
Hijack.ShellA.Gen keeps appearing in MBAM


This topic is locked
13 replies to this topic

#1 lffoar


Posted 27 November 2015 - 05:34 PM

I have scanned with MBAM several times and the above trojan keeps popping up. I mark it for quarantine, reboot but it shows up again on the next scan.

I have Avast AV installed and have also scanned with SuperAntiSpyware and Adwcleaner.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:26-11-2015
Ran by Bob (administrator) on BOB-PC (28-11-2015 08:52:34)
Running from C:\Users\Bob\Desktop\Unused
Loaded Profiles: Bob (Available Profiles: Bob)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Samsung Electronics Co., Ltd.) C:\Windows\System32\RAPID\SamsungRapidSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SamsungRapidApp] => C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe [281776 2014-09-16] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7004376 2015-11-06] (AVAST Software)
HKLM-x32\...\Run: [IMAP Subsystem] => C:\Program Files (x86)\IMAP Subsystem\imapss.exe [53248 2014-03-21] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,userinit.exe, [X]
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-436790882-221618358-3324869275-1000\...\MountPoints2: {f3452048-f0fe-11e3-9157-806e6f6e6963} - D:\Run.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-11-06] (AVAST Software)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 127.0.0.1 activation.acronis.com
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Tcpip\..\Interfaces\{1D5CA36C-6696-4780-B4E9-92811D0FD69B}: [DhcpNameServer] 10.1.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-436790882-221618358-3324869275-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-11-06] (AVAST Software)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-11-06] (AVAST Software)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-04-01] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507
FF Homepage: google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-11] ()
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-17] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-17] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-17] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-17] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-11] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation)
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\extensions\adblockpopups@jessehakanen.net.xpi [2015-07-11]
FF Extension: I don't care about cookies - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xpi [2015-11-18]
FF Extension: Video DownloadHelper - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-10-30]
FF Extension: Adblock Plus - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-26]
FF Extension: Theme Font & Size Changer - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\Extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}.xpi [2015-11-06]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-11-06]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-11-06]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-11-06]
CHR HKLM-x32\...\Chrome\Extension: [inagegaoimgajnkolipofcjeiidkkinm] - C:\Users\Bob\AppData\Roaming\Microsoft\main.crx [2015-05-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [174416 2015-11-06] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [5554152 2015-11-06] (Avast Software)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-04-11] (Intel Corporation)
S3 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [296432 2014-04-09] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 SamsungRapidSvc; C:\Windows\System32\RAPID\SamsungRapidSvc.exe [28848 2014-09-16] (Samsung Electronics Co., Ltd.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36608 2013-12-12] (Advanced Micro Devices, Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-11-06] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-11-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-11-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-11-06] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-06] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-06] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [154256 2015-11-06] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-11-06] (AVAST Software)
S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [53816 2009-03-02] (Samsung Electronics Co., Ltd.)
S2 DgiVecp; C:\Windows\SysWOW64\Drivers\DgiVecp.sys [41984 2007-02-23] (Samsung Electronics Co., Ltd.) [File not signed]
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [378136 2014-09-30] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [296736 2015-07-13] (Acronis International GmbH)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [30960 2014-12-09] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-11-28] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-26] (Intel Corporation)
R0 ngvss; C:\Windows\System32\Drivers\ngvss.sys [147088 2015-11-06] (AVAST Software)
R0 SamsungRapidDiskFltr; C:\Windows\System32\DRIVERS\SamsungRapidDiskFltr.sys [268976 2014-09-16] (Samsung Electronics Co., Ltd.)
R0 SamsungRapidFSFltr; C:\Windows\System32\DRIVERS\SamsungRapidFSFltr.sys [111280 2014-09-16] (Samsung Electronics Co., Ltd.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1328928 2015-07-13] (Acronis International GmbH)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [234784 2015-07-13] (Acronis International GmbH)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [310904 2015-11-06] (Avast Software)
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-27 15:56 - 2015-11-28 08:52 - 00000000 ____D C:\FRST
2015-11-27 14:41 - 2015-11-27 14:44 - 00213086 _____ C:\Windows\ntbtlog.txt
2015-11-27 14:32 - 2015-11-27 14:32 - 01733632 _____ C:\Users\Bob\Desktop\adwcleaner_5.022.exe
2015-11-27 11:41 - 2015-11-27 11:41 - 00000000 ____D C:\Users\Bob\AppData\Roaming\DominiGames
2015-11-27 11:26 - 2015-11-27 11:26 - 00000889 _____ C:\Users\Public\Desktop\Dark Romance 3 - The Swan Sonata Collector's Edition.lnk
2015-11-27 11:26 - 2015-11-27 11:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dark Romance 3 - The Swan Sonata Collector's Edition
2015-11-27 07:49 - 2015-11-27 07:49 - 00000006 ____S C:\ProgramData\a929f388d3dc587d8da65685b2743cca2aad2c93
2015-11-27 07:49 - 2015-11-27 07:49 - 00000000 _RSHD C:\ProgramData\293377
2015-11-27 07:49 - 2015-11-27 07:49 - 00000000 _RSHD C:\ProgramData\293277
2015-11-27 07:49 - 2015-11-27 07:49 - 00000000 ____D C:\Program Files (x86)\IMAP Subsystem
2015-11-26 08:36 - 2015-11-27 11:15 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Eipix
2015-11-22 13:29 - 2015-11-22 13:29 - 00438584 _____ C:\Windows\system32\FNTCACHE.DAT
2015-11-22 10:41 - 2015-11-22 10:41 - 00111344 _____ C:\Users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2015-11-20 07:37 - 2015-11-20 07:37 - 00000000 ____D C:\Program Files (x86)\ESET
2015-11-13 14:48 - 2015-11-04 04:25 - 03211264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-11-13 13:39 - 2015-11-13 13:23 - 00024064 _____ C:\Windows\zoek-delete.exe
2015-11-13 13:23 - 2015-11-13 13:37 - 00000000 ____D C:\zoek_backup
2015-11-12 13:44 - 2015-11-04 08:40 - 00390344 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-11-12 13:44 - 2015-11-04 08:21 - 00342728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-11-12 13:44 - 2015-10-31 10:16 - 25818624 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-11-12 13:44 - 2015-10-31 10:10 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-11-12 13:44 - 2015-10-31 10:10 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-11-12 13:44 - 2015-10-31 09:55 - 02886656 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-11-12 13:44 - 2015-10-31 09:55 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-11-12 13:44 - 2015-10-31 09:55 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-11-12 13:44 - 2015-10-31 09:55 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-11-12 13:44 - 2015-10-31 09:54 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-11-12 13:44 - 2015-10-31 09:54 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-11-12 13:44 - 2015-10-31 09:47 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-11-12 13:44 - 2015-10-31 09:46 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-11-12 13:44 - 2015-10-31 09:43 - 00616960 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-11-12 13:44 - 2015-10-31 09:42 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-11-12 13:44 - 2015-10-31 09:42 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-11-12 13:44 - 2015-10-31 09:41 - 05990912 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-11-12 13:44 - 2015-10-31 09:41 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-11-12 13:44 - 2015-10-31 09:41 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-11-12 13:44 - 2015-10-31 09:34 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-11-12 13:44 - 2015-10-31 09:31 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-11-12 13:44 - 2015-10-31 09:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-11-12 13:44 - 2015-10-31 09:23 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-11-12 13:44 - 2015-10-31 09:22 - 20331520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-11-12 13:44 - 2015-10-31 09:19 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-11-12 13:44 - 2015-10-31 09:19 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-11-12 13:44 - 2015-10-31 09:17 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-11-12 13:44 - 2015-10-31 09:16 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-11-12 13:44 - 2015-10-31 09:16 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-11-12 13:44 - 2015-10-31 09:15 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-11-12 13:44 - 2015-10-31 09:15 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-11-12 13:44 - 2015-10-31 09:14 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-11-12 13:44 - 2015-10-31 09:14 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-11-12 13:44 - 2015-10-31 09:12 - 02279936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-11-12 13:44 - 2015-10-31 09:09 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-11-12 13:44 - 2015-10-31 09:09 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-11-12 13:44 - 2015-10-31 09:07 - 00480256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-11-12 13:44 - 2015-10-31 09:06 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-11-12 13:44 - 2015-10-31 09:06 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-11-12 13:44 - 2015-10-31 09:06 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-11-12 13:44 - 2015-10-31 09:04 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-11-12 13:44 - 2015-10-31 09:02 - 00720896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-11-12 13:44 - 2015-10-31 09:01 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-11-12 13:44 - 2015-10-31 08:59 - 02126336 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-11-12 13:44 - 2015-10-31 08:59 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-11-12 13:44 - 2015-10-31 08:58 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-11-12 13:44 - 2015-10-31 08:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-11-12 13:44 - 2015-10-31 08:52 - 14457856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-11-12 13:44 - 2015-10-31 08:51 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-11-12 13:44 - 2015-10-31 08:49 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-11-12 13:44 - 2015-10-31 08:48 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-11-12 13:44 - 2015-10-31 08:47 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-11-12 13:44 - 2015-10-31 08:47 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2015-11-12 13:44 - 2015-10-31 08:46 - 04527616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-11-12 13:44 - 2015-10-31 08:41 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-11-12 13:44 - 2015-10-31 08:40 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-11-12 13:44 - 2015-10-31 08:39 - 12854272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-11-12 13:44 - 2015-10-31 08:39 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-11-12 13:44 - 2015-10-31 08:39 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-11-12 13:44 - 2015-10-31 08:34 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-11-12 13:44 - 2015-10-31 08:23 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-11-12 13:44 - 2015-10-31 08:21 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-11-12 13:44 - 2015-10-31 08:18 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-11-12 13:44 - 2015-10-31 08:16 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 03168768 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 02608128 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-11-12 13:43 - 2015-10-21 05:12 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-11-12 13:43 - 2015-10-21 05:11 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-11-12 13:43 - 2015-10-21 05:11 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-11-12 13:43 - 2015-10-21 05:11 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-11-12 13:43 - 2015-10-21 05:11 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-11-12 13:43 - 2015-10-21 04:16 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-11-12 13:43 - 2015-10-21 04:16 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-11-12 13:43 - 2015-10-21 04:16 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-11-12 13:43 - 2015-10-21 04:16 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-11-12 13:43 - 2015-10-21 04:15 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-11-12 13:43 - 2015-10-20 11:42 - 05570496 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-11-12 13:43 - 2015-10-20 11:42 - 00154560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-11-12 13:43 - 2015-10-20 11:42 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-11-12 13:43 - 2015-10-20 11:39 - 01730496 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-11-12 13:43 - 2015-10-20 11:36 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-11-12 13:43 - 2015-10-20 11:36 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-11-12 13:43 - 2015-10-20 11:36 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-11-12 13:43 - 2015-10-20 11:36 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 01216512 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 01164800 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-11-12 13:43 - 2015-10-20 11:35 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-11-12 13:43 - 2015-10-20 11:35 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-11-12 13:43 - 2015-10-20 11:35 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-11-12 13:43 - 2015-10-20 11:34 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-11-12 13:43 - 2015-10-20 11:34 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-11-12 13:43 - 2015-10-20 11:34 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-11-12 13:43 - 2015-10-20 11:30 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-11-12 13:43 - 2015-10-20 11:29 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:23 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:22 - 03991488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-11-12 13:43 - 2015-10-20 11:22 - 03935680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-11-12 13:43 - 2015-10-20 11:18 - 01311768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00552960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-11-12 13:43 - 2015-10-20 11:15 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-11-12 13:43 - 2015-10-20 11:15 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-11-12 13:43 - 2015-10-20 11:14 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-11-12 13:43 - 2015-10-20 11:14 - 00665088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-11-12 13:43 - 2015-10-20 11:14 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-11-12 13:43 - 2015-10-20 11:14 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-11-12 13:43 - 2015-10-20 11:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-11-12 13:43 - 2015-10-20 11:14 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-11-12 13:43 - 2015-10-20 11:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-11-12 13:43 - 2015-10-20 11:09 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 11:05 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 10:11 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-11-12 13:43 - 2015-10-20 10:10 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-11-12 13:43 - 2015-10-20 10:10 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-11-12 13:43 - 2015-10-20 09:59 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-11-12 13:43 - 2015-10-20 09:59 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-11-12 13:43 - 2015-10-20 09:57 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 09:57 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 09:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-11-12 13:43 - 2015-10-20 09:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-11-12 13:43 - 2015-09-23 23:45 - 00460776 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-11-12 13:43 - 2015-09-23 23:45 - 00299632 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll
2015-11-12 13:43 - 2015-09-23 23:39 - 00251000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll
2015-11-12 13:42 - 2015-10-14 03:11 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2015-11-12 13:42 - 2015-10-14 03:10 - 00118272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2015-11-12 13:41 - 2015-10-13 15:27 - 00950720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2015-11-12 13:41 - 2015-10-02 04:30 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-11-12 13:41 - 2015-10-02 04:20 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-11-11 11:42 - 2015-11-27 10:44 - 00000000 _____ C:\AILog.txt
2015-11-11 11:39 - 2015-11-11 11:45 - 00000000 ____D C:\Users\Bob\AppData\Local\Ethash
2015-11-11 10:18 - 2015-11-11 10:18 - 00000886 _____ C:\Users\Public\Desktop\Age Of Empires II HD The Forgotten.lnk
2015-11-11 10:13 - 2015-11-11 10:13 - 00001612 _____ C:\Users\Bob\Desktop\PalettestealerSuspender.exe - Shortcut.lnk
2015-11-09 11:32 - 2015-11-22 10:30 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Elephant Games
2015-11-08 09:56 - 2015-11-08 09:56 - 00003258 _____ C:\Windows\System32\Tasks\CTF Host
2015-11-08 05:33 - 2015-11-08 05:33 - 00003558 _____ C:\Windows\System32\Tasks\GoogleUpdateClient
2015-11-08 05:33 - 2015-11-08 05:33 - 00003302 _____ C:\Windows\System32\Tasks\GoogleUpdate
2015-11-06 09:26 - 2015-11-06 09:26 - 00386096 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-11-06 09:26 - 2015-11-06 09:26 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-11-06 09:23 - 2015-11-28 07:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-28 08:52 - 2014-06-11 14:05 - 00000000 ___RD C:\Users\Bob\Desktop\Unused
2015-11-28 08:23 - 2014-12-12 07:38 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-11-28 08:17 - 2014-10-16 08:38 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-28 08:16 - 2015-04-19 11:43 - 00000000 ____D C:\Users\Bob\AppData\Roaming\vlc
2015-11-28 08:15 - 2015-05-15 17:27 - 00000000 ____D C:\Users\Bob\AppData\Roaming\uTorrent
2015-11-28 07:43 - 2009-07-14 15:15 - 00028528 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-28 07:43 - 2009-07-14 15:15 - 00028528 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-28 07:41 - 2009-07-14 15:43 - 00788282 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-28 07:41 - 2009-07-14 13:50 - 00000000 ____D C:\Windows\inf
2015-11-28 07:37 - 2014-10-26 11:26 - 00000000 ____D C:\Windows\SysWOW64\vbox
2015-11-28 07:37 - 2014-10-26 11:26 - 00000000 ____D C:\Windows\system32\vbox
2015-11-28 07:35 - 2009-07-14 15:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-27 15:57 - 2009-07-14 13:50 - 00000000 ____D C:\Windows
2015-11-27 15:38 - 2015-04-03 10:21 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Everything
2015-11-27 14:37 - 2014-07-15 12:06 - 00000000 ____D C:\Windows\PCHEALTH
2015-11-27 14:32 - 2015-07-14 13:14 - 00000000 ____D C:\AdwCleaner
2015-11-27 14:28 - 2015-08-23 13:42 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-11-27 14:27 - 2014-07-13 12:43 - 00000751 _____ C:\Windows\Rtcwplat.INI
2015-11-27 08:37 - 2015-05-03 10:25 - 00000000 ____D C:\Users\Bob\AppData\Roaming\52EE0892-13AF-4555-8A09-DA6649102360
2015-11-26 10:16 - 2014-06-11 11:34 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-11-21 09:44 - 2015-06-21 23:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-11-21 09:44 - 2015-06-21 23:21 - 00000000 ____D C:\Program Files\7-Zip
2015-11-18 09:53 - 2014-09-12 14:24 - 00000000 ____D C:\ProgramData\TEMP
2015-11-18 09:52 - 2015-07-19 12:39 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2015-11-18 09:49 - 2015-09-18 16:14 - 00000000 ____D C:\ProgramData\VSO
2015-11-13 13:50 - 2015-09-22 08:48 - 00000008 __RSH C:\ProgramData\ntuser.pol
2015-11-13 13:37 - 2009-07-14 13:50 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-11-13 13:37 - 2009-07-14 13:50 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2015-11-13 13:02 - 2014-06-11 17:39 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Foxit Software
2015-11-13 08:51 - 2009-07-14 13:50 - 00000000 ____D C:\Windows\rescache
2015-11-12 13:52 - 2014-06-11 15:09 - 00000000 ____D C:\Windows\system32\MRT
2015-11-12 13:51 - 2014-06-11 15:09 - 145617392 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-11-12 13:50 - 2014-07-15 12:07 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-11-12 13:50 - 2014-06-11 16:14 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-11-12 13:47 - 2014-06-11 11:30 - 00772148 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-11-11 10:18 - 2014-07-20 14:16 - 00000000 ____D C:\Temp
2015-11-11 10:18 - 2014-06-13 14:25 - 00000000 ____D C:\Windows\SysWOW64\directx
2015-11-11 09:23 - 2014-12-12 07:38 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-11-11 09:23 - 2014-11-26 08:28 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-11-11 09:23 - 2014-11-26 08:28 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-09 11:24 - 2009-07-14 16:02 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-11-08 08:15 - 2015-09-27 09:50 - 00000000 ____D C:\Users\Bob\AppData\LocalLow\Stage 2 Studios
2015-11-08 05:41 - 2015-01-29 13:22 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Steam
2015-11-08 05:37 - 2014-06-18 10:35 - 00000000 ____D C:\Users\Bob\Documents\My Games
2015-11-08 04:54 - 2015-10-22 09:05 - 00003412 _____ C:\Windows\System32\Tasks\SteamClient
2015-11-06 09:26 - 2015-07-16 14:47 - 00147088 _____ (AVAST Software) C:\Windows\system32\Drivers\ngvss.sys
2015-11-06 09:26 - 2015-01-03 15:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-11-06 09:26 - 2014-06-11 14:05 - 00028656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 01059656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00449992 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00273784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00154256 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00097648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00093528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00065224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2015-11-06 09:26 - 2014-06-11 14:00 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-11-06 09:18 - 2014-06-11 15:46 - 00000000 ____D C:\Program Files\CCleaner

==================== Files in the root of some directories =======

2015-09-18 16:08 - 2015-09-18 16:14 - 0099384 _____ () C:\Users\Bob\AppData\Roaming\inst.exe
2014-06-11 15:34 - 2015-09-18 16:14 - 0007859 _____ () C:\Users\Bob\AppData\Roaming\pcouffin.cat
2014-06-11 15:34 - 2015-09-18 16:14 - 0001167 _____ () C:\Users\Bob\AppData\Roaming\pcouffin.inf
2014-06-11 15:34 - 2015-09-18 16:14 - 0082816 _____ (VSO Software) C:\Users\Bob\AppData\Roaming\pcouffin.sys
2014-09-21 10:54 - 2014-09-21 10:54 - 0003584 _____ () C:\Users\Bob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-06-23 13:44 - 2014-09-16 14:04 - 0007606 _____ () C:\Users\Bob\AppData\Local\resmon.resmoncfg
2015-11-27 07:49 - 2015-11-27 07:49 - 0000006 ____S () C:\ProgramData\a929f388d3dc587d8da65685b2743cca2aad2c93
2014-06-11 11:36 - 2014-06-11 11:36 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-04-18 09:57 - 2015-04-18 09:57 - 0001534 _____ () C:\ProgramData\ss.ini

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-11-20 10:10

==================== End of FRST.txt ============================

#2 olgun52

  • Malware Response Team

Posted 27 November 2015 - 05:58 PM

Hello lffoar and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks
---------------------------------------------------------------------------------------------------------
 Please send me the MBAM report.

--------------------------------------------------------------
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
Sincerely


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

  • Malware Response Team

Posted 27 November 2015 - 06:39 PM

Hi lffoar,

If you're using crack-keygen software, please remove all of it.

=======================================================================================

Going over your logs I noticed that you have µTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

Please Uninstall:

µTorrent

=====================================================================================

Using Add/Remove Programs (Programs and Features), remove these programs in bold:

µTorrent
Auslogics BoostSpeed 7


And restart the PC.

=====================================================================================

Step 1:
FRST Script:
Please download the attached file Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:

Boot to Safemode with Networking

To Enter Safemode

  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll to Safemode with Networking
  • Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode
 
next....

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

1. rkill.exe

2. rkill.com

3. rkill.scr

4. WiNlOgOn.exe

5. uSeRiNiT.exe

 
next....
 
Scan with Malwarebytes Antimalware

  • Please update the database by clicking on the "Update Now" button.
  • Following the update, click "Settings" and go to "Detection and Protection".
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard, then click on Scan Now to start the scan.
  • If Malware or Potentially Unwanted Programs (PUPs) are found, you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on "View Detailed Log".
  • After viewing the results, please click on the "Copy to Clipboard" button and then OK.
  • Return to our forum. Paste your log into your next reply.

Best regards
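The following is an added example, not content from this thread and not code from FRST or Malwarebytes: a read-only PowerShell check of two of the persistence spots the helper's Fixlist.txt addresses in the fixlog later in this thread, namely alternate data streams on C:\ProgramData\TEMP and scheduled tasks whose action points at a missing file ("-> No File") or at a program under a user-writable folder such as AppData\Roaming. It assumes PowerShell 3.0 or later on Windows 7 and an elevated prompt; the function names and the default path are the example's own.

```powershell
# Added example, not code from the thread, from FRST or from Malwarebytes.
# Re-checks two persistence spots that the FRST fixlist in this thread
# cleaned: alternate data streams on C:\ProgramData\TEMP and scheduled tasks
# whose action points at a missing file ("-> No File") or at a program under
# a user-writable folder such as AppData\Roaming. Assumes PowerShell 3.0 or
# later (installable on Windows 7) and an elevated prompt so hidden tasks
# and all task folders are readable. Read-only: nothing is deleted or changed.
param(
    # Directory whose named streams FRST removed in the fixlog (assumed default).
    [string]$AdsTarget = 'C:\ProgramData\TEMP'
)

# Named streams on a file or folder other than the default data stream.
function Get-NamedStreams {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Walks the Task Scheduler tree through the Schedule.Service COM interface,
# which exists on Windows 7 (the ScheduledTasks module does not), and yields
# one record per Exec action: task path, expanded command, arguments.
function Get-TaskExecActions {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $pending = New-Object System.Collections.Queue
    $pending.Enqueue($svc.GetFolder('\'))
    while ($pending.Count -gt 0) {
        $folder = $pending.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {      # 1 = TASK_ENUM_HIDDEN
            $xml = [xml]$task.Xml
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                if (-not $exec) { continue }
                $cmd = [Environment]::ExpandEnvironmentVariables(
                    ([string]$exec.Command).Trim('"', ' '))
                [pscustomobject]@{
                    Task      = $task.Path
                    Command   = $cmd
                    Arguments = [string]$exec.Arguments
                }
            }
        }
    }
}

# Flags an action when its target cannot be found on disk (the orphaned
# "\Beplaeksiisp -> No File" case in the fixlog) or when it runs from a
# location any standard user can write to (the AppData\Roaming\Steam case).
function Test-TaskExecAction {
    param([Parameter(Mandatory)]$Action)
    $cmd = $Action.Command
    if (-not $cmd) { return $null }
    # Bare program names (e.g. "cmd.exe") are resolved through PATH first.
    if ($cmd -notmatch '[\\/]') {
        $found = Get-Command $cmd -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $cmd = $found.Path }
    }
    $reasons = @()
    if (-not (Test-Path -LiteralPath $cmd)) { $reasons += 'target file missing' }
    if ($cmd -match '\\AppData\\(Roaming|Local|LocalLow)\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\') {
        $reasons += 'runs from a user-writable location'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Task    = $Action.Task
        Command = $cmd
        Reasons = ($reasons -join '; ')
    }
}

$streams = @(Get-NamedStreams -Path $AdsTarget)
$flagged = @(Get-TaskExecActions |
             ForEach-Object { Test-TaskExecAction -Action $_ } |
             Where-Object { $_ })

"Named streams on ${AdsTarget}: $($streams.Count)"
$streams | Format-Table -AutoSize
"Scheduled-task actions worth a second look: $($flagged.Count)"
$flagged | Format-Table -AutoSize -Wrap
```

A hit in either list is a lead to review, not proof of infection: legitimate updaters also schedule tasks from AppData, so compare each flagged entry against the FRST log before acting on it.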

 


 


#4 lffoar

  • Topic Starter
Posted 27 November 2015 - 07:10 PM

Maybe it's gone already??

After running the FRST fixlog I ran rkill in safe mode and then ran MBAM, which now shows no malware.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-11-2015
Ran by Bob (2015-11-28 10:15:04) Run:1
Running from C:\Users\Bob\Desktop\Unused
Loaded Profiles: Bob (Available Profiles: Bob)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {0E34CA84-38F5-45D0-81A8-D112A3D4D08A} - \Beplaeksiisp -> No File <==== ATTENTION
Task: {111BF468-408C-45B2-800D-7C053F31EBB4} - System32\Tasks\SteamClient => C:\Users\Bob\AppData\Roaming\Steam\SteamHelper.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:038F4577
AlternateDataStreams: C:\ProgramData\TEMP:15442FF2
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:634EA293
AlternateDataStreams: C:\ProgramData\TEMP:6A609C67
AlternateDataStreams: C:\ProgramData\TEMP:7687A3E3
AlternateDataStreams: C:\ProgramData\TEMP:A6E01F67
AlternateDataStreams: C:\ProgramData\TEMP:C63BE5D0
AlternateDataStreams: C:\ProgramData\TEMP:E14FA16F
AlternateDataStreams: C:\ProgramData\TEMP:E1D6C864
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,userinit.exe, [X]
HKU\S-1-5-21-436790882-221618358-3324869275-1000\...\MountPoints2: {f3452048-f0fe-11e3-9157-806e6f6e6963} - D:\Run.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507
FF Extension: I don't care about cookies - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xp
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [inagegaoimgajnkolipofcjeiidkkinm] - C:\Users\Bob\AppData\Roaming\Microsoft\main.crx
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys
C:\Users\Bob\AppData\Roaming\DominiGames
2015-11-27 07:49 - 2015-11-27 07:49 - 00000006 ____S C:\ProgramData\a929f388d3dc587d8da65685b2743cca2aad2c93
2015-11-27 07:49 - 2015-11-27 07:49 - 00000000 _RSHD C:\ProgramData\293377
2015-11-27 07:49 - 2015-11-27 07:49 - 00000000 _RSHD C:\ProgramData\293277
C:\Users\Bob\AppData\Roaming\Eipix
C:\Users\Bob\AppData\Roaming\Elephant Games
2015-11-28 08:16 - 2015-04-19 11:43 - 00000000 ____D C:\Users\Bob\AppData\Roaming\vlc
2015-11-28 08:15 - 2015-05-15 17:27 - 00000000 ____D C:\Users\Bob\AppData\Roaming\uTorrent
C:\Users\Bob\AppData\Roaming\Everything
2015-11-27 08:37 - 2015-05-03 10:25 - 00000000 ____D C:\Users\Bob\AppData\Roaming\52EE0892-13AF-4555-8A09-DA6649102360
C:\Users\Bob\AppData\Roaming\Foxit Software
2015-11-08 08:15 - 2015-09-27 09:50 - 00000000 ____D C:\Users\Bob\AppData\LocalLow\Stage 2 Studios
2015-11-08 05:41 - 2015-01-29 13:22 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Steam
2015-09-18 16:08 - 2015-09-18 16:14 - 0099384 _____ () C:\Users\Bob\AppData\Roaming\inst.exe
2014-06-11 15:34 - 2015-09-18 16:14 - 0007859 _____ () C:\Users\Bob\AppData\Roaming\pcouffin.cat
2014-06-11 15:34 - 2015-09-18 16:14 - 0001167 _____ () C:\Users\Bob\AppData\Roaming\pcouffin.inf
2014-06-11 15:34 - 2015-09-18 16:14 - 0082816 _____ (VSO Software) C:\Users\Bob\AppData\Roaming\pcouffin.sys
2015-11-27 07:49 - 2015-11-27 07:49 - 0000006 ____S () C:\ProgramData\a929f388d3dc587d8da65685b2743cca2aad2c93
2014-06-11 11:36 - 2014-06-11 11:36 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-04-18 09:57 - 2015-04-18 09:57 - 0001534 _____ () C:\ProgramData\ss.ini
cmd: netsh winsock reset
EmptyTemp:
Shortcut:
Hosts:
Reboot:

 
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{0E34CA84-38F5-45D0-81A8-D112A3D4D08A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0E34CA84-38F5-45D0-81A8-D112A3D4D08A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Beplaeksiisp" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{111BF468-408C-45B2-800D-7C053F31EBB4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{111BF468-408C-45B2-800D-7C053F31EBB4}" => key removed successfully
C:\Windows\System32\Tasks\SteamClient => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SteamClient" => key removed successfully
C:\ProgramData\TEMP => ":038F4577" ADS removed successfully.
C:\ProgramData\TEMP => ":15442FF2" ADS removed successfully.
C:\ProgramData\TEMP => ":2CB9631F" ADS removed successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
C:\ProgramData\TEMP => ":634EA293" ADS removed successfully.
C:\ProgramData\TEMP => ":6A609C67" ADS removed successfully.
C:\ProgramData\TEMP => ":7687A3E3" ADS removed successfully.
C:\ProgramData\TEMP => ":A6E01F67" ADS removed successfully.
C:\ProgramData\TEMP => ":C63BE5D0" ADS removed successfully.
C:\ProgramData\TEMP => ":E14FA16F" ADS removed successfully.
C:\ProgramData\TEMP => ":E1D6C864" ADS removed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully
"HKU\S-1-5-21-436790882-221618358-3324869275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f3452048-f0fe-11e3-9157-806e6f6e6963}" => key removed successfully
HKCR\CLSID\{f3452048-f0fe-11e3-9157-806e6f6e6963} => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
FF ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507 => FRST is scripted not to move this directory.
FF Extension: I don't care about cookies - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\Extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xp => not found.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\inagegaoimgajnkolipofcjeiidkkinm" => key removed successfully
NVHDA => service removed successfully
nvvad_WaveExtensible => service removed successfully
C:\Users\Bob\AppData\Roaming\DominiGames => moved successfully
C:\ProgramData\a929f388d3dc587d8da65685b2743cca2aad2c93 => moved successfully
C:\ProgramData\293377 => moved successfully
C:\ProgramData\293277 => moved successfully
C:\Users\Bob\AppData\Roaming\Eipix => moved successfully
C:\Users\Bob\AppData\Roaming\Elephant Games => moved successfully
C:\Users\Bob\AppData\Roaming\vlc => moved successfully
C:\Users\Bob\AppData\Roaming\uTorrent => moved successfully
C:\Users\Bob\AppData\Roaming\Everything => moved successfully
C:\Users\Bob\AppData\Roaming\52EE0892-13AF-4555-8A09-DA6649102360 => moved successfully
C:\Users\Bob\AppData\Roaming\Foxit Software => moved successfully
C:\Users\Bob\AppData\LocalLow\Stage 2 Studios => moved successfully
C:\Users\Bob\AppData\Roaming\Steam => moved successfully
C:\Users\Bob\AppData\Roaming\inst.exe => moved successfully
C:\Users\Bob\AppData\Roaming\pcouffin.cat => moved successfully
C:\Users\Bob\AppData\Roaming\pcouffin.inf => moved successfully
C:\Users\Bob\AppData\Roaming\pcouffin.sys => moved successfully
"C:\ProgramData\a929f388d3dc587d8da65685b2743cca2aad2c93" => not found.
C:\ProgramData\DP45977C.lfl => moved successfully
C:\ProgramData\ss.ini => moved successfully

=========  netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

Shortcut: => Error: No automatic fix found for this entry.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 137.8 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 10:15:12 ====


Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/28/2015 10:21:18 AM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Disabled

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 11/28/2015 10:21:26 AM
Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 28/11/2015
Scan Time: 10:35 AM
Logfile: mbam.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.27.04
Rootkit Database: v2015.11.26.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Bob

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333676
Time Elapsed: 4 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


#5 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male
  • Local time:05:53 AM

Posted 28 November 2015 - 11:26 AM

Perfect, lffoar . :thumbup2:


Step 1:
ComboFix run:
Please be sure to run our tools with administrator rights.
* IMPORTANT: 1   Place ComboFix.exe on your Desktop
* IMPORTANT: 2   Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

Step 2:
Please download RogueKiller 32/64 bit to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)



Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#6 lffoar

lffoar
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male
  • Location:Adelaide South Australia
  • Local time:01:23 PM

Posted 28 November 2015 - 06:10 PM

Scans as requested follow:


ComboFix 15-11-27.01 - Bob 29/11/2015   9:25.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.16305.13549 [GMT 10.5:30]
Running from: c:\users\Bob\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
c:\users\Bob\AppData\Roaming\Microsoft\LIBEAY32.DLL
c:\users\Bob\AppData\Roaming\Microsoft\OMNIDYNAMIC411_VC6_RT.DLL
c:\users\Bob\AppData\Roaming\Microsoft\OMNIORB411_VC6_RT.DLL
c:\users\Bob\AppData\Roaming\Microsoft\OMNISSLTP411_VC6_RT.DLL
c:\users\Bob\AppData\Roaming\Microsoft\OMNITHREAD33_VC6_RT.DLL
c:\users\Bob\AppData\Roaming\Microsoft\ssleay32.dll
c:\users\Bob\AppData\Roaming\Microsoft\SYSINFO.DLL
c:\users\Bob\AppData\Roaming\Microsoft\taskkill.exe
.
.
(((((((((((((((((((((((((   Files Created from 2015-10-28 to 2015-11-28  )))))))))))))))))))))))))))))))
.
.
2015-11-28 21:52 . 2015-11-28 21:52    --------    d-----w-    c:\users\Bob\AppData\Local\ElevatedDiagnostics
2015-11-28 04:15 . 2015-11-28 04:15    --------    d-----w-    c:\users\Bob\AppData\Roaming\vlc
2015-11-28 03:59 . 2015-11-28 04:50    --------    d-----w-    c:\users\Bob\AppData\Roaming\uTorrent
2015-11-28 01:29 . 2015-11-28 01:29    --------    d-----w-    c:\users\Bob\AppData\Roaming\Foxit Software
2015-11-27 05:26 . 2015-11-27 23:45    --------    d-----w-    C:\FRST
2015-11-26 21:19 . 2015-11-26 21:19    --------    d-----w-    c:\program files (x86)\IMAP Subsystem
2015-11-19 21:07 . 2015-11-19 21:07    --------    d-----w-    c:\program files (x86)\ESET
2015-11-13 04:18 . 2015-11-03 17:55    3211264    ----a-w-    c:\windows\system32\win32k.sys
2015-11-13 03:09 . 2015-11-28 22:57    --------    d-----w-    c:\users\Bob\AppData\Local\Temp
2015-11-13 03:09 . 2015-11-13 02:53    24064    ----a-w-    c:\windows\zoek-delete.exe
2015-11-13 02:53 . 2015-11-13 03:07    --------    d-----w-    C:\zoek_backup
2015-11-12 03:13 . 2015-10-20 01:12    5570496    ----a-w-    c:\windows\system32\ntoskrnl.exe
2015-11-12 03:12 . 2015-10-13 16:41    497664    ----a-w-    c:\windows\system32\drivers\afd.sys
2015-11-12 03:12 . 2015-10-13 16:40    118272    ----a-w-    c:\windows\system32\drivers\tdx.sys
2015-11-12 03:11 . 2015-10-13 04:57    950720    ----a-w-    c:\windows\system32\drivers\ndis.sys
2015-11-12 03:11 . 2015-10-01 18:00    1372160    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2015-11-12 03:11 . 2015-10-01 18:00    275456    ----a-w-    c:\windows\system32\InkEd.dll
2015-11-12 03:11 . 2015-10-01 18:00    2103296    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2015-11-12 03:11 . 2015-10-01 17:50    939520    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2015-11-12 03:11 . 2015-10-01 17:50    216064    ----a-w-    c:\windows\SysWow64\InkEd.dll
2015-11-12 03:11 . 2015-10-01 17:50    1415168    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll
2015-11-12 03:11 . 2015-10-01 18:00    169984    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\rtscom.dll
2015-11-12 03:11 . 2015-10-01 18:00    353280    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\InkDiv.dll
2015-11-12 03:11 . 2015-10-01 17:50    126464    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\rtscom.dll
2015-11-12 03:11 . 2015-10-01 17:50    274944    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll
2015-11-11 01:09 . 2015-11-11 01:15    --------    d-----w-    c:\users\Bob\AppData\Local\Ethash
2015-11-05 22:56 . 2015-11-05 22:56    386096    ----a-w-    c:\windows\system32\aswBoot.exe
2015-11-05 22:56 . 2015-11-05 22:56    43112    ----a-w-    c:\windows\avastSS.scr
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-11-28 04:36 . 2014-10-15 22:08    192216    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-11-12 03:21 . 2014-06-11 04:39    145617392    ----a-w-    c:\windows\system32\MRT.exe
2015-11-10 22:53 . 2014-11-25 21:58    780488    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-11-10 22:53 . 2014-11-25 21:58    142536    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-11-05 22:56 . 2014-06-11 03:35    28656    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2015-11-05 22:56 . 2014-06-11 03:30    97648    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2015-11-05 22:56 . 2014-06-11 03:30    93528    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2015-11-05 22:56 . 2014-06-11 03:30    65224    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2015-11-05 22:56 . 2014-06-11 03:30    449992    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2015-11-05 22:56 . 2014-06-11 03:30    273784    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2015-11-05 22:56 . 2014-06-11 03:30    154256    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2015-11-05 22:56 . 2015-07-16 04:17    147088    ----a-w-    c:\windows\system32\drivers\ngvss.sys
2015-11-05 22:56 . 2014-06-11 03:30    1059656    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2015-10-20 00:45 . 2015-11-12 03:13    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2015-10-12 14:59 . 2015-10-12 14:59    875720    ----a-w-    c:\windows\SysWow64\msvcr120_clr0400.dll
2015-10-12 14:52 . 2015-10-12 14:52    869568    ----a-w-    c:\windows\system32\msvcr120_clr0400.dll
2015-10-04 23:20 . 2014-10-15 22:08    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-10-04 23:20 . 2014-10-15 22:08    109272    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-10-04 23:20 . 2014-10-15 22:08    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-10-03 05:06 . 2015-10-26 00:01    877176    ----a-w-    c:\windows\system32\NvFBC64.dll
2015-10-03 05:06 . 2015-10-26 00:01    861816    ----a-w-    c:\windows\system32\NvIFR64.dll
2015-10-03 05:06 . 2015-10-26 00:01    689456    ----a-w-    c:\windows\SysWow64\NvFBC.dll
2015-10-03 05:06 . 2015-10-26 00:01    673912    ----a-w-    c:\windows\SysWow64\NvIFR.dll
2015-10-03 05:06 . 2015-10-26 00:01    512720    ----a-w-    c:\windows\system32\nvEncodeAPI64.dll
2015-10-03 05:06 . 2015-10-26 00:01    467912    ----a-w-    c:\windows\system32\nvumdshimx.dll
2015-10-03 05:06 . 2015-10-26 00:01    42914096    ----a-w-    c:\windows\system32\nvcompiler.dll
2015-10-03 05:06 . 2015-10-26 00:01    422240    ----a-w-    c:\windows\SysWow64\nvEncodeAPI.dll
2015-10-03 05:06 . 2015-10-26 00:01    414000    ----a-w-    c:\windows\system32\NvIFROpenGL.dll
2015-10-03 05:06 . 2015-10-26 00:01    388024    ----a-w-    c:\windows\SysWow64\nvumdshim.dll
2015-10-03 05:06 . 2015-10-26 00:01    37882488    ----a-w-    c:\windows\SysWow64\nvcompiler.dll
2015-10-03 05:06 . 2015-10-26 00:01    369272    ----a-w-    c:\windows\SysWow64\NvIFROpenGL.dll
2015-10-03 05:06 . 2015-10-26 00:01    3573832    ----a-w-    c:\windows\system32\nvapi64.dll
2015-10-03 05:06 . 2015-10-26 00:01    3154104    ----a-w-    c:\windows\SysWow64\nvapi.dll
2015-10-03 05:06 . 2015-10-26 00:01    2869880    ----a-w-    c:\windows\system32\nvcuvid.dll
2015-10-03 05:06 . 2015-10-26 00:01    2489976    ----a-w-    c:\windows\SysWow64\nvcuvid.dll
2015-10-03 05:06 . 2015-10-26 00:01    22306936    ----a-w-    c:\windows\system32\nvoglv64.dll
2015-10-03 05:06 . 2015-10-26 00:01    1905456    ----a-w-    c:\windows\system32\nvdispco6435850.dll
2015-10-03 05:06 . 2015-10-26 00:01    18359928    ----a-w-    c:\windows\SysWow64\nvoglv32.dll
2015-10-03 05:06 . 2015-10-26 00:01    177416    ----a-w-    c:\windows\system32\nvinitx.dll
2015-10-03 05:06 . 2015-10-26 00:01    17395512    ----a-w-    c:\windows\system32\nvwgf2umx.dll
2015-10-03 05:06 . 2015-10-26 00:01    16541040    ----a-w-    c:\windows\system32\nvopencl.dll
2015-10-03 05:06 . 2015-10-26 00:01    15716648    ----a-w-    c:\windows\system32\nvd3dumx.dll
2015-10-03 05:06 . 2015-10-26 00:01    1564976    ----a-w-    c:\windows\system32\nvdispgenco6435850.dll
2015-10-03 05:06 . 2015-10-26 00:01    155976    ----a-w-    c:\windows\SysWow64\nvinit.dll
2015-10-03 05:06 . 2015-10-26 00:01    151368    ----a-w-    c:\windows\system32\nvoglshim64.dll
2015-10-03 05:06 . 2015-10-26 00:01    15002304    ----a-w-    c:\windows\SysWow64\nvwgf2um.dll
2015-10-03 05:06 . 2015-10-26 00:01    14832968    ----a-w-    c:\windows\system32\nvcuda.dll
2015-10-03 05:06 . 2015-10-26 00:01    13518496    ----a-w-    c:\windows\SysWow64\nvopencl.dll
2015-10-03 05:06 . 2015-10-26 00:01    128696    ----a-w-    c:\windows\SysWow64\nvoglshim32.dll
2015-10-03 05:06 . 2015-10-26 00:01    12769408    ----a-w-    c:\windows\SysWow64\nvd3dum.dll
2015-10-03 05:06 . 2015-10-26 00:01    12032200    ----a-w-    c:\windows\SysWow64\nvcuda.dll
2015-10-03 05:06 . 2015-10-26 00:01    11114616    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2015-10-03 02:49 . 2015-08-05 02:13    6358648    ----a-w-    c:\windows\system32\nvcpl.dll
2015-10-03 02:49 . 2015-08-05 02:13    2982520    ----a-w-    c:\windows\system32\nvsvc64.dll
2015-10-03 02:49 . 2015-08-05 02:13    938800    ----a-w-    c:\windows\system32\nvvsvc.exe
2015-10-03 02:49 . 2015-08-05 02:13    62768    ----a-w-    c:\windows\system32\nvshext.dll
2015-10-03 02:49 . 2015-08-05 02:13    385328    ----a-w-    c:\windows\system32\nvmctray.dll
2015-10-03 02:49 . 2015-08-05 02:13    2554488    ----a-w-    c:\windows\system32\nvsvcr.dll
2015-10-01 18:06 . 2015-10-17 23:01    692672    ----a-w-    c:\windows\system32\winload.efi
2015-10-01 18:04 . 2015-10-17 23:01    616360    ----a-w-    c:\windows\system32\winresume.efi
2015-10-01 18:00 . 2015-10-17 23:01    63488    ----a-w-    c:\windows\system32\setbcdlocale.dll
2015-10-01 18:00 . 2015-10-17 23:01    59392    ----a-w-    c:\windows\system32\appidapi.dll
2015-10-01 18:00 . 2015-10-17 23:01    32768    ----a-w-    c:\windows\system32\appidsvc.dll
2015-10-01 18:00 . 2015-10-17 23:01    17920    ----a-w-    c:\windows\system32\appidcertstorecheck.exe
2015-10-01 18:00 . 2015-10-17 23:01    147456    ----a-w-    c:\windows\system32\appidpolicyconverter.exe
2015-10-01 17:50 . 2015-10-17 23:01    50688    ----a-w-    c:\windows\SysWow64\appidapi.dll
2015-10-01 17:00 . 2015-10-17 23:01    61440    ----a-w-    c:\windows\system32\drivers\appid.sys
2015-10-01 09:33 . 2015-08-05 02:13    5284082    ----a-w-    c:\windows\system32\nvcoproc.bin
2015-09-02 03:04 . 2015-09-14 03:34    41984    ----a-w-    c:\windows\system32\lpk.dll
2015-09-02 03:04 . 2015-09-14 03:34    100864    ----a-w-    c:\windows\system32\fontsub.dll
2015-09-02 03:04 . 2015-09-14 03:34    14336    ----a-w-    c:\windows\system32\dciman32.dll
2015-09-02 03:04 . 2015-09-14 03:34    46080    ----a-w-    c:\windows\system32\atmlib.dll
2015-09-02 02:48 . 2015-09-14 03:34    70656    ----a-w-    c:\windows\SysWow64\fontsub.dll
2015-09-02 02:48 . 2015-09-14 03:34    10240    ----a-w-    c:\windows\SysWow64\dciman32.dll
2015-09-02 02:48 . 2015-09-14 03:34    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2015-09-02 02:47 . 2015-09-14 03:34    25600    ----a-w-    c:\windows\SysWow64\lpk.dll
2015-09-02 01:47 . 2015-09-14 03:34    372736    ----a-w-    c:\windows\system32\atmfd.dll
2015-09-02 01:33 . 2015-09-14 03:34    299520    ----a-w-    c:\windows\SysWow64\atmfd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-05-13 09:05    1729752    ----a-w-    c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-05-13 09:05    1729752    ----a-w-    c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-05-13 09:05    1729752    ----a-w-    c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-11-05 7004376]
"IMAP Subsystem"="c:\program files (x86)\IMAP Subsystem\imapss.exe" [2014-03-20 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R3 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 igfxCUIService1.0.0.0;Intel® HD Graphics Control Panel Service;c:\windows\system32\igfxCUIService.exe;c:\windows\SYSNATIVE\igfxCUIService.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmpfd.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 file_tracker;file_tracker;c:\windows\system32\DRIVERS\file_tracker.sys;c:\windows\SYSNATIVE\DRIVERS\file_tracker.sys [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 ngvss;ngvss; [x]
S0 SamsungRapidDiskFltr;SAMSUNG RAPID Mode Disk Filter Driver;c:\windows\system32\DRIVERS\SamsungRapidDiskFltr.sys;c:\windows\SYSNATIVE\DRIVERS\SamsungRapidDiskFltr.sys [x]
S0 SamsungRapidFSFltr;SamsungRapidFSFltr;c:\windows\system32\DRIVERS\SamsungRapidFSFltr.sys;c:\windows\SYSNATIVE\DRIVERS\SamsungRapidFSFltr.sys [x]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 SamsungRapidSvc;Samsung RAPID Mode Service;c:\windows\system32\RAPID\SamsungRapidSvc.exe;c:\windows\SYSNATIVE\RAPID\SamsungRapidSvc.exe [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S2 VBoxAswDrv;VBoxAsw Support Driver;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [x]
S3 AvastVBoxSvc;AvastVBox COM Service;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 e1dexpress;Intel® PRO/1000 PCI Express Network Connection Driver D;c:\windows\system32\DRIVERS\e1d62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1d62x64.sys [x]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys;c:\windows\SYSNATIVE\DRIVERS\ICCWDT.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NAL
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-25 22:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-11-05 22:56    870744    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2014-09-09 00:30    2825312    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2014-09-09 00:30    2825312    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2014-09-09 00:30    2825312    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SamsungRapidApp"="c:\program files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe" [2014-09-16 281776]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Search_URL = www.google.com
mDefault_Page_URL = www.google.com
mStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.1.1.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\
FF - prefs.js: browser.startup.homepage - google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436790882-221618358-3324869275-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:00,e4,91,27,9a,e6,b9,17,82,df,a6,45,9e,be,36,43,6d,27,62,82,e2,60,35,
   88,ad,e7,94,b6,19,f7,63,22,82,20,74,ea,8c,9f,08,b9,df,ed,6d,b6,ea,13,fb,13,\
"??"=hex:d4,44,a0,34,6f,0a,c4,a7,c0,5e,38,3a,70,4f,9b,a8
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Setup"="29-G1CP-5VV5-B1J4-M2UH-K7HS-WNTJYW1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2015-11-29  09:29:16 - machine was rebooted
ComboFix-quarantined-files.txt  2015-11-28 22:59
.
Pre-Run: 166,364,876,800 bytes free
Post-Run: 165,478,633,472 bytes free
.
- - End Of File - - 3FDB53C3E5B29F6712E14B2689073963
A36C5E4F47E84449FF07ED3517B43A31

RogueKiller V10.11.7.0 [Nov 23 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bob [Administrator]
Started from : C:\Users\Bob\Desktop\RogueKiller.exe
Mode : Scan -- Date : 11/29/2015 09:34:48

¤¤¤ Processes : 1 ¤¤¤
[PUP] AvastSvc.exe(1340) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe[7] -> ERROR [0]

¤¤¤ Registry : 10 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1D5CA36C-6696-4780-B4E9-92811D0FD69B} | DhcpNameServer : 10.1.1.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1D5CA36C-6696-4780-B4E9-92811D0FD69B} | DhcpNameServer : 10.1.1.1 ([(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1D5CA36C-6696-4780-B4E9-92811D0FD69B} | DhcpNameServer : 10.1.1.1 ([(Private Address) (XX)])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-436790882-221618358-3324869275-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-436790882-221618358-3324869275-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] dd686f92d27725b619cd22d32fec0fdc
[BSP] 81d1f4c0e238e2fc0018bba0b2e5d7d5 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] fe3a1fd9fc03a3386ce47489b31e06b4
[BSP] d5364a8cf3b2718b7552811275601074 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 244096 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

#7 olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 28 November 2015 - 06:49 PM

:Run CFScript:
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Download the attached CFScript.txt and save it to the location where ComboFix is saved.

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

========================================================================================

Download zoek.exe to your Desktop:
http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here:
http://www.bleepingc...opic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:

    createsrpoint;
    autoclean;
    emptyalltemp;
    emptyclsid;
    emptyfolderscheck;delete
    ipconfig /flushdns;b

Now...
Close any open programs.
Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Edited by olgun52, 28 November 2015 - 06:53 PM.

Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#8 lffoar

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male
  • Location:Adelaide South Australia

Posted 28 November 2015 - 07:30 PM

Scans as requested follow:

ComboFix 15-11-27.01 - Bob 29/11/2015  10:43:03.2.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.16305.12996 [GMT 10.5:30]
Running from: f:\downloads\ComboFix.exe
Command switches used :: f:\downloads\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2015-10-28 to 2015-11-29  )))))))))))))))))))))))))))))))
.
.
2015-11-29 00:15 . 2015-11-29 00:15    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-11-28 23:51 . 2015-11-28 23:58    --------    d-----w-    c:\users\Bob\AppData\Roaming\Everything
2015-11-28 23:37 . 2015-11-28 23:37    --------    d-----w-    c:\users\Bob\AppData\Local\CrashDumps
2015-11-28 23:01 . 2015-11-28 23:01    35064    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2015-11-28 23:01 . 2015-11-28 23:08    --------    d-----w-    c:\programdata\RogueKiller
2015-11-28 21:52 . 2015-11-28 21:52    --------    d-----w-    c:\users\Bob\AppData\Local\ElevatedDiagnostics
2015-11-28 04:15 . 2015-11-28 04:15    --------    d-----w-    c:\users\Bob\AppData\Roaming\vlc
2015-11-28 03:59 . 2015-11-28 04:50    --------    d-----w-    c:\users\Bob\AppData\Roaming\uTorrent
2015-11-28 01:29 . 2015-11-28 01:29    --------    d-----w-    c:\users\Bob\AppData\Roaming\Foxit Software
2015-11-27 05:26 . 2015-11-27 23:45    --------    d-----w-    C:\FRST
2015-11-26 21:19 . 2015-11-26 21:19    --------    d-----w-    c:\program files (x86)\IMAP Subsystem
2015-11-19 21:07 . 2015-11-19 21:07    --------    d-----w-    c:\program files (x86)\ESET
2015-11-13 04:18 . 2015-11-03 17:55    3211264    ----a-w-    c:\windows\system32\win32k.sys
2015-11-13 03:09 . 2015-11-29 00:15    --------    d-----w-    c:\users\Bob\AppData\Local\Temp
2015-11-13 03:09 . 2015-11-13 02:53    24064    ----a-w-    c:\windows\zoek-delete.exe
2015-11-13 02:53 . 2015-11-13 03:07    --------    d-----w-    C:\zoek_backup
2015-11-12 03:13 . 2015-10-20 01:12    5570496    ----a-w-    c:\windows\system32\ntoskrnl.exe
2015-11-12 03:12 . 2015-10-13 16:41    497664    ----a-w-    c:\windows\system32\drivers\afd.sys
2015-11-12 03:12 . 2015-10-13 16:40    118272    ----a-w-    c:\windows\system32\drivers\tdx.sys
2015-11-12 03:11 . 2015-10-13 04:57    950720    ----a-w-    c:\windows\system32\drivers\ndis.sys
2015-11-12 03:11 . 2015-10-01 18:00    1372160    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2015-11-12 03:11 . 2015-10-01 18:00    275456    ----a-w-    c:\windows\system32\InkEd.dll
2015-11-12 03:11 . 2015-10-01 18:00    2103296    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2015-11-12 03:11 . 2015-10-01 17:50    939520    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2015-11-12 03:11 . 2015-10-01 17:50    216064    ----a-w-    c:\windows\SysWow64\InkEd.dll
2015-11-12 03:11 . 2015-10-01 17:50    1415168    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll
2015-11-12 03:11 . 2015-10-01 18:00    169984    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\rtscom.dll
2015-11-12 03:11 . 2015-10-01 18:00    353280    ----a-w-    c:\program files\Common Files\Microsoft Shared\ink\InkDiv.dll
2015-11-12 03:11 . 2015-10-01 17:50    126464    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\rtscom.dll
2015-11-12 03:11 . 2015-10-01 17:50    274944    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll
2015-11-11 01:09 . 2015-11-11 01:15    --------    d-----w-    c:\users\Bob\AppData\Local\Ethash
2015-11-05 22:56 . 2015-11-05 22:56    386096    ----a-w-    c:\windows\system32\aswBoot.exe
2015-11-05 22:56 . 2015-11-05 22:56    43112    ----a-w-    c:\windows\avastSS.scr
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-11-29 00:00 . 2014-10-15 22:08    192216    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-11-12 03:21 . 2014-06-11 04:39    145617392    ----a-w-    c:\windows\system32\MRT.exe
2015-11-10 22:53 . 2014-11-25 21:58    780488    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-11-10 22:53 . 2014-11-25 21:58    142536    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-11-05 22:56 . 2014-06-11 03:35    28656    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2015-11-05 22:56 . 2014-06-11 03:30    97648    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2015-11-05 22:56 . 2014-06-11 03:30    93528    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2015-11-05 22:56 . 2014-06-11 03:30    65224    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2015-11-05 22:56 . 2014-06-11 03:30    449992    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2015-11-05 22:56 . 2014-06-11 03:30    273784    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2015-11-05 22:56 . 2014-06-11 03:30    154256    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2015-11-05 22:56 . 2015-07-16 04:17    147088    ----a-w-    c:\windows\system32\drivers\ngvss.sys
2015-11-05 22:56 . 2014-06-11 03:30    1059656    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2015-10-20 00:45 . 2015-11-12 03:13    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2015-10-12 14:59 . 2015-10-12 14:59    875720    ----a-w-    c:\windows\SysWow64\msvcr120_clr0400.dll
2015-10-12 14:52 . 2015-10-12 14:52    869568    ----a-w-    c:\windows\system32\msvcr120_clr0400.dll
2015-10-04 23:20 . 2014-10-15 22:08    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-10-04 23:20 . 2014-10-15 22:08    109272    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-10-04 23:20 . 2014-10-15 22:08    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-10-03 05:06 . 2015-10-26 00:01    877176    ----a-w-    c:\windows\system32\NvFBC64.dll
2015-10-03 05:06 . 2015-10-26 00:01    861816    ----a-w-    c:\windows\system32\NvIFR64.dll
2015-10-03 05:06 . 2015-10-26 00:01    689456    ----a-w-    c:\windows\SysWow64\NvFBC.dll
2015-10-03 05:06 . 2015-10-26 00:01    673912    ----a-w-    c:\windows\SysWow64\NvIFR.dll
2015-10-03 05:06 . 2015-10-26 00:01    512720    ----a-w-    c:\windows\system32\nvEncodeAPI64.dll
2015-10-03 05:06 . 2015-10-26 00:01    467912    ----a-w-    c:\windows\system32\nvumdshimx.dll
2015-10-03 05:06 . 2015-10-26 00:01    42914096    ----a-w-    c:\windows\system32\nvcompiler.dll
2015-10-03 05:06 . 2015-10-26 00:01    422240    ----a-w-    c:\windows\SysWow64\nvEncodeAPI.dll
2015-10-03 05:06 . 2015-10-26 00:01    414000    ----a-w-    c:\windows\system32\NvIFROpenGL.dll
2015-10-03 05:06 . 2015-10-26 00:01    388024    ----a-w-    c:\windows\SysWow64\nvumdshim.dll
2015-10-03 05:06 . 2015-10-26 00:01    37882488    ----a-w-    c:\windows\SysWow64\nvcompiler.dll
2015-10-03 05:06 . 2015-10-26 00:01    369272    ----a-w-    c:\windows\SysWow64\NvIFROpenGL.dll
2015-10-03 05:06 . 2015-10-26 00:01    3573832    ----a-w-    c:\windows\system32\nvapi64.dll
2015-10-03 05:06 . 2015-10-26 00:01    3154104    ----a-w-    c:\windows\SysWow64\nvapi.dll
2015-10-03 05:06 . 2015-10-26 00:01    2869880    ----a-w-    c:\windows\system32\nvcuvid.dll
2015-10-03 05:06 . 2015-10-26 00:01    2489976    ----a-w-    c:\windows\SysWow64\nvcuvid.dll
2015-10-03 05:06 . 2015-10-26 00:01    22306936    ----a-w-    c:\windows\system32\nvoglv64.dll
2015-10-03 05:06 . 2015-10-26 00:01    1905456    ----a-w-    c:\windows\system32\nvdispco6435850.dll
2015-10-03 05:06 . 2015-10-26 00:01    18359928    ----a-w-    c:\windows\SysWow64\nvoglv32.dll
2015-10-03 05:06 . 2015-10-26 00:01    177416    ----a-w-    c:\windows\system32\nvinitx.dll
2015-10-03 05:06 . 2015-10-26 00:01    17395512    ----a-w-    c:\windows\system32\nvwgf2umx.dll
2015-10-03 05:06 . 2015-10-26 00:01    16541040    ----a-w-    c:\windows\system32\nvopencl.dll
2015-10-03 05:06 . 2015-10-26 00:01    15716648    ----a-w-    c:\windows\system32\nvd3dumx.dll
2015-10-03 05:06 . 2015-10-26 00:01    1564976    ----a-w-    c:\windows\system32\nvdispgenco6435850.dll
2015-10-03 05:06 . 2015-10-26 00:01    155976    ----a-w-    c:\windows\SysWow64\nvinit.dll
2015-10-03 05:06 . 2015-10-26 00:01    151368    ----a-w-    c:\windows\system32\nvoglshim64.dll
2015-10-03 05:06 . 2015-10-26 00:01    15002304    ----a-w-    c:\windows\SysWow64\nvwgf2um.dll
2015-10-03 05:06 . 2015-10-26 00:01    14832968    ----a-w-    c:\windows\system32\nvcuda.dll
2015-10-03 05:06 . 2015-10-26 00:01    13518496    ----a-w-    c:\windows\SysWow64\nvopencl.dll
2015-10-03 05:06 . 2015-10-26 00:01    128696    ----a-w-    c:\windows\SysWow64\nvoglshim32.dll
2015-10-03 05:06 . 2015-10-26 00:01    12769408    ----a-w-    c:\windows\SysWow64\nvd3dum.dll
2015-10-03 05:06 . 2015-10-26 00:01    12032200    ----a-w-    c:\windows\SysWow64\nvcuda.dll
2015-10-03 05:06 . 2015-10-26 00:01    11114616    ----a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2015-10-03 02:49 . 2015-08-05 02:13    6358648    ----a-w-    c:\windows\system32\nvcpl.dll
2015-10-03 02:49 . 2015-08-05 02:13    2982520    ----a-w-    c:\windows\system32\nvsvc64.dll
2015-10-03 02:49 . 2015-08-05 02:13    938800    ----a-w-    c:\windows\system32\nvvsvc.exe
2015-10-03 02:49 . 2015-08-05 02:13    62768    ----a-w-    c:\windows\system32\nvshext.dll
2015-10-03 02:49 . 2015-08-05 02:13    385328    ----a-w-    c:\windows\system32\nvmctray.dll
2015-10-03 02:49 . 2015-08-05 02:13    2554488    ----a-w-    c:\windows\system32\nvsvcr.dll
2015-10-01 18:06 . 2015-10-17 23:01    692672    ----a-w-    c:\windows\system32\winload.efi
2015-10-01 18:04 . 2015-10-17 23:01    616360    ----a-w-    c:\windows\system32\winresume.efi
2015-10-01 18:00 . 2015-10-17 23:01    63488    ----a-w-    c:\windows\system32\setbcdlocale.dll
2015-10-01 18:00 . 2015-10-17 23:01    59392    ----a-w-    c:\windows\system32\appidapi.dll
2015-10-01 18:00 . 2015-10-17 23:01    32768    ----a-w-    c:\windows\system32\appidsvc.dll
2015-10-01 18:00 . 2015-10-17 23:01    17920    ----a-w-    c:\windows\system32\appidcertstorecheck.exe
2015-10-01 18:00 . 2015-10-17 23:01    147456    ----a-w-    c:\windows\system32\appidpolicyconverter.exe
2015-10-01 17:50 . 2015-10-17 23:01    50688    ----a-w-    c:\windows\SysWow64\appidapi.dll
2015-10-01 17:00 . 2015-10-17 23:01    61440    ----a-w-    c:\windows\system32\drivers\appid.sys
2015-10-01 09:33 . 2015-08-05 02:13    5284082    ----a-w-    c:\windows\system32\nvcoproc.bin
2015-09-02 03:04 . 2015-09-14 03:34    41984    ----a-w-    c:\windows\system32\lpk.dll
2015-09-02 03:04 . 2015-09-14 03:34    100864    ----a-w-    c:\windows\system32\fontsub.dll
2015-09-02 03:04 . 2015-09-14 03:34    14336    ----a-w-    c:\windows\system32\dciman32.dll
2015-09-02 03:04 . 2015-09-14 03:34    46080    ----a-w-    c:\windows\system32\atmlib.dll
2015-09-02 02:48 . 2015-09-14 03:34    70656    ----a-w-    c:\windows\SysWow64\fontsub.dll
2015-09-02 02:48 . 2015-09-14 03:34    10240    ----a-w-    c:\windows\SysWow64\dciman32.dll
2015-09-02 02:48 . 2015-09-14 03:34    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2015-09-02 02:47 . 2015-09-14 03:34    25600    ----a-w-    c:\windows\SysWow64\lpk.dll
2015-09-02 01:47 . 2015-09-14 03:34    372736    ----a-w-    c:\windows\system32\atmfd.dll
2015-09-02 01:33 . 2015-09-14 03:34    299520    ----a-w-    c:\windows\SysWow64\atmfd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-05-13 09:05    1729752    ----a-w-    c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-05-13 09:05    1729752    ----a-w-    c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-05-13 09:05    1729752    ----a-w-    c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-11-05 7004376]
"IMAP Subsystem"="c:\program files (x86)\IMAP Subsystem\imapss.exe" [2014-03-20 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 igfxCUIService1.0.0.0;Intel® HD Graphics Control Panel Service;c:\windows\system32\igfxCUIService.exe;c:\windows\SYSNATIVE\igfxCUIService.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmpfd.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 file_tracker;file_tracker;c:\windows\system32\DRIVERS\file_tracker.sys;c:\windows\SYSNATIVE\DRIVERS\file_tracker.sys [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 ngvss;ngvss; [x]
S0 SamsungRapidDiskFltr;SAMSUNG RAPID Mode Disk Filter Driver;c:\windows\system32\DRIVERS\SamsungRapidDiskFltr.sys;c:\windows\SYSNATIVE\DRIVERS\SamsungRapidDiskFltr.sys [x]
S0 SamsungRapidFSFltr;SamsungRapidFSFltr;c:\windows\system32\DRIVERS\SamsungRapidFSFltr.sys;c:\windows\SYSNATIVE\DRIVERS\SamsungRapidFSFltr.sys [x]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 SamsungRapidSvc;Samsung RAPID Mode Service;c:\windows\system32\RAPID\SamsungRapidSvc.exe;c:\windows\SYSNATIVE\RAPID\SamsungRapidSvc.exe [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S2 VBoxAswDrv;VBoxAsw Support Driver;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [x]
S3 AvastVBoxSvc;AvastVBox COM Service;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 e1dexpress;Intel® PRO/1000 PCI Express Network Connection Driver D;c:\windows\system32\DRIVERS\e1d62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1d62x64.sys [x]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys;c:\windows\SYSNATIVE\DRIVERS\ICCWDT.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-25 22:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-11-05 22:56    870744    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2014-09-09 00:30    2825312    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2014-09-09 00:30    2825312    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2014-09-09 00:30    2825312    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SamsungRapidApp"="c:\program files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe" [2014-09-16 281776]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Search_URL = www.google.com
mDefault_Page_URL = www.google.com
mStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.1.1.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\
FF - prefs.js: browser.startup.homepage - google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Setup"="29-G1CP-5VV5-B1J4-M2UH-K7HS-WNTJYW1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-11-29  10:45:56
ComboFix-quarantined-files.txt  2015-11-29 00:15
.
Pre-Run: 167,002,910,720 bytes free
Post-Run: 166,592,626,688 bytes free
.
- - End Of File - - 382E217BF2B6CFAB28EB893B6CFCC41C
A36C5E4F47E84449FF07ED3517B43A31

Zoek.exe v5.0.0.1 Updated 28-November-2015
Tool run by Bob on Sun 29/11/2015 at 10:48:05.63.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: F:\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

29/11/2015 10:48:21 AM Zoek.exe System Restore Point Created Successfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\85nosiyk.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20152911_1055_.backup

ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507

user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("extensions.avastwrc.whiteList", "{\"trk\":{\"apps.facebook.com\":{\"703\":false},\"avast.com\":{\"779\":false},\"au-mg4.mail.yahoo.com\":{\
---- FireFox user.js and prefs.js backups ----

prefs_20152911_1055_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\jetpack deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507
user_pref("browser.startup.homepage", "google.com");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [06/11/2015 09:26 AM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507
- Adblock Plus Pop-up Addon - %ProfilePath%\extensions\adblockpopups@jessehakanen.net.xpi
- I dont care about cookies - %ProfilePath%\extensions\jid1-KKzOGWgsW3Ao4Q@jetpack.xpi
- Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- Theme Font & Size Changer - %ProfilePath%\extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507
F114FBA6246530B89DD1E04351E0EAC5    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll -    Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/11/2015 09:26 AM]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Bob\AppData\Local\Mozilla\Firefox\Profiles\cl5i8ryv.default-1436593470507\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=11 folders=7 61725 bytes)

==== Empty Temp Folders ======================

C:\Users\Bob\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Bob\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sun 29/11/2015 at 10:57:36.26 ======================
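An added example, written here and not taken from the thread or from any of the tools it uses: a small Python parser for the HKLM ...\Policies\System section that ComboFix prints under "Reg Loading Points", which flags the UAC values RogueKiller reported as PUM.Policies (and the EnableLUA=0 that ComboFix shows) and emits .reg lines putting the defaults back. The sample block is constructed to mirror the log above, and the Windows 7 default table is my own assumption, not something the log states.

```python
import re

# Constructed sample, not a verbatim copy of the log above: two of the
# REGEDIT4-style sections ComboFix prints under "Reg Loading Points",
# with the same UAC values the log shows (UAC fully disabled).
SAMPLE_COMBOFIX_BLOCK = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
"""

# Windows 7 out-of-box values for the UAC policies (assumed from my own
# knowledge of the defaults; RogueKiller flags ConsentPromptBehaviorAdmin=0
# as PUM.Policies for the same reason).
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 switches UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = elevate silently, never prompt
    "ConsentPromptBehaviorUser": 3,
    "PromptOnSecureDesktop": 1,       # 0 lets elevation prompts be spoofed
    "EnableUIADesktopToggle": 0,
}

POLICY_KEY_SUFFIX = r"\policies\system]"
# Matches ComboFix's value lines:  "Name"= 0 (0x0)   or   "Name"=1 (0x1)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>-?\d+)\s*\(0x[0-9a-f]+\)$', re.I)


def parse_policy_values(log_text):
    """Return {value_name: int} from the HKLM ...\\Policies\\System section.

    ComboFix closes each section with a line holding a single '.', so only
    lines between that section header and its dot are collected.
    """
    values = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower().endswith(POLICY_KEY_SUFFIX)
            continue
        if not in_section:
            continue
        if line == ".":
            in_section = False
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = int(m.group("val"))
    return values


def uac_findings(values):
    """List (name, found, expected) for every UAC value that differs from default."""
    return [(name, values[name], expected)
            for name, expected in UAC_DEFAULTS.items()
            if name in values and values[name] != expected]


def uac_disabled(values):
    """True when EnableLUA=0, i.e. every elevation happens silently."""
    return values.get("EnableLUA") == 0


def reg_restore_lines(findings):
    """Lines of a .reg file that put the defaults back (dword values in hex)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]"]
    lines += [f'"{name}"=dword:{expected:08x}' for name, _found, expected in findings]
    return lines


if __name__ == "__main__":
    parsed = parse_policy_values(SAMPLE_COMBOFIX_BLOCK)
    if uac_disabled(parsed):
        print("UAC is disabled (EnableLUA=0)")
    for name, found, expected in uac_findings(parsed):
        print(f"{name}: found {found}, default {expected}")
    print("\n".join(reg_restore_lines(uac_findings(parsed))))
```

Run it against the whole ComboFix.txt instead of the sample to triage a real log; the other sections are skipped because only the Policies\System header turns collection on.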
 



#9 olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 29 November 2015 - 11:47 AM

Create/Run a batch file
Open notepad and copy/paste the text in the box below into it:

@echo off
REM Stop the COM+ Event System (EventSystem) and Windows Update (wuauserv)
REM services, then start them again in the same order.
net stop EventSystem
net stop wuauserv
net start EventSystem
net start wuauserv

Save this as fix.bat to your desktop.
Choose to "Save type as - All Files"
 
Right-click on fix.bat and choose "Run as Admin".
 
That fix should not take too long.
As soon as the window has closed, reboot your system.

=========================================================

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double-click the ESET Smart Installer icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
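
As an added example (not part of olgun52's post), here is the same two-service restart done from an elevated Windows PowerShell (3.0 or later) prompt, with a check that each service actually came back and a look at the executable behind it. The service names are the ones in fix.bat; the 30-second timeout and the signature check are my additions, not something the thread asked for.

```powershell
# Added example, not from the thread: the fix.bat restart done from an elevated
# Windows PowerShell (3.0+) prompt, with a check that each service came back and a
# look at the binary behind it. Service names are the ones in fix.bat; the timeout
# and the signature check are assumptions of mine, not part of the original fix.

$services = 'EventSystem', 'wuauserv'   # COM+ Event System, Windows Update

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction Stop

    # -Force also stops/starts services that depend on this one. That matters for
    # EventSystem, which has dependents: a plain 'net stop EventSystem' asks
    # "Do you want to continue?" and a batch file has nobody to answer it.
    Restart-Service -Name $name -Force -ErrorAction Stop

    # Block until the Service Control Manager reports Running; give up after 30 s
    # rather than hang, then refresh the cached object before printing its state.
    try {
        $svc.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Running,
                           [TimeSpan]::FromSeconds(30))
    } catch [System.ServiceProcess.TimeoutException] {
        Write-Warning "$name did not reach Running within 30 s"
    }
    $svc.Refresh()
    '{0,-12} {1}' -f $name, $svc.Status
}

# Which executable backs each service, and is it signed? During a cleanup, a service
# whose command line points somewhere unexpected, or at an unsigned file, deserves a
# second look. Both of these normally resolve to svchost.exe under System32.
foreach ($name in $services) {
    $cmdline = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").PathName
    # PathName is the full command line, e.g.  C:\Windows\system32\svchost.exe -k netsvcs
    $exe = if ($cmdline -match '^"([^"]+)"') { $Matches[1] } elseif ($cmdline -match '^(.+?\.exe)') { $Matches[1] } else { $cmdline }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        Service = $name
        Binary  = $exe
        Signed  = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
    }
}
```

One caveat on the signature column: many Windows system binaries are catalog-signed rather than carrying an embedded signature, and on Windows 7 Get-AuthenticodeSignature can report NotSigned for a perfectly good svchost.exe. Treat NotSigned as "confirm the path is the real System32 file and compare its hash against a known-good copy", not as proof of tampering; a Valid signature from an unexpected publisher, or a path outside System32, is the stronger signal.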

 


 


#10 lffoar

lffoar
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male
  • Location:Adelaide South Australia
  • Local time:01:23 PM

Posted 29 November 2015 - 05:26 PM

Scan as requested.........some programs now unusable )-:

 

C:\Program Files (x86)\NCH Software\Disketch\disketch.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    cleaned by deleting - quarantined
C:\Program Files (x86)\NCH Software\Disketch\disketchsetup_v3.11.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted - quarantined
C:\Program Files (x86)\SIW\siw.exe    a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application    deleted - quarantined
F:\Game files\Sniper 2\trainer downloaded\sev2_10sr_p2_tk.EXE    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    cleaned by deleting - quarantined
F:\Game files\Sniper 2\trainer downloaded\Sniper Elite v2 v1.0 SKIDROW +2 Trainer.rar    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\ccsetup411.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\FoxitReader614.0217_enu_Setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\FreemakeVideoConverterSetup.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\siw-setup.exe    a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\Disketch dvd label\disketchsetup.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted - quarantined
F:\Program setups\FreemakeAudioConverterSetup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted - quarantined
F:\Program setups\vpsetup.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted - quarantined
F:\Program setups\Auslogic boost speed installed 04042015\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen +100% Working\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen.tar    Win32/Keygen.KE potentially unsafe application    deleted - quarantined
F:\Program setups\Auslogic boost speed installed 04042015\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen +100% Working\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen.tgz    Win32/Keygen.KE potentially unsafe application    deleted - quarantined
F:\Program setups\Auslogic boost speed installed 04042015\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen +100% Working\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen\Crack\KeyMaker.exe    Win32/Keygen.KE potentially unsafe application    cleaned by deleting - quarantined
F:\Program setups\ConvertXtoDVD 5.3.0.20\READ ME\ccsetup509.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
F:\Program setups\Freemake Video Converter Gold Pack + Subtitle Pack v4.1.7.1 + Online Fix Method {B@tman}\Setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted - quarantined
F:\Program setups\Malwarebytes Anti-Malware Premium v2.0.3.1025 + KeyGen-FFF- [FirstUploads]\Keygen\keygen.exe    a variant of Win32/Keygen.EM potentially unsafe application    cleaned by deleting - quarantined
F:\Program setups\Super for 6300 video\SUPERsetup.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
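
An added example, not part of lffoar's post: a small parser for an ESET Online Scanner export like the one pasted above, which groups the hits by detection family and by where they live on disk. The sample lines are a subset copied from the post; the field splitting, the family extraction and the warez/bundleware grouping are my own and not an ESET convention.

```powershell
# Added example, not from the thread: parse an ESET Online Scanner export and summarise it.
# Sample lines are copied from lffoar's post above (a subset); the categories are my grouping.
# Requires Windows PowerShell 3.0 or later.

$esetLog = @'
C:\Program Files (x86)\NCH Software\Disketch\disketch.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    cleaned by deleting - quarantined
C:\Program Files (x86)\SIW\siw.exe    a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application    deleted - quarantined
F:\Game files\Sniper 2\trainer downloaded\sev2_10sr_p2_tk.EXE    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    cleaned by deleting - quarantined
F:\Installed new comp 1162014\ccsetup411.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\FoxitReader614.0217_enu_Setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted - quarantined
F:\Program setups\Auslogic boost speed installed 04042015\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen +100% Working\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen\Crack\KeyMaker.exe    Win32/Keygen.KE potentially unsafe application    cleaned by deleting - quarantined
F:\Program setups\Malwarebytes Anti-Malware Premium v2.0.3.1025 + KeyGen-FFF- [FirstUploads]\Keygen\keygen.exe    a variant of Win32/Keygen.EM potentially unsafe application    cleaned by deleting - quarantined
F:\Program setups\Super for 6300 video\SUPERsetup.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
'@

function ConvertFrom-EsetLog {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # A real export is tab-separated; a copy pasted into a forum post usually has
        # the tabs turned into runs of spaces. Accept either.
        $f = $line -split '\t+| {2,}'
        if ($f.Count -lt 3) { Write-Warning "Unparsed line: $line"; continue }

        # 'a variant of Win32/Keygen.KE potentially unsafe application'  ->  family 'Keygen'
        $family = if ($f[1] -match 'Win32/([A-Za-z]+)') { $Matches[1] } else { 'Unknown' }

        # Keygens, cracks and game trainers are things the user fetched on purpose;
        # bundled toolbars and OpenCandy are installer adware. Different conversations.
        $category = switch -Regex ($family) {
            '^(Keygen|HackTool)$'   { 'warez' }
            '^(Bundled|OpenCandy)$' { 'bundleware' }
            default                 { 'other' }
        }

        [pscustomobject]@{
            Path      = $f[0]
            Drive     = $f[0].Substring(0, 2)
            TopFolder = ($f[0] -split '\\')[1]
            Detection = $f[1]
            Family    = $family
            Category  = $category
            Action    = $f[2]
        }
    }
}

$hits = ConvertFrom-EsetLog -Text $esetLog

"== by category / family =="
$hits | Group-Object Category, Family | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"== by drive / top-level folder =="
$hits | Group-Object Drive, TopFolder | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"== items the user chose to download (not collateral adware) =="
$hits | Where-Object Category -eq 'warez' | Format-Table Family, Path -AutoSize
```

To use it on a real export, replace the here-string with `Get-Content .\ESETScan.txt -Raw`. The second grouping is the one that matters for a thread like this: it makes the point in the next reply visible at a glance, namely that the detections cluster in a handful of download folders on F: rather than in the running system.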
 



#11 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male
  • Local time:05:53 AM

Posted 29 November 2015 - 06:45 PM

Scan as requested.........some programs now unusable )-:

F:\Program setups\Super for 6300 video\SUPERsetup.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
F:\Program setups\Freemake Video Converter Gold Pack + Subtitle Pack v4.1.7.1 + Online Fix Method {B@tman}\Setup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted - quarantined
F:\Program setups\FreemakeAudioConverterSetup.exe    a variant of Win32/OpenCandy.A potentially unsafe application    deleted - quarantined
F:\Installed new comp 1162014\Disketch dvd label\disketchsetup.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted - quarantined
F:\Program setups\ConvertXtoDVD 5.3.0.20\READ ME\ccsetup509.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined

Note: Some safety suggestions!
http://trmalwarefix.freeforums.net/t...ty-suggestions

=================================================================================

 

F:\Program setups\Malwarebytes Anti-Malware Premium v2.0.3.1025 + KeyGen-FFF- [FirstUploads]\Keygen\keygen.exe    a variant of Win32/Keygen.EM potentially unsafe application    cleaned by deleting - quarantined
F:\Program setups\Auslogic boost speed installed 04042015\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen +100% Working\Auslogics BoostSpeed Premium 7.9.0 DC 02.04.2015 + Keygen\Crack\KeyMaker.exe    Win32/Keygen.KE potentially unsafe application    cleaned by deleting - quarantined

Crack and keygen!
This is the main reason your computer is infected. Visiting crack sites/warez sites and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, we ask that you uninstall any such applications, as indicated in this sticky topic.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, BC does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

In 2006, a study revealed that 59% of keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.
----------------------------------------------------------------------------------------------------------------
Thank you for your patience.  Please do the following:
Uninstall Combofix:

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the X and the /U; it needs to be there.

 
next.....
In any case please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

You can do the following:
 
The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

To remove all but the most recently created Restore Point:

  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
 

Best regards
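
An added example, not part of olgun52's post: the post-cleanup housekeeping described above (a named restore point, pruning old restore points as Disk Cleanup's "System Restore > Clean up" button does, and an ERUNT-style backup of the raw registry hives) done from an elevated Windows PowerShell (3.0 or later) prompt. The backup path, the description text and the -PruneOld switch are my assumptions.

```powershell
# Added example, not from the thread: olgun52's housekeeping steps as a script.
#  1. create a named System Restore point,
#  2. optionally delete all but the newest restore point (what Disk Cleanup's
#     "System Restore > Clean up" button does on Windows 7), and
#  3. save the raw registry hives, SECURITY and the user hive included, the way ERUNT does.
# Run elevated. Paths, description and the -PruneOld switch are assumptions for illustration.

param(
    [string]$Description = 'Post-malware-cleanup baseline',
    [string]$BackupRoot  = 'C:\RegBackup',
    [switch]$PruneOld
)

# 1. Restore point. The description is what rstrui.exe shows later, so make it searchable.
#    (Windows 8 and later silently skip the request if a point was made in the last 24 h.)
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint | Sort-Object SequenceNumber |
    Format-Table SequenceNumber,
                 @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } },
                 Description -AutoSize

# 2. On Vista/7, restore points are stored in Volume Shadow Copies, so "all but the
#    most recent" means deleting the oldest shadow copy until one is left.
#    Destructive, so it is opt-in; the guard stops the loop if the counts disagree.
if ($PruneOld) {
    $guard = 0
    while ((Get-ComputerRestorePoint).Count -gt 1 -and $guard++ -lt 50) {
        vssadmin Delete Shadows /For=C: /Oldest /Quiet | Out-Null
    }
}

# 3. Hive backup. 'reg save' writes the binary hive (unlike the .reg text 'reg export'
#    produces), so it can be put back with 'reg restore' or from a recovery environment.
#    SAM and SECURITY are only readable when elevated and hold credential material:
#    lock down the backup directory accordingly.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$hives = @{
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SECURITY' = 'SECURITY'
    'HKLM\SAM'      = 'SAM'
    'HKU\.DEFAULT'  = 'DEFAULT'
    'HKCU'          = 'NTUSER'     # the logged-on user's own hive
}
foreach ($key in $hives.Keys) {
    $out = Join-Path $dest $hives[$key]
    reg.exe save $key $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save $key failed (exit code $LASTEXITCODE)" }
}
Get-ChildItem $dest | Format-Table Name, Length -AutoSize
```

Usage: `.\post-cleanup.ps1` creates the restore point and the hive backup; add `-PruneOld` only once you are happy with the new restore point, since it removes every older one. Keep the backup directory off the machine being cleaned if you can, for the same reason the post gives for keeping a log of the restore point's name: it is what you reach for when the next cleanup goes wrong.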
 
#12 lffoar

lffoar
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male
  • Location:Adelaide South Australia
  • Local time:01:23 PM

Posted 29 November 2015 - 07:28 PM

Olgun,

I have run the deletion program and thank you so much for your help. I had no idea there were so much malware/pup's etc on my PC. I fully understand the risks associated with "anything" on the web and am generally very careful.  Yes, like thousands of others I'm guilty of pirating some software, mainly due to cost, but have read your suggestions page and will go through my PC now and delete what should not be there and be extra careful in future.

BTW, the comp is running well now (-:



#13 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male
  • Local time:05:53 AM

Posted 30 November 2015 - 02:02 PM

You're welcome, :thumbup2:

Now everything is fine. IObit and P2P software are in use; pay attention to third-party software. Please do not hesitate to open new topics.
We are ready to help.

 

Best regards. :hello:
 
#14 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male
  • Local time:05:53 AM

Posted 09 December 2015 - 06:43 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Best regards
 