Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware found earlier...just want to be safe


  • This topic is locked This topic is locked
2 replies to this topic

#1 jim87

jim87

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 31 October 2015 - 02:21 PM

Thanks for helping....My Microsoft Security essentials found some malware earlier...and then a subsequent Malware bytes scan found some more including the first ones......at this point I would run Combofix...I am experienced IT and have used it before...but I have Windows 2008 server OS.  I am running MalwareBytes 2nd time and it hasn't found anything.  

MSE found:

1. Trojan:Peaac.gen!A!plock

2. TrojanDropper: Rovnix.P

3. Trojan: Rovnix

 

The capture file is screenshot of malware found

 

Logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-10-2015
Ran by jam (administrator) on JAKE (31-10-2015 14:58:34)
Running from D:\software\Utilities\virus\bleeping computer
Loaded Profiles: jam &  (Available Profiles: jam & ev & JakeBackup & Cate Pearson & UpdatusUser & Administrator & Classic .NET AppPool)
Platform: Windows Web Server 2008 R2 Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\TCPSVCS.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
() C:\Program Files (x86)\Twonky\TwonkyServer\twonkyproxy.exe
(PacketVideo) C:\Program Files (x86)\Twonky\TwonkyServer\twonkystarter.exe
() C:\Program Files (x86)\Twonky\TwonkyServer\twonkywebdav.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\hookldr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\Ir.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(PacketVideo) C:\Program Files (x86)\Twonky\TwonkyServer\twonkytray.exe
(Hauppauge Computer Works, Inc.) C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
() C:\Program Files (x86)\SuperFlexible\SuperFlexibleSynchronizer.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1436224 2010-11-30] (Microsoft Corporation)
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [1696824 2012-11-20] (GlavSoft LLC.)
HKLM\...\Run: [Nvtmru] => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1012000 2013-05-16] (NVIDIA Corporation)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [P17RunE] => RunDll32 P17RunE.dll,RunDLLEntry
HKLM-x32\...\Run: [p2hbAwRMF646] => regsvr32.exe /s "C:\PROGRA~3\p2hbAwRMF646.dll"
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\Run: [1407164024] => regsvr32.exe "C:\ProgramData\PukXart\Tollu.dll"
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\MountPoints2: E - E:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\MountPoints2: {1ff4dbc0-e773-11e2-a6ab-d189269bb1ee} - F:\SETUP.EXE
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\MountPoints2: {76b0614a-0ece-11e4-bc57-001aa0b6cc21} - E:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\MountPoints2: {a6d0700c-e66a-11e2-8f97-806e6f6e6963} - E:\ZToolBar.exe
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\MountPoints2: {ab4897b2-7698-11e5-b23c-001aa0b6cc21} - E:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\MountPoints2: {ab9006ac-6ca1-11e3-b134-8af9b63f0be0} - E:\iStudio.exe
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [1407164024] => regsvr32.exe "C:\ProgramData\PukXart\Tollu.dll"
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: E - E:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {1ff4dbc0-e773-11e2-a6ab-d189269bb1ee} - F:\SETUP.EXE
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {76b0614a-0ece-11e4-bc57-001aa0b6cc21} - E:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {a6d0700c-e66a-11e2-8f97-806e6f6e6963} - E:\ZToolBar.exe
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {ab4897b2-7698-11e5-b23c-001aa0b6cc21} - E:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {ab9006ac-6ca1-11e3-b134-8af9b63f0be0} - E:\iStudio.exe
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk [2013-07-07]
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoStart IR.lnk [2014-03-01]
ShortcutTarget: AutoStart IR.lnk -> C:\Program Files (x86)\WinTV\Ir.exe (Hauppauge Computer Works)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Super Flexible File Synchronizer.lnk [2013-11-04]
ShortcutTarget: Super Flexible File Synchronizer.lnk -> C:\Program Files (x86)\SuperFlexible\SuperFlexibleSynchronizer.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TwonkyServer.lnk [2014-06-01]
ShortcutTarget: TwonkyServer.lnk -> C:\Program Files (x86)\Twonky\TwonkyServer\twonkytray.exe (PacketVideo)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinTV Recording Status.lnk [2014-03-01]
ShortcutTarget: WinTV Recording Status.lnk -> C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{0AE4835D-7D6F-436D-B49B-9FEC7DE6FD49}: [NameServer] 192.168.7.254
Tcpip\..\Interfaces\{98BD8EA8-A363-4676-8F21-7A949918050A}: [NameServer] 192.168.7.254
 
Internet Explorer:
==================
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
 
FireFox:
========
FF ProfilePath: C:\Users\jam\AppData\Roaming\Mozilla\Firefox\Profiles\m126w172.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_207.dll [2015-10-13] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_207.dll [2015-10-13] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-02] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-02] (Foxit Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-06-21] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-06-21] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Profile: C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-15]
CHR Extension: (Google Drive) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-31]
CHR Extension: (YouTube) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Google Search) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Google Docs Offline) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-13]
CHR Extension: (Gmail) - C:\Users\jam\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-25]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [307200 2008-11-18] (Creative Technology Ltd) [File not signed]
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 HauppaugeTVServer; C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe [579072 2013-12-11] (Hauppauge Computer Works) [File not signed]
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2010-11-11] (Microsoft Corporation)
S4 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [192192 2015-05-05] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [282616 2010-11-11] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [613056 2015-05-05] (Microsoft Corporation)
S4 TFSJobAgent; C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier\TfsJobAgent\TfsJobAgent.exe [41560 2013-06-09] (Microsoft Corporation)
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1696824 2012-11-20] (GlavSoft LLC.)
R2 TwonkyProxy; C:\Program Files (x86)\Twonky\TwonkyServer\twonkyproxy.exe [545608 2012-03-29] ()
R2 TwonkyServer; C:\Program Files (x86)\Twonky\TwonkyServer\twonkystarter.exe [537416 2012-03-29] (PacketVideo)
R2 TwonkyWebDav; C:\Program Files (x86)\Twonky\TwonkyServer\twonkywebdav.exe [267080 2012-03-29] ()
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 archlp; C:\Windows\SysWow64\drivers\archlp.sys [161792 2009-02-06] ()
R3 b57nd; C:\Windows\System32\DRIVERS\b57amd64.sys [356392 2014-03-07] (Broadcom Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [912896 2013-07-06] (Hauppauge Computer Works, Inc)
S3 hcwhdpvr; C:\Windows\System32\DRIVERS\hcwhdpvr.sys [192072 2014-02-27] (Hauppauge, Inc.)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-10-31] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [188928 2010-10-24] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [72064 2010-10-24] (Microsoft Corporation)
S4 RsFx0201; C:\Windows\System32\DRIVERS\RsFx0201.sys [336880 2012-10-20] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
S1 mygfdqsd; \??\C:\Windows\system32\drivers\mygfdqsd.sys [X]
S3 RTL8192su; system32\DRIVERS\RTL8192su.sys [X]
S1 tjdosyuu; \??\C:\Windows\system32\drivers\tjdosyuu.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-31 14:58 - 2015-10-31 14:58 - 00000000 ____D C:\FRST
2015-10-31 13:50 - 2015-10-31 14:42 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-31 13:50 - 2015-10-31 13:50 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-31 13:50 - 2015-10-31 13:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-31 13:49 - 2015-10-31 13:50 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-31 13:49 - 2015-10-31 13:49 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-10-31 13:49 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-31 13:49 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-31 13:49 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-10-31 13:46 - 2015-10-31 13:42 - 22908888 _____ (Malwarebytes ) C:\Users\jam\Desktop\mbam-setup-2.2.0.1024.exe
2015-10-31 13:31 - 2015-10-31 13:33 - 05637361 _____ (Swearware) C:\Users\jam\Desktop\ComboFix.exe
2015-10-31 12:57 - 2015-10-31 12:57 - 00004096 _____ C:\ProgramData\p2hbAwRMF646.dll
2015-10-31 12:52 - 2015-10-31 12:52 - 00004096 _____ C:\ProgramData\F7B6FdZuF646.dll
2015-10-31 12:51 - 2015-10-31 12:51 - 00450560 _____ (Microsoft Corporation) C:\Users\jam\AppData\Roaming\mxgjufk.exe
2015-10-31 12:49 - 2015-10-31 12:52 - 00000000 ____D C:\ProgramData\PukXart
2015-10-05 12:39 - 2015-10-05 12:39 - 00000000 ____D C:\Users\jam\AppData\Roaming\TightVNC
2015-10-05 12:39 - 2013-07-07 10:20 - 00002481 _____ C:\Users\jam\Desktop\TightVNC Viewer.lnk
2015-10-03 08:30 - 2013-07-07 10:20 - 00002481 _____ C:\Users\ev\Desktop\TightVNC Viewer.lnk
2015-10-01 21:13 - 2015-10-01 21:13 - 00002652 _____ C:\Users\jam\Desktop\µTorrent.lnk
2015-10-01 21:13 - 2015-10-01 21:13 - 00002652 _____ C:\Users\jam\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-31 14:39 - 2013-07-06 17:39 - 01155443 _____ C:\Windows\WindowsUpdate.log
2015-10-31 14:38 - 2009-07-14 00:49 - 00017040 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-31 14:38 - 2009-07-14 00:49 - 00017040 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-31 14:32 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\inetsrv
2015-10-31 14:31 - 2014-06-01 14:02 - 00000000 ____D C:\ProgramData\TwonkyServer
2015-10-31 14:29 - 2015-08-31 21:48 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-31 14:29 - 2009-07-14 01:06 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-31 14:29 - 2009-07-14 00:56 - 00079399 _____ C:\Windows\setupact.log
2015-10-31 14:28 - 2010-11-20 23:47 - 00160064 _____ C:\Windows\PFRO.log
2015-10-31 14:27 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Globalization
2015-10-31 13:18 - 2013-07-06 21:18 - 00000000 ____D C:\Program Files\PeerBlock
2015-10-31 13:05 - 2013-07-06 21:16 - 00000000 ____D C:\Users\jam\AppData\Roaming\uTorrent
2015-10-25 16:42 - 2009-07-14 01:10 - 00972936 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-24 17:37 - 2013-11-23 20:47 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-23 20:43 - 2013-07-06 20:09 - 00000000 ____D C:\Users\jam\AppData\Roaming\vlc
2015-10-17 21:14 - 2013-07-06 17:57 - 00000247 _____ C:\Windows\ODBC.INI
2015-10-17 10:34 - 2013-11-23 20:43 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-17 10:34 - 2013-11-23 20:43 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-17 10:34 - 2013-10-19 19:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-16 17:47 - 2013-11-23 20:43 - 00003908 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-10-16 17:47 - 2013-11-23 20:43 - 00003654 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-10-16 17:47 - 2013-10-19 19:21 - 00003668 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-10-13 19:46 - 2013-07-06 21:30 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-13 19:46 - 2013-07-06 21:30 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-04 21:31 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-04 21:29 - 2013-07-06 16:52 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-10-01 20:59 - 2013-07-15 19:20 - 00000000 ____D C:\Users\ev\AppData\Roaming\vlc
 
==================== Files in the root of some directories =======
 
2013-09-10 21:33 - 2015-09-13 11:59 - 0000573 _____ () C:\Users\jam\AppData\Roaming\AutoGK.ini
2015-10-31 12:51 - 2015-10-31 12:51 - 0450560 _____ (Microsoft Corporation) C:\Users\jam\AppData\Roaming\mxgjufk.exe
2014-03-01 19:38 - 2014-03-01 19:39 - 0357152 _____ () C:\Users\jam\AppData\Local\dd_vcredistMSI3B48.txt
2013-07-06 20:50 - 2013-07-06 20:50 - 0357994 _____ () C:\Users\jam\AppData\Local\dd_vcredistMSI4DFF.txt
2013-07-06 18:50 - 2013-07-06 18:51 - 0405708 _____ () C:\Users\jam\AppData\Local\dd_vcredistMSI72DE.txt
2014-03-01 19:38 - 2014-03-01 19:39 - 0012114 _____ () C:\Users\jam\AppData\Local\dd_vcredistUI3B48.txt
2013-07-06 20:50 - 2013-07-06 20:50 - 0011154 _____ () C:\Users\jam\AppData\Local\dd_vcredistUI4DFF.txt
2013-07-06 18:50 - 2013-07-06 18:51 - 0011426 _____ () C:\Users\jam\AppData\Local\dd_vcredistUI72DE.txt
2015-10-31 12:52 - 2015-10-31 12:52 - 0004096 _____ () C:\ProgramData\F7B6FdZuF646.dll
2015-10-31 12:57 - 2015-10-31 12:57 - 0004096 _____ () C:\ProgramData\p2hbAwRMF646.dll
 
Files to move or delete:
====================
C:\ProgramData\F7B6FdZuF646.dll
C:\ProgramData\p2hbAwRMF646.dll
 
 
Some files in TEMP:
====================
C:\Users\ev\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\jam\AppData\Local\Temp\dotNetFx40_Full_x86_x64.exe
C:\Users\jam\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\jam\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\jam\AppData\Local\Temp\nvStInst.exe
C:\Users\jam\AppData\Local\Temp\tmpFD32.tmp.exe
C:\Users\jam\AppData\Local\Temp\totalmediaextreme_1.0.9.4_1.0.9.9_update_e.exe
C:\Users\jam\AppData\Local\Temp\uttD4D3.tmp.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-10-21 17:49
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by jam (2015-10-31 14:59:08)
Running from D:\software\Utilities\virus\bleeping computer
Windows Web Server 2008 R2 Service Pack 1 (X64) (2013-07-06 21:37:36)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1913501936-506947432-3812299986-500 - Administrator - Enabled) => C:\Users\Administrator
Cate Pearson (S-1-5-21-1913501936-506947432-3812299986-1006 - Limited - Disabled) => C:\Users\Cate Pearson
ev (S-1-5-21-1913501936-506947432-3812299986-1001 - Limited - Enabled) => C:\Users\ev
Guest (S-1-5-21-1913501936-506947432-3812299986-501 - Limited - Disabled)
JakeBackup (S-1-5-21-1913501936-506947432-3812299986-1005 - Limited - Enabled) => C:\Users\JakeBackup
jam (S-1-5-21-1913501936-506947432-3812299986-1000 - Administrator - Enabled) => C:\Users\jam
UpdatusUser (S-1-5-21-1913501936-506947432-3812299986-1007 - Limited - Enabled) => C:\Users\UpdatusUser
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\uTorrent) (Version: 3.4.5.41073 - BitTorrent Inc.)
µTorrent (HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\uTorrent) (Version: 3.4.5.41073 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Flash Player 19 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 19.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.207 - Adobe Systems Incorporated)
ArcSoft TotalMedia Extreme (HKLM-x32\...\{88B05038-C890-468B-A563-0015FD53CDC3}) (Version:  - ArcSoft)
Auto Gordian Knot 2.55 (HKLM-x32\...\AutoGK) (Version: 2.55 - len0x)
Avidemux 2.6 - 64 bits (HKLM-x32\...\Avidemux 2.6 - 64 bits (64-bit)) (Version: 2.6.10.150607 - )
Avidemux 2.6 - 64bits (HKLM-x32\...\Avidemux 2.6 - 64bits (64-bit)) (Version: 2.6.8.9046 - )
AviSynth 2.5 (HKLM-x32\...\AviSynth) (Version:  - )
Bulk Rename Utility 2.7.1.2 (HKLM\...\Bulk Rename Utility_is1) (Version:  - TGRMN Software)
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 2.56 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Creative Sound Blaster Properties x64 Edition (HKLM-x32\...\Creative Sound Blaster Properties x64 Edition) (Version:  - )
DVD Decrypter (Remove Only) (HKLM-x32\...\DVD Decrypter) (Version:  - )
FastStone Image Viewer 5.3 (HKLM-x32\...\FastStone Image Viewer) (Version: 5.3 - FastStone Soft)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 6.0.5.618 - Foxit Corporation)
GDR 3128 for SQL Server 2012 (KB2793634) (64-bit) (HKLM\...\KB2793634) (Version: 11.1.3128.0 - Microsoft Corporation)
GDR 3153 for SQL Server 2012 (KB2977326) (64-bit) (HKLM\...\KB2977326) (Version: 11.1.3153.0 - Microsoft Corporation)
GDR 3156 for SQL Server 2012 (KB3045318) (64-bit) (HKLM\...\KB3045318) (Version: 11.1.3156.0 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.28.15 - Google Inc.) Hidden
HandBrake 0.9.9.1 (HKLM-x32\...\HandBrake) (Version: 0.9.9.1 - )
Hauppauge WinTV 7 (HKLM-x32\...\Hauppauge WinTV 7) (Version: v7.0.31347 (CD 3.2) - Hauppauge Computer Works)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.1.0 - LIGHTNING UK!)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
MagicDisc 2.7.106 (HKLM-x32\...\MagicDisc 2.7.106) (Version:  - )
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
MediaMonkey 2.5 (HKLM-x32\...\MediaMonkey_is1) (Version: 2.5 - Ventis Media Inc.)
Microsoft .NET Framework 4 Multi-Targeting Pack (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Help Viewer 1.1 (HKLM\...\Microsoft Help Viewer 1.1) (Version: 1.1.40219 - Microsoft Corporation)
Microsoft Report Viewer 2012 Runtime (HKLM-x32\...\{9CCE40CE-A9E6-4916-8729-B008558EEF3F}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 2.0.657.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (HKLM-x32\...\{83F2B8F4-5CF3-4BE9-9772-9543EAE4AC5F}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{B40EE88B-400A-4266-A17B-E3DE64E94431}) (Version: 10.1.2731.0 - Microsoft Corporation)
Microsoft SQL Server 2012 (64-bit) (HKLM\...\Microsoft SQL Server SQLServer2012) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{D411E9C9-CE62-4DBF-9D92-4CB22B750ED5}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Policies  (HKLM-x32\...\{DC487E40-046E-42A9-9C7C-5D2B1A7EB211}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Setup (English) (HKLM\...\{8AC82589-7217-48FE-9051-AE6D3B211B14}) (Version: 11.1.3156.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service  (HKLM\...\{BA39D494-DDE8-407A-AE5A-18A43DFF74EA}) (Version: 11.1.3156.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{54C5041B-0E91-4E92-8417-AAA12493C790}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{C3F6F200-6D7B-4879-B9EE-700C0CE1FCDA}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x86) ENU  (HKLM-x32\...\{FF63121D-91C6-42CC-B341-F1AA729728E7}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x86) ENU  (HKLM-x32\...\{D3A80508-CD83-4CA3-8671-914A1BC78B61}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{F1949145-EB64-4DE7-9D81-E6D27937146C}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft Team Foundation Server Express 2012 Update 3 (HKLM-x32\...\{ddfe8d42-471e-496c-bae9-cd74ae5e6941}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Runtime - 10.0.40219 (HKLM-x32\...\{5D9ED403-94DE-3BA0-B1D6-71F4BDA412E6}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Shell (Isolated) - ENU (HKLM-x32\...\{D64B6984-242F-32BC-B008-752806E5FC44}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft VSS Writer for SQL Server 2012 (HKLM\...\{3E0DD83F-BE4C-4478-86A0-AD0D79D1353E}) (Version: 11.1.3000.0 - Microsoft Corporation)
Mozilla Firefox 25.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 25.0.1 (x86 en-US)) (Version: 25.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 25.0.1 - Mozilla)
NVIDIA 3D Vision Controller Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 320.49 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 320.49 - NVIDIA Corporation)
NVIDIA GeForce Experience 1.5 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 1.5 - NVIDIA Corporation)
NVIDIA Graphics Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 320.49 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.24.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.24.2 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.0604 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0604 - NVIDIA Corporation)
Oracle VM VirtualBox 4.3.10 (HKLM\...\{5632714F-6A48-4BF2-89E0-F8B6CE9FE6D1}) (Version: 4.3.10 - Oracle Corporation)
PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)
Service Pack 1 for SQL Server 2012 (KB2674319) (64-bit) (HKLM\...\KB2674319) (Version: 11.1.3000.0 - Microsoft Corporation)
SQL Server 2012 Client Tools (Version: 11.1.3000.0 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (Version: 11.1.3000.0 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (Version: 11.1.3000.0 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (Version: 11.1.3000.0 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (Version: 11.1.3000.0 - Microsoft Corporation) Hidden
SQL Server Browser for SQL Server 2012 (HKLM-x32\...\{4B9E6EB0-0EED-4E74-9479-F982C3254F71}) (Version: 11.1.3000.0 - Microsoft Corporation)
Sql Server Customer Experience Improvement Program (Version: 11.1.3000.0 - Microsoft Corporation) Hidden
Super Flexible File Synchronizer v3.33b (HKLM-x32\...\Super Flexible File Synchronizer_is1) (Version: 3.33b - Super Flexible Software)
SyncToy 2.1 (x86) (HKLM-x32\...\{A066194B-DC8F-449A-8E0F-B57BDD3A2072}) (Version: 2.1.0 - Microsoft)
TagScanner 5.1.630 (HKLM-x32\...\TagScanner_is1) (Version:  - Sergey Serkov)
TightVNC (HKLM\...\{D71C967C-8709-4334-BF16-952469E96DCD}) (Version: 2.6.4.0 - GlavSoft LLC.)
Twonky 7.0 (HKLM-x32\...\TwonkyServer) (Version: 7.0.7.0 - PacketVideo)
Visual Studio 2010 Prerequisites - English (HKLM\...\{662014D2-0450-37ED-ABAE-157C88127BEB}) (Version: 10.0.40219 - Microsoft Corporation)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
VobSub v2.23 (Remove Only) (HKLM-x32\...\VobSub) (Version:  - )
XBMC (HKU\S-1-5-21-1913501936-506947432-3812299986-1000\...\XBMC) (Version:  - Team XBMC)
XBMC (HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\XBMC) (Version:  - Team XBMC)
XviD MPEG4 Video Codec (remove only) (HKLM-x32\...\XviD MPEG4 Video Codec) (Version:  - )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1DEDD2C7-4153-454F-B69E-595F0248F4A7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-10-13] (Adobe Systems Incorporated)
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {C71EC39F-7106-48E5-9E9C-CD259809A8D1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {CC800422-3F7A-4845-9382-02E496F0B0B1} - System32\Tasks\Microsoft\Microsoft Antimalware\MP Scheduled Scan => C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11] (Microsoft Corporation)
Task: {D13ED2B1-AEE5-4E45-AE5A-0D525E8E7BCB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-08-31 21:47 - 2013-06-21 06:23 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2012-03-29 07:43 - 2012-03-29 07:43 - 00545608 _____ () C:\Program Files (x86)\Twonky\TwonkyServer\twonkyproxy.exe
2012-03-29 07:43 - 2012-03-29 07:43 - 00267080 _____ () C:\Program Files (x86)\Twonky\TwonkyServer\twonkywebdav.exe
2013-11-04 19:53 - 2007-02-08 04:41 - 06875664 _____ () C:\Program Files (x86)\SuperFlexible\SuperFlexibleSynchronizer.exe
2013-07-06 18:50 - 2011-08-23 11:04 - 00057344 _____ () C:\Program Files (x86)\WinTV\TVServer\libhdhomerun.dll
2013-07-06 18:50 - 2013-11-25 02:10 - 00025600 _____ () C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServerps.dll
2014-11-02 18:11 - 2009-02-06 19:52 - 00073728 _____ () C:\Windows\SysWOW64\CmdRtr.DLL
2014-11-02 18:11 - 2009-03-26 15:46 - 00148480 _____ () C:\Windows\SysWOW64\APOMngr.DLL
2015-10-31 12:57 - 2015-10-31 12:57 - 00004096 _____ () C:\ProgramData\p2hbAwRMF646.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1913501936-506947432-3812299986-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\jam\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1913501936-506947432-3812299986-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> C:\Users\jam\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1913501936-506947432-3812299986-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-1913501936-506947432-3812299986-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-1913501936-506947432-3812299986-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-1913501936-506947432-3812299986-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.7.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) %systemroot%\system32\wbengine.exe
FirewallRules: [{27FCD92B-D9EF-4790-AE39-0F923A7B2FD1}] => (Allow) C:\Program Files\TightVNC\tvnserver.exe
FirewallRules: [{6971C695-143C-4F6B-92EA-801ABC9F9D3F}] => (Allow) LPort=8080
FirewallRules: [{7571109E-F3B0-4FB5-AD8D-699896B711B7}] => (Allow) LPort=47136
FirewallRules: [{4A12C4D8-3524-43DD-B745-3E7ACD77C89A}] => (Allow) C:\Program Files (x86)\uTorrent\uTorrent.exe
FirewallRules: [{DF608AD8-8D2D-4D75-A00D-1D26B6F79A5A}] => (Allow) C:\Program Files (x86)\uTorrent\uTorrent.exe
FirewallRules: [{4DF42842-57DE-4F37-BCC7-2993803E306A}] => (Allow) C:\Program Files (x86)\WinTV\WinTV7\WinTV7.exe
FirewallRules: [{28F70814-14DA-4C7D-A412-DF6243194F72}] => (Allow) C:\Program Files (x86)\WinTV\WinTV7\WinTV7.exe
FirewallRules: [{5A0DE22A-A138-4E8F-BD7E-BDD620B878B4}] => (Allow) C:\Program Files (x86)\WinTV\WinTV7\WinTV7.exe
FirewallRules: [{28161C3C-1092-4890-B84D-6D49EAC87C40}] => (Allow) C:\Program Files (x86)\WinTV\WinTV7\WinTV7.exe
FirewallRules: [{28082135-7266-420B-B4DB-3BBFDE4D6819}] => (Allow) C:\Program Files (x86)\WinTV\TVServer\CaptureDCR.exe
FirewallRules: [{964BD12F-D952-4B5D-B597-9DC145B5D06D}] => (Allow) C:\Program Files (x86)\WinTV\TVServer\CaptureDCR.exe
FirewallRules: [{68C49CE9-C6CF-4AC7-89BD-608AAFD0B9D0}] => (Allow) C:\Program Files (x86)\WinTV\TVServer\CaptureDCR.exe
FirewallRules: [{FA18E8BD-D427-40FD-8655-5AC8A0A90B4A}] => (Allow) C:\Program Files (x86)\WinTV\TVServer\CaptureDCR.exe
FirewallRules: [{1EC8DD29-AF10-43B3-97C3-08DA4BB5A78E}] => (Allow) LPort=9
FirewallRules: [{70D64681-77DD-4528-BB20-9F24B527E23D}] => (Allow) C:\Program Files (x86)\Twonky\TwonkyServer\twonkystarter.exe
FirewallRules: [{06C93E27-03F3-4DEC-929D-2457B05BBCF0}] => (Allow) C:\Program Files (x86)\Twonky\TwonkyServer\twonkystarter.exe
FirewallRules: [{123E26D7-6DEC-4F59-87B9-473696878111}] => (Allow) C:\Program Files (x86)\Twonky\TwonkyServer\twonkyserver.exe
FirewallRules: [{24EFB458-A49B-4009-B02F-C35CB39436CC}] => (Allow) C:\Program Files (x86)\Twonky\TwonkyServer\twonkyserver.exe
FirewallRules: [{00DE5B2F-C982-4AF0-9D99-F54EE3528829}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{6B24D85A-7B68-4358-83F9-FBDA0FA746D3}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{72C88549-F3E1-4DDE-A62F-A2CDED74E8C8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
Name: VirtualBox Host-Only Ethernet Adapter
Description: VirtualBox Host-Only Ethernet Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Oracle Corporation
Service: VBoxNetAdp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: TP-LINK N600 Wireless Dual Band USB Adapter - VirtualBox Bridged Networking Driver Miniport
Description: VirtualBox Bridged Networking Driver Miniport
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Oracle Corporation
Service: VBoxNetFlt
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/31/2015 02:30:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/31/2015 01:21:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/31/2015 12:30:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/25/2015 05:32:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/25/2015 08:17:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/24/2015 05:32:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/23/2015 08:43:47 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vlc.exe, version: 2.1.3.0, time stamp: 0x00000004
Faulting module name: vlc.exe, version: 2.1.3.0, time stamp: 0x00000004
Exception code: 0xc0000005
Fault offset: 0x00001a8f
Faulting process id: 0x900
Faulting application start time: 0xvlc.exe0
Faulting application path: vlc.exe1
Faulting module path: vlc.exe2
Report Id: vlc.exe3
 
Error: (10/23/2015 05:32:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/21/2015 05:32:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/20/2015 05:32:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (10/31/2015 01:45:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.
 
Error: (10/31/2015 01:37:05 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:37:04 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:37:03 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:36:56 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:36:56 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:36:55 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:36:55 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/31/2015 01:36:54 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (10/04/2015 07:58:51 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.207.1823.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 3.0.8107.00
 
Source Path: 3.0.8107.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 8125.61 MB
Available physical RAM: 6234.48 MB
Total Virtual: 16249.43 MB
Available Virtual: 14485.18 MB
 
==================== Drives ================================
 
Drive c: (Win2008) (Fixed) (Total:76.59 GB) (Free:24.13 GB) NTFS
Drive d: (Video) (Fixed) (Total:1863.01 GB) (Free:923.16 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 7DC98933)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 76.7 GB) (Disk ID: CBD3A30C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=76.6 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

 

Attached Files



BC AdBot (Login to Remove)

 


#2 jim87

jim87
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 01 November 2015 - 07:59 AM

Okay never mind...I just restored a backup...but thanks for all the help!



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 PM

Posted 02 November 2015 - 10:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users