Found few threats, still not completely cured


  • This topic is locked
12 replies to this topic

#1 almasat

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:46 PM

Posted 06 January 2016 - 10:56 PM

Hello,

TrendMicro and ESET found and cleared some threats but I am still not sure the computer is clean. Startup programs keep changing, Chrome behaves strangely. Any help will be appreciated. Here is the FRST log. 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:06-01-2015
Ran by Raj (administrator) on RAJ-PC (07-01-2016 09:17:55)
Running from C:\Users\Raj\Downloads
Loaded Profiles: Raj (Available Profiles: Raj)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHWatchdog.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
() C:\Program Files\Vodafone K4203I\Vodafone K4203I.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Google Inc) C:\Program Files\Google\Google Input Tools\GoogleInputService.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.29.1\GoogleCrashHandler.exe
() C:\ProgramData\DatacardService\HWDeviceService.exe
(Google Inc.) C:\Program Files\Google\Google Input Tools\GoogleInputHandler.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
() C:\ProgramData\Vodafone K4203I\OnlineUpdate\ouc.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [QHSafeTray] => C:\Program Files\360\Total Security\safemon\QHSafeTray.exe [3101304 2015-12-31] (QIHU 360 SOFTWARE CO. LIMITED)
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6602152 2015-12-09] (Piriform Ltd)
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\Run: [Mobile Partner] => C:\Program Files\Vodafone K4203I\Vodafone K4203I.exe [114688 2015-06-28] ()
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6819232 2015-12-02] (SUPERAntiSpyware)
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\Run: [GoogleChromeAutoLaunch_95C663C400DEFC7487EB577892897E6C] => C:\program files\google\chrome\application\chrome.exe [741704 2015-12-11] (Google Inc.)
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\MountPoints2: {09ef265d-c446-11e4-99e8-82b051f88121} - E:\AutoRun.exe
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\MountPoints2: {09ef269d-c446-11e4-99e8-e12805f91ac6} - E:\AutoRun.exe
HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\...\MountPoints2: {2f737111-cf08-11e4-a9b1-00219bdf4380} - E:\AutoRun.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
Startup: C:\Users\Raj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2015-08-02]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: [S-1-5-21-3960607897-3642553953-3203239249-1000] => localhost:8080
AutoConfigURL: [S-1-5-21-3960607897-3642553953-3203239249-1000] => localhost:8080
Tcpip\Parameters: [DhcpNameServer] 10.169.30.245 10.169.30.244
Tcpip\..\Interfaces\{57DCE419-3055-4078-AD48-EDBD49AF0D26}: [DhcpNameServer] 10.169.30.245 10.169.30.244
Tcpip\..\Interfaces\{DCE9CF48-127C-4B69-B08C-C01834116F9D}: [DhcpNameServer] 10.169.30.245 10.169.30.244
 
Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3960607897-3642553953-3203239249-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files\Evernote\Evernote\EvernoteIE.dll [2015-12-01] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
 
FireFox:
========
FF ProfilePath: C:\Users\Raj\AppData\Roaming\Mozilla\Firefox\Profiles\mv6kge8f.default-1450255684531
FF NetworkProxy: "autoconfig_url", "data:text/javascript,%2F*ZenMate*%2F%0Afunction%20FindProxyForURL(url%2C%20host)%20%7B%0A%0A%20%20var%20e%20%3D%20%7B%20data%3A%20%7B%22localDomains%22%3A%5B%22zenguard.biz%22%2C%22local%22%2C%22dev%22%2C%22ip%22%2C%22box%22%2C%22lvh.me%22%2C%22ripe%22%2C%22invalid%22%2C%22intra%22%2C%22intranet%22%2C%22onion%22%2C%22vcap.me%22%2C%22zeus.pm%22%2C%22127.0.0.1.xip.io%22%2C%22smackaho.st%22%2C%22localtest.me%22%2C%22site%22%2C%22about%3Aaddons%22%2C%22about%3Anewtab%22%2C%22about%3Apreferences%22%2C%22about%3Aconfig%22%5D%2C%22nodeOverrides%22%3A%5B%7B%22target_cc%22%3A%22US%22%2C%22hosts%22%3A%5B%22hulu.com%22%5D%2C%22premium_only%22%3Atrue%2C%22nodes%22%3A%22US-ALT1%22%7D%2C%7B%22target_cc%22%3A%22UW%22%2C%22hosts%22%3A%5B%22hulu.com%22%5D%2C%22premium_only%22%3Atrue%2C%22nodes%22%3A%22US-ALT1%22%7D%5D%2C%22IPv4NotationRE%22%3A%7B%7D%2C%22localIPsRE%22%3A%7B%7D%7D%2CnodeLookup%3A%20function%20(nodeDict%2C%20cc)%20%7B%0A%20%20%20%20%20%20return%20nodeDict%5Bcc%5D%20%7C%7C%20false%3B%0A%20%20%20%20%7D%2CcompareHosts%3A%20function%20(hosts%2C%20host)%20%7B%0A%20%20%20%20%20%20var%20h%2C%20j%2C%20len%3B%0A%20%20%20%20%20%20for%20(j%20%3D%200%2C%20len%20%3D%20hosts.length%3B%20j%20%3C%20len%3B%20j%2B%2B)%20%7B%0A%20%20%20%20%20%20%20%20h%20%3D%20hosts%5Bj%5D%3B%0A%20%20%20%20%20%20%20%20if%20(this.matchWildcardDomain(host%2C%20h))%20%7B%0A%20%20%20%20%20%20%20%20%20%20return%20h%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%2CcompareURLs%3A%20function%20(patterns%2C%20url)%20%7B%0A%20%20%20%20%20%20var%20j%2C%20len%2C%20p%3B%0A%20%20%20%20%20%20for%20(j%20%3D%200%2C%20len%20%3D%20patterns.length%3B%20j%20%3C%20len%3B%20j%2B%2B)%20%7B%0A%20%20%20%20%20%20%20%20p%20%3D%20patterns%5Bj%5D%3B%0A%20%20%20%20%20%20%20%20if%20(p.test(url))%20%7B%0A%20%20%20%20%20%20%20%20%20%20return%20p%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%2CdnsDomainIs%3A%20function%20(host%2C%20pattern)%20%7B
%0A%20%20%20%20%20%20return%20host.length%20%3E%3D%20pattern.length%20%26%26%20host.substring(host.length%20-%20pattern.length)%20%3D%3D%3D%20pattern%3B%0A%20%20%20%20%7D%2CmatchWildcardDomain%3A%20function%20(host%2C%20domain)%20%7B%0A%20%20%20%20%20%20var%20exactMatch%2C%20hasSubdomain%2C%20tldMatch%3B%0A%20%20%20%20%20%20exactMatch%20%3D%20host%20%3D%3D%3D%20domain%3B%0A%20%20%20%20%20%20tldMatch%20%3D%20host.slice(-domain.length)%20%3D%3D%3D%20domain%3B%0A%20%20%20%20%20%20hasSubdomain%20%3D%20host%5Bhost.lastIndexOf(domain)%20-%201%5D%20%3D%3D%3D%20'.'%3B%0A%20%20%20%20%20%20return%20exactMatch%20%7C%7C%20(tldMatch%20%26%26%20hasSubdomain)%3B%0A%20%20%20%20%7D%2CmatchNodeOverride%3A%20function%20(host%2C%20cc)%20%7B%0A%20%20%20%20%20%20var%20o%2C%20ref%2C%20result%3B%0A%20%20%20%20%20%20result%20%3D%20(function()%20%7B%0A%20%20%20%20%20%20%20%20var%20j%2C%20len%2C%20ref%2C%20results%3B%0A%20%20%20%20%20%20%20%20ref%20%3D%20this.data.nodeOverrides%3B%0A%20%20%20%20%20%20%20%20results%20%3D%20%5B%5D%3B%0A%20%20%20%20%20%20%20%20for%20(j%20%3D%200%2C%20len%20%3D%20ref.length%3B%20j%20%3C%20len%3B%20j%2B%2B)%20%7B%0A%20%20%20%20%20%20%20%20%20%20o%20%3D%20ref%5Bj%5D%3B%0A%20%20%20%20%20%20%20%20%20%20if%20(o.target_cc%20%3D%3D%3D%20cc%20%26%26%20this.compareHosts(o.hosts%2C%20host))%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20results.push(o)%3B%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20return%20results%3B%0A%20%20%20%20%20%20%7D).call(this)%3B%0A%20%20%20%20%20%20return%20(result%20!%3D%20null%20%3F%20(ref%20%3D%20result%5B0%5D)%20!%3D%20null%20%3F%20ref.nodes%20%3A%20void%200%20%3A%20void%200)%20%7C%7C%20false%3B%0A%20%20%20%20%7D%2CmatchRules%3A%20function%20(rules%2C%20host%2C%20url)%20%7B%0A%20%20%20%20%20%20var%20i%2C%20j%2C%20len%2C%20rule%3B%0A%20%20%20%20%20%20if%20(!((rules%20!%3D%20null%20%3F%20rules.length%20%3A%20void%200)%20%3E%200))%20%7B%0A%20%20%20%20%20%20%20%20return%3B%0A%20%20%20%20%20%20%7D%0A%2
0%20%20%20%20%20if%20(this.data.rulesWithOverrides%20%3D%3D%20null)%20%7B%0A%20%20%20%20%20%20%20%20rules%20%3D%20mergeRuleOverrides(rules%2C%20config.ruleOverrides)%3B%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20for%20(i%20%3D%20j%20%3D%200%2C%20len%20%3D%20rules.length%3B%20j%20%3C%20len%3B%20i%20%3D%20%2B%2Bj)%20%7B%0A%20%20%20%20%20%20%20%20rule%20%3D%20rules%5Bi%5D%3B%0A%20%20%20%20%20%20%20%20if%20(this.matchWildcardDomain(host%2C%20rule.domain)%20%7C%7C%20((rule.hosts%20!%3D%20null)%20%26%26%20this.compareHosts(rule.hosts%2C%20host)))%20%7B%0A%20%20%20%20%20%20%20%20%20%20return%20i%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%2C_getProxyState%3A%20function%20(url%2C%20host%2C%20rules)%20%7B%0A%20%20%20%20%20%20var%20j%2C%20len%2C%20local%2C%20match%2C%20ref%3B%0A%20%20%20%20%20%20url%20%3D%20url.toLowerCase()%3B%0A%20%20%20%20%20%20if%20(!~host.indexOf('.')%20%26%26%20!~host.indexOf('%3A'))%20%7B%0A%20%20%20%20%20%20%20%20return%20'LOCAL'%3B%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20if%20(this.data.IPv4NotationRE.test(host)%20%26%26%20this.data.localIPsRE.test(host))%20%7B%0A%20%20%20%20%20%20%20%20return%20'LOCAL'%3B%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20ref%20%3D%20this.data.localDomains%3B%0A%20%20%20%20%20%20for%20(j%20%3D%200%2C%20len%20%3D%20ref.length%3B%20j%20%3C%20len%3B%20j%2B%2B)%20%7B%0A%20%20%20%20%20%20%20%20local%20%3D%20ref%5Bj%5D%3B%0A%20%20%20%20%20%20%20%20if%20(this.matchWildcardDomain(host%2C%20local))%20%7B%0A%20%20%20%20%20%20%20%20%20%20return%20'LOCAL'%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20match%20%3D%20this.matchRules(rules%2C%20host%2C%20url)%3B%0A%20%20%20%20%20%20if%20(match%20!%3D%20null)%20%7B%0A%20%20%20%20%20%20%20%20return%20rules%5Bmatch%5D.cc%3B%0A%20%20%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20return%20'DEFAULT'%3B%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%20%7D%3B%0A%20%20e.data.localDomains%20%3D%20e.data.localDomains.concat(%5B%22
zenmate.com%22%2C%22d1jr1idae5ms9n.cloudfront.net%22%5D)%3B%0A%20%20e.data.IPv4NotationRE%20%3D%20%2F%5E%5Cd%2B%5C.%5Cd%2B%5C.%5Cd%2B%5C.%5Cd%2B%24%2Fg%3B%0Ae.data.localIPsRE%20%3D%20%2F(%5E127%5C.)%7C(%5E192%5C.168%5C.)%7C(%5E10%5C.)%7C(%5E172%5C.1%5B6-9%5D%5C.)%7C(%5E172%5C.2%5B0-9%5D%5C.)%7C(%5E172%5C.3%5B0-1%5D%5C.)%2F%3B%0A%0A%20%20e.data.defaultLocation%20%3D%20'HK'%3B%0A%20%20e.data.nodeDict%20%3D%20%7B%22HK%22%3A%22PROXY%20127.0.0.1%3A49657%22%2C%22RO%22%3A%22PROXY%20127.0.0.1%3A49658%22%2C%22DE%22%3A%22PROXY%20127.0.0.1%3A49659%22%2C%22US%22%3A%22PROXY%20127.0.0.1%3A49660%22%2C%22US-ALT1%22%3A%22PROXY%20127.0.0.1%3A49661%22%7D%3B%0A%20%20e.data.rulesWithOverrides%20%3D%20%5B%5D%3B%0A%0A%20%20var%20res%20%3D%20e._getProxyState(url%2C%20host%2C%20e.data.rulesWithOverrides)%3B%0A%0A%20%20if%20(res%20%3D%3D%3D%20'LOCAL'%20%7C%7C%20res%20%3D%3D%3D%20'DIRECT'%20%7C%7C%20res%20%3D%3D%3D%20'OFF')%20%7Breturn%20'DIRECT'%7D%3B%0A%20%20if%20(res%20%3D%3D%3D%20'DEFAULT')%20%7Bcc%20%3D%20e.data.defaultLocation%7D%20else%20%7Bcc%20%3D%20res%7D%3B%0A%0A%20%20var%20override%20%3D%20e.matchNodeOverride(host%2C%20cc)%3B%0A%20%20if%20(override)%20%7Bcc%20%3D%20override%7D%3B%0A%0A%20%20return%20e.nodeLookup(e.data.nodeDict%2C%20cc)%20%7C%7C%20'DIRECT'%3B%0A%7D"
FF NetworkProxy: "type", 2
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-19] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Extension: HTTPS-Everywhere - C:\Users\Raj\AppData\Roaming\Mozilla\Firefox\Profiles\mv6kge8f.default-1450255684531\extensions\https-everywhere-eff@eff.org [2015-12-29]
FF Extension: NoScript - C:\Users\Raj\AppData\Roaming\Mozilla\Firefox\Profiles\mv6kge8f.default-1450255684531\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-01-07]
FF Extension: No Name - C:\Users\Raj\AppData\Roaming\Mozilla\Firefox\Profiles\mv6kge8f.default-1450255684531\Extensions\firefox@zenmate.com.xpi [2015-12-16] [not signed]
FF Extension: Video DownloadHelper - C:\Users\Raj\AppData\Roaming\Mozilla\Firefox\Profiles\mv6kge8f.default-1450255684531\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-12-18]
FF Extension: Evernote Web Clipper - C:\Users\Raj\AppData\Roaming\Mozilla\Firefox\Profiles\mv6kge8f.default-1450255684531\Extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}.xpi [2016-01-06]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-03-07] [not signed]
FF HKLM\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files\360\Total Security\safemon\webprotection_firefox
FF Extension: 360 Internet Protection - C:\Program Files\360\Total Security\safemon\webprotection_firefox [2016-01-04]
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://in.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_ir_15_48&param1=1&param2=f%3D1%26b%3DChrome%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutDtDtBtCzy0B0D0FyEtAzztDzz0F0F0CtN0D0Tzu0StCyEtByCtN1L2XzutAtFtCyDtFtAtFtBtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StD0EtC0C0CtBzyzztGtDzz0C0EtG0FtC0D0FtGtA0E0A0BtG0B0DyD0EtByD0FtAyC0C0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDtD0B0B0E0DyCyCtGzy0EyB0FtGyEyEyC0BtGzyyC0FyDtG0EyEzyzzzzyCtBzytB0CyEzy2QtN0A0LzuyE%26cr%3D1482986612%26a%3Dwncy_ir_15_48%26os%3DWindows%2BVista%2B™%2BHome%2BPremium
CHR StartupUrls: Default -> "hxxps://in.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_ir_15_48&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutDtDtBtCzy0B0D0FyEtAzztDzz0F0F0CtN0D0Tzu0StCyEtByCtN1L2XzutAtFtCyDtFtAtFtBtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StD0EtC0C0CtBzyzztGtDzz0C0EtG0FtC0D0FtGtA0E0A0BtG0B0DyD0EtByD0FtAyC0C0Dzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDtD0B0B0E0DyCyCtGzy0EyB0FtGyEyEyC0BtGzyyC0FyDtG0EyEzyzzzzyCtBzytB0CyEzy2QtN0A0LzuyE%26cr%3D1482986612%26a%3Dwncy_ir_15_48%26os%3DWindows%2BVista%2B™%2BHome%2BPremium"
CHR Profile: C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Advanced Font Settings) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\caclkomlalccbpcdllchkeecicepbmbm [2015-11-18]
CHR Extension: (uBlock) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\epcnnfbjfcgphgdmggkamkmgojdagdnn [2015-11-22]
CHR Extension: (ZenMate Security, Privacy & Unblock VPN) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2016-01-05]
CHR Extension: (HTTPS Everywhere) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2015-12-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-18]
CHR Profile: C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-15]
CHR Extension: (Google Docs) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-15]
CHR Extension: (Google Drive) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (Leapforce Extension) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\belncckcaakhmonmcfmegbglccbjlebc [2015-12-03]
CHR Extension: (YouTube) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Sheets) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-15]
CHR Extension: (Google Docs Offline) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-18]
CHR Extension: (NM Examples) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jhbidnpflpccdoffamdgpmgilfbpigdh [2016-01-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-29]
CHR Extension: (Gmail) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-15]
CHR HKLM\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jaehkpjddfdgiiefcnhahapilbejohhj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3960607897-3642553953-3203239249-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jaehkpjddfdgiiefcnhahapilbejohhj] - hxxps://clients2.google.com/service/update2/crx
 
Opera: 
=======
OPR Extension: (AdBlock) - C:\Users\Raj\AppData\Roaming\Opera Software\Opera Stable\Extensions\aobdicepooefnbaeokijohmhjlleamfj [2015-10-17]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-23] (SUPERAntiSpyware.com)
R2 GoogleInputService; C:\Program Files\Google\Google Input Tools\GoogleInputService.exe [164888 2015-03-07] (Google Inc)
R2 HWDeviceService.exe; C:\ProgramData\DatacardService\HWDeviceService.exe [276048 2014-01-15] ()
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 QHActiveDefense; C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe [906872 2015-12-31] (QIHU 360 SOFTWARE CO. LIMITED)
S2 Vodafone K4203I. RunOuc; C:\Program Files\Vodafone K4203I\UpdateDog\ouc.exe [651856 2014-05-27] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker.sys [122448 2015-11-12] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [66128 2015-12-11] (360.cn)
R1 360Box; C:\Windows\System32\DRIVERS\360Box.sys [204368 2015-12-31] (360.cn)
R1 360Camera; C:\Windows\System32\Drivers\360Camera.sys [34888 2015-11-12] (360.cn)
R1 360SelfProtection; C:\Windows\System32\drivers\360SelfProtection.sys [179152 2015-11-12] (360安全中心)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV.sys [177232 2015-12-11] (360.cn)
R1 EfiMon; C:\Windows\System32\Drivers\Efimon.sys [23248 2015-11-12] (360.cn)
R0 HookPort; C:\Windows\System32\Drivers\Hookport.sys [60368 2015-11-12] (360安全中心)
S3 huawei_cdcacm; C:\Windows\System32\DRIVERS\ew_jucdcacm.sys [101504 2013-11-30] (Huawei Technologies Co., Ltd.)
R3 hwusb_cdcacm; C:\Windows\System32\DRIVERS\ew_cdcacm.sys [111872 2014-07-25] (Huawei Technologies Co., Ltd.)
R3 hwusb_cdcecm; C:\Windows\System32\DRIVERS\ew_cdcecm.sys [117888 2015-01-07] (Huawei Technologies Co., Ltd.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R1 qutmdserv; C:\Windows\System32\DRIVERS\qutmdrv.sys [301264 2015-11-12] (360.cn)
R1 qutmipc; C:\Windows\system32\drivers\qutmipc.sys [53960 2015-11-12] (360.cn)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 eapihdrv; \??\C:\Users\Raj\AppData\Local\Temp\ehdrv.sys [X]
U5 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [249856 2014-02-07] (Huawei Technologies Co., Ltd.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-07 09:17 - 2016-01-07 09:18 - 00023405 _____ C:\Users\Raj\Downloads\FRST.txt
2016-01-07 09:17 - 2016-01-07 09:17 - 01721856 _____ (Farbar) C:\Users\Raj\Downloads\FRST.exe
2016-01-07 09:17 - 2016-01-07 09:17 - 00000000 ____D C:\FRST
2016-01-06 18:14 - 2015-12-24 18:33 - 00305928 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2016-01-06 17:31 - 2016-01-06 17:31 - 00606532 _____ C:\Users\Raj\Downloads\Autoruns.zip
2016-01-06 08:40 - 2016-01-06 08:40 - 00384408 _____ C:\Users\Raj\Downloads\TheObstacle.epub
2016-01-04 14:31 - 2016-01-06 18:22 - 00287391 _____ C:\Users\Raj\AppData\Local\census.cache
2016-01-04 14:31 - 2016-01-06 18:22 - 00163686 _____ C:\Users\Raj\AppData\Local\ars.cache
2016-01-03 20:56 - 2016-01-03 20:56 - 00000798 _____ C:\Windows\DCEBOOT.RST
2016-01-03 20:55 - 2016-01-03 20:55 - 00025088 _____ (Trend Micro Inc.) C:\Windows\DCEBoot.exe
2016-01-03 12:35 - 2016-01-03 12:35 - 00000010 _____ C:\Users\Raj\AppData\Local\sponge.last.runtime.cache
2016-01-03 12:10 - 2016-01-03 12:10 - 02086200 _____ (Trend Micro Inc.) C:\Users\Raj\Downloads\HousecallLauncher.exe
2016-01-03 12:10 - 2016-01-03 12:10 - 00000036 _____ C:\Users\Raj\AppData\Local\housecall.guid.cache
2016-01-02 13:20 - 2016-01-02 13:20 - 00000000 ____D C:\Users\Raj\SHAREit
2016-01-02 13:20 - 2016-01-02 13:20 - 00000000 ____D C:\Users\Raj\AppData\Roaming\Lenovo
2016-01-02 13:20 - 2016-01-02 13:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-01-02 13:20 - 2016-01-02 13:20 - 00000000 ____D C:\Program Files\Lenovo
2015-12-29 17:33 - 2015-12-29 19:06 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-12-29 10:51 - 2015-12-29 10:51 - 01620571 _____ C:\Users\Raj\Downloads\Derren Brown-Tricks of the Mind-Channel 4 Books (2007.).mobi
2015-12-27 19:38 - 2015-12-28 13:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
2015-12-27 19:38 - 2015-12-28 13:23 - 00000000 ____D C:\Program Files\Auslogics
2015-12-26 19:09 - 2015-12-26 19:09 - 01743360 _____ C:\Users\Raj\Downloads\adwcleaner_5.026.exe
2015-12-25 10:15 - 2015-12-25 10:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evernote
2015-12-20 17:59 - 2015-12-20 18:00 - 05947250 _____ C:\Users\Raj\Downloads\Allan_and_Barbara_Pease_-_Body_Language_The_Definitive_Book.pdf
2015-12-20 12:15 - 2015-12-20 12:16 - 00852720 _____ C:\Users\Raj\Downloads\SecurityCheck.exe
2015-12-18 15:19 - 2015-12-18 15:20 - 03181270 _____ C:\Users\Raj\NiP1900 (f).mp4
2015-12-16 12:57 - 2015-12-16 12:57 - 02870984 _____ (ESET) C:\Users\Raj\Downloads\esetsmartinstaller_enu.exe
2015-12-15 08:25 - 2015-12-15 08:26 - 02677623 _____ C:\Users\Raj\Downloads\Aziz Ansari, Eric Klinenberg-Modern Romance-Penguin Press (2015).epub
2015-12-09 16:15 - 2015-11-06 22:35 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-09 16:15 - 2015-11-06 22:02 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2015-12-09 16:15 - 2015-11-06 22:02 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2015-12-09 16:15 - 2015-11-06 22:02 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2015-12-09 16:15 - 2015-11-06 22:02 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2015-12-09 16:15 - 2015-11-06 20:57 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-12-09 16:15 - 2015-11-06 20:56 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2015-12-09 16:15 - 2015-11-06 20:54 - 02068480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-09 16:15 - 2015-11-06 20:50 - 01073152 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-09 16:15 - 2015-11-06 20:50 - 00682496 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-12-09 16:15 - 2015-11-06 20:49 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-09 16:12 - 2015-11-02 22:34 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\els.dll
2015-12-09 16:10 - 2015-11-10 22:33 - 01208832 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-09 16:10 - 2015-11-10 22:33 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-09 16:10 - 2015-11-05 12:56 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-12-09 16:09 - 2015-11-05 13:04 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-09 09:20 - 2015-11-13 02:09 - 01814528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-12-09 09:20 - 2015-11-13 02:06 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-12-09 09:20 - 2015-11-13 02:04 - 09753088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-09 09:20 - 2015-11-13 02:04 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-09 09:20 - 2015-11-13 02:03 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-09 09:20 - 2015-11-13 02:02 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-12-09 09:20 - 2015-11-13 02:02 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-12-09 09:20 - 2015-11-13 02:02 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-12-09 09:20 - 2015-11-13 02:01 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-12-09 09:20 - 2015-11-13 02:01 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-12-09 09:20 - 2015-11-13 02:01 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-09 09:20 - 2015-11-13 02:01 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-09 09:20 - 2015-11-13 02:01 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-09 09:20 - 2015-11-13 02:01 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-12-09 09:19 - 2015-11-13 02:07 - 12389376 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-07 09:17 - 2006-11-02 16:48 - 00000000 ____D C:\Windows
2016-01-07 09:15 - 2015-03-13 21:19 - 00000000 __SHD C:\$360Section
2016-01-07 09:15 - 2015-03-07 10:29 - 00000000 ____D C:\ProgramData\360Quarant
2016-01-07 09:12 - 2006-11-02 18:17 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-07 09:12 - 2006-11-02 18:17 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-07 08:56 - 2015-03-06 13:21 - 00000000 ____D C:\Users\Raj
2016-01-07 08:36 - 2015-03-06 16:50 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-07 07:36 - 2015-11-18 21:58 - 00000000 ____D C:\Users\Raj\AppData\LocalLow\360WD
2016-01-07 07:24 - 2015-03-06 16:50 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-07 07:24 - 2006-11-02 18:31 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-06 23:36 - 2015-03-06 17:29 - 00000000 ____D C:\Users\Raj\AppData\Roaming\vlc
2016-01-06 23:36 - 2006-11-02 18:31 - 00032578 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-01-06 21:50 - 2015-03-06 22:07 - 00000000 ____D C:\Users\Raj\.FBReader
2016-01-06 18:15 - 2006-11-02 16:48 - 00000000 ____D C:\Windows\inf
2016-01-05 13:48 - 2015-09-23 17:32 - 00000000 ____D C:\Users\Raj\English Blog
2016-01-04 14:16 - 2015-03-13 22:28 - 00000000 ____D C:\Users\Raj\AppData\Roaming\AIMP3
2016-01-04 13:47 - 2015-11-27 22:20 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-01-04 13:45 - 2015-11-22 18:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2016-01-03 21:33 - 2015-04-01 23:38 - 00000000 ____D C:\AdwCleaner
2016-01-02 22:46 - 2015-03-09 21:31 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-01-02 20:21 - 2006-11-02 16:03 - 00794480 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-02 18:09 - 2015-03-08 19:42 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-01-02 18:09 - 2015-03-08 19:42 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-12-31 08:00 - 2015-11-22 18:20 - 00204368 _____ (360.cn) C:\Windows\system32\Drivers\360Box.sys
2015-12-30 09:36 - 2015-04-01 21:12 - 00000000 ____D C:\Users\Raj\AppData\Roaming\dvdcss
2015-12-30 09:36 - 2015-03-06 16:46 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-12-30 09:36 - 2006-11-02 16:48 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-12-30 09:36 - 2006-11-02 16:48 - 00000000 ____D C:\Windows\system32\spool
2015-12-30 09:36 - 2006-11-02 16:48 - 00000000 ____D C:\Windows\registration
2015-12-29 10:38 - 2015-04-04 13:02 - 00000000 ____D C:\Users\Raj\Motivation
2015-12-28 22:57 - 2015-03-17 16:21 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-24 20:37 - 2015-04-13 22:56 - 00000000 ____D C:\Users\Raj\AppData\Roaming\transmission
2015-12-21 18:36 - 2015-04-02 18:06 - 00000000 ____D C:\Users\Raj\Leapforce
2015-12-20 20:18 - 2015-10-26 23:26 - 00000000 ____D C:\Users\Raj\AppData\Roaming\MPC-HC
2015-12-20 12:14 - 2015-03-06 21:17 - 00001674 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SumatraPDF.lnk
2015-12-18 15:19 - 2015-03-09 11:53 - 00000000 ____D C:\Users\Raj\dwhelper
2015-12-12 16:33 - 2006-11-02 15:52 - 36962304 _____ C:\Windows\system32\config\components_previous
2015-12-12 16:33 - 2006-11-02 15:52 - 32505856 _____ C:\Windows\system32\config\software_previous
2015-12-12 16:33 - 2006-11-02 15:52 - 24903680 _____ C:\Windows\system32\config\system_previous
2015-12-12 16:33 - 2006-11-02 15:52 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-12-12 16:33 - 2006-11-02 15:52 - 00262144 _____ C:\Windows\system32\config\sam_previous
2015-12-12 16:33 - 2006-11-02 15:52 - 00262144 _____ C:\Windows\system32\config\default_previous
2015-12-11 07:37 - 2015-11-22 18:19 - 00177232 _____ (360.cn) C:\Windows\system32\Drivers\BAPIDRV.SYS
2015-12-11 07:37 - 2015-11-22 18:19 - 00066128 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2015-12-09 17:11 - 2006-11-02 16:48 - 00000000 ____D C:\Windows\rescache
2015-12-09 16:54 - 2015-11-28 09:18 - 00241880 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-09 16:52 - 2006-11-02 18:07 - 00000000 ____D C:\Windows\system32\XPSViewer
2015-12-09 09:21 - 2015-03-06 16:10 - 00000000 ____D C:\Windows\system32\MRT
2015-12-09 09:21 - 2006-11-02 15:54 - 137798368 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
 
==================== Files in the root of some directories =======
 
2015-04-03 18:11 - 2015-04-03 18:11 - 0000751 _____ () C:\Users\Raj\AppData\Roaming\Jarteerror.log
2016-01-04 14:31 - 2016-01-06 18:22 - 0163686 _____ () C:\Users\Raj\AppData\Local\ars.cache
2016-01-04 14:31 - 2016-01-06 18:22 - 0287391 _____ () C:\Users\Raj\AppData\Local\census.cache
2015-03-06 13:21 - 2015-03-07 08:24 - 0000680 _____ () C:\Users\Raj\AppData\Local\d3d9caps.dat
2016-01-03 12:10 - 2016-01-03 12:10 - 0000036 _____ () C:\Users\Raj\AppData\Local\housecall.guid.cache
2016-01-03 12:35 - 2016-01-03 12:35 - 0000010 _____ () C:\Users\Raj\AppData\Local\sponge.last.runtime.cache
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-01-07 07:30
 
==================== End of FRST.txt ============================


#2 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 January 2016 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
CHR Extension: (uBlock) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\epcnnfbjfcgphgdmggkamkmgojdagdnn [2015-11-22]
CHR Extension: (Leapforce Extension) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\belncckcaakhmonmcfmegbglccbjlebc [2015-12-03]
CHR Extension: (NM Examples) - C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jhbidnpflpccdoffamdgpmgilfbpigdh [2016-01-06]
S3 eapihdrv; \??\C:\Users\Raj\AppData\Local\Temp\ehdrv.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
Task: {66F68DCA-290E-4325-82A9-0C46046CEEE1} - \UpdateTask -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:4BE698E6
C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Default\Extensions\epcnnfbjfcgphgdmggkamkmgojdagdnn
C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\belncckcaakhmonmcfmegbglccbjlebc
C:\Users\Raj\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jhbidnpflpccdoffamdgpmgilfbpigdh

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

===

Please post the logs and let me know of any remaining issues.
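A check that goes with the fix above, added here as an example and not part of nasdaq's instructions or of FRST itself: after the Fix and the reboot, the PowerShell below lists the autostart locations a follow-up log is compared against (per-user and machine-wide Run/RunOnce values, both Startup folders, and the task files on disk) and reports whether the three Chrome extension folders named in the fixlist are still present. It assumes PowerShell 2.0 or later is installed on this Vista machine (it is an optional install there) and that Chrome's profile lives under the current user's %LOCALAPPDATA%, as the FRST log shows; the function names are the example's own.

```powershell
# Added example: post-fix check of common autostart locations on the machine in this thread.
# Not part of FRST or of the thread's instructions. Assumes PowerShell 2.0 or later and that
# Chrome's profile lives under %LOCALAPPDATA% as the FRST log shows.

function Get-RunEntries {
    # Values under the per-user and machine-wide Run / RunOnce keys.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

function Get-StartupFolderEntries {
    # Shortcuts dropped in either Startup folder also launch at logon.
    $dirs = @([Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup'))
    Get-ChildItem -Path $dirs -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, LastWriteTime
}

function Get-TaskFiles {
    # Vista keeps legacy .job files in Windows\Tasks and Task Scheduler 2.0 XML in System32\Tasks.
    # The fixlist removed one orphaned task (\UpdateTask); nothing new should appear here.
    Get-ChildItem -Path "$env:windir\Tasks", "$env:windir\System32\Tasks" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, LastWriteTime
}

function Test-FixlistExtensions {
    # The three extension folders the fixlist told FRST to remove.
    $chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    $dirs = @(
        (Join-Path $chrome 'Default\Extensions\epcnnfbjfcgphgdmggkamkmgojdagdnn'),
        (Join-Path $chrome 'Profile 1\Extensions\belncckcaakhmonmcfmegbglccbjlebc'),
        (Join-Path $chrome 'Profile 1\Extensions\jhbidnpflpccdoffamdgpmgilfbpigdh')
    )
    foreach ($d in $dirs) {
        New-Object PSObject -Property @{
            Path    = $d
            Present = (Test-Path $d)
        }
    }
}

'== Run / RunOnce values =='
Get-RunEntries | Format-Table Key, Name, Command -AutoSize
'== Startup folders =='
Get-StartupFolderEntries | Format-Table -AutoSize
'== Task files =='
Get-TaskFiles | Format-Table -AutoSize
'== Extension folders named in the fixlist (Present should be False) =='
Test-FixlistExtensions | Format-Table Present, Path -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and System32\Tasks are readable, and run it again a day later: an entry that reappears after being removed is the kind of change the original post describes, and its Command or FullName tells you which file to look at in the next FRST log.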

#3 almasat

  • Topic Starter
  • Members
  • 26 posts

Posted 07 January 2016 - 11:39 AM

Thank you for the reply. 

Chrome is still having problems, which are:

1. It starts at startup despite my changing the startup programs and the registry (it modifies the registry every time).

2. Chrome and Windows freeze for a few seconds.

3. After starting at startup, all extensions stop working and I have to start them manually every time.

 

Here are the logs.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/7/2016
Scan Time: 8:57:01 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.07.03
Rootkit Database: v2016.01.05.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Raj
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 294722
Time Elapsed: 23 min, 26 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
--------------------------
 
# AdwCleaner v5.028 - Logfile created 07/01/2016 at 21:35:19
# Updated 04/01/2016 by Xplode
# Database : 2016-01-04.2 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)
# Username : Raj - RAJ-PC
# Running from : C:\Users\Raj\Downloads\adwcleaner_5.028.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\360
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S10].txt - [624 bytes] ##########
 


#4 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 January 2016 - 08:44 AM

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

then:

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.
<<<>>>

How is it now?

#5 almasat

  • Topic Starter
  • Members
  • 26 posts

Posted 08 January 2016 - 09:57 AM

Uninstalled and reinstalled Chrome. Strangely enough, I did not have to reinstall bookmarks or extensions. They were already there.

 

Chrome still starts with startup. Have not encountered freezing or extension problems so far.

 

Also, when I try to save any settings in Chrome, like 'enable guest browsing', it does not save and goes back to what it was.

 

PS: I have been having another problem with Chrome for a long time. After opening Chrome, a dialog pops up saying 'Your preferences cannot be read.' I tried everything I could find on the web, with no success.


Edited by almasat, 08 January 2016 - 10:00 AM.


#6 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 January 2016 - 01:56 PM

IF STILL HAVING PROBLEM WITH CHROME COMPLETELY DELETE IT.

Backup Chrome Bookmarks
How to Export Bookmarks from Chrome: 8 Steps (with Pictures) <- I think this is important since you will be deleting all sync links to Chrome.

NEXT - Open Chrome

Open your Google Dashboard. https://www.google.com/settings/dashboard
Make sure you are signed in to your Google Account.
Click Stop and Clear to stop syncing and clear all of your synced data.
Click OK.

NEXT Uninstall Chrome completely

Now delete the profile folder as well:

(type %appdata% into the search box to open the folder)

C:\Users\User Name\AppData\Local\Google\Chrome\User Data\Default << right click and delete all the contents of this folder

Note: AppData is a hidden folder, so you will need to show hidden files and folders.

Now re-install Chrome and let me know how it goes.

Uninstall Google Chrome Completely from your Computer (Windows 7, XP or OSX)
https://support.google.com/chrome/answer/2390059?hl=en
<<<>>>

#7 almasat

  • Topic Starter
  • Members
  • 26 posts

Posted 08 January 2016 - 11:34 PM

Uninstalled and reinstalled Chrome. Also deleted sync, so I had to load bookmarks manually from the file.

No change. Chrome still starts at startup and remains in the background. Settings are not saved. And the extensions show an error at startup.

I noticed that Windows also freezes when I start the Chromium (SRIron) browser.



#8 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2016 - 08:31 AM

Chromium (SRIron) is an open source program. I suggest you look for help in their forum. I'm not familiar with it and you should get help from the experts in that version of Chrome.

#9 almasat

  • Topic Starter
  • Members
  • 26 posts

Posted 09 January 2016 - 09:33 AM

Okay, will do that. Thanks a lot for your help. 

 

PS: Just to clarify, my problems were with the standard version of Chrome. I am also using Chromium, and it is also freezing.


Edited by almasat, 09 January 2016 - 09:37 AM.


#10 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2016 - 01:47 PM

Try this GeekUninstaller and remove everything related to Chrome.

Please download the free version of GeekUninstall:
  • Please create a system restore point before continuing with the instructions.
  • Open the geek.zip file and run the geek.exe file inside of it.
  • A window will open; please click on the listed program(s) from the list of programs, or anything similar, to remove it:
xxxFantapper Playerxxx
xxxFantapper Updaterxxx
  • Click on Action on the top menu and then select Force Removal.
  • When asked if you are sure you want to perform a forced removal, click Yes.
  • A window will appear showing the File System and Registry locations; click Finish.
  • Once all traces are removed, click Close.
  • Repeat for each of the programs on the list.


#11 almasat

  • Topic Starter
  • Members
  • 26 posts

Posted 10 January 2016 - 09:36 PM

All problems gone. Chrome is working smoothly now. :)

Thank you for your time and patience. Very much appreciated. 



#12 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 January 2016 - 09:07 AM

Glad we could help.


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#13 nasdaq

  • Malware Response Team
  • 38,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 January 2016 - 09:46 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



