repost: Kaspersky Rescue Disk warns of 'Packed.Win32.Krap.hc' trojan -


16 replies to this topic

#1 Lefty Widdagun (Members, 48 posts)

Posted 23 November 2015 - 05:43 PM

reposting this from 'Am I Infected' forum:

Original text/description:

HISTORY:
Began experiencing general system slow downs almost 2 weeks ago, noting Panda A-V was using a lot of system resources. First tried to stop it, but was unable; returned to a restore point, but no change. In safe mode ran Malwarebytes: nothing found. Ran Panda Cloud: nothing found. In real-time A-V programs didn't work, lost network connection. Very slow to load profile, black screen then very slow to load desktop icons, gadgets, etc. A 'Personalized settings' dialogue box appears against the black field until desktop finally appears. Received a 'Windows Copy not valid' message, though this was validly purchased and accepted at previous validation upon install. After multiple attempts and re-burns, was able to run Kaspersky Rescue Disk and received the warning about the 'Packed.Win32.Krap.hc' trojan and removed it...maybe...

Ran Rkill64: found nothing; ran Combofix: prompted that Win Essentials was running, so disabled it; showed Panda was running but task manager showed that it wasn't? so ran Combofix, showed 2 infections and removed them... Ran Panda again and only found some tracking cookies.
Over a week of running scans - Malwarebytes, Rkill, Trend HouseCalls: nothing found.

Current state:
Upon startup, a long time before the blue circle at Network Connection on the taskbar disappears; can get to the internet, but that, like all other apps, is very slow to load, with long delays.
Unable to get to 'ADD/REMOVE PROGRAMS' out of Control Panel; unable to get to Network and Sharing, Network List Service disabled and can't turn it on; unable to delete folders/applications on the external hard drives, unable to install a restore point. Have found 'password protected' files that I cannot delete from what looks like third party apps [at c:/applets/Youku/ikucmc.exe]. Also noted 'Teredo Tunneling Pseudo-Interface' listed in Device Manager with a yellow ! and tried to update the driver, but unable to do so, so disabled it; rebooted and it disappeared. Ran sfc /scannow and it shows corrupted system files that can't be restored.
System is generally responding faster than before, but certain critical functions (file/folder removal - 1 2TB EHD is full and needs to be emptied, but can't do so) and Add/Remove Programs do not respond, etc.
Logs from previous scans are available if required...

SYSTEM SPECS:
Home made system almost 4 years running: Windows 7 SP1 on AMD Athlon II x64 640 (3 GHz) in ASUS M4A87TD mobo, 16 GB RAM, with ATI Radeon HD 5770 series graphics card; 1 internal 2TB Samsung HD and 2 2TB EHD: Seagate and WD, and 2 optical (DVD) drives, 6 TB total scanning space with every A-V scan...

And just about exhausted my resources with this effort and ready to reinstall the OS etc. but uncertain of what has been backed up after many previous attempts, whether the backup EHD folders are infected or the integrity of the MBR etc., even if I ran Kill Disk or WipeDisk or another such utility...
 
COMBOFIX LOG OF 11/11/15:
 
ComboFix 15-11-05.01 - Peter 11/11/2015  17:52:05.2.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.16382.13867 [GMT -5:00]
Running from: c:\users\Peter\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: Panda Free Antivirus *Disabled/Updated* {AAF74A68-8713-CDF1-004F-30003398BE9E}
FW: Panda Firewall *Disabled* {92CCCB4D-CD7C-CCA9-2B10-9935CD4BF9E5}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Panda Free Antivirus *Disabled/Updated* {1196AB8C-A129-C27F-3AFF-0B72481FF423}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2015-10-11 to 2015-11-11  )))))))))))))))))))))))))))))))
.
.
2015-11-11 22:59 . 2015-11-11 22:59 -------- d-----w- c:\users\New Account\AppData\Local\temp
2015-11-11 22:59 . 2015-11-11 22:59 -------- d-----w- c:\users\Localadmin\AppData\Local\temp
2015-11-11 22:59 . 2015-11-11 22:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-11-11 22:14 . 2015-10-13 09:47 11140960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{08231DD9-112C-4348-AAFE-F9807E65DB48}\mpengine.dll
2015-11-11 21:54 . 2015-10-13 09:47 11140960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-11-10 21:48 . 2015-06-24 20:00 1190000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D5BF3F50-2389-4306-A484-2DC2B393B184}\gapaengine.dll
2015-11-07 22:36 . 2015-11-07 22:37 -------- d-----w- c:\program files (x86)\SpeedFan
2015-10-20 00:03 . 2015-01-29 17:21 61712 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-11-09 21:49 . 2014-11-07 12:20 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-11-07 20:54 . 2014-07-25 21:44 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2015-11-07 20:53 . 2014-07-25 21:44 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2015-11-07 20:53 . 2014-07-25 21:44 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2015-11-07 20:53 . 2014-07-20 16:51 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2015-10-05 13:50 . 2014-11-07 12:20 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-10-05 13:50 . 2014-09-21 23:16 109272 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-10-05 13:50 . 2014-11-07 12:20 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-10-04 14:41 . 2014-01-07 20:08 780488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-10-04 14:41 . 2014-01-07 20:08 142536 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-09-28 07:22 . 2014-07-20 16:51 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2015-09-28 07:22 . 2014-07-20 16:51 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2015-09-28 07:22 . 2014-07-20 16:51 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2015-09-28 07:22 . 2014-08-04 07:35 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2015-07-02 . 2D9955A17DAFE3AD34DA0420480714E6 . 19291136 . . [10.00.9200.16521] .. c:\windows\erdnt\cache64\mshtml.dll
[-] 2015-07-02 . 0471D3C50AB5D4720DD222E95AABD129 . 19291136 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17429_none_9126c7c29295c71d\mshtml.dll
[7] 2015-07-02 . F9DE9692D1D3E448F0374D2846686A17 . 19530240 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21538_none_7a4f684cac444279\mshtml.dll
[7] 2015-06-17 . 22104455CEE4013DF92E87731A448289 . 19531776 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21524_none_7a4ec322ac44c29e\mshtml.dll
[7] 2015-06-17 . 41C588802EBB3766DCC2E623807EF717 . 19292160 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17414_none_9126396092962da1\mshtml.dll
[7] 2015-05-28 . 22B8CF55E467457EA40D4AC4D13CA5D0 . 19291136 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17377_none_9136c6b09288f69d\mshtml.dll
[7] 2015-05-28 . 0C2DCACDE4880AEC48A2F9823896008D . 19527680 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21489_none_7a5f22e2ac37bedc\mshtml.dll
[7] 2015-04-21 . B0314FA7AE5369E106D0577991386245 . 19528192 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21470_none_7a5eefa0ac37bedc\mshtml.dll
[7] 2015-04-21 . 97EC5A7687742297BE7D31163CD86738 . 19291136 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17357_none_9134c61c928ac3ef\mshtml.dll
[7] 2015-03-10 . E0AED0202A8B74D9D460B123EA426A0C . 19292672 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17296_none_9143adf8927ef3b9\mshtml.dll
[7] 2015-03-10 . AB68E481B2D37A4516F01D472EE6B159 . 19526144 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21413_none_7a58a98cac3d73b5\mshtml.dll
[7] 2015-02-23 . 43818B5022CC69DC3B12D6A0C4235304 . 19301888 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17267_none_914096529281c155\mshtml.dll
[7] 2015-02-21 . 87549AC50C4A4E3C1969D702E8125244 . 19536384 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21384_none_7a6a64b6ac2f22c6\mshtml.dll
[7] 2015-01-13 . 93C42BCC0301339A4D65C49465343276 . 19291136 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17229_none_913c679a92858f3b\mshtml.dll
[7] 2015-01-12 . 61B75B0DC1E84C8395CAD96B9A6302D9 . 19525120 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21342_none_7a66911eac328a28\mshtml.dll
[7] 2014-11-21 . BCF7FA61D9CAC73246D82137638D5DC6 . 19283456 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17183_none_914dc1f29277718e\mshtml.dll
[7] 2014-11-21 . 43B00C5628871047E7EE43AD5A88B967 . 19515904 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21299_none_7a75c304ac26a051\mshtml.dll
[7] 2014-11-20 . 28924B2CF5AF596CF9DC37A2D4264D68 . 19285504 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17173_none_914cc1a892785837\mshtml.dll
[7] 2014-11-20 . 0E89C1A9A473B6972048C73BE275BC28 . 19517440 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21291_none_7a767944ac25d349\mshtml.dll
[7] 2014-10-26 . BB9EDB136C117014C9ECC281E15568F3 . 19284480 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17148_none_91494ee2927b8c57\mshtml.dll
[7] 2014-10-26 . C3CBCE8D5AE75B111F8AE9BF136E1FCF . 19517440 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21267_none_7a72efb6ac29210a\mshtml.dll
[7] 2014-09-20 . 2489EA735F94216925A002781B3B87F9 . 19280896 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17116_none_91467b94927e0d10\mshtml.dll
[7] 2014-09-20 . 277E33CE76820BC95E0BC035B50C6079 . 19514880 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21232_none_7a7060c0ac2b54e0\mshtml.dll
[7] 2014-08-17 . 4556BB9BA0CA2F03B72A15695C7290A0 . 19513856 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21183_none_7a801b56ac1ed143\mshtml.dll
[-] 2014-08-17 . 732D0229C56CA23712AF731A919F0D57 . 19280384 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17089_none_9158092e926fef63\mshtml.dll
[7] 2014-07-24 . 90B1DA995893F25DE3438B152D29B089 . 19279872 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17054_none_91557a3892722339\mshtml.dll
[7] 2014-07-24 . FCD088145986FCDB29DF083B80FFC235 . 19510784 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21173_none_7a7f1b0cac1fb7ec\mshtml.dll
[7] 2014-06-19 . 0DF61F84BC5542FFDA2F64D6697358E1 . 19277312 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.17028_none_91521e3a92753db8\mshtml.dll
[7] 2014-06-19 . 0F633E07B4FE404DC947AB71213C25D0 . 19511808 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21145_none_7a7bec9eac229f29\mshtml.dll
[7] 2014-05-24 . 36EA060DD7FF676E9A5E76F8E018002A . 19290112 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16921_none_90f16c8092bd88a3\mshtml.dll
[7] 2014-05-24 . 6F29C35FDE80EA7BEEACC8EA152BA0E9 . 19531264 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21044_none_7a86d352ac1a6997\mshtml.dll
[7] 2014-05-06 . EE5B8FE4C7B9769C7DC5C3C856E140C3 . 19274752 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16899_none_9102883292afeb1b\mshtml.dll
[7] 2014-05-06 . 57050C0441EAA93FFE9273635A966303 . 19523072 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21026_none_7a84a52eac1c6a2b\mshtml.dll
[7] 2014-04-29 . 0B2B9288401D0C67F4E8B83A389EFFD8 . 19275264 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16897_none_9102b5c292afb7d9\mshtml.dll
[7] 2014-04-29 . B194732553255AE138FA3346BB5240FE . 19517440 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.21024_none_7a84d2beac1c36e9\mshtml.dll
[7] 2014-03-13 . 74D5CDCFE8C4810D8CF87C98F6393442 . 19273728 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16866_none_90ffcbac92b25233\mshtml.dll
[7] 2014-03-13 . A594D22CDFF55ABD77C04C8F369128A3 . 19515904 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.20985_none_7a296c80ac5fe6e6\mshtml.dll
[7] 2014-02-23 . 87478BFD51053034E45AAB2740285AF1 . 19273216 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16844_none_90fdf8a892b3ec43\mshtml.dll
[7] 2014-02-23 . 18491841F95F39D3B19CDA941F008E99 . 19515392 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.20964_none_7a2782b4ac619a97\mshtml.dll
[7] 2014-02-01 . 1B59269891A17BD804F3F640A66F2A08 . 19274240 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16798_none_910d6ee692a7b589\mshtml.dll
[7] 2014-02-01 . AC32D00AFDF1B9B62F87B1072F755808 . 19514368 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.20916_none_7a2253b2ac664f26\mshtml.dll
[7] 2013-12-30 . F164B9D9EB6AA4FED10AC2DA8CB4A89A . 19271168 . . [10.00.9200.16521] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_10.2.9200.16750_none_910a23fe92aa8325\mshtml.dll
[7] 2013-12-30 . 82682BA2DF50B94CD798B8315B3F7896 . 17773056 . . [9.00.8112.16421] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16421_none_87e150ddf4cd3dc7\mshtml.dll
[7] 2013-11-02 . 8C33345D4473308D10A9C89EF12AC32A . 9076224 . . [8.00.7601.22500] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.22500_none_8cb3b223c8e438d1\mshtml.dll
[7] 2013-11-02 . CA07DC687377B75A362C3616BDD12F53 . 9073152 . . [8.00.7601.18305] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.18305_none_8c2f14e4afc21a93\mshtml.dll
[7] 2010-11-21 . 1C8B787BAA52DEAD1A6FEC1502D652F0 . 8988160 . . [8.00.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17514_none_8c235f42afcafdda\mshtml.dll
[-] 2015-07-02 . 0471D3C50AB5D4720DD222E95AABD129 . 19291136 . . [10.00.9200.16521] .. c:\windows\system32\mshtml.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2015-02-10 20:02 115224 ----a-w- c:\program files (x86)\pandasecuritytb\pandasecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files (x86)\pandasecuritytb\pandasecurityDx.dll" [2015-02-10 115224]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-03-09 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-05-15 60712]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"PSUAMain"="c:\program files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" [2015-02-26 40184]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2015-06-17 421888]
"StartCCC"="c:\program files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2015-06-23 767176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"panda"="reg.exe delete HKCU\Software\AppDataLow\Software\panda" [X]
"panda_XP"="reg.exe delete HKCU\Software\panda" [X]
.
c:\users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
taskmgr.exe [2010-11-20 257024]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
procexp64.exe [2011-12-23 1073992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 PSKMAD;PSKMAD;c:\windows\system32\DRIVERS\PSKMAD.sys;c:\windows\SYSNATIVE\DRIVERS\PSKMAD.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 NNSALPC;NNSALPC;c:\windows\system32\DRIVERS\NNSAlpc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSAlpc.sys [x]
S1 NNSHTTP;NNSHTTP;c:\windows\system32\DRIVERS\NNSHttp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttp.sys [x]
S1 NNSHTTPS;NNSHTTPS;c:\windows\system32\DRIVERS\NNSHttps.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttps.sys [x]
S1 NNSIDS;NNSIDS;c:\windows\system32\DRIVERS\NNSIds.sys;c:\windows\SYSNATIVE\DRIVERS\NNSIds.sys [x]
S1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;c:\windows\system32\DRIVERS\NNSNAHSL.sys;c:\windows\SYSNATIVE\DRIVERS\NNSNAHSL.sys [x]
S1 NNSPICC;NNSPICC;c:\windows\system32\DRIVERS\NNSPicc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPicc.sys [x]
S1 NNSPIHSW;NNSPIHSW;c:\windows\system32\DRIVERS\NNSPihsw.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPihsw.sys [x]
S1 NNSPOP3;NNSPOP3;c:\windows\system32\DRIVERS\NNSPop3.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPop3.sys [x]
S1 NNSPROT;NNSPROT;c:\windows\system32\DRIVERS\NNSProt.sys;c:\windows\SYSNATIVE\DRIVERS\NNSProt.sys [x]
S1 NNSPRV;NNSPRV;c:\windows\system32\DRIVERS\NNSPrv.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPrv.sys [x]
S1 NNSSMTP;NNSSMTP;c:\windows\system32\DRIVERS\NNSSmtp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSSmtp.sys [x]
S1 NNSSTRM;NNSSTRM;c:\windows\system32\DRIVERS\NNSStrm.sys;c:\windows\SYSNATIVE\DRIVERS\NNSStrm.sys [x]
S1 NNSTLSC;NNSTLSC;c:\windows\system32\DRIVERS\NNSTlsc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSTlsc.sys [x]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys;c:\windows\SYSNATIVE\DRIVERS\psinknc.sys [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\AMD\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.3;AODDriver4.3;c:\program files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 NanoServiceMain;Panda Protection Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [x]
S2 panda_url_filtering;panda_url_filtering Service;c:\programdata\Panda Security URL Filtering\Panda_URL_Filteringb.exe;c:\programdata\Panda Security URL Filtering\Panda_URL_Filteringb.exe [x]
S2 PandaAgent;Panda Devices Agent;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [x]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINAflt.sys [x]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys;c:\windows\SYSNATIVE\DRIVERS\PSINFile.sys [x]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProc.sys [x]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProt.sys [x]
S2 PSINReg;PSINReg;c:\windows\system32\DRIVERS\PSINReg.sys;c:\windows\SYSNATIVE\DRIVERS\PSINReg.sys [x]
S2 PSUAService;Panda Product Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 panda_url_filteringd;panda_url_filteringd driver;c:\programdata\Panda Security URL Filtering\panda_url_filteringd.sys;c:\programdata\Panda Security URL Filtering\panda_url_filteringd.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PANDA_URL_FILTERINGD
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-23 22:04 997704 ----a-w- c:\program files (x86)\Google\Chrome\Application\46.0.2490.80\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000Core.job
- c:\users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-03-08 22:41]
.
2015-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000UA.job
- c:\users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-03-08 22:41]
.
2015-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-22 17:52]
.
2015-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-22 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2015-02-10 20:02 131096 ----a-w- c:\program files (x86)\pandasecuritytb\pandasecurityDx64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files (x86)\pandasecuritytb\pandasecurityDx64.dll" [2015-02-10 131096]
.
[HKEY_CLASSES_ROOT\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_185_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_185_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.19"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-11-11  18:01:50
ComboFix-quarantined-files.txt  2015-11-11 23:01
ComboFix2.txt  2015-11-07 19:54
.
Pre-Run: 120,070,549,504 bytes free
Post-Run: 119,634,964,480 bytes free
.
- - End Of File - - 9E203AB85CAC4AA4B758E8E73049C513
A36C5E4F47E84449FF07ED3517B43A31
 
COMBOFIX LOG OF 11/13/15:
 
ComboFix 15-11-05.01 - Peter 11/13/2015   9:45.2.4 - x64 MINIMAL
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.16382.14525 [GMT -5:00]
Running from: c:\users\Peter\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: Panda Free Antivirus *Enabled/Updated* {AAF74A68-8713-CDF1-004F-30003398BE9E}
FW: Panda Firewall *Disabled* {92CCCB4D-CD7C-CCA9-2B10-9935CD4BF9E5}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Panda Free Antivirus *Enabled/Updated* {1196AB8C-A129-C27F-3AFF-0B72481FF423}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe
.
.
(((((((((((((((((((((((((   Files Created from 2015-10-13 to 2015-11-13  )))))))))))))))))))))))))))))))
.
.
2015-11-13 14:49 . 2015-11-13 14:49 -------- d-----w- c:\users\New Account\AppData\Local\temp
2015-11-13 14:49 . 2015-11-13 14:49 -------- d-----w- c:\users\Localadmin\AppData\Local\temp
2015-11-13 14:49 . 2015-11-13 14:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-11-13 14:09 . 2015-10-13 09:47 11140960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6BA22C7-75A7-4CC9-8B54-C88C7F9A49A8}\mpengine.dll
2015-11-12 17:07 . 2015-11-12 17:07 -------- d-----w- c:\programdata\Kaspersky Lab
2015-11-12 17:07 . 2015-11-12 17:07 -------- d-----w- c:\program files (x86)\Kaspersky Lab
2015-11-11 21:54 . 2015-10-13 09:47 11140960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-11-11 18:41 . 2015-11-11 18:42 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2015-11-10 21:48 . 2015-06-24 20:00 1190000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D5BF3F50-2389-4306-A484-2DC2B393B184}\gapaengine.dll
2015-11-07 22:36 . 2015-11-13 17:07 -------- d-----w- c:\program files (x86)\SpeedFan
2015-10-20 00:03 . 2015-01-29 17:21 61712 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-11-09 21:49 . 2014-11-07 12:20 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-11-07 20:54 . 2014-07-25 21:44 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2015-11-07 20:53 . 2014-07-25 21:44 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2015-11-07 20:53 . 2014-07-25 21:44 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2015-11-07 20:53 . 2014-07-20 16:51 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2015-10-05 13:50 . 2014-11-07 12:20 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-10-05 13:50 . 2014-09-21 23:16 109272 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-10-05 13:50 . 2014-11-07 12:20 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-10-04 14:41 . 2014-01-07 20:08 780488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-10-04 14:41 . 2014-01-07 20:08 142536 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-09-28 07:22 . 2014-07-20 16:51 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2015-09-28 07:22 . 2014-07-20 16:51 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2015-09-28 07:22 . 2014-07-20 16:51 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2015-09-28 07:22 . 2014-08-04 07:35 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2015-02-10 20:02 115224 ----a-w- c:\program files (x86)\pandasecuritytb\pandasecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files (x86)\pandasecuritytb\pandasecurityDx.dll" [2015-02-10 115224]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-03-09 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-05-15 60712]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"PSUAMain"="c:\program files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" [2015-02-26 40184]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2015-06-17 421888]
"StartCCC"="c:\program files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2015-06-23 767176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"panda"="reg.exe delete HKCU\Software\AppDataLow\Software\panda" [X]
"panda_XP"="reg.exe delete HKCU\Software\panda" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
procexp64.exe [2011-12-23 1073992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
R1 NNSALPC;NNSALPC;c:\windows\system32\DRIVERS\NNSAlpc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSAlpc.sys [x]
R1 NNSHTTP;NNSHTTP;c:\windows\system32\DRIVERS\NNSHttp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttp.sys [x]
R1 NNSHTTPS;NNSHTTPS;c:\windows\system32\DRIVERS\NNSHttps.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttps.sys [x]
R1 NNSIDS;NNSIDS;c:\windows\system32\DRIVERS\NNSIds.sys;c:\windows\SYSNATIVE\DRIVERS\NNSIds.sys [x]
R1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;c:\windows\system32\DRIVERS\NNSNAHSL.sys;c:\windows\SYSNATIVE\DRIVERS\NNSNAHSL.sys [x]
R1 NNSPICC;NNSPICC;c:\windows\system32\DRIVERS\NNSPicc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPicc.sys [x]
R1 NNSPIHSW;NNSPIHSW;c:\windows\system32\DRIVERS\NNSPihsw.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPihsw.sys [x]
R1 NNSPOP3;NNSPOP3;c:\windows\system32\DRIVERS\NNSPop3.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPop3.sys [x]
R1 NNSPROT;NNSPROT;c:\windows\system32\DRIVERS\NNSProt.sys;c:\windows\SYSNATIVE\DRIVERS\NNSProt.sys [x]
R1 NNSPRV;NNSPRV;c:\windows\system32\DRIVERS\NNSPrv.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPrv.sys [x]
R1 NNSSMTP;NNSSMTP;c:\windows\system32\DRIVERS\NNSSmtp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSSmtp.sys [x]
R1 NNSSTRM;NNSSTRM;c:\windows\system32\DRIVERS\NNSStrm.sys;c:\windows\SYSNATIVE\DRIVERS\NNSStrm.sys [x]
R1 NNSTLSC;NNSTLSC;c:\windows\system32\DRIVERS\NNSTlsc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSTlsc.sys [x]
R1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys;c:\windows\SYSNATIVE\DRIVERS\psinknc.sys [x]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\AMD\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [x]
R2 AODDriver4.3;AODDriver4.3;c:\program files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 panda_url_filtering;panda_url_filtering Service;c:\programdata\Panda Security URL Filtering\Panda_URL_Filteringb.exe;c:\programdata\Panda Security URL Filtering\Panda_URL_Filteringb.exe [x]
R2 PandaAgent;Panda Devices Agent;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [x]
R2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINAflt.sys [x]
R2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys;c:\windows\SYSNATIVE\DRIVERS\PSINFile.sys [x]
R2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProc.sys [x]
R2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProt.sys [x]
R2 PSINReg;PSINReg;c:\windows\system32\DRIVERS\PSINReg.sys;c:\windows\SYSNATIVE\DRIVERS\PSINReg.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 panda_url_filteringd;panda_url_filteringd driver;c:\programdata\Panda Security URL Filtering\panda_url_filteringd.sys;c:\programdata\Panda Security URL Filtering\panda_url_filteringd.sys [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 PSKMAD;PSKMAD;c:\windows\system32\DRIVERS\PSKMAD.sys;c:\windows\SYSNATIVE\DRIVERS\PSKMAD.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
S2 NanoServiceMain;Panda Protection Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [x]
S2 PSUAService;Panda Product Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-23 22:04 997704 ----a-w- c:\program files (x86)\Google\Chrome\Application\46.0.2490.80\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000Core.job
- c:\users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-03-08 22:41]
.
2015-11-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000UA.job
- c:\users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-03-08 22:41]
.
2015-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-22 17:52]
.
2015-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-22 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2015-02-10 20:02 131096 ----a-w- c:\program files (x86)\pandasecuritytb\pandasecurityDx64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files (x86)\pandasecuritytb\pandasecurityDx64.dll" [2015-02-10 131096]
.
[HKEY_CLASSES_ROOT\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-08-18 17:22 164760 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_185_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_185_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.19"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_185.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-11-13  09:50:57
ComboFix-quarantined-files.txt  2015-11-13 14:50
ComboFix2.txt  2015-11-12 01:39
ComboFix3.txt  2015-11-07 19:54
.
Pre-Run: 119,270,973,440 bytes free
Post-Run: 119,203,450,880 bytes free
.
- - End Of File - - 342D21328CBF14A7F38B7782419B6866
A36C5E4F47E84449FF07ED3517B43A31
 
 
 



 


#2 nasdaq
  • Malware Response Team
  • 40,169 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 November 2015 - 11:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


How is the computer running now?
Wait for further instructions.

#3 Lefty Widdagun
  • Topic Starter
  • Members
  • 48 posts

Posted 26 November 2015 - 08:59 AM

Attempting to perform instructions... after 5 minutes online, lost Internet connection on the infected PC... shows 'unknown network'... replying now via tablet... will attempt connection on infected PC by safe mode with networking... can your instructions be done in that mode?

#5 Lefty Widdagun
  • Topic Starter
  • Members
  • 48 posts

Posted 26 November 2015 - 11:40 AM

System highly unstable: unable to perform downloads, launch or open folders on the desktop, or access drives in standard mode; all functions performed in Safe Mode with Networking.

Ran AdwCleaner and cleaned; nothing appeared in the main list of infected files etc., but many things appear in the txt file following.

Ran Farbar Recovery Scan Tool 64 bit, text following.

 

ADWCLEANER TEXT FILE [S1]:

# AdwCleaner v5.022 - Logfile created 26/11/2015 at 10:03:44
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Local]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Peter - UPAYA
# Running from : C:\Users\Peter\Desktop\adwcleaner_5.022.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\Program Files (x86)\AVG SafeGuard toolbar
Folder Found : C:\Program Files (x86)\AVG Security Toolbar
Folder Found : C:\Program Files (x86)\GreenTree Applications
Folder Found : C:\Program Files (x86)\Toolbar Cleaner
Folder Found : C:\Program Files (x86)\FLV Player
Folder Found : C:\ProgramData\RightClick
Folder Found : C:\ProgramData\SaveAs
Folder Found : C:\ProgramData\ytd video downloader
Folder Found : C:\ProgramData\SaveAs
Folder Found : C:\ProgramData\Avg_Update_0814tb
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLV Player
Folder Found : C:\Users\Localadmin\AppData\LocalLow\AVG SafeGuard toolbar
Folder Found : C:\Users\New Account\AppData\LocalLow\AVG SafeGuard toolbar
Folder Found : C:\Windows\FLV Player
 
***** [ Files ] *****
 
File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\adawaretb.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\safeguard-secure-search.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
File Found : C:\Users\Public\Desktop\YTD Video Downloader.lnk
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKCU\Software\Avg Secure Update
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
Key Found : HKU\.DEFAULT\Software\Avg Secure Update
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
 
***** [ Web browsers ] *****
 
[C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3407 bytes] ##########
 

ADWCLEANER TEXT FILE [C1]

# AdwCleaner v5.022 - Logfile created 26/11/2015 at 10:10:45
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Local]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Peter - UPAYA
# Running from : C:\Users\Peter\Desktop\adwcleaner_5.022.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\AVG SafeGuard toolbar
[-] Folder Deleted : C:\Program Files (x86)\AVG Security Toolbar
[-] Folder Deleted : C:\Program Files (x86)\GreenTree Applications
[-] Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
[-] Folder Deleted : C:\Program Files (x86)\FLV Player
[-] Folder Deleted : C:\ProgramData\RightClick
[-] Folder Deleted : C:\ProgramData\SaveAs
[-] Folder Deleted : C:\ProgramData\ytd video downloader
[!] Folder Not Deleted : C:\ProgramData\SaveAs
[-] Folder Deleted : C:\ProgramData\Avg_Update_0814tb
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLV Player
[-] Folder Deleted : C:\Users\Localadmin\AppData\LocalLow\AVG SafeGuard toolbar
[-] Folder Deleted : C:\Users\New Account\AppData\LocalLow\AVG SafeGuard toolbar
[-] Folder Deleted : C:\Windows\FLV Player
 
***** [ Files ] *****
 
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\adawaretb.xml
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\safeguard-secure-search.xml
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
[-] File Deleted : C:\Users\Public\Desktop\YTD Video Downloader.lnk
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\Avg Secure Update
[-] Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
[-] Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3725 bytes] ##########
 

FRST TEXT FILE:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-11-2015 02
Ran by Peter (administrator) on UPAYA (26-11-2015 11:02:53)
Running from C:\Users\Peter\Desktop\FRST folder
Loaded Profiles: Peter (Available Profiles: Peter & Localadmin & New Account)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PAV3WSC.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-04-26] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-05-15] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [40184 2015-02-26] (Panda Security, S.L.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-06-16] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-06-22] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-03-08] (Google Inc.)
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [panda] => reg.exe delete "HKCU\Software\AppDataLow\Software\panda" /f
HKU\S-1-5-18\...\RunOnce: [panda_XP] => reg.exe delete "HKCU\Software\panda" /f
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\procexp64.exe [2011-12-23] (Sysinternals - www.sysinternals.com)
GroupPolicyScripts-x32: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C932EB2D-24B9-42C1-9998-C8D16689170D}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mail.google.com/mail/u/0/?shva=1#inbox
SearchScopes: HKU\S-1-5-21-1857090042-2038237738-235256863-1000 -> {CB7F4157-2D06-492E-8223-0180B04F8400} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-21] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Panda Security Toolbar -> {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} -> C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll [2015-02-10] ()
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-21] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Panda Security Toolbar -> {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} -> C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll [2015-02-10] ()
Toolbar: HKLM - Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll [2015-02-10] ()
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-21] (Google Inc.)
Toolbar: HKLM-x32 - Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll [2015-02-10] ()
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-21] (Google Inc.)
Toolbar: HKU\S-1-5-21-1857090042-2038237738-235256863-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-21] (Google Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-26] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1857090042-2038237738-235256863-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Peter\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxps://www.facebook.com/","hxxp://www.nytimes.com/","hxxp://www.huffingtonpost.com/"
CHR Profile: C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-17]
CHR Extension: (Google Docs) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-17]
CHR Extension: (Google Drive) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Sheets) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-17]
CHR Extension: (Google Docs Offline) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-24]
CHR Extension: (Gmail) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-17]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [344064 2015-06-22] (Advanced Micro Devices, Inc.) [File not signed]
S3 AppMgmt; C:\Windows\System32\appmgmts.dll [193536 2009-07-13] (Microsoft Corporation) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 Microsoft SharePoint Workspace Audit Service; C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [30814400 2013-12-19] (Microsoft Corporation) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [142584 2015-02-26] (Panda Security, S.L.)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [66808 2014-10-09] (Panda Security, S.L.)
S2 panda_url_filtering; C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe [296760 2014-09-19] (Panda Security)
R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-02-26] (Panda Security, S.L.)
S3 wbengine; C:\Windows\system32\wbengine.exe [1504256 2010-11-20] (Microsoft Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AODDriver4.3; C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\System32\DRIVERS\NNSNAHSL.sys [48400 2014-12-31] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
S1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
S3 panda_url_filteringd; C:\ProgramData\Panda Security URL Filtering\panda_url_filteringd.sys [51288 2014-03-19] (Visicom Media Inc.)
S2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163088 2015-02-25] (Panda Security, S.L.)
S2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2015-02-25] (Panda Security, S.L.)
S1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197392 2015-02-25] (Panda Security, S.L.)
S2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124176 2015-02-25] (Panda Security, S.L.)
S2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [133904 2015-02-25] (Panda Security, S.L.)
S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
S3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [61712 2015-01-29] (Panda Security, S.L.)
S3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [23552 2012-02-16] (Microsoft Corporation) [File not signed]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-26 11:02 - 2015-11-26 11:02 - 00000000 ____D C:\FRST
2015-11-26 10:14 - 2015-11-26 10:14 - 00002863 _____ C:\Users\Peter\Documents\CloudAV1126151430_2040.csv
2015-11-26 10:03 - 2015-11-26 10:10 - 00000000 ____D C:\AdwCleaner
2015-11-26 10:02 - 2015-01-29 12:21 - 00061712 _____ (Panda Security, S.L.) C:\Windows\system32\Drivers\PSKMAD.sys
2015-11-26 09:16 - 2015-11-26 11:02 - 00000000 ____D C:\Users\Peter\Desktop\FRST folder
2015-11-26 09:01 - 2015-11-26 09:01 - 01733632 _____ C:\Users\Peter\Desktop\adwcleaner_5.022.exe
2015-11-21 09:37 - 2015-11-21 09:37 - 00005889 _____ C:\Users\Peter\Documents\CloudAV1121143708_1452.csv
2015-11-19 19:58 - 2015-11-19 21:29 - 00000000 ____D C:\Users\Peter\Desktop\mbar
2015-11-19 19:56 - 2015-11-19 19:56 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Peter\Desktop\mbar-1.09.3.1001.exe
2015-11-18 22:01 - 2015-11-18 22:01 - 00001100 _____ C:\Users\Peter\Desktop\Up_texts - Shortcut.lnk
2015-11-18 19:41 - 2015-11-18 19:41 - 01357875 _____ C:\Users\Peter\AppData\Local\census.cache
2015-11-18 19:41 - 2015-11-18 19:41 - 00194491 _____ C:\Users\Peter\AppData\Local\ars.cache
2015-11-16 18:33 - 2015-11-16 18:33 - 00000010 _____ C:\Users\Peter\AppData\Local\sponge.last.runtime.cache
2015-11-16 17:36 - 2015-11-16 17:36 - 00000036 _____ C:\Users\Peter\AppData\Local\housecall.guid.cache
2015-11-16 17:36 - 2015-05-29 02:43 - 00307352 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-11-16 17:34 - 2015-11-16 17:36 - 02494944 _____ (Trend Micro Inc.) C:\Users\Peter\Downloads\HousecallLauncher64 (1).exe
2015-11-16 06:13 - 2015-11-16 06:13 - 00000310 _____ C:\Users\Peter\Documents\CloudAV1116011014_292.csv
2015-11-15 20:22 - 2015-11-15 20:24 - 00007972 _____ C:\Users\Peter\Desktop\Rkill.txt
2015-11-15 14:54 - 2015-11-15 14:54 - 00009675 _____ C:\Users\Peter\Documents\CloudAV1115195425_1368.csv
2015-11-14 19:44 - 2015-11-14 19:44 - 00001388 _____ C:\Users\Peter\Documents\CloudAV1115004431_1460.csv
2015-11-14 19:29 - 2015-11-14 19:29 - 00002541 _____ C:\Users\Peter\Documents\CloudAV1115002929_1260.csv
2015-11-14 09:26 - 2015-11-14 09:26 - 00001489 _____ C:\Users\Peter\Documents\CloudAV1114142620_1492.csv
2015-11-14 07:56 - 2015-11-14 07:56 - 00004041 _____ C:\Users\Peter\Documents\CloudAV1114125601_1160.csv
2015-11-14 07:36 - 2015-11-14 07:36 - 00006713 _____ C:\Users\Peter\Documents\CloudAV1114123600_2036.csv
2015-11-13 10:08 - 2015-11-13 10:08 - 00008130 _____ C:\Users\Peter\Documents\CloudAV1113150811_1272.csv
2015-11-13 09:59 - 2015-11-13 09:59 - 00001200 _____ C:\Users\Peter\Documents\CloudAV1113145921_1436.csv
2015-11-13 09:50 - 2015-11-13 09:50 - 00023680 _____ C:\ComboFix 11 13 15.txt
2015-11-13 09:15 - 2015-11-13 09:15 - 00001374 _____ C:\Users\Peter\Documents\CloudAV1113141527_1460.csv
2015-11-13 07:17 - 2015-11-13 07:17 - 00001034 _____ C:\Users\Peter\Documents\CloudAV1113121716_2004.csv
2015-11-12 14:43 - 2015-11-12 14:43 - 00000789 _____ C:\Users\Peter\Documents\CloudAV1112194335_1508.csv
2015-11-12 14:08 - 2015-11-12 14:08 - 00008867 _____ C:\Users\Peter\Documents\CloudAV1112190832_1624.csv
2015-11-12 13:14 - 2015-11-12 13:14 - 00003624 _____ C:\Users\Peter\Documents\CloudAV1112181357_1464.csv
2015-11-12 12:07 - 2015-11-12 12:07 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2015-11-12 12:07 - 2015-11-12 12:07 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2015-11-11 17:07 - 2015-11-11 17:07 - 00012555 _____ C:\Users\Peter\Documents\CloudAV1111220732_1660.csv
2015-11-11 16:55 - 2015-11-11 16:55 - 00003315 _____ C:\Users\Peter\Documents\CloudAV1111215453_2056.csv
2015-11-11 13:41 - 2015-11-14 14:47 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-11-10 23:05 - 2015-11-11 16:45 - 434008694 _____ C:\Users\Peter\Documents\CloudAV1110231834_1268.csv
2015-11-10 06:29 - 2015-11-10 07:24 - 38409187 _____ C:\Users\Peter\Documents\CloudAV1108044919_2132.csv
2015-11-08 11:05 - 2015-11-26 10:08 - 00000000 ____D C:\Users\Peter\Desktop\~RESTORATION 2015117
2015-11-07 19:42 - 2015-11-07 19:42 - 00433493 _____ C:\Users\Peter\Desktop\papa-francesco_20150524_enciclica-laudato-si.pdf
2015-11-07 17:36 - 2015-11-13 10:20 - 00000000 ____D C:\Program Files (x86)\SpeedFan
2015-11-07 17:36 - 2015-11-07 17:36 - 00001007 _____ C:\Users\Peter\Desktop\SpeedFan.lnk
2015-11-07 17:36 - 2015-11-07 17:36 - 00000045 _____ C:\Windows\SysWOW64\initdebug.nfo
2015-11-07 17:36 - 2015-11-07 17:36 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpeedFan
2015-11-07 14:26 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2015-11-07 14:26 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2015-11-07 14:26 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-11-07 14:26 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-11-07 14:26 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-11-07 14:26 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2015-11-07 14:26 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2015-11-07 14:26 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2015-11-07 13:52 - 2015-11-06 09:26 - 05637844 ____R (Swearware) C:\Users\Peter\Desktop\ComboFix.exe
2015-11-06 17:28 - 2015-11-13 09:50 - 00000000 ____D C:\Qoobox
2015-11-06 17:27 - 2015-11-13 12:07 - 00000000 ____D C:\Windows\erdnt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-26 11:02 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-11-26 10:53 - 2015-03-10 19:10 - 01242354 _____ C:\Windows\ntbtlog.txt
2015-11-26 10:14 - 2014-01-07 15:08 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-26 10:14 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-26 09:39 - 2009-07-13 23:45 - 00031760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-26 09:39 - 2009-07-13 23:45 - 00031760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-26 08:44 - 2014-04-28 16:30 - 00003914 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{606250FA-EAD0-4D4B-849B-465877D2F378}
2015-11-26 08:29 - 2015-01-21 17:52 - 00000000 ____D C:\ProgramData\panda_url_filtering
2015-11-26 08:03 - 2014-01-07 15:08 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-26 05:46 - 2014-03-08 17:41 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000UA.job
2015-11-25 17:46 - 2014-03-08 17:41 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000Core.job
2015-11-21 16:18 - 2014-01-01 18:46 - 00007611 _____ C:\Users\Peter\AppData\Local\resmon.resmoncfg
2015-11-19 21:29 - 2014-07-25 16:33 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-11-19 20:03 - 2014-11-07 07:20 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-19 19:58 - 2014-09-21 18:16 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-11-19 16:58 - 2012-05-03 06:12 - 00000000 ____D C:\Users\Peter\Desktop\OFFICE 2010 INSTALLATION PACKAGE
2015-11-15 20:22 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\et-EE
2015-11-14 17:04 - 2011-12-26 15:25 - 00000000 ____D C:\Users\Peter\Documents\Outlook Files
2015-11-14 11:06 - 2014-01-17 21:02 - 00000000 ____D C:\Users\Peter\AppData\Local\ElevatedDiagnostics
2015-11-13 12:07 - 2015-04-12 19:29 - 00000000 ___SD C:\Windows\system32\GWX
2015-11-13 12:07 - 2014-01-19 00:26 - 00000000 ____D C:\Users\New Account
2015-11-13 12:07 - 2014-01-06 15:03 - 00000000 ____D C:\Users\Localadmin
2015-11-13 12:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2015-11-13 12:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2015-11-13 09:49 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2015-11-13 09:09 - 2013-12-29 18:19 - 00000000 ____D C:\Users\Peter
2015-11-11 16:58 - 2009-07-14 00:08 - 00032542 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-11-11 07:18 - 2015-10-12 06:56 - 00024700 _____ C:\Users\Peter\Desktop\BP Weight Chart.xlsx
2015-11-07 14:04 - 2014-07-20 11:59 - 00000000 ____D C:\Users\Peter\AppData\Local\Windows Live
2015-11-07 14:03 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-11-06 21:30 - 2014-02-23 12:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-11-06 21:30 - 2014-01-07 15:08 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2015-11-06 21:30 - 2014-01-07 15:08 - 00000000 ____D C:\Windows\system32\Macromed
2015-11-06 21:30 - 2014-01-01 18:49 - 00000000 ____D C:\Users\Peter\AppData\Roaming\IrfanView
2015-11-06 21:30 - 2013-12-29 19:16 - 00000000 ____D C:\Users\Peter\AppData\Local\Microsoft Help
2015-10-31 23:00 - 2014-12-23 22:56 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
 
==================== Files in the root of some directories =======
 
2013-07-30 01:28 - 2013-12-09 02:49 - 0003736 _____ () C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
2015-11-18 19:41 - 2015-11-18 19:41 - 0194491 _____ () C:\Users\Peter\AppData\Local\ars.cache
2015-11-18 19:41 - 2015-11-18 19:41 - 1357875 _____ () C:\Users\Peter\AppData\Local\census.cache
2014-07-05 05:35 - 2015-08-02 07:57 - 0006144 _____ () C:\Users\Peter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-11-16 17:36 - 2015-11-16 17:36 - 0000036 _____ () C:\Users\Peter\AppData\Local\housecall.guid.cache
2014-01-01 18:46 - 2015-11-21 16:18 - 0007611 _____ () C:\Users\Peter\AppData\Local\resmon.resmoncfg
2015-11-16 18:33 - 2015-11-16 18:33 - 0000010 _____ () C:\Users\Peter\AppData\Local\sponge.last.runtime.cache
2015-08-01 06:59 - 2015-08-01 06:59 - 0065536 _____ () C:\ProgramData\micr
 
Some files in TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Peter\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-11-21 16:36
 
==================== End of FRST.txt ============================
 
Addition.txt attached...
sending...
 


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,169 posts
  • Location:Montreal, QC. Canada

Posted 27 November 2015 - 08:17 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset
CMD: ipconfig /release
CMD: ipconfig /renew

GroupPolicyScripts-x32: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:373E1720

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please let me know what problem persists.
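
The fixlist above removes a Group Policy restriction, two Internet Explorer policy keys, orphaned Firefox plugin registrations, a leftover ComboFix driver service and an alternate data stream on C:\ProgramData\TEMP. As an added example that is not part of this thread and is not code from Farbar/FRST, the PowerShell script below is a read-only audit of those same artifacts: run it before a fix like this to confirm what is present, and again afterwards to verify the fix took effect. The SID, paths and key names are the ones that appear in the fixlist; the script assumes PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt, and the variable and comment names are my own.

```powershell
# Added example (not from this thread and not part of Farbar/FRST): a read-only audit
# of the artifacts nasdaq's fixlist targets. Run it in an elevated PowerShell (3.0+)
# before the fix to confirm what is there, and again afterwards to verify removal.
# The SID, paths and key names below are the ones that appear in the fixlist;
# change $userSid to the SID of the profile you are checking on another machine.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Group Policy files that FRST reported as a restriction (GroupPolicyScripts-x32).
$gpPaths = @(
    "$env:SystemRoot\System32\GroupPolicy\GPT.ini",
    "$env:SystemRoot\SysWOW64\GroupPolicy\GPT.ini",
    "$env:SystemRoot\SysWOW64\GroupPolicy\Machine"
)
foreach ($p in $gpPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("GroupPolicy artifact present: $p") }
}

# 2. Internet Explorer policy keys in HKLM and in the user's hive.
$userSid = 'S-1-5-21-1857090042-2038237738-235256863-1000'
$ieKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    "Registry::HKEY_USERS\$userSid\SOFTWARE\Policies\Microsoft\Internet Explorer"
)
foreach ($k in $ieKeys) {
    if (Test-Path -LiteralPath $k) {
        $subkeys = (Get-ChildItem -LiteralPath $k | ForEach-Object { $_.PSChildName }) -join ', '
        $findings.Add("IE policy key present: $k (subkeys: $subkeys)")
    }
}

# 3. Firefox plugin registrations whose Path value points at a file that no longer
#    exists (FRST shows these as 'FF Plugin: ... [No File]').
foreach ($root in 'HKLM:\SOFTWARE\MozillaPlugins', 'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins') {
    Get-ChildItem -LiteralPath $root | ForEach-Object {
        $pluginPath = (Get-ItemProperty -LiteralPath $_.PSPath).Path
        if ($pluginPath -and -not (Test-Path -LiteralPath $pluginPath)) {
            $findings.Add("Orphaned Mozilla plugin: $($_.PSChildName) -> $pluginPath (missing)")
        }
    }
}

# 4. The ComboFix driver service 'catchme' (FRST marks a missing binary with [X]).
$svc = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\catchme'
if ($svc) {
    $image = $svc.ImagePath -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
    $state = if (Test-Path -LiteralPath $image) { 'binary present' } else { 'binary missing' }
    $findings.Add("Service 'catchme' still registered: $($svc.ImagePath) ($state)")
}

# 5. Alternate data streams on C:\ProgramData\TEMP (the fixlist removes ':373E1720').
$adsTarget = Join-Path $env:ProgramData 'TEMP'
if (Test-Path -LiteralPath $adsTarget) {
    Get-Item -LiteralPath $adsTarget -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS on ${adsTarget}: $($_.Stream) ($($_.Length) bytes)") }
}

# Report what was found.
if ($findings.Count -eq 0) {
    'None of the fixlist artifacts were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}

# 6. Firewall profile state, which the fixlist's netsh commands reset and re-enable.
netsh advfirewall show allprofiles state
```

The script only reads; it changes nothing, so it is safe to run on either side of the fix. A clean post-fix run should report none of the artifacts and show all three firewall profiles as ON, matching the "moved successfully" / "key removed successfully" lines FRST writes to Fixlog.txt.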

#7 Lefty Widdagun

Lefty Widdagun
  • Topic Starter

  • Members
  • 48 posts

Posted 27 November 2015 - 09:09 AM

Performed the instruction as directed.

After reboot and login to my profile, again a long delay at a black screen with cursor - as previously at several instances - until desktop appears.

Still unable to launch "Add/Remove Programs" from the Control Panel as before... have not tried to delete folders from one of the EHD's that is filling up until restoration is complete.

Following is the content of the Fixitlog.txt:

 Fix result of Farbar Recovery Scan Tool (x64) Version:25-11-2015 02

Ran by Peter (2015-11-27 08:37:19) Run:1
Running from C:\Users\Peter\Desktop\FRST folder
Loaded Profiles: Peter (Available Profiles: Peter & Localadmin & New Account)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset
CMD: ipconfig /release
CMD: ipconfig /renew
 
GroupPolicyScripts-x32: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1857090042-2038237738-235256863-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /release =========
 
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::9481:4158:b9b6:3de2%11
   Default Gateway . . . . . . . . . : 
 
========= End of CMD: =========
 
 
=========  ipconfig /renew =========
 
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::9481:4158:b9b6:3de2%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
 
========= End of CMD: =========
 
C:\Windows\SysWOW64\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1857090042-2038237738-235256863-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
catchme => service removed successfully
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
EmptyTemp: => 1.5 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 08:40:57 ====
 
Please advise next steps... and thank you for your guidance.
 
Lefty


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,169 posts
  • Location:Montreal, QC. Canada

Posted 27 November 2015 - 10:45 AM

Try re-registering the dll files.
Open a command prompt: type CMD in the Start menu run box and click the OK button.
Type the following at the prompt.
regsvr32 mshtml.dll
Press Enter
regsvr32 shdocvw.dll -I
Press Enter
regsvr32 shell32.dll -I
Press Enter

Restart the computer normally.

Test and find out if problem solved.

===

If not continue.


Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below

    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    10 - Remove Policies Set By Infections
    11 - Repair Start Menu Icons Removed by Infections
    12 - Repair Icons
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===

Restart the computer normally.
Any change?

#9 Lefty Widdagun

Lefty Widdagun
  • Topic Starter

  • Members
  • 48 posts

Posted 27 November 2015 - 07:50 PM

Attempted repairs as per instruction:

1. entered 'regsvr32 mshtml.dll' and received a popup "the module mshtml.dll was loaded but the entry point DLL Register Server was not found. Make sure that 'mshtml.dll' is a valid DLL or OCX file and then try again."

2. second reg command, entered 'regsvr32shdocvw.dll -l' and received the popup 'The command flag -l is not valid. Please review the command usage and try again' (and then a list of command switches etc.) - - - DID I ENTER THE WRONG SWITCH HERE? Is that a -l (as in 'L') or something else... '1' or 'i'?

3. entered 'regsvr32 shell32.dll -l' and received the same fail warning about correct switches...

Rebooted, but still unable to get to 'Programs and Features' in Control Panel or Network and Sharing either... long delays continue

 

Downloaded and installed 'Tweaking.com' application... Windows Explorer crashes and restarts, Ran the installation in Safe Mode with Networking ...noted that 'Package 4 and Package 5 possibly corrupt' message. Repaired Reparse Points... missed the 'Repairs - unselect All and then select the few required and ran the whole Repair function. Rebooted and re-ran with just the few required... No errors noted at this point... Rebooted again

Windows Explorer crashed again and returns, but still extremely slow in launching browsers, if they come up at all, still unable to get to Programs and Features though Network and Sharing Center does launch, but the blue circle at the Taskbar icon for network still appears and hangs there as if trying to acquire a network IP or network access.. A-V programs still appear as disabled

 

Result: no improvement, uncertain of security issues, unable to delete large directories on an EHD to free up space... still sluggish and after desktop comes up as black until displaying after a long wait... Sending this from SMwN as browsers fail to load in standard startup mode

Your recommendations???


Edited by Lefty Widdagun, 27 November 2015 - 07:52 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,169 posts
  • Location:Montreal, QC. Canada

Posted 28 November 2015 - 08:08 AM

unable to delete large directories on an EHD to free up space


Place the cursor on the large folder and highlight the folder.
Press the Shift + Del keys simultaneously.
If you get a message warning about this action, then select Yes.

If that does not work try the same thing with the files in the folder.
Open the folder Highlight some 10 to 20 files and remove them.

Using Shift + Del key will remove the files completely. They will not be sent to your recycle bin.

===

I see that you have some Restore points.

==================== Restore Points =========================

11-11-2015 17:50:31 ComboFix created restore point
16-11-2015 06:36:27 Windows Backup
23-11-2015 18:22:58 Scheduled Checkpoint


You ran Combofix because you had problems.

Restore your computer.
Select a date one or two weeks before you ran the Combofix.

How is the computer running now?

===

#11 Lefty Widdagun

Lefty Widdagun
  • Topic Starter

  • Members
  • 48 posts

Posted 28 November 2015 - 11:03 AM

Re folder that won't delete
Have tried your suggestion many times, didn't work. Even confirmed that I had ownership of it and all subfolders, it's an installation package for a Photoshop version
Re restore points
First thing that I tried at the start of this 3 weeks ago after first A-V scans found nothing and before I ran Combo fix. ..did not work, Internet access blocked in normal mode so ran in safe mode but still no access to Programs and Features
Currently running MS Malware Removal Tool -3 hours into it - about 1/3 done of entire system scan...about 6TB.. so far found nothing

Any other idea prior to a complete reinstall? Hoping to avoid that
Thanks
Lefty

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,169 posts
  • Location:Montreal, QC. Canada

Posted 28 November 2015 - 02:52 PM


Did you try to remove the folder/files in Safe Mode?
===


Let's check further.

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click Options; the following options are available to you.
Select only the check boxes for the options in bold.

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Empty Temp
Do a Deep Scan



Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Do
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.

Make sure you Enable your AV Program.

p.s.
Please post the complete path of the folder you wish to delete.
I'll see if I can use a tool to remove it.
===


This is also a possibility. Do not try it yet.
Download and run this unlocker tool.

http://www.majorgeeks.com/files/details/unlocker.html

Try to remove the folder/files after unlocking them.
===

p.s.
This program comes with some 3rd party software that will generate ads.
Suggest you run the AdwCleaner tool and remove everything you did not ask for.

#13 Lefty Widdagun

Lefty Widdagun
  • Topic Starter

  • Members
  • 48 posts

Posted 29 November 2015 - 06:12 PM

Tried twice to attach the zoek-results.log but receiving an 'Upload Skipped (No file was selected for upload)' message...? I'm sure that I did - twice... so here's a copy-and-paste of the results:

 

 
Zoek.exe v5.0.0.1 Updated 28-November-2015
Tool run by Peter on Sun 11/29/2015 at 17:27:05.93.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Peter\Desktop\zoek.exe [Scan all users]  [Checkboxes used]
 
==== Running Processes ======================
 
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe
C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\procexp64.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Users\Peter\Desktop\zoek.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
 
==== System Restore Info ======================
 
11/29/2015 5:31:31 PM Zoek.exe System Restore Point Created Successfully.
 
==== Installed Programs ======================
 
Adobe Flash Player 19 ActiveX  
Adobe Reader XI (11.0.13)  
Adobe Refresh Manager  
AMD Catalyst Control Center  
AMD Catalyst Install Manager  
AMD Drag and Drop Transcoding  
AMD Fuel  
AMD USB Filter Driver  
AMD Wireless Display v3.0  
Apple Application Support (32-bit)  
Apple Application Support (64-bit)  
Apple Mobile Device Support  
Apple Software Update  
Bonjour  
Catalyst Control Center - Branding  
Catalyst Control Center Graphics Previews Common  
Catalyst Control Center InstallProxy  
Catalyst Control Center Localization All  
ccc-utility64  
CCC Help Chinese Standard  
CCC Help Chinese Traditional  
CCC Help Czech  
CCC Help Danish  
CCC Help Dutch  
CCC Help English  
CCC Help Finnish  
CCC Help French  
CCC Help German  
CCC Help Greek  
CCC Help Hungarian  
CCC Help Italian  
CCC Help Japanese  
CCC Help Korean  
CCC Help Norwegian  
CCC Help Polish  
CCC Help Portuguese  
CCC Help Russian  
CCC Help Spanish  
CCC Help Swedish  
CCC Help Thai  
CCC Help Turkish  
Cisco Jabber Video for TelePresence  
Definition Update for Microsoft Office 2010 (KB3054883) 32-Bit Edition  
Dropbox  
EPSON Scan  
Facebook Video Calling 3.1.0.521  
FLV Player  
Google Chrome  
Google Earth  
Google Toolbar for Internet Explorer  
Google Update Helper  
IrfanView (remove only)  
iTunes  
Leawo PowerPoint to Video Free version 2.4.0.62  
Logitech Webcam Software  
LWS Webcam Software  
Malwarebytes Anti-Malware version 2.2.0.1024  
Microsoft .NET Framework 4.5.2  
Microsoft Mouse and Keyboard Center  
Microsoft Office Access MUI (English) 2010  
Microsoft Office Access Setup Metadata MUI (English) 2010  
Microsoft Office Excel MUI (English) 2010  
Microsoft Office Groove MUI (English) 2010  
Microsoft Office InfoPath MUI (English) 2010  
Microsoft Office Office 64-bit Components 2010  
Microsoft Office OneNote MUI (English) 2010  
Microsoft Office Outlook Connector  
Microsoft Office Outlook MUI (English) 2010  
Microsoft Office PowerPoint MUI (English) 2010  
Microsoft Office Professional Plus 2010  
Microsoft Office Proof (English) 2010  
Microsoft Office Proof (French) 2010  
Microsoft Office Proof (Spanish) 2010  
Microsoft Office Proofing (English) 2010  
Microsoft Office Publisher MUI (English) 2010  
Microsoft Office Shared 64-bit MUI (English) 2010  
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010  
Microsoft Office Shared MUI (English) 2010  
Microsoft Office Shared Setup Metadata MUI (English) 2010  
Microsoft Office Word MUI (English) 2010  
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit  
Microsoft Security Client  
Microsoft Silverlight  
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17  
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148  
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219  
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219  
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727  
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727  
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727  
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727  
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727  
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727  
Microsoft Visual C++ Run Time  Lib Setup  
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)  
Panda Cloud Cleaner  
Panda Devices Agent  
Panda Free Antivirus  
Panda Security Toolbar  
Panda Security URL Filtering  
PlayReady PC Runtime x86  
QuickTime 7  
Realtek Ethernet Controller Driver For Windows 7  
Renesas Electronics USB 3.0 Host Controller Driver  
Security Update for Microsoft .NET Framework 4.5.2 (KB3023224)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3035490)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3037581)  
Security Update for Microsoft Excel 2010 (KB3054981) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2863817) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB2920748) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB3054834) 32-Bit Edition  
Security Update for Microsoft Office 2010 (KB3054848) 32-Bit Edition  
Security Update for Microsoft PowerPoint 2010 (KB3054963) 32-Bit Edition  
Security Update for Microsoft Word 2010 (KB3054973) 32-Bit Edition  
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition  
SkypeT 7.6  
SpeedFan (remove only)  
Tweaking.com - Windows Repair  
Ultra Defragmenter  
Update for Microsoft Access 2010 (KB2965300) 32-Bit Edition  
Update for Microsoft Excel 2010 (KB2589348) 32-Bit Edition  
Update for Microsoft Filter Pack 2.0 (KB2881026) 32-Bit Edition  
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition  
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2553140) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2553347) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2589282) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2589386) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2597089) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2687275) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2883019) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2889828) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2910896) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2965296) 32-Bit Edition  
Update for Microsoft Office 2010 (KB2965301) 32-Bit Edition  
Update for Microsoft Office 2010 (KB3054873) 32-Bit Edition  
Update for Microsoft Office 2010 (KB3054964) 32-Bit Edition  
Update for Microsoft OneNote 2010 (KB2956075) 32-Bit Edition  
Update for Microsoft OneNote 2010 (KB2965297) 32-Bit Edition  
Update for Microsoft Outlook 2010 (KB2965295) 32-Bit Edition  
Update for Microsoft Outlook 2010 (KB3054976) 32-Bit Edition  
Update for Microsoft Outlook Social Connector 2010 (KB2553308) 32-Bit Edition  
Update for Microsoft PowerPoint 2010 (KB2880517) 32-Bit Edition  
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition  
Update for Microsoft Visio 2010 (KB2965292) 32-Bit Edition  
Update for Microsoft Visio Viewer 2010 (KB2881021) 32-Bit Edition  
Visual Studio 2012 x64 Redistributables  
Visual Studio 2012 x86 Redistributables  
WD SmartWare  
 
==== System Specs ======================
 
Windows: Windows 7 Professional Edition (64-bit) Service Pack 1 (Build 7601)
Memory (RAM): 16383 MB
CPU Info: AMD Athlon™ II X4 640 Processor
CPU Speed: 3084.4 MHz
Sound Card: Speakers (High Definition Audio | 
Digital Audio (HDMI) (High Defi | 
Digital Audio (S/PDIF) (High De | 
Display Adapters: ATI Radeon HD 5700 Series | ATI Radeon HD 5700 Series | ATI Radeon HD 5700 Series | RDPDD Chained DD | RDP Encoder Mirror Driver | RDP Reflector Display Driver
Monitors: 2x; Acer S201HL(Analog) | HL227D | 
Screen Resolution: 1067 X 600 - 32 bit
Network: Network Present
Network Adapters: Realtek PCIe GBE Family Controller
CD / DVD Drives: 3x (X: | Y: | Z: | ) X: TSSTcorpCDDVDW SH-222AB  | Y: ATAPI   iHAS424   B      | Z: WD      Virtual CD 1110
Ports: COM1 LPT Port NOT Present. 
Mouse: 3 Button Wheel Mouse Present
Hard Disks: C:  488.3GB | D:  94.7GB | E:  94.7GB | F:  85.8GB | G:  79.4GB | H:  88.4GB | I:  1863.0GB | K:  1062.2GB | L:  390.6GB | M:  409.6GB
Hard Disks - Free: C:  113.5GB | D:  29.3GB | E:  83.6GB | F:  56.6GB | G:  73.3GB | H:  86.9GB | I:  89.3GB | K:  553.4GB | L:  76.1GB | M:  129.9GB
Manufacturer *: American Megatrends Inc.
BIOS Info: AT/AT COMPATIBLE | 08/16/32 | 030811 - 20110308
Time Zone: Eastern Standard Time
Motherboard *: ASUSTeK Computer INC. M4A87TD EVO
Country: United States 
Language: ENU 
 
==== System Specs (Software) ======================
 
AV: Panda Free Antivirus *Disabled/Updated* {AAF74A68-8713-CDF1-004F-30003398BE9E}
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Panda Free Antivirus *Disabled/Updated* {1196AB8C-A129-C27F-3AFF-0B72481FF423}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Panda Firewall *Disabled* {92CCCB4D-CD7C-CCA9-2B10-9935CD4BF9E5}
Internet Explorer Version: 10.0.9200.17414 
Google Chrome version: 46.0.2490.86
Adobe Reader version: 11.0.13.17
 
==== Files Recently Created / Modified ======================
 
====== C:\Windows ====
2015-11-27 21:35:16 CA2A8AF1DBAD0F31F9B33A2827DFBC16 207 ----a-w- C:\Windows\tweaking.com-regbackup-UPAYA-Windows-7-Professional-(64-bit).dat
2015-11-07 19:26:01 F042EE4C8D66248D9B86DCF52ABAE416 256000 ----a-w- C:\Windows\PEV.exe
2015-11-07 19:26:01 9E05A9C264C8A908A8E79450FCBFF047 80412 ----a-w- C:\Windows\grep.exe
2015-11-07 19:26:01 5E832F4FAF5F481F2EAF3B3A48F603B8 68096 ----a-w- C:\Windows\zip.exe
2015-11-07 19:26:01 0297C72529807322B152F517FDB0A9FC 406528 ----a-w- C:\Windows\SWSC.exe
2015-11-07 19:26:01 0277C027A26428DB64EF4F64F52BB4FD 208896 ----a-w- C:\Windows\MBR.exe
====== C:\Users\Peter\AppData\Local\Temp ====
====== Java Cache =====
====== C:\Windows\SysWOW64 =====
====== C:\Windows\SysWOW64\drivers =====
====== C:\Windows\Sysnative =====
====== C:\Windows\Sysnative\drivers =====
2015-11-29 16:17:31 F29E7E36F8A8A7BAC112327E842FF0B5 61712 ----a-w- C:\Windows\Sysnative\drivers\PSKMAD.sys
2015-11-16 22:36:38 799F70FF787F4F68E7EA02FEABAC9FAB 307352 ----a-w- C:\Windows\Sysnative\drivers\tmcomm.sys
====== C:\Windows\Tasks ======
2015-11-27 22:22:04 3EF4219DA320EDC2995AA881FC63748A 574 ----a-w- C:\Windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job
2015-11-27 21:02:21 C91B1D3A58288B9F1B6FDDD3EFD7E682 3648 ----a-w- C:\Windows\Sysnative\Tasks\Tweaking.com - Windows Repair Tray Icon
====== C:\Windows\Temp ======
======= C:\Program Files =====
======= C:\PROGRA~2 =====
2015-11-27 21:01:52 -------- d-----w- C:\PROGRA~2\Tweaking.com
2015-11-12 17:07:27 -------- d-----w- C:\PROGRA~2\Kaspersky Lab
2015-11-07 22:36:02 -------- d-----w- C:\PROGRA~2\SpeedFan
======= C: =====
====== C:\Users\Peter\AppData\Roaming ======
2015-11-19 00:41:35 8FE8AAA0BC177C7D364F2E915A9C357D 1357875 ----a-w- C:\Users\Peter\AppData\Local\census.cache
2015-11-19 00:41:02 EEFB2227B0B850AEB59CB88F9F1186A8 194491 ----a-w- C:\Users\Peter\AppData\Local\ars.cache
2015-11-16 23:33:55 205F9282E897F98172657E9103A88C84 10 ----a-w- C:\Users\Peter\AppData\Local\sponge.last.runtime.cache
2015-11-16 22:36:26 B7C79B5410EF46A75AB847AE9287CD0E 36 ----a-w- C:\Users\Peter\AppData\Local\housecall.guid.cache
2015-11-13 14:50:59 -------- d-----w- C:\Users\Public\AppData\Local\temp
2015-11-13 14:50:59 -------- d-----w- C:\Users\New Account\AppData\Local\temp
2015-11-13 14:50:59 -------- d-----w- C:\Users\Localadmin\AppData\Local\temp
2015-11-13 14:50:59 -------- d-----w- C:\Users\Default\AppData\Local\temp
2015-11-13 14:50:59 -------- d-----w- C:\Users\Default User\AppData\Local\temp
2015-11-07 22:36:06 -------- d-----w- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpeedFan
====== C:\Users\Peter ======
2015-11-28 12:46:48 90AAD7EE6E7CE954965CB333AA301F0F 55560920 ----a-w- C:\Users\Peter\Desktop\Windows-KB890830-x64-V5.30.exe
2015-11-27 21:02:18 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-11-27 20:55:46 236B0D15A2347B7CE94BA11499403606 21206712 ----a-w- C:\Users\Peter\Downloads\tweaking.com_windows_repair_aio_setup.exe
2015-11-26 14:01:26 4BC0D0607747670F4E8AD123CB22FA66 1733632 ----a-w- C:\Users\Peter\Desktop\adwcleaner_5.022.exe
2015-11-20 00:56:49 67B0906B68164E807BD5691C67696DA4 16563352 ----a-w- C:\Users\Peter\Desktop\mbar-1.09.3.1001.exe
2015-11-16 22:34:57 9E62D6FBD3014087133D9BD2F601BAAE 2494944 ----a-w- C:\Users\Peter\Downloads\HousecallLauncher64 (1).exe
2015-11-12 17:07:27 -------- d-----w- C:\ProgramData\Kaspersky Lab
2015-11-07 19:54:23 -------- d-----w- C:\Users\Public\AppData
 
====== C: exe-files ==
2015-11-28 12:46:48 90AAD7EE6E7CE954965CB333AA301F0F 55560920 ----a-w- C:\Users\Peter\Desktop\Windows-KB890830-x64-V5.30.exe
2015-11-27 21:01:52 9BDCF813D65265255B820BC7A704DA3C 1388544 ----a-w- C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\uninstall.exe
2015-11-27 20:55:46 236B0D15A2347B7CE94BA11499403606 21206712 ----a-w- C:\Users\Peter\Downloads\tweaking.com_windows_repair_aio_setup.exe
2015-11-26 14:14:54 13F129018B652DAD7AB491763670B061 2348544 ----a-w- C:\Users\Peter\Desktop\FRST folder\FRST64.exe
2015-11-26 14:01:26 4BC0D0607747670F4E8AD123CB22FA66 1733632 ----a-w- C:\Users\Peter\Desktop\adwcleaner_5.022.exe
2015-11-25 09:14:44 D35987841B3CCA26CECAE6D1C8EEDF25 70040 ----a-w- C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\TweakingRemoveSafeBoot_64.exe
2015-11-25 09:14:44 1B5612FD70AD7789E4DCD52B5BFFA815 61848 ----a-w- C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\TweakingRemoveSafeBoot_32.exe
=== C: other files ==
2015-11-29 16:17:31 F29E7E36F8A8A7BAC112327E842FF0B5 61712 ----a-w- C:\Windows\System32\drivers\PSKMAD.sys
 
==== Startup Registry Enabled ======================
 
[HKEY_USERS\S-1-5-21-1857090042-2038237738-235256863-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"panda"="reg.exe delete HKCU\Software\AppDataLow\Software\panda /f"
"panda_XP"="reg.exe delete HKCU\Software\panda /f"
 
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"panda"="reg.exe delete HKCU\Software\AppDataLow\Software\panda /f"
"panda_XP"="reg.exe delete HKCU\Software\panda /f"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"BCSSync"="C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe /DelayServices"
"PSUAMain"="C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe /LaunchSysTray"
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe -atboottime"
"StartCCC"="C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe MSRun"
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"
 
==== Startup Registry Enabled x64 ======================
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="C:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey"
 
==== Startup Registry Disabled x64 ======================
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Facebook Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Facebook Update"
"hkey"="HKCU"
"command"="\"C:\\Users\\Peter\\AppData\\Local\\Facebook\\Update\\FacebookUpdate.exe\" /c /nocrashserver"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LWS]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LWS"
"hkey"="HKLM"
"command"="C:\\Program Files (x86)\\Logitech\\LWS\\Webcam Software\\LWS.exe -hide"
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Peter^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
"path"="C:\\Users\\Peter\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Dropbox.lnk"
"backup"="C:\\Windows\\pss\\Dropbox.lnk.Startup"
"backupExtension"=".Startup"
"command"="C:\\Users\\Peter\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe /systemstartup"
"item"="Dropbox"
 
 
==== Startup Folders ======================
 
2011-12-23 23:34:22 1073992 ----a-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\procexp64.exe
 
==== Task Scheduler Jobs ======================
 
C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000Core.job --a------ C:\Users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe [03/08/2014 05:41 PM]
C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000UA.job --a------ C:\Users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe [03/08/2014 05:41 PM]
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job --a------ C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [08/27/2015 12:52 PM]
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job --a------ C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [08/27/2015 12:52 PM]
C:\Windows\tasks\Tweaking.com - Windows Repair Tray Icon.job --a------ C:\Program Files (x86)\Tweaking.com\Windows Repair All in One\WR_Tray_Icon.exe []
 
==== Other Scheduled Tasks ======================
 
"C:\Windows\SysNative\tasks\Adobe Acrobat Update Task" [C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe]
"C:\Windows\SysNative\tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000Core" [C:\Users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe]
"C:\Windows\SysNative\tasks\FacebookUpdateTaskUserS-1-5-21-1857090042-2038237738-235256863-1000UA" [C:\Users\Peter\AppData\Local\Facebook\Update\FacebookUpdate.exe]
"C:\Windows\SysNative\tasks\GoogleUpdateTaskMachineCore" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\Windows\SysNative\tasks\GoogleUpdateTaskMachineUA" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\Windows\SysNative\tasks\SidebarExecute" [C:\Program Files\Windows Sidebar\sidebar.exe]
"C:\Windows\SysNative\tasks\Tweaking.com - Windows Repair Tray Icon" [C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe]
"C:\Windows\SysNative\tasks\User_Feed_Synchronization-{606250FA-EAD0-4D4B-849B-465877D2F378}" [C:\Windows\system32\msfeedssync.exe]
"C:\Windows\SysNative\tasks\{14E581E7-24F4-4B5F-AD00-DF0DDFF9A0F8}" [C:\Program Files (x86)\iTunes\iTunes.exe]
"C:\Windows\SysNative\tasks\{70748D9C-AB6A-44DF-A6A3-434B83B23CFD}" [C:\Program Files (x86)\iTunes\iTunes.exe]
"C:\Windows\SysNative\tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask" [%systemroot%\system32\sc.exe start osppsvc]
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.86
 
 
Google Slides - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek
Google Docs - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
Google Drive - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
YouTube - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
Google Sheets - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap
Google Docs Offline - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Chrome Web Store Payments - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Gmail - Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
 
==== IE Start and Search Settings ======================
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{DC17EA6E-35CC-493D-847F-755AE48195EF}"
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{DC17EA6E-35CC-493D-847F-755AE48195EF}"
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
HKCU\SearchScopes\{CB7F4157-2D06-492E-8223-0180B04F8400} - https://www.google.com/search?q={searchTerms}
 
==== HijackThis Entries ======================
 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll
O3 - Toolbar: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [PSUAMain] "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-18\..\RunOnce: [panda] reg.exe delete "HKCU\Software\AppDataLow\Software\panda" /f (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [panda_XP] reg.exe delete "HKCU\Software\panda" /f (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [panda] reg.exe delete "HKCU\Software\AppDataLow\Software\panda" /f (User 'Default user')
O4 - Global Startup: procexp64.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Broken Internet access because of LSP provider 'c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll' missing
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Panda Protection Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Panda Devices Agent (PandaAgent) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
O23 - Service: panda_url_filtering Service (panda_url_filtering) - Panda Security - C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=0 folders=0 0 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Localadmin\AppData\Local\temp emptied successfully
C:\Users\New Account\AppData\Local\temp emptied successfully
C:\Users\Peter\AppData\Local\Temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Peter\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Sun 11/29/2015 at 17:52:35.15 ======================
 
 
*******************************************************************************************************
PS
As well, in Safe mode I was unable to delete from one of the EHDs the large folder that seems somehow to be protected from deletion, though I have been able to delete other large folders to open up space on that drive.
 
In normal mode it is often impossible to load my profile from the users presented: the screen is black with only a cursor, requiring me to Ctrl-Alt-Del to reboot and select my profile again, and then it will load, but only after a considerable delay... suspecting that my profile may be corrupted as well...
Please advise next steps.
Thank you
Lefty
 


#14 nasdaq

  • Malware Response Team
  • 40,169 posts
  • Location:Montreal, QC. Canada

Posted 30 November 2015 - 09:49 AM

No malware was found on your Zoek log.

I suggest you create a new profile.
How to:
http://windows.microsoft.com/en-ca/windows/fix-corrupted-user-profile#1TC=windows-7

When done and you have restarted the computer in that new profile, make sure that one of your AV programs and your Firewall are enabled.

Your last Zoek log shows all being disabled.

Panda Free Antivirus *Disabled/Updated
Microsoft Security Essentials *Disabled/Updated
Windows Defender *Disabled/Outdated
Panda Firewall *Disabled


Keep me posted.
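The check behind this advice, as an added example that is not part of the original thread and not Zoek's own code: the "*Disabled/Updated" status of each product is the state the Windows Security Center keeps for it, and the same state can be read from the live machine and decoded with PowerShell. It assumes Windows 7 or later with PowerShell 3.0+ (Get-CimInstance), an elevated prompt, and English-language netsh output; the productState bit decoding is widely used in administration scripts but not officially documented, and the built-in Windows Firewall is checked separately because it is not always registered as a FirewallProduct.

```powershell
# Added example (not from the thread or from Zoek). Reads the Windows Security
# Center registrations that the Zoek "Security Center" lines summarise and
# decodes whether each product is enabled and up to date.
# Assumptions: Windows 7+, PowerShell 3.0+, elevated prompt, English netsh output.

function Get-SecurityCenterStatus {
    # productState is an undocumented bit field shared by the three classes.
    # Bit 0x1000 set -> product enabled (real-time protection / firewall on)
    # Bit 0x10   set -> definitions out of date (not meaningful for firewalls)
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class `
                        -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Class    = $class
                    Product  = $_.displayName
                    Enabled  = ($_.productState -band 0x1000) -ne 0
                    UpToDate = ($_.productState -band 0x10) -eq 0
                    RawState = '0x{0:X6}' -f $_.productState
                }
            }
    }
}

function Get-WindowsFirewallProfileState {
    # Get-NetFirewallProfile needs Windows 8+, so parse netsh, which Windows 7 has.
    # Output looks like "Domain Profile Settings:" followed by "State   ON".
    $profile = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\S+) Profile Settings:') {
            $profile = $Matches[1]
        }
        elseif ($line -match '^State\s+(\S+)') {
            [pscustomobject]@{ Profile = $profile; State = $Matches[1] }
        }
    }
}

$products = Get-SecurityCenterStatus
$products | Format-Table -AutoSize

# At least one AV must be enabled AND current; two enabled AVs is a common
# cause of the slowdowns described in this thread, so flag that as well.
$activeAv = @($products | Where-Object { $_.Class -eq 'AntiVirusProduct' -and $_.Enabled })
if ($activeAv.Count -eq 0) {
    Write-Warning 'No antivirus product is enabled.'
}
elseif ($activeAv.Count -gt 1) {
    Write-Warning ('More than one antivirus is enabled at once: ' + ($activeAv.Product -join ', '))
}
elseif (-not $activeAv[0].UpToDate) {
    Write-Warning ('{0} is enabled but its definitions are out of date.' -f $activeAv[0].Product)
}

$fwProfiles = Get-WindowsFirewallProfileState
$fwProfiles | Format-Table -AutoSize
$thirdPartyFw = @($products | Where-Object { $_.Class -eq 'FirewallProduct' -and $_.Enabled })
if (($fwProfiles | Where-Object { $_.State -ne 'ON' }) -and $thirdPartyFw.Count -eq 0) {
    Write-Warning 'Windows Firewall has an OFF profile and no third-party firewall is enabled.'
}
```

Run it before and after switching profiles: the RawState column is what to compare against the Zoek summary, and a product that shows Enabled = False here while its service is running (as Panda did in the HijackThis O23 list above) usually means the product has stopped reporting to Security Center rather than that it is protecting the machine.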

#15 Lefty Widdagun

  • Topic Starter
  • Members
  • 48 posts

Posted 30 November 2015 - 08:39 PM

I have created the new user profile. However there is not enough space on the disk to copy the original profile's contents to the new profile. I will try to delete or transfer to an EHD to complete this.

 

However, there are more than 50 datxxxx files in addition to the ones that you listed to not copy. Should these all NOT be copied to the new profile?

 

As well, there were 2 other profiles previously created in addition to my main one. One of these was used as the 'third profile' to use to swap files between the main and the newly created profile. All of these profiles have admin privileges. But in the 'local admin' login the 'Add/Remove Programs' function still does not launch. If my original profile was corrupted I understand that, but in this other profile that function does not launch either. Are all profiles then corrupted?

Is this loss of function usually associated with a Trojan/malware exploit? Even though the recent scan... and all other scans since the first 'removal' by the Kaspersky Rescue disk... did not find anything?

So, aside from paring down my original profile, is there something else going on here? Why the loss of that system function to remove programs if there is no malware present, or are all profiles corrupted on this system disk?

Thank you,

Lefty





