Recurring Trojan.Agent.MSIL along with safefinder, and sidecube


5 replies to this topic

#1 Hivolt


Posted 05 December 2015 - 09:07 AM

Encountered sd.symcd, safefinder pop-ups and sidecube hijacking the Chrome and Firefox browser search engines. AdwCleaner managed to remove sd, but it was replaced by sidecube.
 
Tried running Malwarebytes and it detected Trojan.Agent.MSIL. It was able to quarantine/remove the threat, but after a few restarts sidecube and the Trojan resurfaced.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-12-2015
Ran by Vagrant (administrator) on AELWYD (05-12-2015 21:38:22)
Running from C:\Users\Vagrant\Desktop
Loaded Profiles: Vagrant (Available Profiles: Vagrant)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\ProgramData\Vaiafineco\Vaiafineco.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
() C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(PowerISO Computing, Inc.) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Pen\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
() C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe
() C:\ProgramData\Vaiafineco\Vaiafineco.exe
() C:\Program Files (x86)\RivaTuner Statistics Server\EncoderServer.exe
() C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Messenger for Desktop\Messenger.exe
() C:\Program Files (x86)\Messenger for Desktop\Messenger.exe
() C:\Program Files (x86)\Messenger for Desktop\Messenger.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [200704 2007-08-07] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-12-18] (Oracle Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-11-13] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\...\MountPoints2: {235873d2-606b-11e4-9f40-806e6f6e6963} - L:\AutoRun.exe
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\...\MountPoints2: {f7a65d55-7c8f-11e4-9fac-b0bf71b99369} - L:\Launch.exe
AppInit_DLLs: C:\ProgramData\Vaiafineco\Physsing.dll => C:\ProgramData\Vaiafineco\Physsing.dll [518656 2015-12-05] ()
AppInit_DLLs-x32: C:\ProgramData\Vaiafineco\Medtip.dll => C:\ProgramData\Vaiafineco\Medtip.dll [320512 2015-12-05] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{16580DB0-40CF-417B-BC5F-370B790A6771}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{9664F634-C6CD-410F-8AD0-2E81467C2415}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2PosWRdtoLswH_u7-dB7g3znn-jp46PwCBbsZHG5zZGyf2xu9dLZ-dWscXoMN2n0oJvz8nk9OtO7jFiLuA,,
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2015-03-04] (Oracle Corporation)
BHO-x32: FlashGetBHO -> {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} -> C:\Users\Vagrant\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll [2012-11-01] (Trend Media Group)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2015-03-04] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Vagrant\AppData\Roaming\Mozilla\Firefox\Profiles\xkcy5gha.default-1449320805945
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @java.com/DTPlugin,version=10.76.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-03-04] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.76.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2015-03-04] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin HKU\S-1-5-21-3441441459-1719453584-1741147209-1000: @my.com/Games -> C:\Users\Vagrant\AppData\Local\MyComGames\NPMyComDetector.dll [2015-07-18] (My.com, Inc)
 
Chrome: 
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.73\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-06]
CHR Extension: (Google Drive) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-01]
CHR Extension: (Google Search) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Docs Offline) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-25]
CHR Extension: (Gmail) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [121856 2015-11-13] (Advanced Micro Devices) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-01-19] ()
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 Vaiafineco; C:\ProgramData\\Vaiafineco\\Vaiafineco.exe [406016 2015-12-05] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [627992 2014-01-14] (Wacom Technology, Corp.)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [635160 2014-04-22] (Wacom Technology, Corp.)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [297672 2015-11-14] (Advanced Micro Devices)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-12-05] ()
R3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [13536 2015-06-02] ()
R3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-05 21:38 - 2015-12-05 21:38 - 00012717 _____ C:\Users\Vagrant\Desktop\FRST.txt
2015-12-05 21:38 - 2015-12-05 21:38 - 00000000 ____D C:\FRST
2015-12-05 21:36 - 2015-12-05 21:38 - 02369024 _____ (Farbar) C:\Users\Vagrant\Desktop\FRST64.exe
2015-12-05 21:20 - 2015-12-05 21:20 - 01400320 _____ C:\Users\Vagrant\Desktop\GRDP_Con_Reg_P_2014_pub.xls
2015-12-05 21:06 - 2015-12-05 21:06 - 00000000 ____D C:\Users\Vagrant\Desktop\Old Firefox Data
2015-12-05 21:01 - 2015-12-05 21:01 - 00000000 ____D C:\Program Files (x86)\ESET
2015-12-05 21:00 - 2015-12-05 21:00 - 02870984 _____ (ESET) C:\Users\Vagrant\Desktop\esetsmartinstaller_enu.exe
2015-12-05 20:58 - 2015-12-05 20:58 - 00001192 _____ C:\Users\Vagrant\Desktop\Firefox.lnk
2015-12-05 20:57 - 2015-12-05 20:59 - 00001436 _____ C:\Users\Vagrant\Desktop\Google Chrome.lnk
2015-12-05 19:39 - 2015-12-05 20:56 - 00000000 ____D C:\ProgramData\Vaiafineco
2015-12-05 19:39 - 2015-12-05 19:39 - 00000000 ____D C:\ProgramData\Vaiafinecos
2015-12-05 19:38 - 2015-12-05 19:38 - 03797347 _____ C:\Program Files\Common Files\cu3gqqjw.exe
2015-12-05 15:16 - 2015-12-05 15:16 - 03797354 _____ C:\Program Files\Common Files\q3wqgk25.exe
2015-12-05 15:11 - 2015-12-05 15:11 - 00003388 _____ C:\Windows\System32\Tasks\rlvvaih2
2015-12-05 15:11 - 2015-12-05 15:11 - 00000000 ____D C:\Program Files\Common Files\ryilrsxg
2015-12-05 15:05 - 2015-12-05 20:54 - 00000000 ____D C:\AdwCleaner
2015-12-05 14:44 - 2015-12-05 21:05 - 00000000 ____D C:\Users\Vagrant\Desktop\Malwarebytes Anti-Malware 2.2.0.1024
2015-12-05 11:06 - 2015-12-05 11:06 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2015-12-05 10:58 - 2015-12-05 10:58 - 00003566 _____ C:\Windows\System32\Tasks\{4A2EFBD1-DD9D-43DC-A92C-92520EB0B70E}
2015-12-05 10:50 - 2015-12-05 11:11 - 30946738 _____ C:\Users\Vagrant\Desktop\Aradia Armor of the Cross.7z
2015-12-04 14:48 - 2015-12-05 11:16 - 14201148 _____ C:\Users\Vagrant\Desktop\Untitled-2.psd
2015-12-04 06:33 - 2015-12-04 06:33 - 00003236 _____ C:\Windows\System32\Tasks\upuste
2015-12-04 05:48 - 2015-12-05 11:16 - 14081192 _____ C:\Users\Vagrant\Desktop\Untitled-1.psd
2015-12-04 03:13 - 2015-12-04 03:34 - 00000000 ____D C:\Users\Vagrant\Desktop\Fear and Loathing in Las Vegas-Disco
2015-12-03 19:33 - 2015-12-03 19:33 - 00003388 _____ C:\Windows\System32\Tasks\xniwtlbf
2015-12-03 19:33 - 2015-12-03 19:33 - 00000000 ____D C:\Program Files\Common Files\e3gp2nee
2015-12-03 18:50 - 2009-09-27 09:39 - 00415744 ___SH (The Public) C:\Windows\SysWOW64\avisynth.dll
2015-12-03 18:50 - 2005-07-14 12:31 - 00032256 ___SH C:\Windows\SysWOW64\AVSredirect.dll
2015-12-03 18:50 - 2004-02-22 10:11 - 00764416 ___SH (Abysmal Software) C:\Windows\SysWOW64\devil.dll
2015-12-03 18:50 - 2004-01-25 00:00 - 00070656 ___SH (www.helixcommunity.org) C:\Windows\SysWOW64\yv12vfw.dll
2015-12-03 18:50 - 2004-01-25 00:00 - 00070656 ___SH (www.helixcommunity.org) C:\Windows\SysWOW64\i420vfw.dll
2015-12-03 18:32 - 2015-12-03 18:32 - 00000187 _____ C:\Users\Vagrant\AppData\Local\High-dexon.exe.config
2015-12-03 18:31 - 2015-12-03 18:31 - 00000000 ____D C:\Users\Vagrant\Documents\eRightSoft
2015-12-03 18:31 - 2015-12-03 18:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPER © - by eRightSoft
2015-12-03 18:31 - 2014-03-07 10:03 - 03109520 __RSH (FFmpeg Project) C:\Windows\SysWOW64\avcodec-lav-55.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00550032 __RSH (FFmpeg Project) C:\Windows\SysWOW64\avformat-lav-55.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00313520 __RSH (1f0.de - Hendrik Leppkes) C:\Windows\SysWOW64\HLvideo.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00203408 __RSH (1f0.de - Hendrik Leppkes) C:\Windows\SysWOW64\HLsplit.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00181392 __RSH (FFmpeg Project) C:\Windows\SysWOW64\avutil-lav-52.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00166544 __RSH (Intel Corp.) C:\Windows\SysWOW64\IntelQuickSyncDecoder.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00122512 __RSH (1f0.de - Hendrik Leppkes) C:\Windows\SysWOW64\HLaudio.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00118416 __RSH (FFmpeg Project) C:\Windows\SysWOW64\swscale-lav-2.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00109712 __RSH C:\Windows\SysWOW64\libbluray.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00098960 __RSH (FFmpeg Project) C:\Windows\SysWOW64\avfilter-lav-4.dll
2015-12-03 18:31 - 2014-03-07 10:03 - 00059536 __RSH (FFmpeg Project) C:\Windows\SysWOW64\avresample-lav-1.dll
2015-12-03 18:31 - 2014-01-31 15:20 - 00000493 __RSH C:\Windows\SysWOW64\LAVFilters.Dependencies.manifest
2015-12-03 18:31 - 2012-10-05 18:54 - 00188416 __RSH C:\Windows\SysWOW64\winDCE32.dll
2015-12-03 18:31 - 2012-07-11 22:00 - 00075776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Olepau32.ax
2015-12-03 18:31 - 2011-06-14 19:05 - 00121344 __RSH C:\Windows\SysWOW64\TAKDSDecoder.ax
2015-12-03 18:31 - 2011-02-11 09:26 - 00112128 __RSH C:\Windows\SysWOW64\OptimFROG.dll
2015-12-03 18:31 - 2010-01-06 23:00 - 00107520 __RSH C:\Windows\SysWOW64\TAKDSDecoder.dll
2015-12-03 18:31 - 2009-08-10 22:00 - 00352768 __RSH C:\Windows\SysWOW64\ac3DX.ax
2015-12-03 18:31 - 2005-02-22 16:55 - 00081920 __RSH C:\Windows\SysWOW64\aac_parser.ax
2015-12-03 18:31 - 2004-10-10 08:50 - 00278528 _____ (Real Networks, Inc) C:\Windows\SysWOW64\pncrt.dll
2015-12-03 18:31 - 2004-07-02 16:33 - 00327749 _____ (RealNetworks, Inc.) C:\Windows\SysWOW64\drvc.dll
2015-12-03 18:31 - 2004-04-27 15:03 - 00017408 __RSH (RadLight) C:\Windows\SysWOW64\RLOFRDec.ax
2015-12-03 18:31 - 2004-04-05 09:31 - 00499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2015-12-03 18:31 - 2004-04-05 09:31 - 00348160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2015-12-03 18:30 - 2015-12-03 18:30 - 00000000 ____D C:\Program Files (x86)\eRightSoft
2015-11-30 15:31 - 2015-12-05 14:55 - 00000000 ____D C:\Users\Vagrant\Desktop\[Mods] Fallout 4
2015-11-28 09:15 - 2015-11-28 09:15 - 00000000 ____D C:\Users\Vagrant\AppData\Local\AMD
2015-11-27 09:31 - 2015-11-27 09:31 - 00000222 _____ C:\Users\Vagrant\Desktop\Fallout 4.url
2015-11-27 01:40 - 2015-11-19 21:27 - 00000428 _____ C:\Users\Vagrant\AppData\Roaming\ham.txt
2015-11-27 01:39 - 2015-12-03 17:19 - 00043520 _____ C:\Users\Vagrant\AppData\Roaming\Moses.dat
2015-11-27 01:39 - 2015-12-03 17:19 - 00005568 _____ C:\Users\Vagrant\AppData\Roaming\md.xml
2015-11-27 01:37 - 2015-12-03 17:20 - 00406016 _____ C:\Users\Vagrant\AppData\Roaming\moses.exe
2015-11-26 17:34 - 2015-12-03 17:21 - 09545216 _____ C:\Users\Vagrant\AppData\Roaming\agent.dat
2015-11-26 17:34 - 2015-12-03 17:21 - 00017920 _____ C:\Users\Vagrant\AppData\Roaming\Main.dat
2015-11-26 17:34 - 2015-12-03 17:20 - 00058272 _____ C:\Users\Vagrant\AppData\Roaming\Config.xml
2015-11-25 21:03 - 2015-11-25 21:08 - 00000000 ____D C:\Users\Vagrant\Desktop\Scarlet
2015-11-23 15:05 - 2015-12-01 00:51 - 00000000 ____D C:\Users\Vagrant\Desktop\Screenshots
2015-11-22 03:28 - 2015-11-22 03:47 - 00000000 ____D C:\Users\Vagrant\Desktop\Patreon - tsuaii
2015-11-18 17:02 - 2015-11-18 17:02 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\ATI
2015-11-18 17:02 - 2015-11-18 17:02 - 00000000 ____D C:\Users\Vagrant\AppData\Local\ATI
2015-11-18 17:02 - 2015-11-18 17:02 - 00000000 ____D C:\ProgramData\ATI
2015-11-18 17:02 - 2015-11-18 17:02 - 00000000 _____ C:\Windows\ativpsrm.bin
2015-11-18 16:50 - 2015-11-18 16:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2015-11-18 16:49 - 2015-11-18 16:49 - 00000000 ____D C:\Program Files (x86)\AMD
2015-11-18 16:48 - 2015-11-18 16:48 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2015-11-18 04:51 - 2015-11-18 04:51 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\Steam
2015-11-18 04:44 - 2015-11-18 04:44 - 00000000 ____D C:\Users\Vagrant\AppData\Local\Fallout4
2015-11-18 04:15 - 2015-11-18 04:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fallout 4
2015-11-14 05:38 - 2015-11-14 05:38 - 12101120 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atidxx64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 01479768 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\aticfx64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 01217576 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00152056 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiuxp64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00141792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdhcp64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00133016 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00128384 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdhcp32.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00120656 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiu9p64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00107784 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdave64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00102616 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00100568 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdave32.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00078432 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atimpc64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00078432 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdpcom64.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00071704 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2015-11-14 05:38 - 2015-11-14 05:38 - 00071704 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2015-11-14 05:37 - 2015-11-14 05:37 - 10226528 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2015-11-14 05:37 - 2015-11-14 05:37 - 08895768 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6a.dll
2015-11-14 05:37 - 2015-11-14 05:37 - 08779872 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd64.dll
2015-11-14 05:37 - 2015-11-14 05:37 - 07931152 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2015-11-14 05:37 - 2015-11-14 05:37 - 07408936 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2015-11-14 05:31 - 2015-11-14 05:31 - 00297672 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amdacpksd.sys
2015-11-14 05:26 - 2015-11-14 05:26 - 21661696 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmdag.sys
2015-11-14 05:22 - 2015-11-14 05:22 - 47785472 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl64.dll
2015-11-14 05:22 - 2015-11-14 05:22 - 01187342 _____ C:\Windows\system32\amdocl_as64.exe
2015-11-14 05:22 - 2015-11-14 05:22 - 01061902 _____ C:\Windows\system32\amdocl_ld64.exe
2015-11-14 05:22 - 2015-11-14 05:22 - 00995342 _____ C:\Windows\SysWOW64\amdocl_as32.exe
2015-11-14 05:22 - 2015-11-14 05:22 - 00798734 _____ C:\Windows\SysWOW64\amdocl_ld32.exe
2015-11-14 05:22 - 2015-11-14 05:22 - 00235008 _____ C:\Windows\system32\clinfo.exe
2015-11-14 05:21 - 2015-11-14 05:21 - 39712768 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2015-11-14 05:20 - 2015-11-14 05:20 - 00065024 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2015-11-14 05:20 - 2015-11-14 05:20 - 00059392 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2015-11-14 05:18 - 2015-11-14 05:18 - 27535872 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl12cl64.dll
2015-11-14 05:18 - 2015-11-14 05:18 - 22318592 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl12cl.dll
2015-11-14 04:57 - 2015-11-14 04:57 - 06728192 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmantle64.dll
2015-11-14 04:57 - 2015-11-14 04:57 - 00675328 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdlvr64.dll
2015-11-14 04:57 - 2015-11-14 04:57 - 00560640 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdlvr32.dll
2015-11-14 04:57 - 2015-11-14 04:57 - 00127488 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantle64.dll
2015-11-14 04:57 - 2015-11-14 04:57 - 00113664 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantle32.dll
2015-11-14 04:52 - 2015-11-14 04:52 - 05290496 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmantle32.dll
2015-11-14 04:50 - 2015-11-14 04:50 - 30767616 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atio6axx.dll
2015-11-14 04:48 - 2015-11-14 04:48 - 00096256 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantleaxl64.dll
2015-11-14 04:48 - 2015-11-14 04:48 - 00089088 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantleaxl32.dll
2015-11-14 04:44 - 2015-11-14 04:44 - 25312768 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2015-11-14 04:44 - 2015-11-14 04:44 - 00050688 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmmcl6.dll
2015-11-14 04:44 - 2015-11-14 04:44 - 00039424 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmmcl.dll
2015-11-14 04:42 - 2015-11-14 04:42 - 03437632 _____ C:\Windows\system32\atiumd6a.cap
2015-11-14 04:41 - 2015-11-14 04:41 - 00663992 _____ C:\Windows\SysWOW64\atiapfxx.blb
2015-11-14 04:41 - 2015-11-14 04:41 - 00663992 _____ C:\Windows\system32\atiapfxx.blb
2015-11-14 04:41 - 2015-11-14 04:41 - 00367104 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiapfxx.exe
2015-11-14 04:41 - 2015-11-14 04:41 - 00062464 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalrt64.dll
2015-11-14 04:41 - 2015-11-14 04:41 - 00055808 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalcl64.dll
2015-11-14 04:41 - 2015-11-14 04:41 - 00052224 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2015-11-14 04:41 - 2015-11-14 04:41 - 00049152 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2015-11-14 04:40 - 2015-11-14 04:40 - 15716352 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticaldd64.dll
2015-11-14 04:40 - 2015-11-14 04:40 - 14302208 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2015-11-14 04:40 - 2015-11-14 04:40 - 00204952 _____ C:\Windows\SysWOW64\ativvsvl.dat
2015-11-14 04:40 - 2015-11-14 04:40 - 00204952 _____ C:\Windows\system32\ativvsvl.dat
2015-11-14 04:40 - 2015-11-14 04:40 - 00157144 _____ C:\Windows\SysWOW64\ativvsva.dat
2015-11-14 04:40 - 2015-11-14 04:40 - 00157144 _____ C:\Windows\system32\ativvsva.dat
2015-11-14 04:37 - 2015-11-14 04:37 - 03471376 _____ C:\Windows\SysWOW64\atiumdva.cap
2015-11-14 04:36 - 2015-11-14 04:36 - 00674816 _____ (AMD) C:\Windows\system32\atieclxx.exe
2015-11-14 04:36 - 2015-11-14 04:36 - 00442368 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atidemgy.dll
2015-11-14 04:36 - 2015-11-14 04:36 - 00246784 _____ (AMD) C:\Windows\system32\atiesrxx.exe
2015-11-14 04:36 - 2015-11-14 04:36 - 00204800 _____ C:\Windows\system32\amdgfxinfo64.dll
2015-11-14 04:36 - 2015-11-14 04:36 - 00189952 _____ C:\Windows\SysWOW64\amdgfxinfo32.dll
2015-11-14 04:36 - 2015-11-14 04:36 - 00160256 _____ C:\Windows\system32\atieah64.exe
2015-11-14 04:36 - 2015-11-14 04:36 - 00143872 _____ C:\Windows\SysWOW64\atieah32.exe
2015-11-14 04:36 - 2015-11-14 04:36 - 00029696 _____ (AMD) C:\Windows\system32\atimuixx.dll
2015-11-14 04:35 - 2015-11-14 04:35 - 00190976 _____ (AMD) C:\Windows\system32\atitmm64.dll
2015-11-14 04:33 - 2015-11-14 04:33 - 00865792 _____ (AMD) C:\Windows\system32\coinst_15.20.dll
2015-11-14 04:33 - 2015-11-14 04:33 - 00089088 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atisamu64.dll
2015-11-14 04:33 - 2015-11-14 04:33 - 00080896 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atisamu32.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 01247744 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiadlxx.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00926720 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00926720 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxx.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00666112 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmpag.sys
2015-11-14 04:32 - 2015-11-14 04:32 - 00156672 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6txx.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00141824 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00075264 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6pxx.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00069632 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2015-11-14 04:32 - 2015-11-14 04:32 - 00069632 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiglpxx.dll
2015-11-14 04:31 - 2015-11-14 04:31 - 00102912 _____ C:\Windows\system32\hsa-thunk64.dll
2015-11-14 04:31 - 2015-11-14 04:31 - 00102400 _____ C:\Windows\SysWOW64\hsa-thunk.dll
2015-11-14 04:29 - 2015-11-14 04:29 - 00043520 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\ati2erec.dll
2015-11-13 15:45 - 2015-11-13 15:45 - 02412544 _____ C:\Windows\system32\amdacpusl.pdb
2015-11-13 15:42 - 2015-11-13 15:42 - 00363008 _____ (Advanced Micro Devices) C:\Windows\system32\amdacpusl.dll
2015-11-13 15:42 - 2015-11-13 15:42 - 00306176 _____ C:\Windows\system32\amdacpusl.pdb.pub
2015-11-13 15:42 - 2015-11-13 15:42 - 00247296 _____ (Advanced Micro Devices) C:\Windows\SysWOW64\amdacpusl.dll
2015-11-05 21:21 - 2015-12-05 21:06 - 00001156 _____ C:\Users\Vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Messenger.lnk
2015-11-05 21:21 - 2015-12-05 21:05 - 00000000 ____D C:\Users\Vagrant\AppData\Local\Messenger
2015-11-05 21:20 - 2015-12-05 15:56 - 00001217 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Messenger for Desktop.lnk
2015-11-05 21:20 - 2015-12-05 15:56 - 00001107 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Messenger.lnk
2015-11-05 21:20 - 2015-12-05 15:55 - 00001107 _____ C:\Users\Vagrant\Desktop\Messenger.lnk
2015-11-05 21:20 - 2015-11-05 21:20 - 00000000 ____D C:\Program Files (x86)\Messenger for Desktop
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-05 21:38 - 2009-07-14 11:20 - 00000000 ____D C:\Windows
2015-12-05 21:04 - 2015-10-09 03:39 - 00000000 ____D C:\Users\Vagrant\Desktop\RPG
2015-12-05 21:04 - 2014-11-28 14:31 - 00000000 ____D C:\Users\Vagrant\Desktop\Stuff
2015-12-05 21:03 - 2009-07-14 12:45 - 00028976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-05 21:03 - 2009-07-14 12:45 - 00028976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-05 21:02 - 2009-07-14 13:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-05 21:02 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
2015-12-05 21:01 - 2014-11-07 18:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-05 20:56 - 2014-10-31 02:21 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-05 20:55 - 2015-10-22 14:05 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2015-12-05 20:55 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-05 20:51 - 2015-01-05 16:50 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-05 20:39 - 2014-10-31 02:21 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-05 19:05 - 2014-11-27 17:29 - 00000000 ____D C:\Program Files (x86)\Steam
2015-12-05 18:53 - 2014-10-30 19:18 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\vlc
2015-12-05 15:56 - 2015-05-09 04:40 - 00001029 _____ C:\Users\Vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Girlvania.lnk
2015-12-05 15:56 - 2014-11-01 16:03 - 00001254 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Device Central CS5.lnk
2015-12-05 15:56 - 2014-11-01 16:03 - 00001161 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS5.lnk
2015-12-05 15:56 - 2014-11-01 16:01 - 00001511 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS5.lnk
2015-12-05 15:56 - 2014-11-01 16:01 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS5.lnk
2015-12-05 15:56 - 2014-11-01 16:01 - 00000985 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help.lnk
2015-12-05 15:56 - 2014-10-31 04:11 - 00000467 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sid Meier's Civilization V.lnk
2015-12-05 15:56 - 2014-10-30 12:38 - 00001389 _____ C:\Users\Vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-05 15:56 - 2009-07-14 12:57 - 00001511 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-12-05 15:55 - 2015-10-19 13:37 - 00001228 _____ C:\Users\Vagrant\Desktop\PTT.lnk
2015-12-05 15:55 - 2015-06-19 17:09 - 00000654 _____ C:\Users\Vagrant\Desktop\Crimson.lnk
2015-12-05 15:55 - 2015-04-23 04:31 - 00000661 _____ C:\Users\Vagrant\Desktop\Art Stuff.lnk
2015-12-05 15:55 - 2014-11-02 18:13 - 00000773 _____ C:\Users\Vagrant\Desktop\[Art] Collection (Sorted).lnk
2015-12-05 15:55 - 2014-11-02 18:12 - 00000787 _____ C:\Users\Vagrant\Desktop\[Art] Collection Unsorted.lnk
2015-12-05 15:55 - 2014-10-31 04:29 - 00000000 ____D C:\Windows\Panther
2015-12-05 15:55 - 2014-10-30 16:12 - 00000953 _____ C:\ProgramData\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-12-05 15:55 - 2009-07-14 12:49 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2015-12-05 15:54 - 2015-10-22 14:55 - 00003022 _____ C:\Windows\System32\Tasks\MSIAfterburner
2015-12-05 15:53 - 2015-04-29 21:08 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-12-05 15:53 - 2014-11-08 02:49 - 00000000 ____D C:\Users\Vagrant\Desktop\Games
2015-12-05 15:28 - 2014-10-30 16:30 - 00000000 ____D C:\Users\Vagrant\Desktop\Other Programs
2015-12-05 15:07 - 2015-01-05 16:50 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\Yahoo!
2015-12-05 15:07 - 2015-01-05 16:50 - 00000000 ____D C:\Users\Vagrant\AppData\LocalLow\Yahoo!
2015-12-05 15:07 - 2015-01-05 16:32 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2015-12-05 15:07 - 2014-10-31 02:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-12-05 15:01 - 2014-10-30 16:11 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\uTorrent
2015-12-04 17:47 - 2015-08-28 18:46 - 00000000 ____D C:\Users\Vagrant\Desktop\New folder (5)
2015-12-04 10:34 - 2014-10-31 02:21 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-04 10:34 - 2014-10-31 02:21 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-12-04 05:14 - 2015-08-27 18:34 - 00000000 ____D C:\Users\Vagrant\Desktop\Project - FEAR
2015-11-30 20:23 - 2014-11-09 04:11 - 00000000 ____D C:\Users\Vagrant\Desktop\Commish - Rossfellow
2015-11-27 04:23 - 2015-10-22 14:49 - 00000000 ____D C:\Program Files (x86)\MSI Afterburner
2015-11-25 21:11 - 2014-10-30 12:46 - 00000000 ____D C:\Users\Vagrant\AppData\Roaming\BITS
2015-11-25 21:10 - 2015-10-09 03:38 - 00000000 ____D C:\Users\Vagrant\Desktop\Temp
2015-11-25 21:10 - 2015-03-07 23:58 - 00000000 ____D C:\Users\Vagrant\Desktop\My stuff
2015-11-25 05:53 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\system32\NDF
2015-11-18 17:00 - 2014-10-31 03:25 - 00000000 ____D C:\Program Files\AMD
2015-11-18 16:55 - 2015-03-03 16:55 - 00000000 ____D C:\Program Files (x86)\Raptr
2015-11-18 16:02 - 2014-10-26 04:31 - 00000000 ____D C:\AMD
2015-11-18 04:44 - 2014-10-31 09:48 - 00000000 ____D C:\Users\Vagrant\Documents\My Games
2015-11-13 00:25 - 2015-08-28 14:03 - 00000000 ____D C:\Users\Vagrant\Desktop\Project - FoS
2015-11-12 01:44 - 2015-01-19 16:41 - 00347464 _____ C:\Windows\SysWOW64\PnkBstrB.xtr
2015-11-12 01:44 - 2015-01-19 16:18 - 00347464 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2015-11-10 22:07 - 2015-11-04 23:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-11-10 22:07 - 2015-11-03 21:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
 
==================== Files in the root of some directories =======
 
2015-12-05 19:38 - 2015-12-05 19:38 - 3797347 _____ () C:\Program Files\Common Files\cu3gqqjw.exe
2015-12-05 15:16 - 2015-12-05 15:16 - 3797354 _____ () C:\Program Files\Common Files\q3wqgk25.exe
2015-04-28 13:56 - 2015-09-23 00:22 - 0000132 _____ () C:\Users\Vagrant\AppData\Roaming\Adobe BMP Format CS5 Prefs
2015-02-10 04:43 - 2015-06-09 12:07 - 0000132 _____ () C:\Users\Vagrant\AppData\Roaming\Adobe PNG Format CS5 Prefs
2015-11-26 17:34 - 2015-12-03 17:21 - 9545216 _____ () C:\Users\Vagrant\AppData\Roaming\agent.dat
2015-11-26 17:34 - 2015-12-03 17:20 - 0058272 _____ () C:\Users\Vagrant\AppData\Roaming\Config.xml
2015-11-27 01:40 - 2015-11-19 21:27 - 0000428 _____ () C:\Users\Vagrant\AppData\Roaming\ham.txt
2015-11-26 17:34 - 2015-12-03 17:21 - 0017920 _____ () C:\Users\Vagrant\AppData\Roaming\Main.dat
2015-11-27 01:39 - 2015-12-03 17:19 - 0005568 _____ () C:\Users\Vagrant\AppData\Roaming\md.xml
2015-11-27 01:39 - 2015-12-03 17:19 - 0043520 _____ () C:\Users\Vagrant\AppData\Roaming\Moses.dat
2015-11-27 01:37 - 2015-12-03 17:20 - 0406016 _____ () C:\Users\Vagrant\AppData\Roaming\moses.exe
2015-11-27 01:40 - 2015-11-19 21:26 - 0004134 _____ () C:\Users\Vagrant\AppData\Roaming\shem.jpg
2014-11-03 05:24 - 2015-09-09 00:32 - 0001740 _____ () C:\Users\Vagrant\AppData\Local\Adobe Save for Web 12.0 Prefs
2015-12-03 18:32 - 2015-12-03 18:32 - 0000187 _____ () C:\Users\Vagrant\AppData\Local\High-dexon.exe.config
 
Some files in TEMP:
====================
C:\Users\Vagrant\AppData\Local\Temp\amd-catalyst-14-9-win7-win8.1-64bit-dd-ccc-whql.exe
C:\Users\Vagrant\AppData\Local\Temp\AutoRun.exe
C:\Users\Vagrant\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\Vagrant\AppData\Local\Temp\eauninstall.exe
C:\Users\Vagrant\AppData\Local\Temp\First15.exe
C:\Users\Vagrant\AppData\Local\Temp\gtapi_signed.dll
C:\Users\Vagrant\AppData\Local\Temp\Gw2.exe
C:\Users\Vagrant\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Vagrant\AppData\Local\Temp\Latlex.exe
C:\Users\Vagrant\AppData\Local\Temp\nsu5489.exe
C:\Users\Vagrant\AppData\Local\Temp\Quarantine.exe
C:\Users\Vagrant\AppData\Local\Temp\raptrpatch.exe
C:\Users\Vagrant\AppData\Local\Temp\raptr_stub.exe
C:\Users\Vagrant\AppData\Local\Temp\Ruby.exe
C:\Users\Vagrant\AppData\Local\Temp\sqlite3.dll
C:\Users\Vagrant\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Vagrant\AppData\Local\Temp\System.Data.SQLitee5d66baa-55dd-47f5-af71-a5a0f240f125.dll
C:\Users\Vagrant\AppData\Local\Temp\The Sims 2_uninst.exe
C:\Users\Vagrant\AppData\Local\Temp\tmp2F59.exe
C:\Users\Vagrant\AppData\Local\Temp\tmp357D.exe
C:\Users\Vagrant\AppData\Local\Temp\Transbam.exe
C:\Users\Vagrant\AppData\Local\Temp\VP6Install.exe
C:\Users\Vagrant\AppData\Local\Temp\VP6VFW.dll
C:\Users\Vagrant\AppData\Local\Temp\WIE_2.39.2.63.exe
C:\Users\Vagrant\AppData\Local\Temp\Zotsoft.exe
C:\Users\Vagrant\AppData\Local\Temp\__pythonRunner.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-11-30 07:38
 
==================== End of FRST.txt ============================

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:27 PM

Posted 06 December 2015 - 10:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs and Features applet.
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\ProgramData\Vaiafineco\Vaiafineco.exe
() C:\ProgramData\Vaiafineco\Vaiafineco.exe
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\...\Run: [AdobeBridge] => [X]
AppInit_DLLs: C:\ProgramData\Vaiafineco\Physsing.dll => C:\ProgramData\Vaiafineco\Physsing.dll [518656 2015-12-05] ()
AppInit_DLLs-x32: C:\ProgramData\Vaiafineco\Medtip.dll => C:\ProgramData\Vaiafineco\Medtip.dll [320512 2015-12-05] ()
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2PosWRdtoLswH_u7-dB7g3znn-jp46PwCBbsZHG5zZGyf2xu9dLZ-dWscXoMN2n0oJvz8nk9OtO7jFiLuA,,
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
R2 Vaiafineco; C:\ProgramData\\Vaiafineco\\Vaiafineco.exe [406016 2015-12-05] () [File not signed]
R3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {3DA99E5D-20D2-40A6-B8E5-63C04B497D23} - System32\Tasks\upuste => C:\Windows\system32\config\systemprofile\AppData\Local\Antough [2015-12-03] () <==== ATTENTION
Task: {73E88447-885D-427A-9AC8-A9099E7420CD} - System32\Tasks\xniwtlbf => C:\Program Files\Common Files\e3gp2nee\f85d7avicylz4.exe [2015-10-18] () <==== ATTENTION
Task: {DD9ECB82-7F74-4F78-BE3A-FC5CD92374B6} - System32\Tasks\rlvvaih2 => C:\Program Files\Common Files\ryilrsxg\e4c44fbdeym32.exe [2015-10-18] () <==== ATTENTION
2015-12-05 19:39 - 2015-12-05 16:40 - 00406016 _____ () C:\ProgramData\Vaiafineco\Vaiafineco.exe
2015-12-05 19:39 - 2015-12-05 19:39 - 00320512 _____ () C:\ProgramData\Vaiafineco\Medtip.dll
C:\Windows\system32\config\systemprofile\AppData\Local\Antough
C:\Program Files\Common Files\e3gp2nee
C:\Program Files\Common Files\ryilrsxg
C:\ProgramData\Vaiafineco
C:\ProgramData\\Vaiafineco
2015-12-05 19:38 - 2015-12-05 19:38 - 3797347 _____ () C:\Program Files\Common Files\cu3gqqjw.exe
2015-12-05 15:16 - 2015-12-05 15:16 - 3797354 _____ () C:\Program Files\Common Files\q3wqgk25.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

How is the computer running now?

P.S.
On Jan. 12, 2016, Microsoft is folding up the tent on Internet Explorer 7 and 8. After that date, only IE 9 on Vista, IE 10 on Windows Server 2012, and IE 11 on Windows 7 and 8.1 will get security updates.
Read about it:
http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx
You may not be using this browser, but I suggest you install a newer version.
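The fixlist above undoes four separate persistence mechanisms at once: a user Run value, AppInit_DLLs entries (loaded into every process that loads user32.dll), an unsigned service, and scheduled tasks that FRST has already flagged with "<==== ATTENTION"; it also restores Internet Explorer start and search pages whose host names the hijacker had percent-encoded. The script below is an added example, not part of nasdaq's instructions and not FRST's own code, that reads lines copied from that fixlist, sorts them by mechanism, and decodes the obfuscated host names so a reader can see what the log actually points at. The long "?p=" query strings are shortened to "<...>" in the sample; everything else is as posted.

```python
import re
from urllib.parse import unquote

# Lines copied from the FRST fixlist posted above. The long ?p= query strings on the
# two browser-setting lines are shortened to <...> here; nothing else is changed.
SAMPLE_FIXLIST = r"""
() C:\ProgramData\Vaiafineco\Vaiafineco.exe
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\...\Run: [AdobeBridge] => [X]
AppInit_DLLs: C:\ProgramData\Vaiafineco\Physsing.dll => C:\ProgramData\Vaiafineco\Physsing.dll [518656 2015-12-05] ()
AppInit_DLLs-x32: C:\ProgramData\Vaiafineco\Medtip.dll => C:\ProgramData\Vaiafineco\Medtip.dll [320512 2015-12-05] ()
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=<...>
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=<...>&q={searchTerms}
R2 Vaiafineco; C:\ProgramData\\Vaiafineco\\Vaiafineco.exe [406016 2015-12-05] () [File not signed]
Task: {3DA99E5D-20D2-40A6-B8E5-63C04B497D23} - System32\Tasks\upuste => C:\Windows\system32\config\systemprofile\AppData\Local\Antough [2015-12-03] () <==== ATTENTION
Task: {73E88447-885D-427A-9AC8-A9099E7420CD} - System32\Tasks\xniwtlbf => C:\Program Files\Common Files\e3gp2nee\f85d7avicylz4.exe [2015-10-18] () <==== ATTENTION
"""

# FRST defangs http as hxxp so log lines cannot be clicked by accident.
HXXP_RE = re.compile(r"hxxps?://([^/?\s]+)", re.IGNORECASE)


def decode_host(defanged_url):
    """Return the plain host name from a defanged (hxxp) URL, undoing percent-encoding.

    The hijacker on this machine percent-encoded the host name (%66%65%65%64 is
    'feed'), which hides it from a casual read of the log but not from a decoder.
    Returns None when the value is not a defanged URL at all.
    """
    m = HXXP_RE.match(defanged_url.strip())
    if not m:
        return None
    return unquote(m.group(1)).lower()


def triage(fixlist_text):
    """Classify FRST fixlist lines by the persistence mechanism they describe.

    Returns a list of (kind, name, detail) tuples in log order. Lines that match
    none of the known patterns (directives such as 'start' or 'EmptyTemp:') are
    ignored rather than guessed at.
    """
    findings = []
    for raw in fixlist_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Running process whose publisher field is empty: "() <path>".
        if line.startswith("() "):
            findings.append(("process_no_publisher", line[3:], ""))
            continue

        # AppInit_DLLs / AppInit_DLLs-x32: DLL injected into every user32-loading process.
        m = re.match(r"^(AppInit_DLLs(?:-x32)?): (.+?) => ", line)
        if m:
            findings.append(("appinit_dll", m.group(1), m.group(2).strip()))
            continue

        # Per-user Run value. FRST writes [X] when the referenced file no longer exists.
        m = re.match(r"^HKU\\.*\\Run: \[(.+?)\] => (.+)$", line)
        if m:
            findings.append(("run_key", m.group(1), m.group(2).strip()))
            continue

        # Internet Explorer start/search setting pointing at a defanged URL.
        m = re.match(r"^HKU\\[^,]+,([^=]+?) = (hxxps?://.+)$", line)
        if m:
            findings.append(("browser_setting", m.group(1), decode_host(m.group(2))))
            continue

        # Service line: "R2 Name; <path> [size date] (publisher) [File not signed]".
        m = re.match(r"^[RS]\d (\S+); (.+?) \[\d+ \d{4}-\d{2}-\d{2}\]", line)
        if m and "[File not signed]" in line:
            findings.append(("unsigned_service", m.group(1), m.group(2)))
            continue

        # Scheduled task that FRST itself has flagged with "<==== ATTENTION".
        m = re.match(
            r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(\S+) => (.+?) \[\d{4}-\d{2}-\d{2}\]",
            line,
        )
        if m and line.endswith("<==== ATTENTION"):
            findings.append(("scheduled_task", m.group(1), m.group(2)))
            continue
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_FIXLIST):
        print(f"{kind:22} {name:18} {detail}")
```

Run as-is, it lists nine findings; the two browser entries come out as feed.snapdo.com and feed.sonic-search.com, which is what the encoded Start Page and Search Bar values in the log resolve to. The point of sorting by mechanism is that a cleanup which removes the service but leaves the AppInit_DLLs entry or the scheduled tasks will see the infection come back after a reboot, which is exactly what the original poster reported after Malwarebytes alone.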

#3 Hivolt

Hivolt
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 07 December 2015 - 05:18 AM

Did as instructed, removed MBAM and did a fresh reinstall of it using the link, and it found some PUPs which it removed.

Did another scan with MBAM after the reset and clearing of Chrome and it found no threats, malware or PUPs.

Removed Firefox and am doing a fresh reinstall just in case, and will update IE as advised.

Is it OK to re-download and re-install Yahoo Messenger at this point?

Fix result of Farbar Recovery Scan Tool (x64) Version:05-12-2015
Ran by Vagrant (2015-12-07 17:26:20) Run:1
Running from C:\Users\Vagrant\Desktop
Loaded Profiles: Vagrant (Available Profiles: Vagrant)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
() C:\ProgramData\Vaiafineco\Vaiafineco.exe
() C:\ProgramData\Vaiafineco\Vaiafineco.exe
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\...\Run: [AdobeBridge] => [X]
AppInit_DLLs: C:\ProgramData\Vaiafineco\Physsing.dll => C:\ProgramData\Vaiafineco\Physsing.dll [518656 2015-12-05] ()
AppInit_DLLs-x32: C:\ProgramData\Vaiafineco\Medtip.dll => C:\ProgramData\Vaiafineco\Medtip.dll [320512 2015-12-05] ()
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2PosWRdtoLswH_u7-dB7g3znn-jp46PwCBbsZHG5zZGyf2xu9dLZ-dWscXoMN2n0oJvz8nk9OtO7jFiLuA,,
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTwkzwGbNf0b0WsDmkH2KmgwM7jGtJNNkTn4btHj7DcsxBt6CLoMLKw1Qv6_qEa_n-hyDYA5198gUL--s9naL2Pogt0POxzzaNj4ctwC5Gs4qMq6Zxkx48Vn2qs_lyhGS79bSjdTIsWAnMRBEYLK7I3KR2XwID79Xw2eF3Q,,&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
R2 Vaiafineco; C:\ProgramData\\Vaiafineco\\Vaiafineco.exe [406016 2015-12-05] () [File not signed]
R3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {3DA99E5D-20D2-40A6-B8E5-63C04B497D23} - System32\Tasks\upuste => C:\Windows\system32\config\systemprofile\AppData\Local\Antough [2015-12-03] () <==== ATTENTION
Task: {73E88447-885D-427A-9AC8-A9099E7420CD} - System32\Tasks\xniwtlbf => C:\Program Files\Common Files\e3gp2nee\f85d7avicylz4.exe [2015-10-18] () <==== ATTENTION
Task: {DD9ECB82-7F74-4F78-BE3A-FC5CD92374B6} - System32\Tasks\rlvvaih2 => C:\Program Files\Common Files\ryilrsxg\e4c44fbdeym32.exe [2015-10-18] () <==== ATTENTION
2015-12-05 19:39 - 2015-12-05 16:40 - 00406016 _____ () C:\ProgramData\Vaiafineco\Vaiafineco.exe
2015-12-05 19:39 - 2015-12-05 19:39 - 00320512 _____ () C:\ProgramData\Vaiafineco\Medtip.dll
C:\Windows\system32\config\systemprofile\AppData\Local\Antough
C:\Program Files\Common Files\e3gp2nee
C:\Program Files\Common Files\ryilrsxg
C:\ProgramData\Vaiafineco
C:\ProgramData\\Vaiafineco
2015-12-05 19:38 - 2015-12-05 19:38 - 3797347 _____ () C:\Program Files\Common Files\cu3gqqjw.exe
2015-12-05 15:16 - 2015-12-05 15:16 - 3797354 _____ () C:\Program Files\Common Files\q3wqgk25.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
[5524] C:\ProgramData\Vaiafineco\Vaiafineco.exe => process closed successfully.
[5524] C:\ProgramData\Vaiafineco\Vaiafineco.exe => process closed successfully.
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"C:\ProgramData\Vaiafineco\Physsing.dll" => Value data not found.
"C:\ProgramData\Vaiafineco\Medtip.dll" => Value data not found.
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-3441441459-1719453584-1741147209-1000\Software\Microsoft\Internet Explorer\Main\\SearchAssistant => value removed successfully
C:\Users\Vagrant\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
Vaiafineco => service not found.
MBAMSwissArmy => Service stopped successfully.
MBAMSwissArmy => service removed successfully
VGPU => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3DA99E5D-20D2-40A6-B8E5-63C04B497D23}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3DA99E5D-20D2-40A6-B8E5-63C04B497D23}" => key removed successfully
C:\Windows\System32\Tasks\upuste => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\upuste" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73E88447-885D-427A-9AC8-A9099E7420CD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73E88447-885D-427A-9AC8-A9099E7420CD}" => key removed successfully
C:\Windows\System32\Tasks\xniwtlbf => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\xniwtlbf" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD9ECB82-7F74-4F78-BE3A-FC5CD92374B6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD9ECB82-7F74-4F78-BE3A-FC5CD92374B6}" => key removed successfully
C:\Windows\System32\Tasks\rlvvaih2 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rlvvaih2" => key removed successfully
C:\ProgramData\Vaiafineco\Vaiafineco.exe => moved successfully
"C:\ProgramData\Vaiafineco\Medtip.dll" => not found.
C:\Windows\system32\config\systemprofile\AppData\Local\Antough => moved successfully
C:\Program Files\Common Files\e3gp2nee => moved successfully
C:\Program Files\Common Files\ryilrsxg => moved successfully
C:\ProgramData\Vaiafineco => moved successfully
"C:\ProgramData\\Vaiafineco" => not found.
C:\Program Files\Common Files\cu3gqqjw.exe => moved successfully
C:\Program Files\Common Files\q3wqgk25.exe => moved successfully
EmptyTemp: => 40.6 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 17:28:02 ====
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 12/7/2015
Scan Time: 5:38 PM
Logfile: MBAM Log 2015-12-07.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.12.07.01
Rootkit Database: v2015.11.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Vagrant
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332741
Time Elapsed: 11 min, 41 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 1
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam, , [f14cbce6f596d95d76f249551fe3b44c], 
 
Files: 4
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\InstallationConfiguration.xml, , [f14cbce6f596d95d76f249551fe3b44c], 
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\uninstall.dat, , [f14cbce6f596d95d76f249551fe3b44c], 
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\uninstall.exe, , [f14cbce6f596d95d76f249551fe3b44c], 
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\uninstall.ico, , [f14cbce6f596d95d76f249551fe3b44c], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:27 PM

Posted 07 December 2015 - 09:32 AM

Yes, it is your option.
Keep in mind that Yahoo! Messenger (sometimes abbreviated YM) is an advertisement-supported instant messaging client.

https://en.wikipedia.org/wiki/Yahoo!_Messenger


---

If not already done, please run MBAM and clean these items.

Folders: 1
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam, , [f14cbce6f596d95d76f249551fe3b44c],

Files: 4
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\InstallationConfiguration.xml, , [f14cbce6f596d95d76f249551fe3b44c],
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\uninstall.dat, , [f14cbce6f596d95d76f249551fe3b44c],
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\uninstall.exe, , [f14cbce6f596d95d76f249551fe3b44c],
PUP.Optional.Linkury, C:\Program Files (x86)\Common Files\Zaam-Lam\uninstall.ico, , [f14cbce6f596d95d76f249551fe3b44c],


===

How is the computer running now?

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:27 PM

Posted 12 December 2015 - 08:41 AM

Are you still with me?

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:27 PM

Posted 18 December 2015 - 11:14 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



