
“Sushi leads” related Infected.


  • This topic is locked
23 replies to this topic

#1 Whipsaw

  • Members
  • 11 posts

Posted 30 December 2015 - 03:09 PM

Made the mistake of downloading a RAR file that contained what I thought was a cookbook.

Thought something was fishy when a .txt doc said to enter a code to access the book file.

 

When I entered the code a program started that appeared to download some other files, I tried to stop the process but was too late.

 

Found something called “Sushi leads” in the control panel programs menu. When first trying to delete it, another menu opened that read at the top “are you human” prompting another password to open it.

 

This was deleted in safe mode.

 

Tried running several anti-malware/antivirus programs but to no avail. The one called ADW Cleaner locks up and won’t run properly because of other malignant programs. The computer's CPU is revving at a high rate, and begins to bog down after being on for 20 minutes or so.

 

Running Windows 7 home premium.

 

Regards.




 


#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,672 posts

Posted 30 December 2015 - 03:23 PM

Hi Whipsaw :)

My name is Aura and I'll be assisting you with your issue. To get started, I'll ask you to follow the instructions in the Preparation Guide and post the logs as asked. If FRST doesn't want to run under a normal boot, you can run it in Safe Mode (with Networking preferably).

Therefore, in your next post I should see:
  • Copy/pasted FRST.txt log content;
  • Copy/pasted Addition.txt log content;

Looking forward to working with you :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Whipsaw
  • Topic Starter

  • Members
  • 11 posts

Posted 30 December 2015 - 06:03 PM

Having difficulty posting the Notepad files.

 

FRST text:  

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-12-2015

Ran by Ed (administrator) on ED-VAIO (30-12-2015 13:46:20)
Running from C:\Users\Ed\Downloads
Loaded Profiles: Ed (Available Profiles: Ed)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostSync.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostSync_.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Sony Corporation) C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera_crashreporter.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.25\opera.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12783848 2015-12-25] (Zemana Ltd.)
HKLM-x32\...\Run: [ISBMgr.exe] => C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [320880 2009-08-26] (Sony Corporation)
Winlogon\Notify\VESWinlogon-x32: VESWinlogon.dll [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk [2014-04-26]
ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2F73DCE4-4155-4351-A0B8-5D5F66293778}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BB8C9484-BDD0-485F-9085-847F9BF303D0}: [DhcpNameServer] 10.100.78.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2476431307-428378656-1639597041-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2476431307-428378656-1639597041-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SNNT
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SNNT
SearchScopes: HKU\S-1-5-21-2476431307-428378656-1639597041-1004 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SNNT_enUS528US528
SearchScopes: HKU\S-1-5-21-2476431307-428378656-1639597041-1004 -> {C25C319F-C420-4BA9-979E-E59B0C31DAB4} URL = hxxp://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2015-10-27] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2015-10-27] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-08-23] (Eyeo GmbH)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-08-23] (Eyeo GmbH)
Toolbar: HKU\S-1-5-21-2476431307-428378656-1639597041-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\ro8jhgdz.default
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-12-02] ()
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-10-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2015-10-27] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-12-02] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @oberon-media.com/ONCAdapter -> C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2476431307-428378656-1639597041-1004: @lightspark.github.com/Lightspark;version=1 -> C:\Program Files (x86)\Lightspark 0.5.3-git\nplightsparkplugin.dll [No File]
 
Opera: 
=======
OPR StartupUrls: "hxxps://www.google.com/"
OPR Extension: (Adblock Plus) - C:\Users\Ed\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2015-11-25]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 PACSPTISVR-Sound_Organizer; C:\Program Files (x86)\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [174176 2012-11-08] (Sony Corporation)
S4 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2015-05-20] (DEVGURU Co., LTD.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WinHostSvc; C:\Program Files (x86)\winhostuse\WinHostSync.exe [140992 2015-12-24] (FrameZen Co.)
R2 WinHostSvc2; C:\Program Files (x86)\winhostuse\WinHostSync_.exe [140992 2015-12-24] (FrameZen Co.)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12783848 2015-12-25] (Zemana Ltd.)
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S3 MSSQL$DDNI; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe" -sDDNI [X]
S4 MSSQLServerADHelper100; "C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [X]
S4 SQLAgent$DDNI; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE" -i DDNI [X]
S3 VcmXmlIfHelper; "C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 androidusb; C:\Windows\System32\Drivers\fxxandroidusb.sys [31744 2010-03-30] (Google Inc)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2015-12-18] (Corel Corporation)
S3 qcusbser; C:\Windows\System32\DRIVERS\FXX\qcusbser.sys [364288 2010-03-30] (QUALCOMM Incorporated)
U5 regi; C:\Windows\System32\Drivers\regi.sys [14112 2007-04-17] (InterVideo)
S3 TVICHW64; C:\Windows\system32\DRIVERS\TVICHW64.SYS [21200 2013-09-26] (EnTech Taiwan)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [202144 2015-12-30] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [202144 2015-12-30] (Zemana Ltd.)
S3 ApfiltrService; \SystemRoot\system32\drivers\Apfiltr.sys [X]
S3 avchv; system32\DRIVERS\avchv.sys [X]
S3 btwaudio; system32\drivers\btwaudio.sys [X]
S3 btwavdt; system32\drivers\btwavdt.sys [X]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; system32\DRIVERS\btwrchid.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U2 IAStorDataMgrSvc; no ImagePath
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 TrgExGrp64; system32\DRIVERS\TrgExGrp64.sys [X]
S3 TrgMrGrp64; system32\DRIVERS\TrgMrGrp64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-30 13:46 - 2015-12-30 13:46 - 00012624 _____ C:\Users\Ed\Downloads\FRST.txt
2015-12-30 13:45 - 2015-12-30 13:46 - 00000000 ____D C:\FRST
2015-12-30 13:44 - 2015-12-30 13:44 - 02370560 _____ (Farbar) C:\Users\Ed\Downloads\FRST64.exe
2015-12-30 12:29 - 2015-12-30 13:32 - 00003481 _____ C:\Users\Ed\Desktop\passwords.txt
2015-12-30 12:29 - 2015-12-30 12:31 - 00001129 _____ C:\Users\Ed\Desktop\hello.txt
2015-12-30 10:43 - 2015-12-30 10:44 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Ed\Downloads\tdsskiller (1).exe
2015-12-30 10:20 - 2015-12-30 12:07 - 00019968 ____H C:\Users\Ed\Desktop\~WRL2605.tmp
2015-12-30 10:20 - 2015-12-30 12:04 - 00020480 ____H C:\Users\Ed\Desktop\~WRL0004.tmp
2015-12-30 01:34 - 2015-12-30 13:46 - 00756416 _____ C:\Windows\ZAM.krnl.trace
2015-12-30 01:34 - 2015-12-30 12:42 - 00000119 _____ C:\Windows\ZAM_Guard.krnl.trace
2015-12-30 01:34 - 2015-12-30 01:34 - 00202144 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2015-12-30 01:34 - 2015-12-30 01:34 - 00001076 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2015-12-30 01:34 - 2015-12-30 01:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2015-12-30 01:34 - 2015-12-30 01:34 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-12-30 01:33 - 2015-12-30 01:34 - 00202144 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2015-12-30 01:33 - 2015-12-30 01:33 - 05013792 _____ ( ) C:\Users\Ed\Downloads\Zemana.AntiMalware.Setup.exe
2015-12-30 01:33 - 2015-12-30 01:33 - 00000000 ____D C:\Users\Ed\AppData\Local\Zemana
2015-12-30 01:32 - 2015-12-30 10:10 - 00000000 ____D C:\ProgramData\VoodooShield
2015-12-30 01:30 - 2015-12-30 01:30 - 04664936 _____ (VoodooSoft, LLC ) C:\Users\Ed\Downloads\InstallVoodooShield.exe
2015-12-30 01:23 - 2015-12-30 01:23 - 00009373 _____ C:\Users\Ed\Desktop\combo fix log.txt
2015-12-30 01:19 - 2015-12-30 01:19 - 00009373 _____ C:\ComboFix.txt
2015-12-30 00:44 - 2015-12-30 00:45 - 01743360 _____ C:\Users\Ed\Downloads\adwcleaner_5.026.exe
2015-12-30 00:39 - 2015-12-30 00:39 - 01101640 _____ (Bleeping Computer, LLC) C:\Users\Ed\Downloads\rkill64.exe
2015-12-30 00:38 - 2015-12-30 00:39 - 00184790 _____ C:\TDSSKiller.3.1.0.9_30.12.2015_00.38.28_log.txt
2015-12-29 23:45 - 2015-12-29 23:45 - 00006696 ____N C:\bootsqm.dat
2015-12-29 21:19 - 2015-12-29 21:19 - 00000000 ____D C:\Program Files (x86)\ExploreTech
2015-12-29 21:07 - 2015-12-29 21:24 - 00001688 _____ C:\ProgramData\tempimage.bmp
2015-12-29 20:59 - 2015-12-29 21:01 - 00000000 ____D C:\Program Files (x86)\winhostuse
2015-12-25 22:36 - 2015-12-25 22:48 - 00000054 _____ C:\Users\Ed\Desktop\lock pic data.txt
2015-12-25 01:57 - 2015-12-25 01:58 - 00000039 _____ C:\Users\Ed\Desktop\Gun Confiscation.txt
2015-12-24 17:09 - 2015-12-24 17:09 - 00000000 ____D C:\Users\Ed\Desktop\Spice Item Buy List
2015-12-18 15:42 - 2015-12-18 15:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sound Organizer
2015-12-18 15:41 - 2015-12-18 15:41 - 00056336 ____N (Corel Corporation) C:\Windows\system32\Drivers\PxHlpa64.sys
2015-12-18 15:36 - 2015-12-18 15:47 - 00000000 ____D C:\Users\Ed\Desktop\Audio Logs
2015-12-13 13:22 - 2015-12-13 13:22 - 00003062 _____ C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2015-12-13 13:22 - 2015-12-13 13:22 - 00003060 _____ C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2015-12-13 13:22 - 2015-12-13 13:22 - 00002741 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse and Keyboard Center.lnk
2015-12-13 13:21 - 2015-12-13 13:21 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center
2015-12-12 18:25 - 2015-12-12 18:26 - 00000047 _____ C:\Users\Ed\Desktop\Freedom of Info Act.txt
2015-12-12 16:29 - 2015-12-12 16:29 - 00000000 ____D C:\Users\Ed\Documents\Misc. Art etc
2015-12-11 22:50 - 2015-12-29 21:45 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Ed\Downloads\TDSSKiller.exe
2015-12-11 15:06 - 2015-12-11 15:17 - 00000188 _____ C:\Users\Ed\Desktop\Generation names.txt
2015-12-10 18:38 - 2015-12-10 18:38 - 00000014 _____ C:\Users\Ed\Desktop\Goverment Watch List.txt
2015-12-09 18:47 - 2015-12-13 13:22 - 00003118 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2015-12-09 18:47 - 2015-12-13 13:22 - 00003090 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2015-12-09 18:42 - 2015-12-13 13:22 - 00003092 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2015-12-08 01:12 - 2015-12-08 01:12 - 00000000 _____ C:\Users\Ed\Desktop\terror watch list anf freedom of info act.txt
2015-12-03 22:32 - 2015-12-18 19:11 - 00000000 ____D C:\Users\Ed\Desktop\Scam work
2015-12-02 21:29 - 2015-12-02 21:29 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-12-02 14:29 - 2015-12-30 01:19 - 00000000 ____D C:\Qoobox
2015-12-02 14:29 - 2015-12-02 14:40 - 00000000 ____D C:\Windows\erdnt
2015-12-02 14:29 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2015-12-02 14:29 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2015-12-02 14:29 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-12-02 14:29 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-12-02 14:29 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-12-02 14:29 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2015-12-02 14:29 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2015-12-02 14:29 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2015-12-02 14:27 - 2015-12-29 21:54 - 05643545 ____R (Swearware) C:\Users\Ed\Downloads\ComboFix.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-30 13:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows
2015-12-30 13:40 - 2009-07-13 21:13 - 00814530 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-30 13:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-30 13:02 - 2015-07-13 09:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-30 12:57 - 2009-07-13 20:45 - 00018928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-30 12:57 - 2009-07-13 20:45 - 00018928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-30 12:42 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-30 12:42 - 1997-07-10 23:00 - 00001114 _____ C:\Windows\SysWOW64\FFASTLOG.TXT
2015-12-30 12:25 - 2015-05-30 16:01 - 00007635 _____ C:\Users\Ed\AppData\Local\Resmon.ResmonCfg
2015-12-30 11:50 - 2014-05-10 09:35 - 00000000 ____D C:\Program Files (x86)\Opera
2015-12-30 01:39 - 2014-05-10 09:34 - 00000983 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-30 01:39 - 2014-05-10 09:34 - 00000983 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-12-30 01:39 - 2013-03-23 18:30 - 00000817 _____ C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-30 01:32 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-12-30 01:17 - 2009-07-13 18:34 - 00000215 _____ C:\Windows\system.ini
2015-12-30 01:03 - 2015-10-16 08:19 - 00000000 ____D C:\AdwCleaner
2015-12-30 01:03 - 2015-07-26 20:20 - 01180468 _____ C:\Windows\ntbtlog.txt
2015-12-29 22:49 - 2015-10-16 08:11 - 00000000 ____D C:\Users\Ed\Downloads\Bleeping Comp repair programs
2015-12-29 19:41 - 2015-03-25 21:01 - 00000000 ____D C:\Users\Ed\Desktop\Misc. etc  News
2015-12-29 18:34 - 2015-11-15 21:11 - 00000000 ____D C:\Users\Ed\AppData\Roaming\vlc
2015-12-29 13:51 - 2015-04-23 09:11 - 00000000 ____D C:\Users\Ed\Desktop\Excessive force Atty
2015-12-29 13:38 - 2015-07-30 13:19 - 00000000 ____D C:\Users\Ed\Downloads\optical illusions
2015-12-29 13:32 - 2015-05-10 09:27 - 00000000 ____D C:\Users\Ed\Desktop\Recipes - Cookware
2015-12-29 09:54 - 2015-11-06 12:46 - 00000000 ____D C:\Users\Ed\AppData\LocalLow\Adblock Plus for IE
2015-12-29 00:10 - 2009-07-13 21:08 - 00032644 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-28 21:47 - 2015-04-23 09:12 - 00000000 ____D C:\Users\Ed\Desktop\buy list
2015-12-26 09:32 - 2015-04-23 11:32 - 00000000 ____D C:\Users\Ed\Desktop\Physics Archive
2015-12-24 19:09 - 2015-05-30 17:31 - 00000000 ____D C:\Users\Ed\Desktop\Tech Related Software
2015-12-24 18:57 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-12-23 17:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system32\NDF
2015-12-19 09:17 - 2015-06-08 20:02 - 00000000 ____D C:\Users\Ed\Desktop\Fun stuff
2015-12-18 18:40 - 2013-03-23 18:27 - 00000000 ____D C:\Users\Ed\AppData\Roaming\Sony Corporation
2015-12-18 18:40 - 2009-11-23 14:46 - 00000000 ____D C:\ProgramData\Sony Corporation
2015-12-18 15:44 - 2009-12-08 05:51 - 00000000 ____D C:\Program Files (x86)\Sony
2015-12-18 15:41 - 2009-12-08 06:19 - 00072304 ____N (Corel Corporation) C:\Windows\SysWOW64\pxhpinst.exe
2015-12-18 15:41 - 2009-12-08 06:19 - 00011376 ____N (Corel Corporation) C:\Windows\system32\Drivers\cdralw2k.sys
2015-12-18 15:41 - 2009-12-08 06:19 - 00010864 ____N (Corel Corporation) C:\Windows\system32\Drivers\cdr4_xp.sys
2015-12-18 15:41 - 2009-05-20 17:56 - 00069232 ____N (Corel Corporation) C:\Windows\SysWOW64\pxinsa64.exe
2015-12-18 15:41 - 2009-03-24 01:01 - 00100976 ____N (Corel Corporation) C:\Windows\SysWOW64\vxblock.dll
2015-12-18 14:04 - 2015-06-12 21:37 - 00000000 ____D C:\Users\Ed\Desktop\P. Metals - finance etc
2015-12-13 15:40 - 2009-07-13 20:45 - 00362376 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-13 15:11 - 2013-03-23 18:28 - 00089120 _____ C:\Users\Ed\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-13 13:29 - 2015-11-14 19:43 - 00000000 ____D C:\Users\Ed\Desktop\Tech Related Devices
2015-12-09 19:36 - 2009-11-23 13:40 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-12-09 14:34 - 2014-04-20 11:42 - 00033280 ____H C:\Users\Ed\Desktop\~WRL0003.tmp
2015-12-09 14:20 - 2014-06-08 12:58 - 00003844 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1399746068
2015-12-08 12:38 - 2014-04-20 11:42 - 00033280 ____H C:\Users\Ed\Desktop\~WRL0001.tmp
2015-12-06 15:50 - 2015-08-03 10:34 - 00000000 ____D C:\Users\Ed\Desktop\Home Cell pics   8-3-15
2015-12-03 13:07 - 2015-11-03 13:44 - 00000000 ____D C:\Users\Ed\Desktop\NRA Atty
2015-12-03 12:59 - 2015-05-13 13:10 - 00003888 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-12-02 21:30 - 2014-10-03 21:00 - 00000000 ____D C:\Users\Ed\AppData\Local\Adobe
2015-12-02 21:29 - 2015-10-31 21:31 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-12-02 20:41 - 2015-07-27 20:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-02 19:12 - 2015-07-27 20:21 - 00003770 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-02 19:12 - 2015-04-24 21:05 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-02 19:12 - 2015-04-24 21:05 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-02 14:35 - 2009-07-13 18:34 - 74711040 _____ C:\Windows\system32\config\SOFTWARE.bak
2015-12-02 14:35 - 2009-07-13 18:34 - 24117248 _____ C:\Windows\system32\config\SYSTEM.bak
2015-12-02 14:35 - 2009-07-13 18:34 - 00524288 _____ C:\Windows\system32\config\DEFAULT.bak
2015-12-02 14:35 - 2009-07-13 18:34 - 00262144 _____ C:\Windows\system32\config\SECURITY.bak
2015-12-02 14:35 - 2009-07-13 18:34 - 00262144 _____ C:\Windows\system32\config\SAM.bak
2015-12-02 13:35 - 2015-07-26 22:03 - 00000000 ____D C:\Program Files (x86)\Google
2015-12-02 13:18 - 2013-03-29 19:33 - 00301728 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-11-30 18:13 - 2009-12-08 05:29 - 00000000 ____D C:\Program Files\Sony
 
==================== Files in the root of some directories =======
 
2014-04-26 13:25 - 1997-07-10 23:00 - 0000002 _____ () C:\Users\Ed\AppData\Roaming\Microsoft\ArtGalry.cag
2015-05-30 16:01 - 2015-12-30 12:25 - 0007635 _____ () C:\Users\Ed\AppData\Local\Resmon.ResmonCfg
2013-03-24 02:09 - 2014-04-06 18:00 - 0000952 ___SH () C:\ProgramData\KGyGaAvL.sys
2015-12-29 21:07 - 2015-12-29 21:24 - 0001688 _____ () C:\ProgramData\tempimage.bmp
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-10 18:03
 
==================== End of FRST.txt ================================================================================================================================================
 
Addition text:
Additional scan result of Farbar Recovery Scan Tool (x64) Version:30-12-2015
Ran by Ed (2015-12-30 13:47:31)
Running from C:\Users\Ed\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2013-03-24 02:27:33)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2476431307-428378656-1639597041-500 - Administrator - Disabled)
Ed (S-1-5-21-2476431307-428378656-1639597041-1004 - Administrator - Enabled) => C:\Users\Ed
Guest (S-1-5-21-2476431307-428378656-1639597041-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{66A71D83-289C-4521-A986-F62AE7E7BC5F}) (Version: 1.4.798 - Eyeo GmbH)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20069 - Adobe Systems Incorporated)
Adobe Flash Player 19 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 19.0.0.245 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.245 - Adobe Systems Incorporated)
Adobe Flash Player 19 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 19.0.0.245 - Adobe Systems Incorporated)
FiOS Self-Installation Wizard (HKLM-x32\...\InstallShield_{5EECDF2C-EE7E-4ACA-808D-A407B70BED01}) (Version: 1.00.0000 - Verizon)
FiOS Self-Installation Wizard (x32 Version: 1.00.0000 - Verizon) Hidden
Google Update Helper (x32 Version: 1.3.24.7 - Google Inc.) Hidden
Intel® Turbo Boost Technology Driver (HKLM-x32\...\{D6C630BF-8DBB-4042-8562-DC9A52CB6E7E}) (Version: 01.00.00.1030 - Intel Corporation)
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
Java 7 Update 67 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417067FF}) (Version: 7.0.670 - Oracle)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.6.140.0 - Microsoft Corporation)
Microsoft Office 97, Professional Edition (HKLM-x32\...\Office8.0) (Version:  - )
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Urban Assault Trial (HKLM-x32\...\Urban Assault 1.0TRIAL) (Version:  - )
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Word 2000 (HKLM-x32\...\{00170409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Mozilla Firefox 40.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 40.0.3 (x86 en-US)) (Version: 40.0.3 - Mozilla)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
Opera Stable 34.0.2036.25 (HKLM-x32\...\Opera 34.0.2036.25) (Version: 34.0.2036.25 - Opera Software)
PVSonyDll (Version: 1.00.0001 - NVIDIA Corporation) Hidden
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.55.0 - Samsung Electronics Co., Ltd.)
Service Pack 1 for SQL Server 2008 (KB968369) (HKLM-x32\...\KB968369) (Version: 10.1.2531.0 - Microsoft Corporation)
Sound Organizer (HKLM-x32\...\{2F88B11C-544B-4148-AB59-512FD788E6BB}) (Version: 1.5.0.10210 - Sony Corporation)
Sql Server Customer Experience Improvement Program (x32 Version: 10.1.2531.0 - Microsoft Corporation) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
VAIO Hardware Diagnostics (x32 Version: 3.9.1 - Sony Corporation) Hidden
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Window Host Manager (HKLM-x32\...\Window Host Manager) (Version: 1.44 - Grayscale LLC)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.19.797 - Zemana Ltd.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {09E9D6ED-BF83-409A-A0EE-968673FE9321} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-09-10] (Microsoft Corporation)
Task: {0B06C899-9A0B-45AE-AE30-42E5C09E1B9F} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-09-10] (Microsoft Corporation)
Task: {41E74F6D-9E53-4C51-8FA6-662BCCA7453D} - System32\Tasks\Sony\VAIO Survey => C:\Program Files (x86)\Sony\VAIO Survey\VAIO Sat Survey.exe
Task: {5A40E926-9E86-4B89-9CFD-B12311724371} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {7B475017-1034-41A8-9508-E18F781252ED} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-09-10] (Microsoft Corporation)
Task: {9592B9F4-62AA-41CE-8AB8-91E3DDFEE9CA} - System32\Tasks\Sony\OOBEReminder => C:\Program Files\Sony\First Experience\OOBEFcdRegistration.exe
Task: {B962304D-7D34-4CA6-933E-61B138670824} - System32\Tasks\Opera scheduled Autoupdate 1399746068 => C:\Program Files (x86)\Opera\launcher.exe [2015-12-04] (Opera Software)
Task: {C16EC1F4-5C69-4EAD-9980-8ABEC9A301FF} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {D3AD837A-8968-49AA-9693-EB707EB71EC4} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-02] (Adobe Systems Incorporated)
Task: {DD9F510C-95F4-499A-90C8-BAC5BC372FF4} - System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask => start sppsvc
Task: {E4DF5E54-3E02-4C77-A8B3-A3B9BD09415D} - System32\Tasks\Sony\Java Update => C:\Program Files\Java\jre6\bin\jusched.exe
Task: {E8E25FB3-13C0-46B8-AAEE-64AC16859809} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-09-10] (Microsoft Corporation)
Task: {EC028376-4CF5-470B-9331-046CB1EC3BC8} - System32\Tasks\Sony\OOBESendInfo => C:\Program Files\Sony\First Experience\OOBESendInfo.exe
Task: {FA4DE9F4-6FD5-4BF6-AEC8-71E45C5362C8} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2015-09-10] (Microsoft)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:0C56AA30
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 18:34 - 2015-12-29 21:04 - 00000170 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2476431307-428378656-1639597041-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AxInstSV => 3
MSCONFIG\Services: ss_conn_service => 2
MSCONFIG\startupreg: msnmsgr => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{ACD3D652-E0DA-4471-98E3-CA16EB7BF229}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{CE210970-F780-4333-969A-21ABF636531E}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{C0DAFFF0-13B4-4672-9119-CA94BA8F4495}] => (Allow) svchost.exe
FirewallRules: [{316BDDC5-3DF8-4E91-BF3D-8126F26A45D4}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{F57095A0-2A77-4034-9D52-AB6F944F79AD}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{60986F78-107C-4820-80A1-9C1C18A4433A}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Project Snowblind\Snowblind.exe
FirewallRules: [{5016C697-90F4-492B-A338-E274807AEBD5}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Project Snowblind\Snowblind.exe
FirewallRules: [{1627D923-F8BB-47A5-B95F-1641C201985E}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\raceroom racing experience\RRRELauncher.exe
FirewallRules: [{B32D04C5-5E88-4D44-B74B-2D7EA8E228AA}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\raceroom racing experience\RRRELauncher.exe
FirewallRules: [{2D17E67F-6974-4C92-8907-F7EE05660CF7}] => (Allow) C:\Users\Ed\AppData\Local\Temp\7zS0F22\hppiw.exe
FirewallRules: [{99C66C39-71CF-4DA5-8C43-298634717898}] => (Allow) C:\Users\Ed\AppData\Local\Temp\7zS0F22\hppiw.exe
FirewallRules: [TCP Query User{F958661D-3FE2-4261-BA04-23071527FF5F}C:\program files (x86)\printershare\paconsole.exe] => (Allow) C:\program files (x86)\printershare\paconsole.exe
FirewallRules: [UDP Query User{EDEC007D-4FA2-4162-BA30-68890F263AB2}C:\program files (x86)\printershare\paconsole.exe] => (Allow) C:\program files (x86)\printershare\paconsole.exe
FirewallRules: [{D299A706-3668-4227-B72E-2ADDDA83E1D1}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\raceroom racing experience\Game\Game.exe
FirewallRules: [{3EC951B8-53F9-4789-9428-D65987717FB9}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\raceroom racing experience\Game\Game.exe
FirewallRules: [{1375D261-FA46-4369-BA32-FD0E389D9CED}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{91A87EDC-461A-4E0C-A366-7B84463F397C}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{359B5D48-CAF3-4034-86D3-97C2DC2B434B}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\raceroom racing experience\Game\RRRE.exe
FirewallRules: [{53DDB5EF-9E22-488A-BBD5-8A80B6B607D3}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\raceroom racing experience\Game\RRRE.exe
FirewallRules: [{0DCD52F7-BE37-44BE-A147-D9E2A60C348E}] => (Allow) %SystemRoot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
FirewallRules: [{FEA98169-09BE-454F-9212-CBAD7C816FD3}] => (Allow) C:\Program Files (x86)\Opera\opera.exe
FirewallRules: [{7A3A1303-5D14-4051-9558-4FC11E4BC5E6}] => (Allow) C:\Program Files (x86)\Opera\opera.exe
FirewallRules: [{F55788E2-DCDC-4C05-BEE9-BDD3E98F226D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{11180DDC-DD59-4CDF-BDA5-2066DBC03231}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{FCC801B2-8431-4AC3-90ED-77D900D35E3E}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{28F8B60B-38D9-419A-B693-CCADB711328B}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{843C975B-5FB2-42B9-A4D9-B07323761EA1}C:\users\ed\downloads\urban assault\original game\ua.exe] => (Allow) C:\users\ed\downloads\urban assault\original game\ua.exe
FirewallRules: [UDP Query User{74701F9E-4502-4450-91A1-CED7A890E556}C:\users\ed\downloads\urban assault\original game\ua.exe] => (Allow) C:\users\ed\downloads\urban assault\original game\ua.exe
FirewallRules: [TCP Query User{209DF6B9-2739-4888-AEAE-747FBC40423D}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [UDP Query User{1407D16B-AAF6-461A-91BB-037EDADF6901}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [TCP Query User{6ED5EBE6-9747-4C0F-BF32-62CE5C47C9D8}C:\users\ed\desktop\my mobile\mymobiler\mymobiler.exe] => (Allow) C:\users\ed\desktop\my mobile\mymobiler\mymobiler.exe
FirewallRules: [UDP Query User{753E6FE7-9DB8-48FA-9281-B99F70D6B48E}C:\users\ed\desktop\my mobile\mymobiler\mymobiler.exe] => (Allow) C:\users\ed\desktop\my mobile\mymobiler\mymobiler.exe
FirewallRules: [{0D152FC4-7E0C-44F0-B370-8101B514B1D0}] => (Block) C:\users\ed\desktop\my mobile\mymobiler\mymobiler.exe
FirewallRules: [{87F54D01-2155-4EB9-A6E6-D6C2D03DF426}] => (Block) C:\users\ed\desktop\my mobile\mymobiler\mymobiler.exe
FirewallRules: [TCP Query User{93E96777-7A5C-4CF0-9380-47056CF9886B}C:\program files\java\jdk1.7.0_67\bin\jmc.exe] => (Allow) C:\program files\java\jdk1.7.0_67\bin\jmc.exe
FirewallRules: [UDP Query User{FE82EB30-0E29-4532-B7FD-9361374ACE7E}C:\program files\java\jdk1.7.0_67\bin\jmc.exe] => (Allow) C:\program files\java\jdk1.7.0_67\bin\jmc.exe
FirewallRules: [{B34419D1-AE31-46BB-8164-B74685B85FD8}] => (Block) C:\program files\java\jdk1.7.0_67\bin\jmc.exe
FirewallRules: [{62A8C89F-BF1E-4511-A949-BCA87B1AD5DF}] => (Block) C:\program files\java\jdk1.7.0_67\bin\jmc.exe
FirewallRules: [TCP Query User{71DAA890-50D0-4706-8DD3-D96291FE43E1}C:\program files\android\android studio\bin\studio64.exe] => (Allow) C:\program files\android\android studio\bin\studio64.exe
FirewallRules: [UDP Query User{B1AA24DD-1468-4CCA-B7ED-623403CF6B98}C:\program files\android\android studio\bin\studio64.exe] => (Allow) C:\program files\android\android studio\bin\studio64.exe
FirewallRules: [{0AF7C59E-228F-4B62-AF16-F9E05B58DC4C}] => (Block) C:\program files\android\android studio\bin\studio64.exe
FirewallRules: [{E4C31034-06DC-4661-BB2B-62D3DCB67EC8}] => (Block) C:\program files\android\android studio\bin\studio64.exe
FirewallRules: [{D539E5B0-D569-492A-841F-EAED086AECC8}] => (Allow) C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{98DFC76F-D498-44EB-BF11-6B8DDA0203B2}] => (Allow) C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{2A89077C-AB13-40BB-821F-085C5E125840}] => (Allow) C:\Program Files (x86)\winhostuse\winhostuse.exe (logged as ANSI bytes read as UTF-16: 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳攮數)
FirewallRules: [{CC33633D-022D-452C-93F4-E43F35CC8E8D}] => (Allow) C:\Program Files (x86)\winhostuse\winhostuse_.exe (logged as ANSI bytes read as UTF-16: 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳⹟硥e)
 
==================== Restore Points =========================
 
09-12-2015 18:46:32 DCInstallRestorePoint
09-12-2015 19:36:09 Installed USB2.0 Graphics Card (Trigger)
09-12-2015 19:36:57 Device Driver Package Install: Magic Control Technology Corp. Display adapters
09-12-2015 19:38:18 Device Driver Package Install: Magic Control Technology Corp. Display adapters
09-12-2015 19:39:12 Device Driver Package Install: Magic Control Technology Corp. Universal Serial Bus controllers
10-12-2015 01:58:33 JRT Pre-Junkware Removal
10-12-2015 13:50:28 Configured USB2.0 Graphics Card (Trigger)
10-12-2015 13:51:28 Removed USB2.0 Graphics Card (Trigger)
13-12-2015 13:21:11 DCInstallRestorePoint
18-12-2015 15:41:58 Installed Sound Organizer.
29-12-2015 21:34:21 JRT Pre-Junkware Removal
29-12-2015 23:30:13 Installed Microsoft Fix it 50362
29-12-2015 23:32:11 JRT Pre-Junkware Removal
29-12-2015 23:49:28 Windows Update
30-12-2015 00:31:41 Windows Update
30-12-2015 01:38:47 Zemana AntiMalware 12/30/2015 1:38:24 AM
 
==================== Faulty Device Manager Devices =============
 
Name: Bluetooth Hands-free Audio
Description: Bluetooth Hands-free Audio
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Broadcom
Service: btwaudio
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.
 
Name: Bluetooth L2CAP Interface
Description: Bluetooth L2CAP Interface
Class Guid: {c7c038ad-1f2d-44d4-b2fe-d912be20e6d5}
Manufacturer: Broadcom Corp.
Service: btwl2cap
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: Bluetooth Remote Control
Description: Bluetooth Remote Control
Class Guid: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Manufacturer: Broadcom
Service: btwrchid
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/30/2015 01:43:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0x664
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 01:14:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0x1090
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 12:48:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0x9fc
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 12:43:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0xd2c
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 12:29:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0xd20
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 12:24:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WINWORD.EXE version 9.0.0.2717 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1558
 
Start Time: 01d1433d3d4759e5
 
Termination Time: 468
 
Application Path: C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE
 
Report Id: 2c735cea-af33-11e5-ac8a-506313fcbca6
 
Error: (12/30/2015 12:22:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0xc84
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 11:49:10 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0xf00
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 11:42:56 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0xc0c
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
Error: (12/30/2015 11:06:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Faulting module name: winhostask_.exe, version: 1.3.3.0, time stamp: 0x567aa2c0
Exception code: 0xc0000005
Fault offset: 0x000020c0
Faulting process id: 0xda8
Faulting application start time: 0xwinhostask_.exe0
Faulting application path: winhostask_.exe1
Faulting module path: winhostask_.exe2
Report Id: winhostask_.exe3
 
 
System errors:
=============
Error: (12/30/2015 01:25:39 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Portable Device Enumerator Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The WLAN AutoConfig service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Diagnostic System Host service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Desktop Window Manager Session Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Distributed Link Tracking Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Program Compatibility Assistant Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Network Connections service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
 
Error: (12/30/2015 01:25:08 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Human Interface Device Access service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
 
CodeIntegrity:
===================================
  Date: 2015-12-02 14:34:16.434
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-02 14:34:16.419
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-04-05 21:34:02.317
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:34:02.193
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:34:02.020
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:34:01.847
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:34:01.693
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:34:01.571
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:16:42.167
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-04-05 21:16:41.991
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7 CPU Q 720 @ 1.60GHz
Percentage of memory in use: 91%
Total physical RAM: 4078.07 MB
Available physical RAM: 354.64 MB
Total Virtual: 8154.33 MB
Available Virtual: 2493.99 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:456.99 GB) (Free:416.92 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 7A6D9928)
Partition 1: (Not Active) - (Size=8.7 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=457 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ==============================================================================================================

Edited by xXToffeeXx, 31 December 2015 - 06:57 AM.
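An added example for readers of this thread (it is not part of FRST and not code from any poster): a small Python triage script that splits an Addition.txt like the one above into its sections and pulls out the indicators a responder otherwise picks out by hand: hosts-file entries that redirect something other than localhost, UAC switched off (EnableLUA: 0), firewall Allow rules for binaries living in temp or download folders, and the byte-swapped paths seen in the last two FirewallRules entries, which are an ANSI string that was read as UTF-16LE. The embedded log is a constructed excerpt modelled on the log above, and the section titles and "suspicious folder" heuristics are assumptions of the example, not anything FRST defines.

```python
"""Triage helpers for an FRST Addition.txt log.

Added example for this thread; not part of FRST and not any poster's code.
Section titles and the suspicious-folder heuristics are assumptions made here.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the Addition.txt in the thread (not the full file).
SAMPLE_LOG = r"""
==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2015-12-29 21:04 - 00000170 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com

==================== Other Areas ============================

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== FirewallRules (Whitelisted) ===============

FirewallRules: [{316BDDC5-3DF8-4E91-BF3D-8126F26A45D4}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{2D17E67F-6974-4C92-8907-F7EE05660CF7}] => (Allow) C:\Users\Ed\AppData\Local\Temp\7zS0F22\hppiw.exe
FirewallRules: [{2A89077C-AB13-40BB-821F-085C5E125840}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳攮數

==================== End of Addition.txt ====================
"""

SECTION_RE = re.compile(r"^=+\s+(.+?)\s*=+\s*$")
RULE_RE = re.compile(r"^FirewallRules: \[(.+?)\] => \((Allow|Block)\) (.+)$")
# Folders an installer dropped into and a persistent Allow rule should not point at (heuristic).
SUSPICIOUS_DIR = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Map each '==== Title ====' header to the non-empty lines under it."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).rstrip(":").strip()
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def decode_ansi_as_utf16(s: str) -> str:
    """Undo the mojibake FRST shows when an ANSI path is read as UTF-16LE:
    each CJK-looking code unit holds two printable bytes, low byte first."""
    out = []
    for ch in s:
        cp = ord(ch)
        lo, hi = cp & 0xFF, cp >> 8
        if cp > 0xFF and 0x20 <= lo < 0x7F and 0x20 <= hi < 0x7F:
            out.append(chr(lo) + chr(hi))
        else:
            out.append(ch)  # plain ASCII (or an odd trailing byte) passes through
    return "".join(out)


def hosts_redirects(lines: List[str]) -> List[str]:
    """Hostnames pinned to loopback other than localhost itself."""
    bad = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0", "::1") and parts[1] != "localhost":
            bad.append(parts[1])
    return bad


def uac_disabled(lines: List[str]) -> bool:
    """True when the Policies\\System line reports EnableLUA: 0."""
    return any(re.search(r"\(EnableLUA: 0\)", line) for line in lines)


def suspicious_firewall_rules(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (rule id, decoded target, reasons) for rules worth a closer look."""
    findings = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        rule_id, action, target = m.groups()
        decoded = decode_ansi_as_utf16(target)
        reasons = []
        if decoded != target:
            reasons.append("target stored with broken encoding (ANSI bytes read as UTF-16)")
        if action == "Allow" and SUSPICIOUS_DIR.search(decoded):
            reasons.append("Allow rule for a binary in a temp/download folder")
        if reasons:
            findings.append((rule_id, decoded, reasons))
    return findings


def triage(text: str) -> dict:
    """Run every check over one Addition.txt and collect the hits."""
    secs = split_sections(text)
    return {
        "hosts_redirects": hosts_redirects(secs.get("Hosts content", [])),
        "uac_disabled": uac_disabled(secs.get("Other Areas", [])),
        "firewall": suspicious_firewall_rules(secs.get("FirewallRules (Whitelisted)", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The decoder is the part worth keeping around: a firewall rule whose program path only shows up as CJK-looking text is not a display glitch in FRST, it is the registry value itself being written with the wrong width, and the decoded path tells you which binary the rule opens a hole for.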


#4 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 31 December 2015 - 05:47 PM

Hi Whipsaw :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • Finally, in the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Did you ever use BitDefender on your system? As an Antivirus, or as a standalone scanning program?

I see that you ran multiple tools before posting your thread: ComboFix, AdwCleaner, TDSSKiller, etc. Do you still have the logs these tools created? If so, can you copy/paste their content here so I can see them? If you don't know where they usually here, let me know and I'll point out the locations for you.

It seems like we are dealing with an unknown malware here. We can processes running from 4 different files and they all look suspicious to me. I would like you to upload these files to VirusTotal, and post the result URLs so we can get more information on them. There's 4 files to upload, and you can only upload them one at the time.

Upload a file on VirusTotal
  • Open your favorite web browser, and go on virustotal.com;
  • From there, click on the Select a file button and wait for the Windows Explorer to open;
  • Browse to C:\Program Files (x86)\winhostuse, select WinHostSync.exe, WinHostSync_.exe, WinHostUse_.exe, WinHostUse.exe and click on Open;
  • Once it's done, click on the Analyze button;
  • If you get a message that the file was already analyzed, click on the Re-analyze button;
  • Once done, copy and paste the VirusTotal report URL in your next reply;
Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • Window Host Manager
If you have an issue when uninstalling a program, please let me know.

Outdated Programs Warning!

I noticed that you have outdated vulnerable programs installed on your system. I'll ask you to uninstall them since keeping outdated software installed on a system puts it more at risk of being infected. We will reinstall these programs at the end of the clean-up if you need them.
  • Adobe Flash Player 19 ActiveX
  • Adobe Flash Player 19 NPAPI
  • Adobe Flash Player 19 PPAPI
  • Java 7 Update 67 (64-bit)
If you have an issue when uninstalling a program, please let me know.

Once you're done answering the questions and following the instructions above, we'll run a fix with FRST. I'm asking you to do this at the end because this fix will remove the 4 files I'm asking you to upload to VirusTotal.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    
    Winlogon\Notify\VESWinlogon-x32: VESWinlogon.dll [X]
    
    R2 WinHostSvc; C:\Program Files (x86)\winhostuse\WinHostSync.exe [140992 2015-12-24] (FrameZen Co.)
    R2 WinHostSvc2; C:\Program Files (x86)\winhostuse\WinHostSync_.exe [140992 2015-12-24] (FrameZen Co.)
    
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2476431307-428378656-1639597041-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    
    Toolbar: HKU\S-1-5-21-2476431307-428378656-1639597041-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    
    AlternateDataStreams: C:\ProgramData\TEMP:0C56AA30
    
    FirewallRules: [{2A89077C-AB13-40BB-821F-085C5E125840}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳攮數
    FirewallRules: [{CC33633D-022D-452C-93F4-E43F35CC8E8D}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳⹟硥e
    
    Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
    
    C:\Program Files (x86)\winhostuse
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;
Your next reply should include:
  • Did you ever use a BitDefender program on your computer?;
  • Copy/pasted logs of the other tools you ran (ComboFix, AdwCleaner, TDSSKiller, etc.) if you can find the logs;
  • Result URLs for the 4 files I'm asking you to upload;
  • If you were able to uninstall both the malicious and outdated programs successfully or not;
  • Copy/pasted content of the FRST fixlog;
  • How's your computer running after running the FRST fix and a restart?;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Whipsaw

Posted 02 January 2016 - 01:53 AM

Hi Aura,

I’ve had some difficulties with the instructions.

 

Q. Did you ever use BitDefender on your system? As an Antivirus, or as a standalone scanning program?

A. No, I have not.

 

Q.  I see that you ran multiple tools before posting your thread: ComboFix, AdwCleaner, TDSSKiller, etc. Do you still have the logs these tools created?

A. Have recent ComboFix logs from 12-29 and 12-30 and one AdwCleaner log; these were generated just after the malware hit. There were some other logs, but they were deleted when the programs failed to clean the system. If you want, I can look for a specific folder. Three logs are attached.

 

Q. It seems like we are dealing with an unknown malware here. We can see processes running from 4 different files and they all look suspicious to me. I would like you to upload these files to VirusTotal, and post the result URLs so we can get more information on them. There are 4 files to upload, and you can only upload them one at a time.

 

A. I looked in:

C:\Program Files (x86)\winhostuse, for WinHostSync.exe, WinHostSync_.exe, WinHostUse_.exe, WinHostUse.exe 

but the files were not there.

 

Uninstall:

Window Host Manager

Searched for the file name; it's not there either.

 

Uninstall:

Adobe Flash Player 19 ActiveX

Adobe Flash Player 19 NPAPI

Adobe Flash Player 19 PPAPI

Java 7 Update 67 (64-bit)

Done.

 

(FRST) - Fix mode:

Notepad won't let me save the .txt file in ANSI.

Says some characters in Unicode format will be lost. (I guess due to the Chinese script)

A menu asks for a selection on the Unicode drop down list. There are 17.

 

Regards.

Attached Files
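An added example, not code from either poster or from the FRST project: the two FirewallRules lines in the fixlist above are an ordinary ASCII program path that FRST rendered as UTF-16LE code units (each CJK-looking character holds two ASCII bytes, low byte first), which is also exactly why Notepad warns that saving the fixlist as ANSI will lose characters. The Python below reverses that misreading, parses the rule lines, and flags any line that would trigger the warning. It assumes cp1252 is the system's ANSI code page (typical for English Windows 7) and uses the two rule lines copied from the fixlist as its sample input.

```python
import re

# Notepad's "ANSI" is the system code page; cp1252 is assumed here (English Windows).
ANSI_CODEPAGE = "cp1252"

# FRST fixlist format for a firewall rule, as seen in the fixlist above:
#   FirewallRules: [{GUID}] => (Allow) <program path>
FIREWALL_RULE_RE = re.compile(
    r"FirewallRules:\s*\[\{([0-9A-Fa-f-]+)\}\]\s*=>\s*\((\w+)\)\s*(.+?)\s*$"
)


def decode_utf16le_mojibake(text: str) -> str:
    """Undo ASCII text that was read as UTF-16LE code units.

    "㩃" is U+3A43, i.e. the bytes 0x43 0x3A, which is "C:" in ASCII. A
    character below 0x80 is a lone ASCII byte that was never paired (odd
    length, e.g. the trailing 'e' in the second rule) and passes through.
    Clean ASCII input comes back unchanged, so this is safe for every line.
    """
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp > 0xFFFF:
            raise ValueError("not a UTF-16 code unit: %r" % ch)
        if cp < 0x80:
            out.append(cp)
        else:
            out.append(cp & 0xFF)  # low byte: the first ASCII character
            out.append(cp >> 8)    # high byte: the second ASCII character
    return out.decode("ascii", errors="replace")


def needs_unicode_save(line: str) -> bool:
    """True if Notepad would warn that saving this line as ANSI loses characters."""
    try:
        line.encode(ANSI_CODEPAGE)
        return False
    except UnicodeEncodeError:
        return True


def parse_firewall_rule(line: str):
    """Return (rule GUID, action, decoded program path), or None if not a rule line."""
    m = FIREWALL_RULE_RE.match(line.strip())
    if not m:
        return None
    guid, action, target = m.groups()
    return guid, action, decode_utf16le_mojibake(target)


def decode_fixlist(text: str):
    """Collect every FirewallRules entry in a fixlist with its path decoded."""
    rows = []
    for line in text.splitlines():
        parsed = parse_firewall_rule(line)
        if parsed:
            rows.append(parsed)
    return rows


# Sample input: the two FirewallRules lines copied from the fixlist above.
SAMPLE_FIXLIST = """\
FirewallRules: [{2A89077C-AB13-40BB-821F-085C5E125840}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳攮數
FirewallRules: [{CC33633D-022D-452C-93F4-E43F35CC8E8D}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶睜湩潨瑳獵履楷桮獯畴敳⹟硥e
"""

if __name__ == "__main__":
    for line in SAMPLE_FIXLIST.splitlines():
        print("ANSI-unsafe:", needs_unicode_save(line))
    for guid, action, path in decode_fixlist(SAMPLE_FIXLIST):
        print(guid, action, "->", path)
```

Both decoded paths point into the same C:\Program Files (x86)\winhostuse folder that the two R2 services in the fixlist reference, which is the confirmation a responder wants before deleting the rules; the file names in the rules are lowercase where the service entries use mixed case, which is how the rule was stored rather than a different file.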



#6 Aura

Posted 02 January 2016 - 02:27 PM

Q. Did you ever use BitDefender on your system? As an Antivirus, or as a standalone scanning program?
A. No, I have not.


Alright :)
 

Q. I see that you ran multiple tools before posting your thread: ComboFix, AdwCleaner, TDSSKiller, etc. Do you still have the logs these tools created?
A. Have recent ComboFix logs from 12-29 and 12-30 and one AdwCleaner log; these were generated just after the malware hit. There were some other logs, but they were deleted when the programs failed to clean the system. If you want, I can look for a specific folder. Three logs are attached.


It's good. I see that you ran AdwCleaner only in scan mode, so nothing it detected was deleted, and ComboFix didn't do any manual deletions either. The deletions are what I was looking for.
 

A. I looked in:
C:\Program Files (x86)\winhostuse, for WinHostSync.exe, WinHostSync_.exe, WinHostUse_.exe, WinHostUse.exe
but the files were not there.


Probably because they are hidden system files (attributes). In that case, let's try this:

1. Download ComboFix and save it on your Desktop.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
4. Open Notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:
5. Combofix might upload a few suspicious files.  Please allow this!!

http://www.bleepingcomputer.com/forums/t/600878/sushi-leads-related-infected/#entry3899375
KillAll::
Suspect::[89]
C:\Program Files (x86)\winhostuse\WinHostSync.exe
C:\Program Files (x86)\winhostuse\WinHostSync_.exe

6. Save this as CFScript.txt, in the same location as ComboFix.exe
7. Referring to the picture above, drag CFScript into ComboFix.exe
8. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
----------
This shall upload those files to BleepingComputer and run them through our scanner and VirusTotal then we will be notified of the results. It will also obtain a copy of the files for future testing.
 

Uninstall:
Window Host Manager
Searched for the file name; it's not there either.


The Windows Host Manager is an installed program on your system, did you only do a search for a file named like this, or did you look in Uninstall a program (Control Panel), because this is where it'll show up.
 

(FRST) - Fix mode:
Notepad won't let me save the .txt file in ANSI.
Says some characters in Unicode format will be lost. (I guess due to the Chinese script)
A menu asks for a selection on the Unicode drop down list. There are 17.


I have made necessary adjustments to the fix so please use the fixlist.txt I attached in this post.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the fixlist.txt attached in this post, and move it on your Desktop (or in the same folder as FRST.exe/FRST64.exe);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;
In your next reply, I should see:
  • Copy/pasted content of the ComboFix log;
  • Whether or not you were able to find the Windows Host Manager program under Uninstall a program in the Control Panel, and if yes, whether you were able to uninstall it or not;
  • Copy/pasted content of the FRST fixlog;



#7 Whipsaw

Posted 02 January 2016 - 06:35 PM

Aura,

Q. The Windows Host Manager is an installed program on your system, did you only do a search for a file named like this, or did you look in Uninstall a program (Control Panel), because this is where it'll show up.

A.  That file was deleted earlier when I opened the control panel in safe mode to remove the original Malware. 

 

Two Logs are attached. 

 

Regards.

Attached Files



#8 Aura

Posted 03 January 2016 - 11:55 AM

A. That file was deleted earlier when I opened the control panel in safe mode to remove the original Malware.


Do you mean that you uninstalled that program already via the Control Panel? A file and a program aren't the same thing :)

It seems that ComboFix didn't run using the CFScript you created, but I know why. In that case, could you please follow the same instructions again, but download the attached CFScript.txt and drag and drop it on ComboFix.exe?


This being said, let's get a fresh pair of FRST logs to see if there's anything else to address :)

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
  • Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;
Your next reply should include:
  • If you did uninstall Windows Host Manager via the Control Panel (under "Uninstall a program") or not;
  • Copy/pasted content of the ComboFix fixlog;
  • Copy/pasted content of the FRST.txt log;
  • Copy/pasted content of the Addition.txt log;
  • How's your computer running now?;



#9 Whipsaw

Posted 04 January 2016 - 02:46 AM

 

A. That file was deleted earlier when I opened the control panel in safe mode to remove the original Malware.

Do you mean that you uninstalled that program already via the Control Panel? A file and a program aren't the same thing :)

 

A. That is correct, two other programs besides the "Sushi Leads" one.

 

It seems that ComboFix didn't run using the CFScript you created, but I know why. In that case, could you please follow the same instructions again, but download the attached CFScript.txt and drag and drop it on ComboFix.exe?

 

Done.

 

This being said, let's get a fresh pair of FRST logs to see if there's anything else to address :)

 

See Attached.

 

Q. How's your computer running now?;

A. It's running better; prior to this scan, there still was some CPU revving and intermittent browser (not responding) blinking.

I'll run it a little while and see how things are.

 

Regards.

Attached Files


Edited by Whipsaw, 04 January 2016 - 05:28 AM.


#10 Aura

Posted 04 January 2016 - 04:30 PM

Alright, in that case, let's move on :) Follow the instructions below please.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • Itibiti RTC
If you have an issue when uninstalling a program, please let me know.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or in the folder where FRST64.exe/FRST.exe is);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;


In your next reply I should see:
  • If you uninstalled Itibiti RTC or not;
  • Copy/pasted content of the FRST fixlog;



#11 Whipsaw

Posted 04 January 2016 - 08:08 PM

 

In your next reply I should see:
  • If you uninstalled Itibiti RTC or not;
  • Copy/pasted content of the FRST fixlog;

 

Found “Itibiti RTC” in the programs section and deleted it.

 

fixlog attached

Attached Files



#12 Aura

Posted 04 January 2016 - 08:52 PM

The FRST fix went through perfectly! Now it's time for a JRT, AdwCleaner and Malwarebytes sweep :) Follow the instructions below please.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;
  • How is your computer running after running JRT, AdwCleaner and Malwarebytes?;



#13 Whipsaw

Posted 05 January 2016 - 02:44 AM

 

Your next reply should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;
  • How is your computer running after running JRT, AdwCleaner and Malwarebytes?;

 

The computer is running quite quietly now  :)

 

 

Attached Files



#14 Aura

Posted 05 January 2016 - 09:39 AM

Did you proceed with the deletions once you ran Malwarebytes? The log you gave me is a scan log, and not a log where deletions were made. If you didn't delete anything, is it possible to run Malwarebytes again and this time, delete everything that was detected? :)

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
And we'll run one last scan with ESET Online Scanner on your system to take care of remnants :)

ESET Online Scanner
Note: If you use Internet Explorer to get the ESET Online Scanner, you won't have to download or install the tool, as everything will be run in a contextual (pop-up) window of Internet Explorer. However, for every other browser, you will have to download and install ESET Online Scanner. In this set of instructions, I'll use Google Chrome to download it and run it (since a lot of people will do it); however, except for the download and installation procedure, the same instructions apply if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.
  • Download and execute ESET Online Scanner (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
  • Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :
    • Enable detection of potentially unwanted applications;
    • Scan archives;
    • Scan for potentially unsafe applications;
    • Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;
  • After you're done checking these options, click on "Start" and ESET Online Scanner will download its virus signature database before starting the scan;
  • Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 and 3 hours. So if you start the scan, do not interrupt it; let it complete until the end;
  • After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have the option to see what threats were found and to manage the threats that were quarantined;
  • Click on List of found threats; it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results to your clipboard and post them in your next reply;
  • Once you're done, click on the Back button, then click on the Finish button;
Your next reply should include:
  • Copy/pasted content of the Malwarebytes log;
  • Copy/pasted content of the ESET Online Scanner log;
  • Is your computer still running fine?;



#15 Whipsaw

Posted 05 January 2016 - 08:37 PM

Did you proceed with the deletions once you ran Malwarebytes? The log you gave me is a scan log, and not a log where deletions were made.

If you didn't delete anything, is it possible to run Malwarebytes again and this time, delete everything that was detected?

 

A. Yes, all that Pup Stuff was checked and deleted. The new log shows all zeros.
 

Your next reply should include:

  • Copy/pasted content of the Malwarebytes log;

Done.

  • Copy/pasted content of the ESET Online Scanner log;

Could not locate the .txt log file for ESET. So I included the results in .jpeg form.

  • Is your computer still running fine?;

Concerning the computer system operation after the malwarebytes deletion, but prior to the ESET scan,

there’s still some jerky page loading and rapid (not responding) blinking while searching with Opera.      

 

Hmmm...  :(

Attached Files





