02:08 - 2009-07-13 20:34 - 00000478 _____ C:\Windows\win.ini
2015-10-14 02:03 - 2015-04-05 08:09 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-10-10 19:36 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-05 08:50 - 2014-08-04 08:03 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 08:50 - 2014-08-04 08:03 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 08:50 - 2014-08-04 08:03 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
 
==================== Files in the root of some directories =======
 
2015-09-09 11:07 - 2015-10-28 23:03 - 0007598 _____ () C:\Users\Rozanna\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Rozanna\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-10-31 02:06
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by Rozanna (2015-11-02 10:02:59)
Running from C:\Users\Rozanna\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2012-12-26 06:58:33)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1060120406-1166146070-3728516011-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-1060120406-1166146070-3728516011-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1060120406-1166146070-3728516011-1003 - Limited - Enabled)
Rozanna (S-1-5-21-1060120406-1166146070-3728516011-1001 - Administrator - Enabled) => C:\Users\Rozanna
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 19 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 19.0.0.226 - Adobe Systems Incorporated)
Agatha Christie - Peril at End House (x32 Version: 2.2.0.95 - WildTangent) Hidden
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (HKLM-x32\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{B678797F-DF38-4556-8A31-8B818E261868}) (Version: 8.0.0.23 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG Web TuneUp (HKLM-x32\...\AVG Web TuneUp) (Version: 4.1.6.294 - AVG Technologies)
Avidemux 2.6 (32-bit) (HKLM-x32\...\Avidemux 2.6) (Version: 2.6.8.9046 - )
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{1E03DB52-D5CB-4338-A338-E526DD4D4DB1}) (Version: 7.0.610.0 - Microsoft Corporation)
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blio (HKLM-x32\...\{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}) (Version: 2.2.6699 - K-NFB Reading Technology, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.11 - Piriform)
Chronicles of Albian (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Compaq Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13476.3753 - Hewlett-Packard Company)
Cradle of Rome 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Elevated Installer (x32 Version: 4.0.15.0 - Garmin Ltd or its subsidiaries) Hidden
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - SEIKO EPSON Corporation)
ESU for Microsoft Windows 7 SP1 (HKLM-x32\...\{E96CAA2A-0244-4A2A-8403-0C3C9534778B}) (Version: 2.1.1 - Hewlett-Packard)
Evernote v. 4.2.3 (HKLM-x32\...\{F761359C-9CED-45AE-9A51-9D6605CD55C4}) (Version: 4.2.3.22 - Evernote Corp.)
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
FileHippo.com Update Checker (HKLM-x32\...\FileHippo.com) (Version:  - )
Fitbit Connect (HKLM-x32\...\{D3CD091B-296B-48E9-9F0F-E9FE53E02E41}) (Version: 1.0.3.5511 - Fitbit Inc.)
Fotor 2.0.2 (HKLM-x32\...\Fotor) (Version: 2.0.2 - Everimaging Co., Ltd.)
Garmin Express (HKLM-x32\...\{50755d67-ae60-4e47-b3d6-ce44d01b5a95}) (Version: 4.0.15.0 - Garmin Ltd or its subsidiaries)
Garmin Express (x32 Version: 4.0.15.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (x32 Version: 4.0.15.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
Google Update Helper (x32 Version: 1.3.28.15 - Google Inc.) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.1.1 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Documentation (HKLM-x32\...\{68A55875-B6DD-41E8-8CF6-F193D9C47051}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP Launch Box (HKLM\...\{9CAB2212-0732-4827-8EC4-61D8EF0AA65B}) (Version: 1.0.11 - Hewlett-Packard Company)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP On Screen Display (HKLM-x32\...\{D7670221-BF9B-4DFF-B26B-5BE55A87329F}) (Version: 1.2.2 - Hewlett-Packard Company)
HP Power Manager (HKLM-x32\...\{872B1C80-38EC-4A31-A25C-980820593900}) (Version: 1.2.3 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{BB1C717E-376C-4AA1-8940-81BFC38D9778}) (Version: 2.4.4 - Hewlett-Packard Company)
HP QuickWeb (HKLM-x32\...\{8B52057C-15DB-433E-957C-E279BC7D07E3}) (Version: 3.1.0.9742 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{5036764A-435D-40C9-869C-31085A3D741D}) (Version: 8.7.4751.3798 - Hewlett-Packard Company)
HP Software Framework (HKLM-x32\...\{BFD1ABD7-9417-41CB-B1F6-04BE4CB9820D}) (Version: 4.1.7.1 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}) (Version: 7.0.39.15 - Hewlett-Packard Company)
Intel® Chipset Device Software (x32 Version: 10.0.22 - Intel® Corporation) Hidden
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.30.1072 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.0.0.1046 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{F46AA0F1-E284-4878-A462-5F11B9166C0E}) (Version: 11.4.0.18 - Apple Inc.)
Java 8 Update 65 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418065F0}) (Version: 8.0.650.17 - Oracle Corporation)
Jewel Quest: The Sleepless Star - Collector's Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-007A-0409-0000-0000000FF1CE}) (Version: 14.0.5118.5000 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1060120406-1166146070-3728516011-1001\...\OneDriveSetup.exe) (Version: 17.0.4035.0328 - Microsoft Corporation)
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit (HKLM-x32\...\{95140000-007D-0409-0000-0000000FF1CE}) (Version: 14.0.5120.5000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM-x32\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 40.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 40.0.2 (x86 en-US)) (Version: 40.0.2 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
Neonatal Resuscitation DVD-ROM (HKLM-x32\...\Neonatal Resuscitation DVD-ROM) (Version: 1 - American Academy of Pediatrics)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Plex Media Server (HKLM-x32\...\{9b2a3960-a744-4df3-88ba-66c0e1794508}) (Version: 0.9.1200 - Plex, Inc.)
Plex Media Server (x32 Version: 0.9.1200 - Plex, Inc.) Hidden
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.370.94 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.42.304.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7560 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4123-B2B9-173F09590E16}) (Version: 1.00.11.0323 - REALTEK Semiconductor Corp.)
Recovery Manager (x32 Version: 2.0.0 - Hewlett-Packard) Hidden
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.22.0 - SAMSUNG Electronics Co., Ltd.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Slingo Supreme (x32 Version: 2.2.0.97 - WildTangent) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.11.0 - Synaptics Incorporated)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
USIM Editor 1.0.28.0 (HKLM-x32\...\Card Reader Driver and USIM Editor Program_is1) (Version:  - )
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WildTangent Games App (HP Games) (x32 Version: 4.0.5.2 - WildTangent) Hidden
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinZip 18.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240E1}) (Version: 18.0.11023 - WinZip Computing, S.L. )
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
23-10-2015 09:49:14 Scheduled Checkpoint
25-10-2015 13:31:07 Installed AVG 2016
25-10-2015 13:32:03 Installed AVG
28-10-2015 16:16:47 JRT Pre-Junkware Removal
28-10-2015 21:30:07 Checkpoint by HitmanPro
28-10-2015 21:31:34 Checkpoint by HitmanPro
29-10-2015 13:24:28 Removed AVG
29-10-2015 13:26:21 Removed AVG 2016
29-10-2015 13:27:17 Windows Update
29-10-2015 13:33:46 Removed SlimDrivers
02-11-2015 08:16:28 Removed Java 8 Update 60 (64-bit)
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 20:34 - 2014-08-07 16:40 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {23610F95-80E0-465F-B916-CC8F33259327} - System32\Tasks\HPCeeScheduleForRozanna => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {50996F42-7AF7-41A3-A556-0A8EE6238819} - System32\Tasks\Open Chrome => Chrome.exe --new-window hxxp://toolbar.avg.com/almost-done?pid=safeguard&amp;lang=en
Task: {5F64D2C4-54E1-44B5-B7B2-002D98772D26} - System32\Tasks\{B292045B-74AA-4427-A0E8-72830A7B55C9} => C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [2014-03-31] (Microsoft Corporation)
Task: {66C7F73F-6CDA-4A9D-8113-E70812562354} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\WSCStub.exe
Task: {707318AF-915B-4B4A-8DB9-2644758EA7B3} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express Self Updater\ExpressSelfUpdater.exe
Task: {71672DF1-CE9D-4CED-B787-4D7E3E2363B8} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {73F67A31-5A74-42FC-9EF3-9F72E58BAA19} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe
Task: {7796191D-5AF3-4840-912E-53D2E9E30A8F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-13] (Google Inc.)
Task: {7FD166DF-DA7B-480B-8E94-AD48A8738333} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {84CF4F70-8F1D-4E5D-AE5C-C2D0D139D184} - System32\Tasks\0915tbUpdateInfo => C:\ProgramData\Avg_Update_0915tb\0915tb_{93D38AF4-C1A6-4B7F-AD1E-816BA2B527AE}.exe
Task: {96D47869-BAC0-48C4-AB68-C4C8191A3C0B} - System32\Tasks\{BCD654E4-AA7E-496A-8E28-B27CE9BBD2ED} => C:\Program Files (x86)\Windows Live\Mail\wlmail.exe [2014-03-31] (Microsoft Corporation)
Task: {979658E0-0A2F-4EE8-9E79-AD86A2B1F442} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-07-11] (Hewlett-Packard Company)
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {B82C97AA-A7D4-4289-BFC4-46E66C2CA392} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {BFEA5CCF-6A67-4B73-9A2F-D4DD717D4CF4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-13] (Google Inc.)
Task: {C1E7B07C-8545-4DAA-8E55-039EBE7513F6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-10-25] (Adobe Systems Incorporated)
Task: {C71CC94B-FE80-4BC0-A1A7-A7998ECD048A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2012-09-05] (Hewlett-Packard Company)
Task: {C8F3CE07-5246-4013-8DC8-256551A3699E} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\SymErr.exe
Task: {C9851B4E-199A-4768-AC36-EACC1B72FA21} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\SymErr.exe
Task: {CA9B3470-8E3B-4C10-8550-413CEBBA59D3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-10-19] (Piriform Ltd)
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForRozanna.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\Open Chrome.job => c:\program files (x86)\Google\Chrome\Application\chrome.exeF--new-window hxxp:/toolbar.avg.com/
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-06-11 11:15 - 2015-08-26 08:03 - 01205136 _____ () C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
2013-10-14 18:34 - 2013-10-14 18:34 - 00073728 _____ () C:\Windows\SysWOW64\afasrv64.exe
2013-10-14 18:34 - 2013-10-14 18:34 - 07374336 _____ () C:\Program Files (x86)\USIM Editor\iconcs1804775.exe
2011-04-04 21:18 - 2015-06-01 20:00 - 00102912 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-07-31 11:16 - 2014-07-31 11:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 11:16 - 2014-07-31 11:16 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-05-14 10:45 - 2014-05-14 10:45 - 00090624 _____ () C:\Program Files (x86)\PasswordBox\libwebsocketswin32.dll
2014-10-16 02:45 - 2014-10-16 02:45 - 00169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\ba8588c3319d63350220ec2ac3eb2c36\IsdiInterop.ni.dll
2012-12-26 13:26 - 2010-09-13 20:28 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2014-10-10 08:37 - 2014-10-10 08:37 - 01243936 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1060120406-1166146070-3728516011-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Rozanna\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^Users^Rozanna^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: Digital Coupon Print Driver => "C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe"
MSCONFIG\startupreg: Fitbit Connect => "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
MSCONFIG\startupreg: GarminExpressTrayApp => "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Plex Media Server => "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{41B3D50A-ED76-4BD7-A3EB-8DB03E421DF6}] => (Allow) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
FirewallRules: [{CE2B7890-30EB-44D4-9C4B-D891A7F67E1F}] => (Allow) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
FirewallRules: [{63DAC05A-00C9-4200-9577-84E7071FF09B}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{3311F27B-5064-491D-B408-DEC71BB36413}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{4AA1FB60-EE7E-4B52-B238-F3B72F1F77AE}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{57ED61C9-1ED1-477B-98BB-EB0DF2E24232}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2B79DA30-622A-4816-9E33-03B86E544D9D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{84C8B5FB-008C-470A-9294-C7135355FDC2}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{6952AD2F-1CAB-42D8-9BEE-D8F5927AC04D}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{E1C49699-D1F6-4DD5-9D5C-21A6B5BFC078}] => (Allow) LPort=15600
FirewallRules: [{C4430781-60BA-47E2-AE95-0670177E670D}] => (Allow) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
FirewallRules: [{C860EDFF-CC38-4E20-9661-E122B98F9757}] => (Allow) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
FirewallRules: [{3539BA97-89BA-4DA2-B3B9-3948380D365E}] => (Allow) C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
FirewallRules: [{3E5B3949-DE6D-49F9-84ED-71FD0E43EF2C}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
FirewallRules: [{9A117496-3E79-4507-B222-316134998599}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EF5B64E9-3B6F-418B-AADF-2FB9AEB2FB8B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A4BA78F6-1291-454F-AAE0-648EDC8B2719}] => (Allow) C:\Users\Rozanna\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{B85228AF-4D7E-4144-9777-D89CE7492E69}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{D9A08EBA-A48A-4B25-A5B2-5B693FA19DC5}] => (Allow) LPort=2869
FirewallRules: [{3E50422C-D8DA-4151-8DCE-8C5A10650BC7}] => (Allow) LPort=1900
FirewallRules: [{B2D7F0EF-FE50-400A-BA51-C2D5985C319C}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{28F4EB4D-C7CC-426D-805E-694C96B17987}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{75FBF9E4-65C1-4ACB-B699-1E7A82D9050E}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{C439D1F1-E17D-459B-AF81-E5E4EB872075}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{49836EA6-330A-4BDE-8FF4-6F0AF19140B3}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{D60C6260-3234-43AC-AEFC-78FC1A43F588}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
 
==================== Faulty Device Manager Devices =============
 
Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ZAM_Guard
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ZAM
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/02/2015 09:56:29 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/02/2015 09:20:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/29/2015 09:31:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/29/2015 09:28:29 PM) (Source: MsiInstaller) (EventID: 1024) (User: Rozanna-HP)
Description: Product: Adobe Acrobat Reader DC - Update 'Adobe Acrobat Reader DC
 (15.009.20069)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error: (10/29/2015 09:28:22 PM) (Source: MsiInstaller) (EventID: 11321) (User: Rozanna-HP)
Description: Product: Adobe Acrobat Reader DC -- Error 1321.The Installer has insufficient privileges to modify the file C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.
 
Error: (10/29/2015 03:50:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/29/2015 03:36:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/29/2015 03:06:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/29/2015 02:54:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/29/2015 01:33:46 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddWin32ServiceFiles: Unable to back up image of service ZAM Controller Service since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
.
 
 
System errors:
=============
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Office Software Protection Platform service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Rapid Storage Technology service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP Software Framework Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Integrated Clock Controller Service - Intel® ICCS service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Live ID Sign-in Assistant service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The SeaPort service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (11/02/2015 09:54:46 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The RoxioNow Service service terminated unexpectedly.  It has done this 1 time(s).
 
 
CodeIntegrity:
===================================
  Date: 2015-10-29 20:01:20.929
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:20.914
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:20.898
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:20.789
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:20.773
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:20.758
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:19.666
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:19.650
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:19.650
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-10-29 20:01:19.510
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume2\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_a384c5aabe759ea5\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Celeron® CPU B800 @ 1.50GHz
Percentage of memory in use: 18%
Total physical RAM: 8043.86 MB
Available physical RAM: 6524.81 MB
Total Virtual: 16085.93 MB
Available Virtual: 14521.38 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:279.47 GB) (Free:175.45 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Recovery) (Fixed) (Total:14.46 GB) (Free:1.6 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.08 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: E9B0A126)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=279.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14.5 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)
 
==================== End of Addition.txt ============================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 02 November 2015 - 02:56 PM

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: ipconfig /flushdns

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Reset Chrome...
Open Google Chrome, click on menu icon google-chrome-setting-icon.png which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

How is the computer now?

#5 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 02 November 2015 - 06:09 PM

Thank you for your help!  I ran the FRST fix and Malwarebytes, reset chrome and cleared the cache.  Computer seems ok for now, but I thought it was ok a couple of days ago as well and then the redirect came back.  So I'm not sure if problem is still there waiting to pounce. Some additional info:  I went to the troublesome website on my other computer and also got a redirect, this time to safedownloadsrus158 dot com, and then got a pop-up of  "flash video player is out of date".  I'm beginning to wonder if that website has a redirect embedded in a cookie? (If that's possible?)  It looks like they use a web traffic service quantserve and they might be sending an ad redirect or something via a cookie? (Again, I don't know if that's possible?) It seems like after I delete all my cookies and then that website loads fresh ones, that's when the redirect is more likely to happen.  Anyway, I would just blacklist the website myself, but it's used by my son's teachers for homework assignments and such. It's at sms6team.weebly dot com. 

 

Here are the logs requested:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by Rozanna (2015-11-02 16:03:05) Run:1
Running from C:\Users\Rozanna\Downloads
Loaded Profiles: Rozanna (Available Profiles: Rozanna & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: ipconfig /flushdns
 
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1060120406-1166146070-3728516011-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-1060120406-1166146070-3728516011-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
catchme => service removed successfully
clwvd => service removed successfully
ZAM => service removed successfully
ZAM_Guard => service removed successfully
EmptyTemp: => 201.4 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 16:03:40 ====
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/2/2015
Scan Time: 4:10 PM
Logfile: mbamlog.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.11.02.06
Rootkit Database: v2015.10.28.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Rozanna
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390906
Time Elapsed: 29 min, 56 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 03 November 2015 - 08:34 AM

I went to the troublesome website on my other computer and also got a redirect, this time to safedownloadsrus158 dot com, and then got a pop-up of "flash video player is out of date".


3 things are possible.

1 - Adobe Flash Player may be compromised.

Text it and get the latest version.
Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or if you have the latest close the windows.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

2 - If this condition is on both compyuter, the routermay be compromised.
Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html


3 - The computer is infected and should be cleaned.
If the problem persists on this second computer please start a new topic.
Run the Farbar tool on it and post the FRST.txt and Addition.txt files for my review.

When the topic is created give me the URL in your next reply.
I will expedite the matter.

#7 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 03 November 2015 - 11:05 AM

Thanks again for your help!

 

I verified that I already have latest version of Flash 19.0.0.226.  I also reset my Netgear router to factor settings.  Problem still persists on both computers.  I goto sms6team.weebly dot com and click on any tab on their website, or doesn't even have to be a tab, can just click anywhere on the page.  Then I am redirected to an ad site and an ad pops up.  Just now, it redirected me to http : //www  . trade adexchange.com/a/display.php?r=36910

 

Then after getting redirected, an ad popped up, this time it's back to the fake "Your system is at risk" and the web address is:

http : // 1947145131  .rsc. cdn77.org/bsods/indexDY4.html?cid=665002k35bw0&caid=10215&oid=f0a6c15&zid=10215_36910_1222&fid=c36b610&os=Windows&osv=7&browser=Chrome&isp=Midcontinent+Communications&ts=ADC&tt=1446565062

 

If I get the ad pop-up once, the website will no longer redirect to the ad. But if I clear my browser cookies, then the next time I goto the site, I get the ad pop-up again. Sometimes, it seems that I also have to wait an hour or so to get the pop-up, even after I delete the cookies.  When this is the case, I always see a brief flash of a webpage and when I goto my Chrome history, I see this website, but it doesn't seem to do anything:

http : // 37.187.248.215  / promo.php?compte=419ee8f1d1f03538b39bf9fd23fdd6d4&path=006121&lg=en&pays=US&lg_nav=en&platform=windows&browser=chrome&version=46&idealsite=FCS

 

But eventually, the redirect will come back, usually within a couple hours. I've been having this issue for about two weeks and it only occurs at that website. Could that website have some type of drive-by script in it? Perhaps the free counter service they are using are the ones sending the redirects for ad revenue? I've contacted the school's IT guy and he assures me the website is fine.


Edited by doktorwhs, 03 November 2015 - 11:16 AM.


#8 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 03 November 2015 - 03:30 PM

Did a bit of digging around and found the following:  

 

In viewing the page source for sms6team.weebly dot com, I find the following entry:

 

<script type="text/javascript" src= " http :// counter7 . freecounterstat.ovh/private/counter.js?c=419ee8f1d1f03538b39bf9fd23fdd6d4"></script></div>

 

 

Now if you click on that freecounterstat link within the page source, it expands to a page full of code.  And in that code, I find this entry:

 

EcrireCookieGeo('acceptcookie','ok',86400); } var uri84='http : //37.187.248.215 /promo.php?compte=419ee8f1d1f03538b39bf9fd23fdd6d4&path=006121&lg=en&pays=US&lg_nav='+langue+'&platform=windows&browser=chrome&version=46&idealsite=FCS'; //var 

 

Note the presence of 37.187.248.215.  That is what always comes up when I click on something on the weebly website.  Sometimes it will result in a popup ad, sometimes it doesn't. Seems to be based on having deleted cookies and maybe some type of timer.  Anyway, 37.187.248.215 appears to be associated with network.adsmarket.com. 

 

So being that the website appears have code that refers to an ad marketing website, would that mean the website is bad and my computer is fine?  I don't know for sure.  Just trying to figure this out.

 

Thanks again for your help in this!


Edited by doktorwhs, 03 November 2015 - 03:36 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 04 November 2015 - 10:56 AM

It coming from a Java Script.

Clean your Java cache.
https://www.java.com/en/download/help/plugin_cache.xml

===

Restart the computer normally.

If that fails check this.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java x Update xx

p.s.
You can always remove Java using the Add/Remove Programs applet.
Restart the computer normally.
Reinstall the application if you want.

Keep me posted.

#10 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 04 November 2015 - 12:13 PM

I have two machines.  A laptop with Windows 7 and a desktop with Windows 8.

 

The laptop:  I deleted the Java cache from my machine and went to sms6team.weebly dot com and got the redirect.  Then I uninstalled Java completely, deleted my browser cookies, waited about an hour and went to the same website and got the redirect again. Then I disabled javascript in my browser (it's there whether you have Java installed or not), then went to the website and no redirect! I then re-enabled javascript in my browser and went to the website and got the redirect again.

 

The desktop:  pretty much the same results with the exception that I never had Java installed in the first place.  The computer is 2 years old and did not have Java when I bought it and I never installed it.  But,  I had the same results with enabling and disabling javascript in the browser. Enabled I get the redirect. Disabled I don't.

 

And the redirect only happens at sms6team.weebly dot com.  Never once at any other websites I visit.

 

So I'm thinking yes, it's definitely a javascript issue.  Now back to my main concern:  is it a website with a malvertising redirect javascript encoded into it or are both my machines infected with something?

 

Thanks again!



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 05 November 2015 - 09:10 AM

Try this on your Windows 7 computer first.
Test to see if the problem persist with and without the JavaScript on the browser.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

Let me know if the problem persists.

p.s.
We may have to add a command in the HOST file to stop this.
I'll let you know.

#12 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 05 November 2015 - 10:34 AM

I ran the fixme.reg file and rebooted.  Went back to sms6team.weebly dot com and clicked on a tab and got redirected to tradeadexchange. Disabled javascript and no redirect, re-enabled javascript and redirect is back.  I also tested this on my iPad with iOS 9.1. with the same results. I get redirected to tradeadexchange.  The only difference is the ad pop-up gets blocked. It tries to open the ad, but Safari says cannot display page, which is good for the iPad. Is it not possible that there is a redirect built into the code of this website and it is redirecting visitors to tradeadexchange?

 

Goto sms6team.weebly.com in Chrome, right click on the website and select “inspect element”. On the window that comes up, select the “resources” tab. Expand “Frames”. Expand “sms6team.weebly.com”.  Expand “scripts”. Click on “counter.js”.  Look at lines 270 – 272. I believe this is the javascript built into the website by the counter service they are using called freecounterstat and that it redirects visitors to ip 94.23.210.144, which I believe is tradeadexchange, which is a blacklisted website for malware ads. They also have it set-up so the redirect happens conditionally, based on cookies and how long it's been since you've last visited the website.  Can you check this theory and let me know what you think?  At this point, I do not believe my computer is infected, but that it is a malware redirect on that website.  I also find it difficult to believe that my iPad is infected with the same issue that would be causing a redirect to tradeadexchange.  I'm sure there are security measures I could place on my computers that would prevent the ad pop-ups, but that doesn't change the fact that the website has a malicious redirect embedded in its code and I think the school should either take the website down or fix it because kids are using it and may not know what to do when confronted with an ad pop-up saying your computer is at risk.

 

Once again, thanks for your help!

 



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 05 November 2015 - 11:13 AM

Lets stop this site from your HOST file.

The Host file may be hidded to unhide it.

Unhide files/folders Windows 7.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Navigate to this \ETC folder.

C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Open the HOSTS file with Notepad (no extension)

Replace the content of the HOSTS file with the following text in the Code box
 

# This MVPS HOSTS file is a free download from: #
# http://winhelp2002.mvps.org/hosts.htm #
# #
# Notes: The Operating System does not read the "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# #
#**********************************************************#
# -------------- Updated: October-22-2015 ---------------- #
#**********************************************************#
# #
# Disclaimer: this file is free to use for personal use #
# only. Furthermore it is NOT permitted to copy any of the #
# contents or host on any other site without permission or #
# meeting the full criteria of the below license terms. #
# #
# This work is licensed under the Creative Commons #
# Attribution-NonCommercial-ShareAlike License. #
# http://creativecommons.org/licenses/by-nc-sa/4.0/ #
# #
# License info for commercial purposes contact Winhelp2002 #

127.0.0.1 localhost

::1 localhost #[IPv6]


0.0.0.0 sms6team.weebly.com
0.0.0.0 94.23.210.144


Restsrt the computer normally.

Check it out.

#14 doktorwhs

doktorwhs
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 05 November 2015 - 05:36 PM

I replaced the host file with the new text. Then rebooted and went to sms6team.weebly.com.  I got a page cannot be displayed, as expected I suppose.  Not exactly what I am looking for because it's not just some random website.  It's a website that is used by my son's school for homework assignments.  If it's has bad script on it, I would like to do more than just block it from my computer, I would like to let the school know.  Anyway, I went back into the host file and removed just the reference to sms6team.weebly.com, but left the reference to 94.23.210.144, hoping it would allow me to the site but not the ad redirect.  But, no good.  I was able to pull up the website and as soon as I clicked on something, I got redirected to tradeadexchange and then got the scare-ware ad pop-up.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:43 AM

Posted 06 November 2015 - 10:20 AM

Let run this cleaning tool.

Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides[/b][/color][/url].

Download Zeok tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
autoclean;
emptyalltemp;
ipconfig /flushdns;b
process;
installer-list;
installedprogs;
startupall;
firefoxlook; 
chromelook;
srinfo;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users