Challenge for U! Pups/malware/adware/certificate trust errors


  • This topic is locked
3 replies to this topic

#1 AstealthyOne
  • Members
  • 1 posts

Posted 22 December 2015 - 07:36 PM

My browsers are hosed. It seems that my daughter may have downloaded some malware to her computer. When using the browser, there are all kinds of ads from *.ru websites, the browser opens up new windows, it opens by itself when the browser is closed, and when trying to access Google, YouTube or Gmail, there is a security error that says "Google uses an invalid security certificate." When clicking on links it will often take you to a different link or a different download. Sorry for the vague description, but I do not know what this is. I assume it is malware. I ran SpyBot, Malwarebytes, Avast. Below is the FRST result. I also attached the Addition. I can post results from those scans as well as DDS, HijackThis, and OTL if needed. Hope you guys can help.


Stealthy (or not so much now, ugh!)


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-12-2015
Ran by Student (administrator) on WINDOWS-GTUTOGA (22-12-2015 19:22:57)
Running from C:\Users\Student\Downloads
Loaded Profiles: Student (Available Profiles: Student & Cathy)
Platform: Windows 7 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Faronics Corporation) C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe
(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(SMSC) C:\Program Files\SGFX\sgfxmgr.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
() C:\Program Files (x86)\filter\2\CppWindowsService.exe
() C:\Windows\SysWOW64\srvany.exe
() C:\Windows\HEU_KMS_Service.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Stoneware Inc.) C:\Program Files (x86)\LanSchool\LskHelper.exe
(Stoneware Inc.) C:\Program Files (x86)\LanSchool\student.exe
(Raxco Software, Inc.) C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(SafeDNS) C:\Program Files (x86)\SafeDNS Agent\dns-service.exe
(Faronics Corporation) C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Stoneware Inc.) C:\Program Files (x86)\LanSchool\student.exe
(Stoneware Inc.) C:\Program Files (x86)\LanSchool\lskHlpr64.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
() C:\Program Files (x86)\filter\2\PFHttpContentFilter.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(SonicWALL, Inc.) C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
(Raxco Software, Inc.) C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Raxco Software, Inc.) C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
(IVT Corporation) C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [184112 2012-05-31] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2885904 2012-02-24] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-08-13] (Apple Inc.)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [449168 2012-03-26] (CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [883352 2015-12-14] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-22] (AVAST Software)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3221618759-4272670589-4272156714-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-11-04] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-11-04] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-11-04] (Google)
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-12-22] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX32.dll [2014-05-01] ()
BootExecute: autocheck autochk /k:C * sdnclean64.exe
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{64DFF8B7-9774-4290-AC71-E7E844CB67AE}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{94E8B686-2129-496F-9291-41172692F39D}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-3221618759-4272670589-4272156714-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ewrotor.ru/?utm_content=d54606dbae5a2fe00f4f6fab656afd00&utm_source=startpm&utm_term=413A89EB8CE422CA2F932561AC61BB54
SearchScopes: HKU\S-1-5-21-3221618759-4272670589-4272156714-1000 -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={SearchTerms}&product_id=%7BFDA41585-4215-48A8-A718-79B7AA0B498E%7D&gp=801502
SearchScopes: HKU\S-1-5-21-3221618759-4272670589-4272156714-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={SearchTerms}&product_id=%7BFDA41585-4215-48A8-A718-79B7AA0B498E%7D&gp=801502
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-13] (Advanced Micro Devices)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-06-12] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-12-22] (AVAST Software)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: onelogin_ie -> {DC498566-E7AC-46D4-A1B3-6891BBF7346D} -> C:\Program Files (x86)\OneLogin IE Addon\adxloader64.dll [2013-07-17] ()
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-13] (Advanced Micro Devices)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2011-06-12] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-12-15] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-22] (AVAST Software)
BHO-x32: Ïîèñê@Mail.Ru -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\Student\AppData\Local\Mail.Ru\Sputnik\IESearchPlugin.dll [2015-12-22] (Mail.Ru)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-15] (Oracle Corporation)
BHO-x32: onelogin_ie -> {DC498566-E7AC-46D4-A1B3-6891BBF7346D} -> C:\Program Files (x86)\OneLogin IE Addon\adxloader.dll [2013-07-17] ()
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)

FireFox:
========
FF ProfilePath: C:\Users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\w4op3ff3.default-1445640480227
FF DefaultSearchEngine.US: Google
FF Homepage: google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-09] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-09] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll [2012-08-08] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-07-30] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2012-09-10] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-15] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\w4op3ff3.default-1445640480227\searchplugins\mailru.xml [2015-12-22]
FF Extension: Video DownloadHelper - C:\Users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\w4op3ff3.default-1445640480227\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-10-30]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-10-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-22]

Chrome:
=======
CHR HomePage: Default -> mail.ru/cnt/11956636?gp=801002
CHR StartupUrls: Default -> "hxxp://ewrotor.ru/?utm_content=d54606dbae5a2fe00f4f6fab656afd00&utm_source=startpm&utm_term=413A89EB8CE422CA2F932561AC61BB54"
CHR DefaultSearchURL: Default -> hxxp://go.mail.ru/distib/ep/?q={searchTerms}&product_id=%7B0279FFD8-F814-48AA-9F51-314DED361307%7D&gp=801502
CHR DefaultSearchKeyword: Default -> go.mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/ff3?q={searchTerms}
CHR Profile: C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-03]
CHR Extension: (Google Docs) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03]
CHR Extension: (Google Drive) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-24]
CHR Extension: (YouTube) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-06]
CHR Extension: (Google Cast) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2015-12-12]
CHR Extension: (Google Search) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Mail.Ru) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\eioddfaepdoeifbhjphfefgipcjcdieo [2015-12-22]
CHR Extension: (Поделиться ВКонтакте) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcimjkehglmijlhnpbmjbpoiamjiegod [2015-12-22]
CHR Extension: (Google Sheets) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-03]
CHR Extension: (Google Docs Offline) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-23]
CHR Extension: (Avast Online Security) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-12-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-30]
CHR Extension: (Gmail) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-08]
CHR Extension: (Домашняя страница Mail.Ru) - C:\Users\Student\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppoilmfkbpckodoifdlkmkepcajfjmhl [2015-12-22]
CHR HKLM-x32\...\Chrome\Extension: [eioddfaepdoeifbhjphfefgipcjcdieo] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-22]
CHR HKLM-x32\...\Chrome\Extension: [iflppbjnpneiigcbdfjpnkebidmkjmoi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-10-12]
CHR HKLM-x32\...\Chrome\Extension: [ppoilmfkbpckodoifdlkmkepcajfjmhl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-02-14] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-05-29] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-22] (AVAST Software)
R2 BlueSoleilCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1630456 2013-06-07] (IVT Corporation)
R3 BsHelpCS; C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe [145656 2013-05-14] (IVT Corporation)
S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [432792 2015-12-14] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [412312 2015-12-14] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [854680 2015-12-14] (BlueStack Systems, Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2015-10-12] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2015-10-12] (Microsoft Corporation)
R2 CppWindowsService; C:\Program Files (x86)\filter\2\CppWindowsService.exe [22016 2015-10-10] () [File not signed]
R2 DFServ; C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe [1089408 2013-08-08] (Faronics Corporation) [File not signed]
R2 HEU_KMS_Service; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]
R2 LanSchoolHelper; C:\Program Files (x86)\LanSchool\LskHelper.exe [402008 2013-07-25] (Stoneware Inc.)
R2 LanSchoolStudent; C:\Program Files (x86)\LanSchool\student.exe [2823256 2013-07-25] (Stoneware Inc.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-12-23] ()
R2 SafeDNS Agent; C:\Program Files (x86)\SafeDNS Agent\dns-service.exe [695320 2013-07-24] (SafeDNS)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SGFXMgr; C:\Program Files\SGFX\sgfxmgr.exe [8481280 2013-05-01] (SMSC) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZcfgSvc7; C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe [992256 2010-12-23] (Intel® Corporation) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2012-01-03] (Advanced Micro Devices)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-12-22] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-12-22] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-12-22] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-12-22] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1055560 2015-12-22] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [451040 2015-12-22] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [155304 2015-12-22] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-12-22] (AVAST Software)
U5 BlueletAudio; C:\Windows\System32\Drivers\BlueletAudio.sys [33968 2012-12-19] (IVT Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [146016 2015-12-14] (BlueStack Systems)
R3 BtAudioBusSrv; C:\Windows\System32\Drivers\BtAudioBus.sys [23136 2012-06-15] (IVT Corporation)
S3 BthL2caScoIfSrv; C:\Windows\System32\Drivers\BtL2caScoIf.sys [54064 2013-04-26] (Ralink Corporation)
S3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [111104 2012-05-21] (Motorola Solutions, Inc.)
S3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [849408 2012-06-09] (Motorola Solutions, Inc.)
S3 btmlehid; C:\Windows\system32\drivers\btmlehid.sys [66560 2012-06-21] (Motorola Solutions, Inc.)
S3 btUrbFilterDrv; C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [49584 2013-03-25] (Ralink Corporation)
R0 DeepFrz; C:\Windows\System32\Drivers\DeepFrz.sys [217232 2013-03-01] (Faronics Corporation)
R0 DfDiskLow; C:\Windows\System32\Drivers\DfDiskLow.sys [39184 2013-03-01] (Faronics Corporation)
R1 DFFilter; C:\Windows\System32\Drivers\DFFilter.sys [42768 2013-03-01] (Faronics Corporation)
R1 DNE; C:\Windows\System32\DRIVERS\dnelwf64.sys [132184 2011-08-03] (Citrix Systems, Inc.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 FarDisk; C:\Windows\System32\Drivers\FarDisk.sys [31504 2013-03-01] (Faronics Corporation)
R0 FarSpace; C:\Windows\System32\Drivers\FarSpace.sys [116880 2013-03-01] (Faronics Corporation)
S3 IntcDAud; C:\Windows\System32\DRIVERS\IntcDAud.sys [317440 2010-10-15] (Intel® Corporation) [File not signed]
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R1 netfilter2; C:\Windows\System32\drivers\netfilter2.sys [56296 2015-09-30] (Windows ® Win 7 DDK provider)
R1 netfilter2; C:\Windows\SysWOW64\drivers\netfilter2.sys [56296 2015-09-30] (Windows ® Win 7 DDK provider)
S3 rtbth; C:\Windows\System32\DRIVERS\rtbth.sys [1162952 2013-07-13] (Ralink Technology, Corp.)
R4 sgfxk; C:\Windows\System32\drivers\sgfxk64.sys [157432 2013-05-02] (SMSC)
R0 sgfxl; C:\Windows\System32\drivers\sgfxl64.sys [18168 2013-05-02] (SMSC)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver.sys [21264 2012-02-24] (Synaptics Incorporated)
S3 SmbDrvAMDASF; C:\Windows\system32\drivers\Smb_driver_AMDASF.sys [26424 2012-06-20] (Synaptics Incorporated)
R3 SmbDrvIntel; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [27448 2012-06-20] (Synaptics Incorporated)
S3 5U877; system32\DRIVERS\5U877.sys [X]
U5 BlueletAudio; C:\Windows\SysWOW64\Drivers\BlueletAudio.sys [33968 2012-12-19] (IVT Corporation)
S3 RSP2STOR; system32\DRIVERS\RtsP2Stor.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-22 19:22 - 2015-12-22 19:23 - 00027464 _____ C:\Users\Student\Downloads\FRST.txt
2015-12-22 19:22 - 2015-12-22 19:22 - 02370560 _____ (Farbar) C:\Users\Student\Downloads\FRST64.exe
2015-12-22 19:22 - 2015-12-22 19:22 - 00000000 ____D C:\FRST
2015-12-22 18:12 - 2015-12-22 18:12 - 00000000 ____D C:\Users\Student\Documents\ProcAlyzer Dumps
2015-12-22 17:47 - 2015-12-22 17:47 - 00009680 _____ C:\Users\Student\Desktop\attach.txt
2015-12-22 17:47 - 2015-12-22 17:46 - 00022987 _____ C:\Users\Student\Desktop\dds.txt
2015-12-22 17:38 - 2015-12-22 17:40 - 00688992 ____R (Swearware) C:\Users\Student\Downloads\dds.scr
2015-12-22 17:18 - 2015-12-22 17:18 - 00001892 _____ C:\Users\Student\Desktop\mbam.txt
2015-12-22 17:17 - 2015-12-22 17:17 - 00076032 _____ C:\Users\Student\Desktop\Extras.Txt
2015-12-22 16:42 - 2015-12-22 16:42 - 00141064 _____ C:\Users\Student\Desktop\OTL.Txt
2015-12-22 16:40 - 2015-12-22 16:40 - 00076032 _____ C:\Users\Student\Downloads\Extras.Txt
2015-12-22 16:39 - 2015-12-22 16:39 - 00141064 _____ C:\Users\Student\Downloads\OTL.Txt
2015-12-22 16:32 - 2015-12-22 16:32 - 00001122 _____ C:\Users\Student\Desktop\checkup.txt
2015-12-22 16:19 - 2015-12-22 16:19 - 00852720 _____ C:\Users\Student\Downloads\SecurityCheck (2).exe
2015-12-22 16:18 - 2015-12-22 16:18 - 00852720 _____ C:\Users\Student\Downloads\SecurityCheck (1).exe
2015-12-22 16:17 - 2015-12-22 16:18 - 00852720 _____ C:\Users\Student\Downloads\SecurityCheck.exe
2015-12-22 15:51 - 2015-12-22 15:52 - 00448512 _____ (OldTimer Tools) C:\Users\Student\Downloads\TFC.exe
2015-12-22 15:34 - 2015-12-22 15:35 - 00602112 _____ (OldTimer Tools) C:\Users\Student\Downloads\OTL (2).exe
2015-12-22 15:34 - 2015-12-22 15:35 - 00602112 _____ (OldTimer Tools) C:\Users\Student\Downloads\OTL (1).exe
2015-12-22 15:32 - 2015-12-22 15:34 - 00602112 _____ (OldTimer Tools) C:\Users\Student\Downloads\OTL.exe
2015-12-22 14:14 - 2015-12-22 14:15 - 00388608 _____ (Trend Micro Inc.) C:\Users\Student\Downloads\HijackThis.exe
2015-12-22 14:02 - 2015-12-22 14:02 - 00000073 _____ C:\Users\Student\Desktop\sevice.cmd
2015-12-22 12:57 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2015-12-22 12:55 - 2015-12-22 13:48 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-12-22 12:55 - 2015-12-22 12:59 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-12-22 12:55 - 2015-12-22 12:55 - 00001402 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-12-22 12:55 - 2015-12-22 12:55 - 00001390 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-12-22 12:55 - 2015-12-22 12:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-12-22 12:55 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-12-22 12:50 - 2015-12-22 12:52 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Student\Downloads\spybot-2.4.exe
2015-12-22 12:38 - 2015-12-22 12:36 - 00386096 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-12-22 12:37 - 2015-12-22 12:37 - 00000000 ____D C:\Users\Student\AppData\Roaming\AVAST Software
2015-12-22 12:36 - 2015-12-22 12:57 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-22 12:36 - 2015-12-22 12:38 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-12-22 12:36 - 2015-12-22 12:36 - 01055560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00451040 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00273784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00155304 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00097648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00093528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00065224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-12-22 12:36 - 2015-12-22 12:36 - 00028656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2015-12-22 12:36 - 2015-12-22 12:36 - 00001929 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-12-22 12:36 - 2015-12-22 12:36 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2015-12-22 12:36 - 2015-12-22 12:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-12-22 12:34 - 2015-12-22 12:34 - 00000000 ____D C:\Program Files\AVAST Software
2015-12-22 11:50 - 2015-12-22 12:34 - 00000000 ____D C:\ProgramData\AVAST Software
2015-12-22 11:50 - 2015-12-22 11:50 - 05066096 _____ (AVAST Software) C:\Users\Student\Downloads\avast_free_antivirus_setup_online.exe
2015-12-22 11:50 - 2015-12-22 11:50 - 05066096 _____ (AVAST Software) C:\Users\Public\Desktop\avast_free_antivirus_setup_online.exe
2015-12-22 11:46 - 2015-12-22 11:46 - 00001170 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-12-22 11:46 - 2015-12-22 11:46 - 00001158 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-22 11:46 - 2015-12-22 11:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-12-22 11:42 - 2015-12-22 11:43 - 45702448 _____ C:\Users\Student\Downloads\Firefox Setup 43.0.1.exe
2015-12-22 11:37 - 2015-12-22 17:17 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-22 11:35 - 2015-12-22 11:35 - 00249416 _____ C:\Users\Student\Downloads\Firefox Setup Stub 43.0.1.exe
2015-12-22 11:35 - 2015-12-22 11:35 - 00249416 _____ C:\Users\Student\Downloads\Firefox Setup Stub 43.0.1 (1).exe
2015-12-22 11:17 - 2015-12-22 11:17 - 00000000 ____D C:\Users\Student\AppData\Local\Вконтактe
2015-12-22 11:15 - 2015-12-22 17:45 - 00000000 ____D C:\netfilter2
2015-12-22 11:14 - 2015-12-22 11:14 - 00000000 ____D C:\Users\Student\AppData\Roaming\MailProducts
2015-12-22 11:14 - 2015-12-22 11:14 - 00000000 ____D C:\Users\Student\AppData\Local\Вoйти в Интeрнет
2015-12-22 11:14 - 2015-12-22 11:14 - 00000000 ____D C:\Program Files (x86)\filter
2015-12-22 11:14 - 2015-09-30 09:38 - 00056296 _____ (Windows ® Win 7 DDK provider) C:\Windows\SysWOW64\Drivers\netfilter2.sys
2015-12-22 11:14 - 2015-09-30 09:38 - 00056296 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\netfilter2.sys
2015-12-22 11:09 - 2015-12-22 11:09 - 00070113 _____ C:\Users\Student\Downloads\PTHC Videos - Collection 01 - Pastebin.htm
2015-12-22 11:09 - 2015-12-22 11:09 - 00000000 ____D C:\Users\Student\Downloads\PTHC Videos - Collection 01 - Pastebin_files
2015-12-22 11:08 - 2015-12-22 11:11 - 00000000 ____D C:\Users\Student\AppData\Roaming\Calculator
2015-12-22 11:06 - 2015-12-22 11:06 - 00001244 _____ C:\Users\Student\Desktop\Поиcк в Интeрнете.lnk
2015-12-22 11:06 - 2015-12-22 11:06 - 00000000 ____D C:\Users\Student\AppData\Local\Поиcк в Интeрнете
2015-12-22 11:05 - 2015-12-22 12:19 - 00000000 ____D C:\Users\Student\AppData\Local\SystemDir
2015-12-22 11:04 - 2015-12-22 11:04 - 00000178 _____ C:\Users\Student\Desktop\Искать в Интернете.url
2015-12-22 11:04 - 2015-12-22 11:04 - 00000000 ____D C:\Users\Student\AppData\Local\Mail.Ru
2015-12-22 11:04 - 2015-12-22 11:04 - 00000000 ____D C:\ProgramData\Mail.Ru
2015-12-22 10:53 - 2015-12-22 10:53 - 00056729 _____ C:\Users\Student\Downloads\Collection 01 - Pastebin.com
2015-12-22 07:31 - 2015-12-22 07:31 - 13897440 _____ C:\Users\Student\Downloads\HSS-5.0.4-install-plain-773-plain.exe
2015-12-21 17:07 - 2015-12-21 17:07 - 00100547 _____ C:\Users\Student\Documents\IMG_20151221_0003.pdf
2015-12-21 17:06 - 2015-12-21 17:07 - 00100804 _____ C:\Users\Student\Documents\IMG_20151221_0002.pdf
2015-12-21 16:47 - 2015-12-21 16:47 - 00147072 _____ C:\Users\Student\Documents\State Cert L-S prob.pdf
2015-12-21 16:46 - 2015-12-21 16:46 - 00137150 _____ C:\Users\Student\Documents\IMG_20151221_0001.pdf
2015-12-16 21:59 - 2015-12-16 22:00 - 20057853 _____ C:\Users\Student\Desktop\Tell Me Why.mp4
2015-12-16 21:49 - 2015-12-16 21:49 - 06667399 _____ C:\Users\Student\Desktop\Proud Of You.mp4
2015-12-16 21:45 - 2015-12-16 21:47 - 46844329 _____ C:\Users\Student\Desktop\Can You Feel the Love Tonight.mp4
2015-12-16 21:44 - 2015-12-16 21:48 - 67447858 _____ C:\Users\Student\Desktop\You Raise Me Up.mp4
2015-12-16 21:42 - 2015-12-16 21:43 - 13532278 _____ C:\Users\Student\Desktop\From a Distance.mp4
2015-12-16 08:37 - 2015-12-16 08:37 - 00000000 ____D C:\Users\Cathy\AppData\LocalLow\Adobe
2015-12-16 08:37 - 2015-12-16 08:37 - 00000000 ____D C:\Users\Cathy\AppData\Local\CEF
2015-12-16 08:37 - 2015-12-16 08:37 - 00000000 ____D C:\Users\Cathy\AppData\Local\Adobe
2015-12-15 23:51 - 2015-12-15 23:51 - 00000000 ____D C:\Users\Student\.android
2015-12-15 23:47 - 2015-12-15 23:47 - 00001708 _____ C:\Users\Student\AppData\Roaming\Microsoft\Windows\Start Menu\BlueStacks.lnk
2015-12-15 23:47 - 2015-12-15 23:47 - 00001684 _____ C:\Users\Public\Desktop\BlueStacks.lnk
2015-12-15 23:47 - 2015-12-15 23:47 - 00000000 ____D C:\ProgramData\BlueStacksGameManager
2015-12-15 23:42 - 2015-12-15 23:45 - 00000000 ____D C:\Program Files (x86)\BlueStacks
2015-12-15 23:42 - 2015-12-15 23:44 - 00000000 ____D C:\ProgramData\BlueStacks
2015-12-15 23:37 - 2015-12-22 16:08 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2015-12-15 23:37 - 2015-12-15 23:37 - 00000000 ____D C:\Users\Student\AppData\Local\Bluestacks
2015-12-15 23:21 - 2015-12-15 23:31 - 308353568 _____ (BlueStack Systems Inc.) C:\Users\Student\Downloads\BlueStacks2_native.exe
2015-12-15 23:00 - 2015-12-22 11:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Andy
2015-12-15 23:00 - 2015-12-15 23:00 - 00740775 _____ C:\ProgramData\AndyDrivers.zip
2015-12-15 23:00 - 2015-12-15 23:00 - 00001678 _____ C:\Users\Public\Desktop\WhatsApp.lnk
2015-12-15 23:00 - 2014-11-21 11:57 - 00916024 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxDrv.sys
2015-12-15 23:00 - 2014-11-21 11:55 - 00128080 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2015-12-15 22:38 - 2015-12-15 22:38 - 00561056 _____ (andyroid.net) C:\Users\Student\Downloads\WhatsApp_AndyOS.exe
2015-12-15 22:25 - 2012-09-10 14:37 - 00821736 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2015-12-15 22:25 - 2012-09-10 14:37 - 00746984 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2015-12-15 21:10 - 2015-12-15 21:10 - 00002049 _____ C:\Users\Public\Desktop\Google Slides.lnk
2015-12-15 21:10 - 2015-12-15 21:10 - 00002047 _____ C:\Users\Public\Desktop\Google Sheets.lnk
2015-12-15 21:10 - 2015-12-15 21:10 - 00002037 _____ C:\Users\Public\Desktop\Google Docs.lnk
2015-12-15 21:10 - 2015-12-15 21:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-12-15 21:08 - 2015-12-15 21:08 - 00927824 _____ (Google Inc.) C:\Users\Student\Downloads\googledrivesync.exe
2015-12-10 17:59 - 2015-12-10 17:59 - 00000212 _____ C:\Users\Student\Downloads\rt=ifr
2015-12-10 08:42 - 2015-12-10 08:42 - 00088792 _____ C:\Windows\ntbtlog.txt
2015-12-09 22:28 - 2015-12-09 23:16 - 330632491 _____ C:\Users\Student\Documents\videoplayback.htm
2015-12-09 14:26 - 2015-12-09 14:26 - 03281420 _____ C:\Users\Student\Documents\Annuity-Insights.pdf
2015-12-09 11:03 - 2015-12-09 11:34 - 00132889 _____ C:\Users\Student\Documents\Lydia Reference.pdf
2015-12-09 10:50 - 2015-12-09 10:50 - 06874706 _____ C:\Users\Student\Documents\Communication & Marketing 8.2015 Presentation & Assessment Link.pptx
2015-12-09 10:48 - 2015-12-09 10:48 - 00323361 _____ C:\Users\Student\Documents\EdPlus LOW INK Letterhead BLUE.doc - Google Docs.htm
2015-12-09 10:43 - 2015-12-09 10:43 - 01294995 _____ C:\Users\Student\Documents\Header-Footer.zip
2015-12-09 10:40 - 2015-12-09 10:40 - 00363301 _____ C:\Users\Student\Documents\Communication & Marketing 8.2015 Presentation & Assessment Link - Google Slides.htm
2015-12-06 22:57 - 2015-12-06 22:57 - 00149396 _____ C:\Users\Student\Documents\Arrest and Conviction 2015.pdf
2015-12-06 22:55 - 2015-12-06 22:55 - 00439182 _____ C:\Users\Student\Documents\Act 168 Form.pdf
2015-12-06 22:53 - 2015-12-06 22:53 - 00142639 _____ C:\Users\Student\Documents\IMG_20151206_0002.pdf
2015-12-06 22:52 - 2015-12-06 22:52 - 00395795 _____ C:\Users\Student\Documents\IMG_20151206_0001.pdf
2015-12-06 22:35 - 2015-12-06 22:35 - 00450025 _____ C:\Users\Student\Downloads\childabuseclearancechildline10-2015.PDF
2015-12-06 22:35 - 2015-12-06 22:35 - 00103324 _____ C:\Users\Student\Downloads\Epatch PA State Police Criminal Record Check 10-15.pdf
2015-12-01 15:35 - 2015-12-01 15:37 - 00386497 _____ C:\Users\Student\Documents\Assistance 2015.pdf
2015-12-01 15:32 - 2015-12-01 15:51 - 00000000 ___HD C:\ProgramData\CanonIJMIG
2015-12-01 15:31 - 2015-12-01 15:31 - 00002084 _____ C:\Users\Public\Desktop\Canon My Image Garden.lnk
2015-12-01 15:17 - 2015-12-01 15:24 - 307428904 _____ C:\Users\Student\Downloads\mig_-win-3_3_0-ea31_2.exe
2015-12-01 15:11 - 2012-04-16 05:00 - 00392192 _____ (CANON INC.) C:\Windows\system32\CNMXLMBB.DLL
2015-12-01 15:10 - 2015-12-01 15:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG5400 series
2015-12-01 15:04 - 2015-12-01 15:05 - 19648072 _____ C:\Users\Student\Downloads\mp68-win-mg5400-1_01-ejs.exe
2015-12-01 15:03 - 2015-12-01 15:03 - 16137808 _____ C:\Users\Student\Downloads\xp68-win-mg5400-5_60a-ejs.exe
2015-12-01 14:42 - 2015-12-01 14:43 - 48639568 _____ C:\Users\Student\Downloads\mpnx_2_0-win-2_05-ea23_2.exe
2015-12-01 14:39 - 2015-12-01 14:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MP540 series
2015-12-01 14:36 - 2008-10-09 05:00 - 00279040 _____ (CANON INC.) C:\Windows\system32\CNMLM9E.DLL
2015-12-01 14:35 - 2015-12-01 14:35 - 26502544 _____ C:\Users\Student\Downloads\md64-win-mp540-1_04-ea24.exe
2015-12-01 14:30 - 2015-12-01 14:32 - 48639568 _____ C:\Users\Student\Downloads\mp navigator x_2_0-win-2_05-ea23_2.exe
2015-11-30 23:10 - 2015-11-30 23:11 - 00074069 _____ C:\Users\Student\Downloads\Microsoft Volume Licensing – Windows 10.htm
2015-11-30 23:10 - 2015-11-30 23:10 - 00000000 ____D C:\Users\Student\Downloads\Microsoft Volume Licensing – Windows 10_files
2015-11-28 17:37 - 2015-11-28 17:37 - 00193285 _____ C:\Users\Student\Documents\LenhartCoverLetter2015.pdf
2015-11-28 16:29 - 2015-11-28 16:29 - 01480899 _____ C:\Users\Student\Documents\PVAAS Misconceptions Booklet.pdf
2015-11-28 16:28 - 2015-11-28 16:28 - 03402240 _____ C:\Users\Student\Documents\Value AddedAssessmentandaGrowthstandard.ppt
2015-11-27 12:43 - 2015-11-27 12:43 - 00029988 _____ C:\Users\Student\Downloads\neededdocsforyunemployment.pdf
2015-11-27 12:41 - 2015-11-27 12:41 - 00076647 _____ C:\Users\Student\Downloads\unemploymentcompassapplication.pdf
2015-11-27 10:58 - 2015-11-27 10:58 - 01346301 _____ C:\Users\Student\Downloads\6011.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-22 19:22 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-22 19:05 - 2015-01-07 14:49 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-22 18:24 - 2012-08-30 09:26 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-22 16:16 - 2009-07-13 23:45 - 00030480 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-22 16:16 - 2009-07-13 23:45 - 00030480 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-22 16:10 - 2009-07-14 00:13 - 00786486 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-22 16:10 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2015-12-22 16:08 - 2013-07-10 12:21 - 00000000 ____D C:\Program Files (x86)\LanSchool
2015-12-22 16:04 - 2015-01-07 14:50 - 00003490 _____ C:\Windows\System32\Tasks\AutoKMS
2015-12-22 16:04 - 2015-01-07 14:49 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-22 16:03 - 2013-09-13 17:20 - 00001017 _____ C:\Windows\SysWOW64\bscs.ini
2015-12-22 16:03 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-22 12:22 - 2013-07-10 12:21 - 00000000 ____D C:\LanSchool Files
2015-12-22 11:46 - 2015-11-07 18:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-22 11:08 - 2013-07-25 11:47 - 00000444 __RSH C:\Users\Student\ntuser.pol
2015-12-22 11:08 - 2012-08-30 08:20 - 00000000 ____D C:\Users\Student
2015-12-22 11:04 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2015-12-22 10:17 - 2015-05-01 18:00 - 00000000 ____D C:\Users\Student\Documents\New folder
2015-12-21 22:36 - 2015-05-03 15:11 - 00000000 ____D C:\Program Files\Syscom
2015-12-21 12:11 - 2015-04-30 07:21 - 00000000 ____D C:\Users\Student\AppData\Roaming\vlc
2015-12-16 08:41 - 2015-06-28 18:27 - 00000000 ____D C:\Users\Cathy\AppData\Roaming\Adobe
2015-12-16 02:10 - 2015-06-28 18:27 - 00000000 ____D C:\Users\Cathy\AppData\Local\Google
2015-12-15 23:45 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Libraries
2015-12-15 22:25 - 2015-10-31 18:29 - 00000000 ____D C:\ProgramData\Oracle
2015-12-15 22:25 - 2012-09-10 14:37 - 00000000 ____D C:\Program Files (x86)\Java
2015-12-15 22:23 - 2015-10-31 18:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-12-15 22:19 - 2015-10-31 18:30 - 00000000 ____D C:\Users\Student\.oracle_jre_usage
2015-12-15 22:19 - 2012-09-10 14:37 - 00278624 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2015-12-15 22:19 - 2012-09-10 14:37 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-12-15 21:10 - 2015-01-07 14:48 - 00000000 ____D C:\Users\Student\AppData\Local\Google
2015-12-15 21:10 - 2015-01-07 14:48 - 00000000 ____D C:\Program Files (x86)\Google
2015-12-09 12:24 - 2012-08-30 09:26 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-09 12:24 - 2012-08-30 09:26 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-09 12:24 - 2012-08-30 09:26 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-06 22:27 - 2015-05-03 08:53 - 00182784 ___SH C:\Users\Student\Documents\Thumbs.db
2015-12-03 21:00 - 2015-01-07 14:49 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-03 21:00 - 2015-01-07 14:49 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-12-02 13:18 - 2010-11-20 22:27 - 00301728 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-12-01 15:32 - 2015-06-14 08:58 - 00000000 ____D C:\Users\Student\AppData\Roaming\Canon
2015-12-01 15:26 - 2015-06-14 08:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
2015-12-01 15:25 - 2015-06-14 08:56 - 00000000 ____D C:\Program Files (x86)\Canon
2015-12-01 15:10 - 2015-06-14 08:56 - 00002020 _____ C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
2015-12-01 15:10 - 2009-07-13 22:20 - 00000000 __RSD C:\Windows\Media
2015-12-01 14:37 - 2015-06-14 08:55 - 00000000 ___HD C:\Windows\system32\CanonIJ Uninstaller Information
2015-11-28 17:39 - 2015-08-09 15:57 - 00278549 _____ C:\Users\Student\Documents\GS Lenhart CV - 082015.pdf
2015-11-26 22:03 - 2015-06-06 15:32 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk

==================== Files in the root of some directories =======

2015-12-15 23:00 - 2015-12-15 23:00 - 0740775 _____ () C:\ProgramData\AndyDrivers.zip

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-12-20 08:26

==================== End of FRST.txt ============================

#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:31 PM

Posted 23 December 2015 - 07:42 PM

Hello AstealthyOne,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

1.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

2.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

Things to include in your next reply:

  • AdwCleaner log
  • Emsisoft log
  • How is your machine running now?


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it

Posted 28 December 2015 - 09:24 AM

Hello.

Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#4 fireman4it

Posted 01 January 2016 - 01:24 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
