Backdoor found by MBAM attached to run | bitshost


  • This topic is locked
7 replies to this topic

#1 emc20guru

  • Members
  • 5 posts
  • OFFLINE
  • Local time: 02:30 AM

Posted 11 January 2016 - 06:21 AM

I ran AdwCleaner first and then MBAM. AdwCleaner cleaned up some, and then MBAM still found and fixed, "as far as I know", a backdoor attached to a registry value ending with "Run | bitshost". This log was produced after the MBAM cleanup and restart. I wanted to see if any further action needed to be taken, as the person who owns this computer did have issues with ID theft.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-01-2015
Ran by Pats (administrator) on PATS-PC (09-01-2016 13:59:36)
Running from C:\Users\Pats\Desktop
Loaded Profiles: Pats (Available Profiles: Pats & UpdatusUser)
Platform: Windows Vista ™ Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Agere Systems) C:\Windows\System32\agr64svc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
(Egis Incorporated) C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
() C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(NewTech InfoSystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
() C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
(TeamViewer GmbH) C:\Users\Pats\AppData\Local\Temp\TeamViewer\TeamViewer_Service.exe
(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
() C:\Program Files\bin32\nSvcAppFlt.exe
() C:\Program Files\bin32\nSvcIp.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(TeamViewer GmbH) C:\Users\Pats\AppData\Local\Temp\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Users\Pats\AppData\Local\Temp\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Users\Pats\AppData\Local\Temp\TeamViewer\tv_x64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG8\avgemc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
() C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
() C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
(Egis Incorporated) C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSLoader.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
() C:\Program Files (x86)\HP Button Manager\BM.exe
() C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG8\avgtray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Apple Inc.) C:\Program Files (x86)\iPod\bin\iPodService.exe
(TeamViewer GmbH) C:\Users\Pats\AppData\Local\Temp\TeamViewer\TeamViewer_Desktop.exe
(Egis inc.) C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSMSNLoader32.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Acer Empowering Technology Monitor] => C:\Program Files\Acer\Empowering Technology\SysMonitor.exe [319488 2008-04-25] ()
HKLM\...\Run: [EmpoweringTechnology] => C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe [319488 2008-04-25] ()
HKLM\...\Run: [eDataSecurity Loader] => C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe [560688 2008-03-05] (Egis Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6150656 2008-03-26] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM-x32\...\Run: [BkupTray] => C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe [34040 2008-04-07] ()
HKLM-x32\...\Run: [eRecoveryService] => [X]
HKLM-x32\...\Run: [Acer Product Registration] => C:\Program Files (x86)\Acer\Acer Registration\ACE1.exe [3387392 2007-11-26] (Leader Technologies)
HKLM-x32\...\Run: [Acer Assist Launcher] => C:\Program Files (x86)\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe [185896 2008-08-29] (RealNetworks, Inc.)
HKLM-x32\...\Run: [AVG8_TRAY] => C:\Program Files (x86)\AVG\AVG8\avgtray.exe [1261336 2008-11-27] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-03-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [141624 2010-06-15] (Apple Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [495616 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [856064 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [Nikon Message Center 2] => C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe [571392 2011-10-30] (Nikon Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [Messenger (Yahoo!)] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [4351216 2009-05-26] (Yahoo! Inc.)
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [WMPNSCFG] => C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [Deviup16] => rundll32 "C:\Windows\system32\Optierpt64.dll",CreateProcessNotify
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50378880 2015-12-17] (Skype Technologies S.A.)
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\MountPoints2: {151a0fde-71c7-11df-ada4-001d72a08fb3} - H:\PMBP_Win.exe
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\MountPoints2: {8b1cb2fa-44f8-11df-b74a-001d72a08fb3} - E:\.\Vado\Vado.exe
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [840704 2009-04-11] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll [2008-03-05] (Egis Incorporated)
ShellIconOverlayIdentifiers-x32: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll [2008-03-05] (Egis Incorporated)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Button Manager.lnk [2011-05-21]
ShortcutTarget: HP Button Manager.lnk -> C:\Program Files (x86)\HP Button Manager\BM.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 71.252.0.12
Tcpip\..\Interfaces\{C843A59D-0C97-42DB-8EAA-657E3D28862A}: [DhcpNameServer] 192.168.1.1 71.252.0.12

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://en.us.acer.yahoo.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*hxxp://www.yahoo.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://en.us.acer.yahoo.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*hxxp://www.yahoo.com
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*hxxp://www.yahoo.com
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yahoo.com/
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://global.acer.com
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*hxxp://www.yahoo.com/ext/search/search.html
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-26508511-1022157919-3443729771-1000 -> DefaultScope {87E0B233-7E11-4A6D-9D72-7CBE7E12F39F} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-26508511-1022157919-3443729771-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-26508511-1022157919-3443729771-1000 -> {38A065A1-AF90-4B32-8585-D651563B5B3C} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchScopes: HKU\S-1-5-21-26508511-1022157919-3443729771-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=UP22DF&PC=UP22&dt=122412&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-26508511-1022157919-3443729771-1000 -> {87E0B233-7E11-4A6D-9D72-7CBE7E12F39F} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-26508511-1022157919-3443729771-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=chr-acer
BHO: ShowBarObj Class -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\ActiveToolBand.dll [2008-03-05] (Egis)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll [2011-10-01] (Google Inc.)
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-08-29] (RealPlayer)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited)
BHO-x32: Yahoo! IE Services Button -> {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll [2007-12-12] (Yahoo! Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-12-16] (Oracle Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2011-10-01] (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-16] (Oracle Corporation)
Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDStoolbar.dll [2008-03-05] (Egis Incorporated.)
Toolbar: HKLM-x32 - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-03-05] (Egis Incorporated.)
DPF: HKLM-x32 {01113300-3E00-11D2-8470-0060089874ED} hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll [2008-11-01] (AVG Technologies CZ, s.r.o.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-05-14] (Skype Technologies S.A.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2015-11-10] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2015-11-10] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2015-11-10] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2015-11-10] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Pats\AppData\Roaming\Mozilla\Firefox\Profiles\j7ydznv9.default
FF SearchEngineOrder.3: Bing
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_267.dll [2016-01-02] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_267.dll [2016-01-02] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll [2013-01-30] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2010-06-08] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-12-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-16] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2009-05-26] (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @pack.google.com/Google Updater;version=14 -> C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll [2011-10-01] (Google)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.46 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2008-08-29] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=1.0.3.46 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [2008-08-29] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.46 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll [2008-08-29] (RealNetworks, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-07] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-26508511-1022157919-3443729771-1000: @nsroblox.roblox.com/launcher -> C:\Users\Pats\AppData\Local\Roblox\Versions\version-10ff6084ab364993\\NPRobloxProxy.dll [2012-12-31] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-26508511-1022157919-3443729771-1000: @nsroblox.roblox.com/launcher64 -> C:\Users\Pats\AppData\Local\Roblox\Versions\version-10ff6084ab364993\\NPRobloxProxy64.dll [2012-12-31] ( ROBLOX Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppl3260.dll [2008-08-29] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll [2010-06-27] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprjplug.dll [2008-08-29] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprpjplug.dll [2008-08-29] (RealNetworks, Inc.)
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Pats\AppData\Roaming\Mozilla\Firefox\Profiles\j7ydznv9.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-12-28] [not signed]
FF Extension: Yahoo! Toolbar - C:\Users\Pats\AppData\Roaming\Mozilla\Firefox\Profiles\j7ydznv9.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}(20) [2013-05-11] [not signed]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-01-08] [not signed]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2016-01-08] [not signed]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-01-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Program Files\Real\RealPlayer\browserrecord
FF Extension: RealPlayer Browser Record Plugin - C:\Program Files\Real\RealPlayer\browserrecord [2008-08-29] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{3f963a5b-e555-4543-90e2-c3908898db71}] - C:\Program Files (x86)\AVG\AVG8\Firefox
FF Extension: AVG Safe Search - C:\Program Files (x86)\AVG\AVG8\Firefox [2008-11-01] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-09] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR NewTab: Default -> "chrome-extension://aaffhmecfaelkngcbnfdkcckmillnoki/newtab.html"
CHR DefaultSearchURL: Default -> hxxp://www.youtube.com/results?search_query={searchTerms}&page={startPage?}&utm_source=opensearch
CHR DefaultSearchKeyword: Default -> youtube.com
CHR Profile: C:\Users\Pats\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Yahoo Web) - C:\Users\Pats\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaffhmecfaelkngcbnfdkcckmillnoki [2015-12-16]
CHR Extension: (Entanglement Web App) - C:\Users\Pats\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2014-01-01]
CHR Extension: (Skype) - C:\Users\Pats\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-12-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Pats\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-23]
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 avg8emc; C:\Program Files (x86)\AVG\AVG8\avgemc.exe [875288 2008-11-01] (AVG Technologies CZ, s.r.o.)
R2 avg8wd; C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe [231704 2008-11-01] (AVG Technologies CZ, s.r.o.)
R2 BUNAgentSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [16384 2008-03-03] (NewTech Infosystems, Inc.) [File not signed]
R2 eDataSecurity Service; C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [500784 2008-03-05] (Egis Incorporated)
R2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-04-25] () [File not signed]
R2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [920064 2008-01-29] () [File not signed]
S2 gupdate1c9664765a596da; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [144200 2015-08-29] (Google Inc.)
R3 iPod Service; C:\Program Files (x86)\iPod\bin\iPodService.exe [653616 2010-06-15] (Apple Inc.)
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.266\McCHSvc.exe [289256 2015-12-02] (McAfee, Inc.)
R2 nSvcIp; C:\Program Files\bin32\nSvcIp.exe [193024 2008-01-29] () [File not signed]
R2 NTISchedulerSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-04] () [File not signed]
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 TeamViewer; c:\users\pats\appdata\local\temp\teamviewer\TeamViewer_Service.exe [5532432 2015-12-14] (TeamViewer GmbH)
R2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)
S2 0209761220034164mcinstcleanup; C:\Windows\TEMP\020976~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2008-04-24] (ArcSoft, Inc.)
R1 AvgLdx64; C:\Windows\System32\Drivers\avgldx64.sys [114696 2008-11-01] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx64; C:\Windows\System32\Drivers\avgmfx64.sys [32392 2008-11-01] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiA; C:\Windows\System32\Drivers\avgtdia.sys [90632 2009-01-30] (AVG Technologies CZ, s.r.o.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [22064 2008-03-05] (Egis Incorporated)
R2 PSDNServ; C:\Windows\System32\DRIVERS\PSDNServ.sys [21040 2008-03-05] (Egis Incorporated)
R2 psdvdisk; C:\Windows\System32\DRIVERS\PSDVdisk.sys [60976 2008-03-05] (Egis Incorporated)
S3 WINFLASH64; C:\Users\Pats\Downloads\WinFlash64.sys [13632 2007-01-12] ()
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-09 13:59 - 2016-01-09 14:01 - 00027471 _____ C:\Users\Pats\Desktop\FRST.txt
2016-01-09 13:59 - 2016-01-09 13:59 - 00000000 ____D C:\FRST
2016-01-09 13:43 - 2016-01-09 13:43 - 02370560 _____ (Farbar) C:\Users\Pats\Desktop\FRST64.exe
2016-01-09 13:06 - 2016-01-09 13:06 - 04274096 _____ (BrightFort LLC ) C:\Users\Pats\Desktop\spywareblastersetup54.exe
2016-01-09 12:56 - 2016-01-09 12:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-09 12:56 - 2016-01-09 12:56 - 00000945 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-01-09 12:56 - 2016-01-09 12:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-09 12:55 - 2016-01-09 12:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-09 12:55 - 2016-01-09 12:55 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-01-09 12:55 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-01-09 12:55 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-01-09 12:55 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-01-09 12:52 - 2016-01-09 12:53 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(9).exe
2016-01-09 12:52 - 2016-01-09 12:52 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(8).exe
2016-01-09 12:52 - 2016-01-09 12:52 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(7).exe
2016-01-08 23:14 - 2016-01-08 23:19 - 00000000 ____D C:\AdwCleaner
2016-01-08 23:01 - 2016-01-08 23:02 - 06805440 _____ (Piriform Ltd) C:\Users\Pats\Desktop\ccsetup513.exe
2016-01-08 22:08 - 2016-01-08 22:08 - 00000000 _____ C:\Users\Pats\Desktop\New Text Document.txt
2016-01-08 21:49 - 2016-01-08 21:49 - 00000000 ____D C:\Users\Pats\AppData\Roaming\TeamViewer
2016-01-08 21:47 - 2016-01-08 21:47 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(6).exe
2016-01-08 21:45 - 2016-01-08 21:45 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(5).exe
2016-01-08 21:44 - 2016-01-08 21:45 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(4).exe
2016-01-08 20:41 - 2016-01-08 23:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-01-08 19:13 - 2016-01-08 19:13 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(2).exe
2016-01-08 19:12 - 2016-01-08 19:13 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(3).exe
2016-01-08 19:11 - 2016-01-08 19:11 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en(1).exe
2016-01-08 19:10 - 2016-01-08 19:11 - 06937888 _____ (TeamViewer) C:\Users\Pats\Downloads\TeamViewerQS_en.exe
2016-01-05 17:23 - 2016-01-05 17:23 - 00657744 _____ (PC Drivers HeadQuarters LP) C:\Users\Pats\Downloads\DriverSupport(1).exe
2016-01-05 17:22 - 2016-01-05 17:22 - 00657744 _____ (PC Drivers HeadQuarters LP) C:\Users\Pats\Downloads\DriverSupport.exe
2015-12-21 20:32 - 2015-12-21 20:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-12-20 17:03 - 2015-12-20 17:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2015-12-17 21:25 - 2015-12-20 17:51 - 00752394 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-12-17 20:58 - 2015-11-10 08:27 - 01147904 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-17 20:58 - 2015-11-10 08:27 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-12-17 20:58 - 2015-11-10 08:26 - 01491968 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-17 20:58 - 2015-11-10 08:26 - 00588800 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-17 20:58 - 2015-11-10 08:26 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-12-17 20:58 - 2015-11-10 08:25 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-12-17 20:58 - 2015-11-10 08:15 - 01068544 _____ (Microsoft Corporation) C:\Windows\system32\mstime.dll
2015-12-17 20:58 - 2015-11-10 08:15 - 00241664 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-12-17 20:58 - 2015-11-10 08:13 - 09344000 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-12-17 20:58 - 2015-11-10 08:13 - 00742912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-17 20:58 - 2015-11-10 08:13 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-17 20:58 - 2015-11-10 08:13 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-12-17 20:58 - 2015-11-10 08:10 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2015-12-17 20:58 - 2015-11-10 08:09 - 00820224 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-17 20:58 - 2015-11-10 08:09 - 00031744 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 12480000 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 02359296 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 01538560 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-17 20:58 - 2015-11-10 08:07 - 00459776 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 00252416 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 00219136 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 00132096 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-12-17 20:58 - 2015-11-10 08:07 - 00072192 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-12-17 20:58 - 2015-11-10 08:04 - 00505856 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-12-17 20:58 - 2015-11-10 08:04 - 00317952 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-17 20:58 - 2015-11-10 08:03 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\corpol.dll
2015-12-17 20:58 - 2015-11-10 06:55 - 00479744 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-12-17 20:58 - 2015-11-10 06:48 - 00916992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-12-17 20:58 - 2015-11-10 06:47 - 01214976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-12-17 20:58 - 2015-11-10 06:47 - 00423936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-12-17 20:58 - 2015-11-10 06:47 - 00236544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-12-17 20:58 - 2015-11-10 06:47 - 00105984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2015-12-17 20:58 - 2015-11-10 06:45 - 00206848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2015-12-17 20:58 - 2015-11-10 06:43 - 06012416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-12-17 20:58 - 2015-11-10 06:43 - 00630784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2015-12-17 20:58 - 2015-11-10 06:43 - 00630272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-12-17 20:58 - 2015-11-10 06:43 - 00193536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-12-17 20:58 - 2015-11-10 06:43 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-12-17 20:58 - 2015-11-10 06:43 - 00055296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2015-12-17 20:58 - 2015-11-10 06:42 - 01469440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-12-17 20:58 - 2015-11-10 06:42 - 00729600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-12-17 20:58 - 2015-11-10 06:42 - 00043520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2015-12-17 20:58 - 2015-11-10 06:42 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 11086848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 02006016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 00387584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 00184320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 00164352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-12-17 20:58 - 2015-11-10 06:41 - 00055808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-12-17 20:58 - 2015-11-10 06:40 - 00348160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-12-17 20:58 - 2015-11-10 06:40 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-12-17 20:58 - 2015-11-10 06:40 - 00019456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\corpol.dll
2015-12-17 20:58 - 2015-11-10 05:10 - 00162816 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-12-17 20:58 - 2015-11-10 05:09 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-12-17 20:58 - 2015-11-10 05:08 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-12-17 20:58 - 2015-11-10 05:08 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-12-17 20:58 - 2015-11-10 04:56 - 00385024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-12-17 20:58 - 2015-11-10 03:16 - 00133632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-12-17 20:58 - 2015-11-10 03:15 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2015-12-17 20:58 - 2015-11-10 03:13 - 00013312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2015-12-17 20:58 - 2015-11-10 03:12 - 01638912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-12-14 12:12 - 2015-11-05 04:07 - 00014848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshrm.dll
2015-12-14 12:12 - 2015-11-05 03:55 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\wshrm.dll
2015-12-14 12:12 - 2015-11-05 02:54 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-14 12:10 - 2015-11-06 12:05 - 00648704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2015-12-14 12:10 - 2015-11-06 11:43 - 00820224 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-14 12:10 - 2015-11-06 11:36 - 01268224 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2015-12-14 12:10 - 2015-11-06 11:36 - 00327680 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2015-12-14 12:10 - 2015-11-06 11:36 - 00287232 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2015-12-14 12:10 - 2015-11-06 11:36 - 00196096 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2015-12-14 12:10 - 2015-11-06 11:32 - 01029120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2015-12-14 12:10 - 2015-11-06 11:32 - 00219648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2015-12-14 12:10 - 2015-11-06 11:32 - 00189952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2015-12-14 12:10 - 2015-11-06 11:32 - 00160768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2015-12-14 12:10 - 2015-11-06 11:00 - 02002944 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-12-14 12:10 - 2015-11-06 10:59 - 00566272 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2015-12-14 12:10 - 2015-11-06 10:50 - 00834048 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-12-14 12:10 - 2015-11-06 10:47 - 01561600 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-14 12:10 - 2015-11-06 10:47 - 01154560 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-14 12:10 - 2015-11-06 10:37 - 02799104 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-14 12:10 - 2015-11-06 10:27 - 01172480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2015-12-14 12:10 - 2015-11-06 10:26 - 00486400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2015-12-14 12:10 - 2015-11-06 10:20 - 01073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-12-14 12:10 - 2015-11-06 10:20 - 00682496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2015-12-14 12:10 - 2015-11-02 12:04 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\els.dll
2015-12-14 12:10 - 2015-11-02 11:44 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\els.dll
2015-12-14 11:40 - 2015-11-10 12:03 - 01208832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comsvcs.dll
2015-12-14 11:40 - 2015-11-10 12:03 - 00488448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\catsrvut.dll
2015-12-14 11:40 - 2015-11-10 11:40 - 01683968 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-14 11:40 - 2015-11-10 11:40 - 00533504 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-14 11:40 - 2015-11-05 02:42 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-12-14 11:40 - 2015-11-05 02:26 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-09 14:02 - 2013-07-07 11:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-01-09 13:59 - 2007-07-11 20:48 - 00000000 ____D C:\Windows
2016-01-09 13:58 - 2011-05-21 15:58 - 00000000 ____D C:\Users\Pats\AppData\Roaming\Skype
2016-01-09 13:57 - 2009-06-30 21:51 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-09 13:57 - 2008-04-30 15:16 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-09 13:57 - 2006-11-02 10:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-09 13:57 - 2006-11-02 10:22 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-09 13:57 - 2006-11-02 10:22 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-09 13:57 - 2006-10-20 03:10 - 00000000 _____ C:\Windows\system32\LogConfigTemp.xml
2016-01-09 13:56 - 2006-11-02 10:42 - 00032634 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-01-09 13:52 - 2009-06-30 21:51 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-09 13:10 - 2008-11-01 12:33 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-01-09 12:53 - 2015-06-04 15:29 - 00000733 _____ C:\Windows\wininit.ini
2016-01-09 12:40 - 2008-12-24 23:14 - 00000880 _____ C:\Windows\Tasks\Google Software Updater.job
2016-01-09 10:46 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\inf
2016-01-09 10:46 - 2006-11-02 07:46 - 00759082 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-09 10:39 - 2012-07-28 14:25 - 00000026 _____ C:\Windows\Zone.Identifier
2016-01-08 23:27 - 2013-04-15 11:45 - 00000000 ____D C:\Users\UpdatusUser.Pats-PC.000
2016-01-08 23:22 - 2012-12-28 12:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-01-08 23:22 - 2008-07-20 22:51 - 00000000 ____D C:\Users\Pats\AppData\Roaming\Yahoo!
2016-01-08 23:22 - 2008-04-30 15:57 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2016-01-08 23:19 - 2008-07-20 14:09 - 00000000 ____D C:\Users\Pats
2016-01-08 22:41 - 2014-02-15 12:45 - 00000000 ____D C:\Users\Pats\AppData\Local\Apps\2.0
2016-01-02 14:02 - 2013-07-07 11:29 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-02 14:02 - 2013-03-29 14:36 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-02 14:02 - 2013-03-29 14:36 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-21 20:32 - 2014-03-15 11:40 - 00001890 _____ C:\Users\Public\Desktop\Skype.lnk
2015-12-21 20:32 - 2014-03-15 11:40 - 00000000 ____D C:\Users\Pats\AppData\Local\Skype
2015-12-21 20:32 - 2011-05-21 15:57 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-12-21 20:32 - 2011-05-21 15:57 - 00000000 ____D C:\ProgramData\Skype
2015-12-20 17:03 - 2015-11-20 15:53 - 00000000 ____D C:\Program Files\McAfee Security Scan
2015-12-17 21:07 - 2008-12-24 23:15 - 00002029 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-12-16 20:04 - 2013-09-13 13:39 - 00000000 ____D C:\ProgramData\Oracle
2015-12-16 20:04 - 2013-09-13 13:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-12-16 20:04 - 2008-12-01 00:43 - 00000000 ____D C:\Program Files (x86)\Java
2015-12-16 20:03 - 2015-09-13 19:11 - 00000000 ____D C:\Users\Pats\.oracle_jre_usage
2015-12-16 20:03 - 2015-07-18 23:14 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-12-16 19:54 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\system32\Msdtc
2015-12-16 19:53 - 2006-11-02 07:33 - 79691776 _____ C:\Windows\system32\config\software_previous
2015-12-16 19:53 - 2006-11-02 07:33 - 64749568 _____ C:\Windows\system32\config\components_previous
2015-12-16 19:53 - 2006-11-02 07:33 - 19660800 _____ C:\Windows\system32\config\system_previous
2015-12-16 19:53 - 2006-11-02 07:33 - 03932160 _____ C:\Windows\system32\config\default_previous
2015-12-16 19:53 - 2006-11-02 07:33 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-12-16 19:53 - 2006-11-02 07:33 - 00262144 _____ C:\Windows\system32\config\sam_previous
2015-12-16 19:52 - 2013-03-29 14:36 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-12-16 19:52 - 2008-04-29 23:52 - 00000000 ____D C:\ACER
2015-12-16 19:52 - 2006-11-02 08:34 - 00000000 ____D C:\Windows\system32\spool
2015-12-16 19:52 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\registration
2015-12-16 00:40 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\rescache
2015-12-14 19:29 - 2006-11-02 10:21 - 00305992 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-14 12:13 - 2008-04-30 15:53 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-14 12:01 - 2013-08-16 12:35 - 00000000 ____D C:\Windows\system32\MRT
2015-12-14 11:42 - 2006-11-02 07:35 - 140158008 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

==================== Files in the root of some directories =======

2012-12-28 23:40 - 2012-12-28 23:40 - 0000268 ___RH () C:\Users\Pats\AppData\Roaming\Helper Scripts
2012-12-28 23:40 - 2012-12-28 23:40 - 0000268 ___RH () C:\Users\Pats\AppData\Roaming\Hip Hop
2012-12-28 23:40 - 2012-12-28 23:40 - 0000268 ___RH () C:\Users\Pats\AppData\Roaming\Home
2012-12-28 23:39 - 2012-12-28 23:39 - 0000268 ___RH () C:\Users\Pats\AppData\Roaming\Image Units
2008-08-03 16:44 - 2008-08-15 16:52 - 0024226 _____ () C:\Users\Pats\AppData\Roaming\UserTile.png
2008-08-28 21:23 - 2015-11-22 16:45 - 0007918 _____ () C:\Users\Pats\AppData\Roaming\wklnhst.dat
2008-07-20 22:15 - 2015-10-10 18:39 - 0010240 _____ () C:\Users\Pats\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-11-16 15:13 - 2015-11-16 15:13 - 0000000 _____ () C:\Users\Pats\AppData\Local\{47754753-D0F7-473D-9E40-63E5DC360F43}
2011-05-21 15:58 - 2011-05-21 15:58 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2012-12-28 23:40 - 2012-12-28 23:40 - 0000268 ___RH () C:\ProgramData\Horn Section
2012-12-28 23:40 - 2012-12-28 23:40 - 0000268 ___RH () C:\ProgramData\Horns
2012-12-28 23:40 - 2012-12-28 23:40 - 0000268 ___RH () C:\ProgramData\Hybrid Basic
2012-12-28 23:39 - 2012-12-28 23:39 - 0000268 ___RH () C:\ProgramData\Installer Plugin
2012-12-28 23:39 - 2012-12-28 23:39 - 0000020 ____H () C:\ProgramData\PKP_DLeo.DAT
2012-12-28 23:40 - 2012-12-28 23:40 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2012-12-28 23:40 - 2014-02-15 13:32 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2012-12-28 23:40 - 2012-12-28 23:44 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT

Some files in TEMP:
====================
C:\Users\Pats\AppData\Local\Temp\sqlite3.dll
C:\Users\Pats\AppData\Local\Temp\_is4327.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-01-09 14:06

==================== End of FRST.txt ============================



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,578 posts
  • Gender:Male
  • Local time:03:30 AM

Posted 16 January 2016 - 06:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/601933 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 emc20guru

emc20guru
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:30 AM

Posted 17 January 2016 - 04:22 AM

Hello, after I ran FRST to produce the logs included in my first post the computer in question was shut down immediately and has not been booted since it was shut down. Do you need me to run FRST again since the description of the issue remains current and the state of the system still matches the log(s) in my initial post?



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:30 AM

Posted 17 January 2016 - 10:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [eRecoveryService] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [Deviup16] => rundll32 "C:\Windows\system32\Optierpt64.dll",CreateProcessNotify
CHR NewTab: Default -> "chrome-extension://aaffhmecfaelkngcbnfdkcckmillnoki/newtab.html"
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
C:\Users\Pats\AppData\Local\Temp\sqlite3.dll
C:\Users\Pats\AppData\Local\Temp\_is4327.exe
C:\Windows\system32\Optierpt64.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the log for my review.
Include also the Addition.txt file that was created by the Farbar tool.

Let me know what problem persists.

#5 emc20guru

emc20guru
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:30 AM

Posted 23 January 2016 - 05:10 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by Pats (2016-01-22 16:17:54) Run:1
Running from C:\Users\Pats\Desktop
Loaded Profiles: Pats & UpdatusUser (Available Profiles: Pats & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [eRecoveryService] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [Deviup16] => rundll32 "C:\Windows\system32\Optierpt64.dll",CreateProcessNotify
CHR NewTab: Default -> "chrome-extension://aaffhmecfaelkngcbnfdkcckmillnoki/newtab.html"
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
C:\Users\Pats\AppData\Local\Temp\sqlite3.dll
C:\Users\Pats\AppData\Local\Temp\_is4327.exe
C:\Windows\system32\Optierpt64.dll

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\eRecoveryService => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Deviup16 => value not found.
NewTab => not found.
IpInIp => service removed successfully
NwlnkFlt => service removed successfully
NwlnkFwd => service removed successfully
"C:\Users\Pats\AppData\Local\Temp\sqlite3.dll" => not found.
"C:\Users\Pats\AppData\Local\Temp\_is4327.exe" => not found.
C:\Windows\system32\Optierpt64.dll => moved successfully
EmptyTemp: => 117.7 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 16:20:19 ====
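The Fixlog above pairs every fixlist line with what FRST actually did. The following Python, added here as an example and not part of FRST or of this thread, parses that pairing and flags the pattern visible in the log: the Deviup16 Run value was already gone when the fix ran, yet the DLL it launched was still on disk and had to be moved. The embedded log is copied from the post above, trimmed to the relevant lines.

```python
"""Pair the fixlist entries in an FRST Fixlog with the outcome FRST reported
for each, and flag autostart payloads that outlived their registry entry.
Added example; not part of FRST or of this thread. The embedded log is the
Fixlog posted above, trimmed to the relevant lines."""
import re

# Sample input: the Fixlog from this thread (fixlist section plus results).
FIXLOG = r"""
fixlist content:
*****************
start
HKLM-x32\...\Run: [eRecoveryService] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\...\Run: [Deviup16] => rundll32 "C:\Windows\system32\Optierpt64.dll",CreateProcessNotify
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
C:\Users\Pats\AppData\Local\Temp\sqlite3.dll
C:\Windows\system32\Optierpt64.dll
End
*****************
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\eRecoveryService => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-26508511-1022157919-3443729771-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Deviup16 => value not found.
IpInIp => service removed successfully
"C:\Users\Pats\AppData\Local\Temp\sqlite3.dll" => not found.
C:\Windows\system32\Optierpt64.dll => moved successfully
EmptyTemp: => 117.7 MB temporary data Removed.
"""

# A Run-key line in the fixlist: hive, value name in brackets, then the command.
RUN_LINE = re.compile(r'^(?P<hive>HK\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
# A Windows path inside a Run command (stops at quote, whitespace or comma).
PATH_IN_CMD = re.compile(r'[A-Za-z]:\\[^"\s,]+')
# A result line: "<target> => <outcome>." (trailing period optional).
RESULT_LINE = re.compile(r'^(?P<target>.+?) => (?P<outcome>.+?)\.?$')


def classify(outcome):
    """Map FRST's free-text outcome to a coarse status."""
    o = outcome.lower()
    if "not found" in o:
        return "absent"       # nothing left to remove at fix time
    if "successfully" in o:
        return "removed"      # value/service removed or file moved
    return "other"            # e.g. the EmptyTemp: summary line


def parse_fixlog(text):
    """Return (run_entries, results): the Run lines from the fixlist, and a
    dict mapping each result target (value name or file path) to its status."""
    in_fixlist = False
    run_entries, results = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "start":
            in_fixlist = True
            continue
        if line == "End":
            in_fixlist = False
            continue
        if in_fixlist:
            m = RUN_LINE.match(line)
            if m:
                run_entries.append({"name": m.group("name"),
                                    "paths": PATH_IN_CMD.findall(m.group("cmd"))})
            continue
        m = RESULT_LINE.match(line)
        if m:
            target = m.group("target").strip('"')
            if "\\Run\\\\" in target:          # registry value: key by value name
                target = target.rsplit("\\", 1)[-1]
            results[target] = classify(m.group("outcome"))
    return run_entries, results


def orphaned_payloads(run_entries, results):
    """Run values that were already absent while a file they launched was still
    on disk and had to be moved. Whatever removed the value (an earlier cleanup
    or the malware itself), the payload was left behind, so checking the
    registry alone would have declared the machine clean."""
    found = []
    for e in run_entries:
        if results.get(e["name"]) != "absent":
            continue
        for p in e["paths"]:
            if results.get(p) == "removed":
                found.append((e["name"], p))
    return found


if __name__ == "__main__":
    entries, res = parse_fixlog(FIXLOG)
    for name, path in orphaned_payloads(entries, res):
        print(f"Run value {name!r} already gone, but its payload {path} was still present")
```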



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:30 AM

Posted 23 January 2016 - 09:49 AM

How is the computer running now?

p.s.
Please post the Addition.txt file created by the Farbar tool.
I need to check it.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:30 AM

Posted 29 January 2016 - 09:19 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:30 AM

Posted 04 February 2016 - 08:47 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
