PC freezes and restarts. PUM and IAT Hook infection


This topic is locked
10 replies to this topic

#1 dragoonus (Members, 27 posts)

Posted 16 November 2015 - 10:34 AM

Hello.

 

About 2 months ago I attempted a Sai download from Filesonic and was infected by malware. I did a system restore, and Trend at the time quarantined a few bugs such as open_candy, but the computer still randomly freezes and restarts soon after. I've used programs such as Malwarebytes and Hitman Pro, but without any luck fixing the problem. I recently did a scan using RogueKiller and it found PUM.Homepage and PUM.Dns in the registry. It has also detected several cases of Hook.IEAT in the antirootkit section. RogueKiller has also detected "VT unknown" within one of the files in Trend (I'm not sure if that's related to the computer randomly freezing and restarting, though).

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-11-2015
Ran by Joshua (administrator) on DESKTOP-JAQQTL2 (16-11-2015 09:39:02)
Running from C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads
Loaded Profiles: Joshua (Available Profiles: Joshua)
Platform: Windows 10 Home (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSvcHost.exe
() C:\Program Files (x86)\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
(Wacom Technology, Corp.) C:\Windows\System32\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\TMIDS\PwmSvc.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtWatchDog.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Dell) C:\Program Files\Dell\Dell Data Services\DDSSvc.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
() C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe
() C:\Program Files\Dell\Dell Product Registration\PRSvc.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(Wacom Technology, Corp.) C:\Windows\System32\WTablet\Wacom_TabletUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Wacom Technology, Corp.) C:\Windows\System32\Wacom_Tablet.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
() C:\Program Files\Trend Micro\TMIDS\tower\PwmTower.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
() C:\Program Files\Trend Micro\TMIDS\tower\PwmTower.exe
() C:\Program Files\Trend Micro\TMIDS\tower\PwmTower.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSessionAgent.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(BitTorrent Inc.) C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent\uTorrent.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(BitTorrent Inc.) C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe
() C:\Program Files (x86)\Roxio 2010\5.0\CPMonitor.exe
() C:\Program Files (x86)\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
(BitTorrent Inc.) C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
() C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe
(CyberLink) C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMLSvc_P2G8.exe
(Sonic Solutions) C:\Program Files (x86)\Common Files\PX Storage Engine\VxBlockServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\chrome_extension2\host\chrome_native_msg_host.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\module\20013\ChromeExt\chromeextension\TmopChromeMsgHost32.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\chromeextension\NativeMessageHost\ToolbarNativeMsgHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8483032 2015-05-28] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1393880 2015-04-28] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [611248 2015-05-21] (Waves Audio Ltd.)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [322472 2015-06-23] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1795912 2015-09-05] (NVIDIA Corporation)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [246264 2015-07-16] (Trend Micro Inc.)
HKLM\...\Run: [Platinum] => C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSessionAgent.exe [1258496 2015-07-16] (Trend Micro Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-08-13] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe [240112 2009-07-24] (Sonic Solutions)
HKLM-x32\...\Run: [CPMonitor] => C:\Program Files (x86)\Roxio 2010\5.0\CPMonitor.exe [84464 2009-07-21] ()
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe [494064 2009-06-23] ()
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2621240 2015-10-30] (Malwarebytes Corporation)
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3011152 2015-11-09] (Valve Corporation)
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\Run: [uTorrent] => C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent\uTorrent.exe [1822048 2015-11-07] (BitTorrent Inc.)
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\RunOnce: [Uninstall C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64"
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\RunOnce: [Uninstall C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5892.0626] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5892.0626"
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\RunOnce: [Uninstall C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64"
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\RunOnce: [Uninstall C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5951.0827] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Microsoft\OneDrive\17.3.5951.0827"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2015-08-13]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk [2015-11-16]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk -> C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk [2015-11-16]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk -> C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{345a08ce-acc9-44da-ae58-6a37c85f6ba5}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{380f72b4-ea77-407f-87c3-f3f462b639f2}: [DhcpNameServer] 10.13.109.99
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell15.msn.com/?pc=DCTE
SearchScopes: HKU\S-1-5-21-1532959501-2282570097-1314125110-1001 -> DefaultScope {D0002A95-4ED0-40DD-99E7-70C1E0E4B792} URL = 
SearchScopes: HKU\S-1-5-21-1532959501-2282570097-1314125110-1001 -> {D0002A95-4ED0-40DD-99E7-70C1E0E4B792} URL = 
BHO: Trend Micro Security Toolbar Helper -> {43C6D902-A1C5-45c9-91F6-FD9E90337E18} -> C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ToolbarIE.dll [2015-09-08] (Trend Micro Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO: Trend Micro Network Filter Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg.dll [2015-07-16] (Trend Micro Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\TmBpIe64.dll [2015-08-16] (Trend Micro Inc.)
BHO-x32: Trend Micro Security Toolbar Helper -> {43C6D902-A1C5-45c9-91F6-FD9E90337E18} -> C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll [2015-09-08] (Trend Micro Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO-x32: Trend Micro Network Filter Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg32.dll [2015-07-16] (Trend Micro Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\TmBpIe32.dll [2015-08-16] (Trend Micro Inc.)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll [2012-01-25] (Microsoft Corporation.)
Toolbar: HKLM - Trend Micro Security Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ToolbarIE.dll [2015-09-08] (Trend Micro Inc.)
Toolbar: HKLM-x32 - Trend Micro Security Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll [2015-09-08] (Trend Micro Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll [2012-01-25] (Microsoft Corporation.)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\TmBpIe64.dll [2015-08-16] (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\TmBpIe32.dll [2015-08-16] (Trend Micro Inc.)
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg.dll [2015-07-16] (Trend Micro Inc.)
Handler-x32: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg32.dll [2015-07-16] (Trend Micro Inc.)
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ToolbarIE.dll [2015-09-08] (Trend Micro Inc.)
Handler-x32: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll [2015-09-08] (Trend Micro Inc.)
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ProToolbarIMRatingActiveX.dll [2015-07-16] (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll [2015-07-16] (Trend Micro Inc.)
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-07-30] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-07-22] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-07-22] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-14] (Google Inc.)
FF Plugin-x32: @wacom.com/wacom-plugin,version=1.1.0.3 -> C:\Program Files (x86)\TabletPlugins\npwacom.dll [2010-09-01] (Wacom, Inc.)
FF Plugin-x32: @wacom.com/wacom-plugin,version=1.1.0.5 -> C:\Program Files (x86)\TabletPlugins\npwacom.dll [2010-09-01] (Wacom, Inc.)
FF HKLM\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\firefoxextension
FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\firefoxextension [2015-09-22]
FF HKLM-x32\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1035\9.1.1035\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension
FF Extension: Trend Micro Toolbar - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2015-09-22]
FF HKLM-x32\...\Firefox\Extensions: [{BBB77B49-9FF4-4d5c-8FE2-92B1D6CD696C}] - C:\Program Files\Trend Micro\AMSP\module\20013\FxExt\firefoxextension
FF Extension: Trend Micro Osprey Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20013\FxExt\firefoxextension [2015-09-22]
 
Chrome: 
=======
CHR Profile: C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-09-05]
CHR Extension: (Google Docs) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-09-05]
CHR Extension: (Google Drive) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (Google Search) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-09-05]
CHR Extension: (Google Docs Offline) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-05]
CHR Extension: (Trend Micro Toolbar) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf [2015-09-05]
CHR Extension: (Gmail) - C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-05]
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [457200 2009-06-02] ()
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-05-29] (Apple Inc.)
R2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2251992 2015-08-13] (Broadcom Corporation.)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
R2 Dell Data Services; C:\Program Files\Dell\Dell Data Services\DDSSvc.exe [46792 2015-06-19] (Dell)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [114888 2015-10-20] (Dell)
R2 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [49864 2015-07-03] ()
R2 Dell Product Registration; C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [69320 2015-07-08] ()
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [24888 2015-07-26] (Hewlett-Packard Company)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [18856 2015-06-23] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223008 2015-06-24] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [740152 2015-10-30] (Malwarebytes Corporation)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-06-02] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [373704 2015-06-04] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [254792 2015-06-02] (McAfee, Inc.)
R2 Platinum Host Service; C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSvcHost.exe [1137664 2015-07-16] (Trend Micro Inc.)
R2 PwmSvc; C:\Program Files\Trend Micro\TMIDS\PwmSvc.exe [1436936 2015-10-27] (Trend Micro Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-05-22] (Realtek Semiconductor)
R2 TabletServiceWacom; C:\Windows\system32\Wacom_Tablet.exe [6159656 2010-02-01] (Wacom Technology, Corp.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [173312 2015-08-13] (Broadcom Corporation.)
R3 BCMWL63A; C:\Windows\system32\DRIVERS\bcmwl63a.sys [11236088 2015-07-08] (Broadcom Corp)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [237568 2015-07-10] (Microsoft Corporation)
S3 cfwids; C:\Windows\system32\drivers\cfwids.sys [77544 2015-05-29] (McAfee, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63064 2015-10-30] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [41080 2015-11-07] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-11-07] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverW8x64.sys [183584 2015-06-12] (Intel Corporation)
R2 mfeaack; C:\Windows\system32\drivers\mfeaack.sys [412152 2015-06-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [347544 2015-05-29] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80792 2015-05-29] (McAfee, Inc.)
R3 mfefirek; C:\Windows\system32\drivers\mfefirek.sys [496888 2015-05-29] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [875416 2015-05-29] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [492000 2015-05-27] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109480 2015-05-27] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344704 2015-05-29] (McAfee, Inc.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [886528 2015-05-29] (Realtek                                            )
R3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [402136 2015-05-27] (Realsil Semiconductor Corporation)
R1 tmactmon; C:\Windows\system32\DRIVERS\tmactmon.sys [134280 2015-07-21] (Trend Micro Inc.)
R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [326896 2015-07-21] (Trend Micro Inc.)
R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [59712 2015-06-11] (Trend Micro Inc.)
R3 tmeevw; C:\Windows\system32\DRIVERS\tmeevw.sys [116576 2015-06-08] (Trend Micro Inc.)
S0 tmel; C:\Windows\System32\DRIVERS\tmel.sys [39056 2015-06-22] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\system32\DRIVERS\tmevtmgr.sys [100320 2015-07-21] (Trend Micro Inc.)
R3 tmnciesc; C:\Windows\system32\DRIVERS\tmnciesc.sys [416608 2015-05-28] (Trend Micro Inc.)
R1 tmumh; C:\Windows\system32\DRIVERS\TMUMH.sys [91536 2015-06-28] (Trend Micro Inc.)
R2 tmusa; C:\Windows\system32\DRIVERS\tmusa.sys [116528 2015-06-26] (Trend Micro Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-15] ()
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
U2 TMAgent; no ImagePath
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-16 09:38 - 2015-11-16 09:38 - 02198528 _____ (Farbar) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\FRST64.exe
2015-11-16 08:17 - 2015-11-16 08:17 - 00016148 _____ C:\Windows\system32\DESKTOP-JAQQTL2_Joshua_HistoryPrediction.bin
2015-11-15 12:51 - 2015-11-15 12:52 - 00399360 _____ (Trend Micro Inc.) C:\Windows\RegBootClean64.exe
2015-11-15 12:51 - 2015-11-15 12:51 - 00012120 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\Addition.txt
2015-11-15 12:50 - 2015-11-16 09:39 - 00029263 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\FRST.txt
2015-11-15 12:50 - 2015-11-16 09:39 - 00000000 ____D C:\FRST
2015-11-15 12:16 - 2015-11-15 12:16 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Apps\2.0
2015-11-15 10:13 - 2015-11-15 10:13 - 00001136 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\RogueKiller - Shortcut.lnk
2015-11-15 09:05 - 2015-11-15 13:34 - 00000000 ____D C:\ProgramData\RogueKiller
2015-11-15 09:05 - 2015-11-15 09:05 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-11-15 09:04 - 2015-11-15 09:05 - 18979400 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\RogueKiller.exe
2015-11-15 09:00 - 2015-11-15 09:01 - 00335944 _____ C:\Windows\Minidump\111515-23625-01.dmp
2015-11-15 07:53 - 2015-11-16 08:18 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\LocalLow\uTorrent
2015-11-15 01:48 - 2015-11-15 01:56 - 113054705 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\xvideos.com_9a2c75c911ea97ab589fe9802383bfac.mp4
2015-11-15 01:30 - 2015-11-15 01:30 - 00005543 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\.recently-used.xbel
2015-11-15 01:07 - 2015-11-15 01:07 - 00344664 _____ C:\Windows\Minidump\111515-24671-01.dmp
2015-11-11 19:31 - 2015-11-05 00:15 - 08020832 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-11-11 19:31 - 2015-11-05 00:15 - 00541024 _____ (Microsoft Corporation) C:\Windows\system32\mcupdate_GenuineIntel.dll
2015-11-11 19:31 - 2015-11-05 00:14 - 00459104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2015-11-11 19:31 - 2015-11-05 00:13 - 00577888 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2015-11-11 19:31 - 2015-11-05 00:11 - 01392480 _____ (Microsoft Corporation) C:\Windows\system32\LicenseManager.dll
2015-11-11 19:31 - 2015-11-05 00:06 - 03621248 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-11-11 19:31 - 2015-11-05 00:06 - 00966416 _____ (Microsoft Corporation) C:\Windows\system32\twinapi.appcore.dll
2015-11-11 19:31 - 2015-11-05 00:01 - 00607408 _____ (Microsoft Corporation) C:\Windows\system32\fontdrvhost.exe
2015-11-11 19:31 - 2015-11-04 23:56 - 01083072 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-11-11 19:31 - 2015-11-04 23:56 - 00116064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2015-11-11 19:31 - 2015-11-04 23:56 - 00025280 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-11-11 19:31 - 2015-11-04 23:30 - 00961376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LicenseManager.dll
2015-11-11 19:31 - 2015-11-04 23:24 - 02878512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-11-11 19:31 - 2015-11-04 23:23 - 00762888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinapi.appcore.dll
2015-11-11 19:31 - 2015-11-04 23:23 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\browserbroker.dll
2015-11-11 19:31 - 2015-11-04 23:20 - 21873664 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2015-11-11 19:31 - 2015-11-04 23:18 - 24597504 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-11-11 19:31 - 2015-11-04 23:18 - 03248128 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.dll
2015-11-11 19:31 - 2015-11-04 23:18 - 00539728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontdrvhost.exe
2015-11-11 19:31 - 2015-11-04 23:17 - 02418688 _____ (Microsoft Corporation) C:\Windows\system32\MFMediaEngine.dll
2015-11-11 19:31 - 2015-11-04 23:12 - 00515072 _____ (Microsoft Corporation) C:\Windows\system32\internetmail.dll
2015-11-11 19:31 - 2015-11-04 23:11 - 00333312 _____ (Microsoft Corporation) C:\Windows\system32\MusUpdateHandlers.dll
2015-11-11 19:31 - 2015-11-04 23:10 - 12504064 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-11-11 19:31 - 2015-11-04 23:10 - 02987520 _____ (Microsoft Corporation) C:\Windows\system32\esent.dll
2015-11-11 19:31 - 2015-11-04 23:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-11-11 19:31 - 2015-11-04 23:06 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Devices.Usb.dll
2015-11-11 19:31 - 2015-11-04 23:05 - 01602560 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-11-11 19:31 - 2015-11-04 23:05 - 00826880 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-11-11 19:31 - 2015-11-04 23:03 - 02180608 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2015-11-11 19:31 - 2015-11-04 23:03 - 01015808 _____ (Microsoft Corporation) C:\Windows\system32\RDXService.dll
2015-11-11 19:31 - 2015-11-04 23:01 - 00949760 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-11-11 19:31 - 2015-11-04 23:01 - 00713216 _____ (Microsoft Corporation) C:\Windows\system32\usermgr.dll
2015-11-11 19:31 - 2015-11-04 23:01 - 00579072 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-11-11 19:31 - 2015-11-04 22:59 - 03587072 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2015-11-11 19:31 - 2015-11-04 22:59 - 02675200 _____ (Microsoft Corporation) C:\Windows\system32\Windows.StateRepository.dll
2015-11-11 19:31 - 2015-11-04 22:58 - 01383936 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2015-11-11 19:31 - 2015-11-04 22:58 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.dll
2015-11-11 19:31 - 2015-11-04 22:56 - 01795072 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.dll
2015-11-11 19:31 - 2015-11-04 22:55 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\dssvc.dll
2015-11-11 19:31 - 2015-11-04 22:54 - 00502272 _____ (Microsoft Corporation) C:\Windows\system32\dlnashext.dll
2015-11-11 19:31 - 2015-11-04 22:47 - 19326464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-11-11 19:31 - 2015-11-04 22:42 - 02647040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.dll
2015-11-11 19:31 - 2015-11-04 22:40 - 01918976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MFMediaEngine.dll
2015-11-11 19:31 - 2015-11-04 22:35 - 18803712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2015-11-11 19:31 - 2015-11-04 22:35 - 02639872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\esent.dll
2015-11-11 19:31 - 2015-11-04 22:34 - 00311296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Devices.Usb.dll
2015-11-11 19:31 - 2015-11-04 22:33 - 01380864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-11-11 19:31 - 2015-11-04 22:33 - 00650240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-11-11 19:31 - 2015-11-04 22:30 - 00767488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-11-11 19:31 - 2015-11-04 22:28 - 11262976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-11-11 19:31 - 2015-11-04 22:27 - 02049536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.StateRepository.dll
2015-11-11 19:31 - 2015-11-04 22:27 - 00464896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.dll
2015-11-11 19:31 - 2015-11-04 22:23 - 00441344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dlnashext.dll
2015-11-07 22:32 - 2015-11-07 22:33 - 00335536 _____ C:\Windows\Minidump\110715-16593-01.dmp
2015-11-07 20:54 - 2015-11-07 20:55 - 00325600 _____ C:\Windows\Minidump\110715-20671-01.dmp
2015-11-07 20:51 - 2015-11-07 20:51 - 00334072 _____ C:\Windows\Minidump\110715-25781-01.dmp
2015-11-07 20:46 - 2015-11-07 20:46 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-11-07 20:37 - 2015-11-07 20:37 - 00041080 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2015-11-07 20:37 - 2015-11-07 20:37 - 00001968 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-11-07 20:37 - 2015-11-07 20:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-11-07 20:37 - 2015-11-07 20:37 - 00000000 ____D C:\Program Files\HitmanPro
2015-11-07 20:35 - 2015-11-07 20:36 - 11337112 _____ (SurfRight B.V.) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\HitmanPro_x64.exe
2015-11-07 20:34 - 2015-11-07 20:45 - 00000000 ____D C:\ProgramData\HitmanPro
2015-11-07 20:05 - 2015-11-07 20:06 - 00332256 _____ C:\Windows\Minidump\110715-19109-01.dmp
2015-11-07 20:02 - 2015-11-07 20:03 - 01801288 _____ (Malwarebytes) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\JRT.exe
2015-11-07 19:39 - 2015-11-07 19:39 - 00335384 _____ C:\Windows\Minidump\110715-21671-01.dmp
2015-11-07 16:05 - 2015-11-07 16:05 - 00335304 _____ C:\Windows\Minidump\110715-19546-01.dmp
2015-11-07 13:34 - 2015-11-07 19:37 - 00000000 ____D C:\AdwCleaner
2015-11-07 13:21 - 2015-11-07 13:34 - 01713664 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\adwcleaner_5.018.exe
2015-11-07 10:23 - 2015-11-07 10:23 - 00002751 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-11-06 12:15 - 2015-11-06 12:15 - 00336560 _____ C:\Windows\Minidump\110615-15953-01.dmp
2015-11-06 10:56 - 2015-11-06 11:25 - 425362562 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\[PublicBang] Blondie Fesser (Blondie Fesser Public bleepFest - 04.11.15) rq.mp4
2015-11-06 10:54 - 2015-11-06 10:54 - 00017024 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\[kat.cr]publicbang.blondie.fesser.blondie.fesser.public.bleepfest.04.11.15.rq.mp4.torrent
2015-11-05 19:41 - 2015-11-07 10:55 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-11-05 19:39 - 2015-11-07 10:55 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\Desktop\mbar
2015-11-05 19:35 - 2015-11-05 19:37 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\mbar-1.09.3.1001.exe
2015-11-05 19:33 - 2015-11-15 01:01 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-11-05 19:33 - 2015-11-05 19:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2015-11-05 19:33 - 2015-11-05 19:33 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2015-11-05 19:31 - 2015-11-05 19:31 - 01847144 _____ (Malwarebytes ) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\mbae-setup-1.08.1.1044.exe
2015-11-05 19:23 - 2015-11-07 22:44 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-05 19:22 - 2015-11-07 10:40 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-11-05 19:18 - 2015-11-05 19:20 - 22908888 _____ (Malwarebytes ) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\mbam-setup-2.2.0.1024.exe
2015-11-04 17:52 - 2015-11-04 18:07 - 247511588 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\teencurves_harley_jade_full_hiX.mp4
2015-11-04 17:51 - 2015-11-04 17:51 - 00019582 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\[kat.cr]teen.curves.harley.jade.torrent
2015-10-31 07:53 - 2015-10-31 09:00 - 885054314 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\Alex Davis.mp4
2015-10-31 07:53 - 2015-10-31 07:53 - 00068265 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\[kat.cr]monster.alex.davis.kate.alton.sexing.kate.new.31.10.2015.torrent
2015-10-27 20:59 - 2015-10-27 20:59 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\Documents\CyberLink
2015-10-27 20:59 - 2015-10-27 20:59 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\CyberLink
2015-10-27 20:59 - 2015-10-27 20:59 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\CyberLink
2015-10-26 11:47 - 2015-10-26 12:15 - 399516677 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\ap14684-480p.mp4
2015-10-26 11:44 - 2015-10-26 11:44 - 00031243 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\[kat.cr]assparade.bangbros.alexis.texas.brings.her.44.ass.for.a.great.time.sd.new.oct.26.2015.torrent
2015-10-25 01:41 - 2015-10-25 01:41 - 00015245 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\AssParadeBangBros-PaigeTurnahEnglishChickHasAHUGEAssSD480p - ThePirateBay.TO.torrent
2015-10-22 09:04 - 2015-11-15 01:29 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\gtk-2.0
2015-10-22 09:03 - 2015-10-22 09:03 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\.thumbnails
2015-10-22 08:59 - 2015-11-15 02:03 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\.gimp-2.6
2015-10-22 08:59 - 2015-10-22 08:59 - 00001174 _____ C:\Users\Public\Desktop\GIMP 2.lnk
2015-10-22 08:59 - 2015-10-22 08:59 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\Documents\gegl-0.0
2015-10-22 08:59 - 2015-10-22 08:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP
2015-10-22 08:59 - 2015-10-22 08:59 - 00000000 ____D C:\Program Files (x86)\GIMP-2.0
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-16 09:38 - 2015-09-08 07:15 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent
2015-11-16 09:18 - 2015-07-10 06:04 - 00000000 ____D C:\Windows\system32\sru
2015-11-16 08:43 - 2015-09-05 18:04 - 00000010 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\sponge.last.runtime.cache
2015-11-16 08:43 - 2015-09-05 16:33 - 00000938 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-16 08:26 - 2015-07-10 06:04 - 00000000 ____D C:\Windows\AppReadiness
2015-11-16 08:20 - 2015-09-05 17:28 - 00004170 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{222E6998-17D8-4FC2-86C0-34027B599556}
2015-11-16 08:18 - 2015-09-08 13:26 - 00000000 ____D C:\Program Files (x86)\Steam
2015-11-16 08:18 - 2015-09-05 16:59 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\DP_Tower
2015-11-16 08:18 - 2015-09-05 16:33 - 00000934 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-15 12:52 - 2015-09-05 16:59 - 00000000 ____D C:\ProgramData\Trend Micro
2015-11-15 11:12 - 2015-08-13 12:30 - 00876942 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-15 11:09 - 2015-07-10 07:20 - 00192636 _____ C:\Windows\setupact.log
2015-11-15 09:06 - 2015-07-10 07:22 - 00000275 _____ C:\Windows\WindowsUpdate.log
2015-11-15 09:03 - 2015-08-13 12:34 - 00018891 _____ C:\Windows\SysWOW64\Gms.log
2015-11-15 09:03 - 2015-07-10 04:05 - 00032768 ___SH C:\Windows\system32\config\ELAM
2015-11-15 09:01 - 2015-09-05 16:23 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2
2015-11-15 09:00 - 2015-09-14 12:10 - 749698041 _____ C:\Windows\MEMORY.DMP
2015-11-15 09:00 - 2015-09-14 12:10 - 00000000 ____D C:\Windows\Minidump
2015-11-15 09:00 - 2015-08-13 12:21 - 00000000 ____D C:\ProgramData\NVIDIA
2015-11-15 09:00 - 2015-08-13 12:20 - 00240392 _____ C:\Windows\PFRO.log
2015-11-15 09:00 - 2015-07-10 07:21 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-15 01:20 - 2015-09-05 16:59 - 00000000 ____D C:\ProgramData\TMDP_Log
2015-11-15 01:20 - 2015-07-10 06:04 - 00000290 _____ C:\Windows\win.ini
2015-11-15 01:16 - 2015-08-13 12:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-11-15 01:09 - 2015-07-10 04:05 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-11-15 01:07 - 2015-07-10 06:04 - 00000000 ____D C:\Windows\system32\appraiser
2015-11-13 12:18 - 2015-07-10 05:55 - 00000000 ____D C:\Windows\CbsTemp
2015-11-11 19:47 - 2015-09-05 16:35 - 00002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-11-07 22:57 - 2015-09-05 09:10 - 00000000 ____D C:\ProgramData\1click dvd copy pro
2015-11-07 22:45 - 2015-09-05 17:01 - 00001387 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Desktop\Trend Micro Maximum Security.lnk
2015-11-03 13:20 - 2015-07-10 06:06 - 00810488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-11-03 13:20 - 2015-07-10 06:06 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-03 11:34 - 2015-09-05 16:25 - 00002391 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-11-03 11:34 - 2015-09-05 16:25 - 00000000 ___RD C:\Users\Joshua.DESKTOP-JAQQTL2\OneDrive
2015-11-02 15:00 - 2015-07-10 06:04 - 00000000 ____D C:\Windows\rescache
2015-10-27 10:53 - 2015-09-08 08:42 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\Audacity
 
==================== Files in the root of some directories =======
 
2015-09-05 16:57 - 2015-09-05 16:57 - 0000036 _____ () C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\housecall.guid.cache
2015-09-05 18:04 - 2015-11-16 08:43 - 0000010 _____ () C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\sponge.last.runtime.cache
2015-09-05 17:23 - 2015-09-05 17:23 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-08-13 12:28 - 2015-08-13 12:28 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-08-13 12:35 - 2015-08-13 12:35 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-08-13 12:32 - 2015-08-13 12:32 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-08-13 12:34 - 2015-08-13 12:35 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-08-13 12:33 - 2015-08-13 12:34 - 0000113 _____ () C:\ProgramData\{E1646825-D391-42A0-93AA-27FA810DA093}.log
 
Some files in TEMP:
====================
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\COMAP.EXE
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\McCSPInstall.dll
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\mccspuninstall.exe
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\uttACB8.tmp.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-11-13 12:14
 
==================== End of FRST.txt ============================
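An added example that is not code from this thread, from FRST or from its author: a small Python triage script for the "One Month Created files and folders" layout shown above. It parses each line into its fields, lists executables in the Windows tree that FRST printed with no vendor string, and counts the minidumps in the window. The vendor name in parentheses is assumed here to come from the file's version information rather than from a signature check, so an empty vendor only prioritises a file for review, it proves nothing; in the sample both hits, TrueSight.sys and hitmanpro37.sys, were created in the same minute as the RogueKiller and HitmanPro installs visible in the log, which is exactly the context a reviewer checks next. The sample lines are copied from the log in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One FRST file line: <created> - <modified> - <size> <attrs> [(<vendor>)] <path>
# The vendor part is optional; FRST prints "()" or nothing when the file has no
# version information (dumps, logs and many unsigned drivers look like that).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr"}
TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str             # FRST attribute column: "_____", "____D", "___SH", ...
    vendor: Optional[str]  # None when FRST printed no vendor (or "()")
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst_lines(text: str) -> List[Entry]:
    """Parse every file/folder line; section headers and notes are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], TIME_FMT),
            modified=datetime.strptime(m["modified"], TIME_FMT),
            size=int(m["size"]),
            attrs=m["attrs"],
            vendor=(m["vendor"] or "").strip() or None,
            path=m["path"].strip(),
        ))
    return entries


def flag_unattributed_binaries(entries: List[Entry],
                               root: str = "C:\\Windows\\") -> List[Entry]:
    """Executables under `root` with no vendor string: review these first.

    A prioritisation heuristic, not a verdict: a missing vendor only means the
    file has no version information, and legitimate security tools ship
    drivers like that too (both hits in the sample below are such drivers).
    """
    hits: List[Entry] = []
    for e in entries:
        if e.is_dir or e.vendor or not e.path.lower().startswith(root.lower()):
            continue
        if ntpath.splitext(e.path)[1].lower() in EXECUTABLE_EXT:
            hits.append(e)
    return hits


def crash_dump_summary(entries: List[Entry]) -> Dict[str, object]:
    """Count minidumps in the window; repeated bug checks explain random restarts."""
    dumps = sorted((e for e in entries
                    if e.path.lower().startswith("c:\\windows\\minidump\\")),
                   key=lambda e: e.created)
    return {
        "count": len(dumps),
        "first": dumps[0].created.isoformat() if dumps else None,
        "last": dumps[-1].created.isoformat() if dumps else None,
    }


# Sample input: lines copied from the FRST log in this thread, with one section
# header included to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========
2015-11-16 09:38 - 2015-11-16 09:38 - 02198528 _____ (Farbar) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\FRST64.exe
2015-11-16 08:17 - 2015-11-16 08:17 - 00016148 _____ C:\Windows\system32\DESKTOP-JAQQTL2_Joshua_HistoryPrediction.bin
2015-11-15 12:51 - 2015-11-15 12:52 - 00399360 _____ (Trend Micro Inc.) C:\Windows\RegBootClean64.exe
2015-11-15 09:05 - 2015-11-15 09:05 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-11-15 09:00 - 2015-11-15 09:01 - 00335944 _____ C:\Windows\Minidump\111515-23625-01.dmp
2015-11-15 01:07 - 2015-11-15 01:07 - 00344664 _____ C:\Windows\Minidump\111515-24671-01.dmp
2015-11-11 19:31 - 2015-11-05 00:15 - 08020832 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-11-07 20:46 - 2015-11-07 20:46 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-11-07 20:37 - 2015-11-07 20:37 - 00041080 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2015-11-07 22:32 - 2015-11-07 22:33 - 00335536 _____ C:\Windows\Minidump\110715-16593-01.dmp
2015-11-05 19:23 - 2015-11-07 22:44 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-16 09:18 - 2015-07-10 06:04 - 00000000 ____D C:\Windows\system32\sru
2015-09-05 17:23 - 2015-09-05 17:23 - 0000057 _____ () C:\ProgramData\Ament.ini
"""

if __name__ == "__main__":
    ents = parse_frst_lines(SAMPLE_LOG)
    print(f"{len(ents)} entries parsed")
    for e in flag_unattributed_binaries(ents):
        print("review:", e.created, e.path)
    print("minidumps:", crash_dump_summary(ents))
```

On a saved FRST.txt the same functions run over the whole file (read it with the `utf-8-sig` encoding, since FRST writes a byte-order mark). In the full log above there are nine minidumps between 6 and 15 November, which turns the vague "freezes and restarts" into a bug-check pattern that a debugger run over C:\Windows\Minidump can attribute to a specific driver.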

Attached Files



#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 AM

Posted 16 November 2015 - 12:12 PM

Hello dragoonus and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How to open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks
   
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Sincerely

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 dragoonus

dragoonus
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 16 November 2015 - 12:26 PM

Okay, understood. Thank you.



#4 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 AM

Posted 16 November 2015 - 04:54 PM

Hi

Windows Firewall is enabled.

Trend Micro Maximum Security (Enabled)

Multiple Firewall Programs installed!
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause. Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two firewall programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
=======================================================================================

Going over your logs I noticed that you have µTorrent and Bittorent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

Please Uninstall:

µTorrent

BitTorrent

=====================================================================================

Using Add/Remove Programs (Programs and Features), remove these programs in bold:

Bing Bar
HitmanPro 3.7

 

First, it seems McAfee was once installed on this machine.

Please run ==> McAfee Removal Tool - McAfee Uninstaller

Download the McAfee Removal Tool.

Double click on MCPR.exe to launch it, then Click Run. A window should appear and disappear, this is normal. A new window should popup and begin the uninstall. When prompted to reboot your computer type Y.

Or;
http://mcafee-removal-tool.com/

Next....

Now restart the PC.

====================================================================================

Step 1:
 FRST Script:
 Please download the attached Fixlist.txt (5.91KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:

Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown.
  • Then press ''Repair'' button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Step 5:

Malwarebytes Anti-Malware version 1.8.1.1044
Your Malwarebytes Anti-Malware is out of date.

Uninstall outdated Malwarebytes' Anti-Malware

Please download MBAM-clean and save it to your desktop.(Or:Here)

  • Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.

After that, follow my next instructions to download and install the newest MBAM version.

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.
====================================================================================
How is the PC running now? Any issues? Please let me know.

 


Best regards
 

 


 


#5 dragoonus

dragoonus
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 17 November 2015 - 10:06 AM

I followed all the steps, and the computer seems to be running a bit smoother now. I'll have to keep it running to test if it will do a restart on its own, but after doing the scans it seems no malicious software has been found. The text files are below and I'll keep you posted of any changes. 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:16-11-2015
Ran by Joshua (2015-11-17 08:37:31) Run:2
Running from C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads
Loaded Profiles: Joshua (Available Profiles: Joshua)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
 
 
Task: {16660561-AC25-4D40-805B-2B56DFDDDF43} - \DropboxOEM -> No File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
IE trusted site: HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\cinemanow.com -> hxxp://cinemanow.com
IE trusted site: HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\cinemanow.com -> hxxps://cinemanow.com
IE trusted site: HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\...\qflix.com -> hxxp://qflix.com
C:\Windows\System32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
C:\Windows\System32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.EXE
HKLM-x32\...\Run: [] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll [2012-01-25] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll [2012-01-25] (Microsoft Corporation.)
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-06-02] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [373704 2015-06-04] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [254792 2015-06-02] (McAfee, Inc.)
S3 cfwids; C:\Windows\system32\drivers\cfwids.sys [77544 2015-05-29] (McAfee, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [41080 2015-11-07] ()
R2 mfeaack; C:\Windows\system32\drivers\mfeaack.sys [412152 2015-06-02] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [347544 2015-05-29] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80792 2015-05-29] (McAfee, Inc.)
R3 mfefirek; C:\Windows\system32\drivers\mfefirek.sys [496888 2015-05-29] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [875416 2015-05-29] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [492000 2015-05-27] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109480 2015-05-27] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344704 2015-05-29] (McAfee, Inc.)
U2 TMAgent; no ImagePath
2015-11-15 10:13 - 2015-11-15 10:13 - 00001136 _____ C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\RogueKiller - Shortcut.lnk
2015-11-07 20:37 - 2015-11-07 20:37 - 00041080 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2015-11-07 20:37 - 2015-11-07 20:37 - 00001968 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-11-07 20:37 - 2015-11-07 20:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-11-07 20:37 - 2015-11-07 20:37 - 00000000 ____D C:\Program Files\HitmanPro
2015-11-07 20:35 - 2015-11-07 20:36 - 11337112 _____ (SurfRight B.V.) C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\HitmanPro_x64.exe
2015-11-07 20:34 - 2015-11-07 20:45 - 00000000 ____D C:\ProgramData\HitmanPro
2015-11-07 20:46 - 2015-11-07 20:46 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-10-22 09:03 - 2015-10-22 09:03 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\.thumbnails
2015-11-16 09:38 - 2015-09-08 07:15 - 00000000 ____D C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent
C:\Windows\PFRO.log
C:\ProgramData\TMDP_Log
2015-09-05 17:23 - 2015-09-05 17:23 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-08-13 12:28 - 2015-08-13 12:28 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-08-13 12:35 - 2015-08-13 12:35 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-08-13 12:32 - 2015-08-13 12:32 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-08-13 12:34 - 2015-08-13 12:35 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-08-13 12:33 - 2015-08-13 12:34 - 0000113 _____ () C:\ProgramData\{E1646825-D391-42A0-93AA-27FA810DA093}.log
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\COMAP.EXE
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\McCSPInstall.dll
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\mccspuninstall.exe
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\uttACB8.tmp.exe
cmd: netsh winsock reset
EmptyTemp:
Reboot:
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{16660561-AC25-4D40-805B-2B56DFDDDF43} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DropboxOEM => key not found. 
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc" => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => key not found. 
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfeaack" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfeavfk" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys" => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfefire => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfefirek => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfehidk => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => key not found. 
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfemms" => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mfevtp => key not found. 
"HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cinemanow.com" => key removed successfully
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cinemanow.com => key not found. 
"HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\qflix.com" => key removed successfully
"C:\Windows\System32\mfevtps.exe" => not found.
"C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" => not found.
"C:\Windows\System32\mfevtps.exe" => not found.
"C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe" => not found.
"C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.EXE" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f} => key not found. 
HKCR\Wow6432Node\CLSID\{d2ce3e00-f94a-4740-988e-03dc2f38c34f} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{8dcb7100-df86-4384-8842-8fa844297b3f} => value not found.
HKCR\Wow6432Node\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf" => key removed successfully
mfefire => service not found.
mfemms => service removed successfully
mfevtp => service not found.
cfwids => service not found.
hitmanpro37 => service removed successfully
mfeaack => service removed successfully
mfeavfk => service not found.
mfeelamk => service not found.
mfefirek => service not found.
mfehidk => service not found.
mfencbdc => service not found.
mfencrk => service removed successfully
mfewfpk => service not found.
TMAgent => service removed successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\RogueKiller - Shortcut.lnk => moved successfully
C:\Windows\system32\Drivers\hitmanpro37.sys => moved successfully
"C:\Users\Public\Desktop\HitmanPro.lnk" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro" => not found.
"C:\Program Files\HitmanPro" => not found.
C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\HitmanPro_x64.exe => moved successfully
C:\ProgramData\HitmanPro => moved successfully
C:\Windows\system32\bootdelete.exe => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\.thumbnails => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\uTorrent => moved successfully
C:\Windows\PFRO.log => moved successfully
C:\ProgramData\TMDP_Log => moved successfully
C:\ProgramData\Ament.ini => moved successfully
C:\ProgramData\DP45977C.lfl => moved successfully
C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log => moved successfully
C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log => moved successfully
C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log => moved successfully
C:\ProgramData\{E1646825-D391-42A0-93AA-27FA810DA093}.log => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\COMAP.EXE => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\McCSPInstall.dll => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\mccspuninstall.exe => moved successfully
C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Local\Temp\uttACB8.tmp.exe => moved successfully
 
=========  netsh winsock reset =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
EmptyTemp: => 1.2 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 08:39:32 ====
 

# AdwCleaner v5.021 - Logfile created 17/11/2015 at 09:06:04
# Updated 14/11/2015 by Xplode
# Database : 2015-11-13.3 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Joshua - DESKTOP-JAQQTL2
# Running from : C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\adwcleaner_5.021.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [594 bytes] ##########
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.0 (11.12.2015)
Operating System: Windows 10 Home x64 
Ran by Joshua (Administrator) on Tue 11/17/2015 at  9:00:41.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 4 
 
Successfully deleted: C:\ProgramData\28341ff220e0446c9fff27c4493d622e (Folder) 
Successfully deleted: C:\ProgramData\esellerate (Folder) 
Successfully deleted: C:\Windows\wininit.ini (File) 
Successfully deleted: C:\Windows\prefetch\TOOLBARNATIVEMSGHOST.EXE-D5F92490.pf (File) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269 (Registry Key) 
Successfully deleted: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D0002A95-4ED0-40DD-99E7-70C1E0E4B792} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/17/2015 at  9:02:49.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

~ ZHPCleaner v2015.11.17.380 by Nicolas Coolman (2015/11/17)
~ Run by Joshua (Administrator)  (17/11/2015 09:23:12)
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\Joshua.DESKTOP-JAQQTL2\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Joshua.DESKTOP-JAQQTL2\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 10 Home, 64-bit  (Build 10240)
 
 
---\\  Services (0)
~ No malicious or unnecessary items found.
 
 
---\\  Browser internet (0)
~ No malicious or unnecessary items found.
 
 
---\\  Hosts file (1)
~ The hosts file is legitimate (21)
 
 
---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.
 
 
---\\  Explorer ( File, Folder) (24)
MOVED folder: C:\Windows\Installer\MSI13BC.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI26F.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI2ED.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI35B.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI3CBA.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI3D57.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI3DD5.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI3E53.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI3EF0.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI3F9.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI427E.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI432B.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIBDF9.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSID64C.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIDBDB.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIEF40.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIF01C.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIF08A.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIF108.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIF196.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIF9F5.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIFAA2.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIFCA7.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSIFF9F.tmp-  =>Empty
 
 
---\\  Registry ( Key, Value, Data) (3)
DELETED key*: [X64] HKLM\SOFTWARE\Classes\TSToolbar.TSProtectorBar [TSProtectorBar Class]  =>PUP.Optional.MocaFlix
DELETED key*: [X64] HKLM\SOFTWARE\Classes\TSToolbar.TSProtectorBar.1 [TSProtectorBar Class]  =>PUP.Optional.MocaFlix
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5} [ITool]  =>Toolbar.Ask
 
 
---\\  Summary of the elements found (1)
 
 
---\\  Other deletions. (0)
~ Registry Keys Tracing deleted (False)
~ Remove the old reports ZHPCleaner. (0)
 
 
---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Mozilla Firefox)
~ Browser not found (Opera Software)
 
 
---\\ Statistics
~ Items scanned : 240
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 27
 
 
~ End of clean in 0 minutes
===================
ZHPCleaner-[R]-17112015-09_23_18.txt
ZHPCleaner-[S]-17112015-09_21_06.txt
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/17/2015
Scan Time: 9:33 AM
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.11.17.04
Rootkit Database: v2015.11.14.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Joshua
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 368867
Time Elapsed: 9 min, 30 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
 
 
 


#6 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:11 AM

Posted 17 November 2015 - 04:05 PM

Hi dragoonus,

Does the computer still freeze randomly?

--------------------------------

 

RogueKiller by Tigzy

  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply

===================================================

Run TDSSKiller by Kaspersky

  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • Right-click on TDSSKiller.exe and select Run As Administrator.
  • When the program opens, click the Start Scan button.


  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.


  • Click Continue > Reboot now to finish the cleaning process.<- Important!!


  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply even if no threats are found.

-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

 


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#7 dragoonus

dragoonus
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 17 November 2015 - 09:26 PM

The computer hasn't frozen or randomly restarted after the scans. It's running alright so far, but Roguekiller is still detecting PUM in the registry and Hook.IAT. I ran TDSSKiller and scanned with it twice and it hasn't detected any malware.

 

 

RogueKiller V10.11.5.0 [Nov  9 2015] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : Joshua [Administrator]
Started from : C:\Users\Joshua.DESKTOP-JAQQTL2\Downloads\RogueKiller.exe
Mode : Scan -- Date : 11/17/2015 21:16:31
 
¤¤¤ Processes : 3 ¤¤¤
[VT.Unknown] PwmTower.exe(4268) -- C:\Program Files\Trend Micro\TMIDS\tower\PwmTower.exe[7] -> ERROR [0]
[VT.Unknown] PwmTower.exe(2716) -- C:\Program Files\Trend Micro\TMIDS\tower\PwmTower.exe[7] -> ERROR [0]
[VT.Unknown] PwmTower.exe(2616) -- C:\Program Files\Trend Micro\TMIDS\tower\PwmTower.exe[7] -> ERROR [0]
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell15.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1532959501-2282570097-1314125110-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell15.msn.com/?pc=DCTE  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{380f72b4-ea77-407f-87c3-f3f462b639f2} | DhcpNameServer : 10.13.109.99 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{380f72b4-ea77-407f-87c3-f3f462b639f2} | DhcpNameServer : 10.13.109.99 ([(Private Address) (XX)])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 41 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32!CreateRemoteThread : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b6ff950|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtMapViewOfSection : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b107914|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtUnmapViewOfSection : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b10788a|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtSetContextThread : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b106c18|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!RtlExitUserThread : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b10f082|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtProtectVirtualMemory : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b108084|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!RtlExitUserProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b1459f8|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!LdrLoadDll : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b13f268|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtTerminateProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b107160|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtCreateSection : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b107cc0|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtSetSystemInformation : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b106b66|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtCreateFile : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b10700e|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b10824e|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b107c66|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b107aaa|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtOpenProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b10757a|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b107b22|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!RtlCreateHeap : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b11a8a6|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ SHELL32.dll) USER32!SetWindowsHookExW : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b8a33c6|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ chrome.dll) KERNEL32!CreateFileMappingA : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b7292e0|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ WS2_32.dll) ntdll!NtLoadDriver : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b106f2a|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ BtMmHook.dll) USER32!SetWindowsHookExA : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8b88e9be|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe) KERNEL32!CreateRemoteThread : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8994f950|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtMapViewOfSection : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89357914|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtUnmapViewOfSection : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8935788a|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtSetContextThread : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89356c18|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!RtlExitUserThread : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8935f082|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtProtectVirtualMemory : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89358084|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!RtlExitUserProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x893959f8|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!LdrLoadDll : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8938f268|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtTerminateProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89357160|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtCreateSection : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89357cc0|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtSetSystemInformation : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89356b66|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNEL32.DLL) ntdll!NtCreateFile : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8935700e|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8935824e|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89357c66|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89357aaa|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtOpenProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8935757a|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89357b22|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ KERNELBASE.dll) ntdll!RtlCreateHeap : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x8936a8a6|call eax)
[IAT:Inl(Hook.IEAT)] (chrome.exe @ SHELL32.dll) USER32!SetWindowsHookExW : C:\Windows\SYSTEM32\tmumh\20019\TmMon\1.6.0.1112\tmmon.dll @ 0x73aa7c00 (jmp 0x89af33c6|call eax)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 7c35b1c80ad92425afbf943d52b8d637
[BSP] 89a461400defc001f5fe41ee7c448d52 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 939571 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1925529600 | Size: 450 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1926451200 | Size: 13219 MB
User = LL1 ... OK
User = LL2 ... OK


#8 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:11 AM

Posted 18 November 2015 - 11:35 AM

RogueKiller Log is clean. The Files are TrendMicro files. So, no problem.

 

TDSSKiller log post.


Best regards
 

 


 


#9 dragoonus

dragoonus
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 18 November 2015 - 12:46 PM

Ok. Thanks so much for the help!



#10 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:11 AM

Posted 20 November 2015 - 10:10 AM

Are you still with me ?


Best regards
 

 


 


#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:11 AM

Posted 24 November 2015 - 07:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Best regards
 

 


 




