Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected PC - Even after factory reset. Please help


  • This topic is locked This topic is locked
50 replies to this topic

#1 nikki775117

nikki775117

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 22 January 2016 - 04:19 PM

Hello.

I am pretty sure my computer has one/several infections. It started last week when my mouse pad started working sporadically, moving of its own accord and randomly clicking on things. Every time I try and run antivirus software the computer just shuts down and restarts stating 'kernal inpage data error'. I have ran more than one anti virus software package and the same thing happens everytime. My firewall also randomly turns off. I do not have much knowledge of computers, but I have ran 2 complete system recovery's on my laptop and the problem still persists, and after doing some research think this virus may have infected the MBR? As i say just an assumption as I don't know much apart from i still have the problem after restoring factory settings.

Any help would be greatly appreciated.

Thanks

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:18-01-2016
Ran by NIKKI-LAURI (administrator) on NIK (22-01-2016 20:32:42)
Running from C:\Users\NIKKI-LAURI\Downloads
Loaded Profiles: NIKKI-LAURI (Available Profiles: NIKKI-LAURI)
Platform: Windows 8 (X64) Language: English (United Kingdom)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Dritek System INC.) C:\Windows\RfBtnSvc64.exe
(Atheros) C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
(Dolby Laboratories Inc.) C:\Dolby PCEE4\pcee4.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.16384_none_622908ad510eb05b\TiWorker.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.8.203.0\McCSPServiceHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Egis Technology Inc.) C:\Program Files\EgisTec IPS\PmmUpdate.exe
(Egis Technology Inc.) C:\Program Files\EgisTec IPS\EgisUpdate.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12936848 2012-07-31] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1214608 2012-07-31] (Realtek Semiconductor)
HKLM\...\Run: [BtPreLoad] => C:\Program Files (x86)\Bluetooth Suite\BtPreLoad.exe [64640 2012-07-31] ()
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2864016 2012-08-11] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [BakupManagerTray] => C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe [533056 2012-07-30] (NTI Corporation)
HKLM-x32\...\Run: [Dolby Advanced Audio v2] => C:\Dolby PCEE4\pcee4.exe [508256 2012-04-23] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [LManager] => [X]
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2995904 2012-07-11] (Symantec Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{283C21BD-336D-46B2-B63C-3E0250E3BC30}: [DhcpNameServer] 192.15.128.24
Tcpip\..\Interfaces\{ECCF64C5-26E6-43B5-B301-8AA711871D75}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-1277154278-3929233272-1920280513-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer13.msn.com
HKU\S-1-5-21-1277154278-3929233272-1920280513-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
SearchScopes: HKU\S-1-5-21-1277154278-3929233272-1920280513-1001 -> DefaultScope {46D349AD-3ED5-4E0C-8B90-795216915AAF} URL = 
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-07-31] (Qualcomm Atheros Commnucations)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-12-02] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-12-02] (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2015-12-02] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2015-12-02] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2015-11-10] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2015-11-10] (McAfee, Inc.)
 
FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2015-11-10] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2015-11-10] ()
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll [2015-11-09] (McAfee, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-19] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-05-12] ()
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: McAfee WebAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2015-11-23]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
 
Chrome: 
=======
CHR Profile: C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-19]
CHR Extension: (Google Docs) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-19]
CHR Extension: (Google Drive) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-19]
CHR Extension: (YouTube) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-19]
CHR Extension: (Google Search) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-19]
CHR Extension: (Google Sheets) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-19]
CHR Extension: (SiteAdvisor) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2016-01-20]
CHR Extension: (Google Docs Offline) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-01-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-01-19]
CHR Extension: (Gmail) - C:\Users\NIKKI-LAURI\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-19]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2016-01-19]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2016-01-19]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [207488 2012-07-31] (Qualcomm Atheros Commnucations) [File not signed]
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2415760 2012-07-27] (Acer Incorporated)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [466064 2012-07-30] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [659600 2012-07-31] (Acer Incorporated)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [157928 2015-12-02] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [863448 2015-11-10] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.8.203.0\McCSPServiceHost.exe [1694152 2015-12-02] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [679120 2015-10-20] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [451960 2015-11-02] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [233680 2015-09-21] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [378848 2015-10-21] (McAfee, Inc.)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [256840 2015-09-21] (McAfee, Inc.)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3939008 2012-07-11] (Symantec Corporation)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [259136 2012-07-30] (NTI Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2012-08-29] (Dritek System INC.)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-01-29] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [81536 2012-07-31] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [5139968 2012-06-02] (Broadcom Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-07-31] (Qualcomm Atheros)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00A\ccSetx64.sys [168608 2012-05-26] (Symantec Corporation)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [80760 2015-09-23] (McAfee, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3295984 2012-07-26] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207208 2015-05-19] (McAfee, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-22] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [415976 2015-09-23] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [351120 2015-09-23] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [82072 2015-09-23] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [497888 2015-09-23] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [841944 2015-09-23] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [537192 2015-10-06] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [109480 2015-10-06] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [37960 2015-12-02] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [244544 2015-09-23] (McAfee, Inc.)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2012-08-29] (Dritek System Inc.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35232 2013-01-29] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [230904 2013-01-28] (Microsoft Corporation)
S3 MFE_RR; \??\C:\Users\NIKKI-~1\AppData\Local\Temp\mfe_rr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-22 20:33 - 2016-01-22 20:33 - 00000117 _____ C:\Windows\system32\netcfg-949750.txt
2016-01-22 20:32 - 2016-01-22 20:35 - 00018045 _____ C:\Users\NIKKI-LAURI\Downloads\FRST.txt
2016-01-22 20:32 - 2016-01-22 20:32 - 00000000 ____D C:\FRST
2016-01-22 20:31 - 2016-01-22 20:31 - 02370560 _____ (Farbar) C:\Users\NIKKI-LAURI\Downloads\FRST64.exe
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-124750.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-120921.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-117843.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-114265.txt
2016-01-22 20:19 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-110578.txt
2016-01-20 23:21 - 2016-01-20 23:21 - 00000117 _____ C:\Windows\system32\netcfg-485140.txt
2016-01-20 23:15 - 2016-01-20 23:15 - 00000117 _____ C:\Windows\system32\netcfg-104796.txt
2016-01-20 22:55 - 2016-01-20 22:55 - 00000117 _____ C:\Windows\system32\netcfg-65343.txt
2016-01-20 22:55 - 2016-01-20 22:55 - 00000117 _____ C:\Windows\system32\netcfg-59843.txt
2016-01-20 22:54 - 2016-01-20 22:54 - 00000117 _____ C:\Windows\system32\netcfg-344984.txt
2016-01-20 22:50 - 2016-01-20 22:50 - 00000117 _____ C:\Windows\system32\netcfg-98093.txt
2016-01-20 22:48 - 2016-01-20 22:48 - 00000117 _____ C:\Windows\system32\netcfg-91140.txt
2016-01-20 22:37 - 2016-01-20 22:37 - 00000117 _____ C:\Windows\system32\netcfg-61718.txt
2016-01-20 22:34 - 2016-01-20 22:34 - 00000117 _____ C:\Windows\system32\netcfg-2494406.txt
2016-01-20 22:25 - 2016-01-20 22:30 - 00000000 ____D C:\Windows\system32\MRT
2016-01-20 22:25 - 2016-01-20 22:25 - 143671360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-01-20 21:58 - 2016-01-20 21:59 - 00015118 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.58.37.txt
2016-01-20 21:58 - 2016-01-20 21:58 - 00006172 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.58.34.txt
2016-01-20 21:58 - 2016-01-20 21:58 - 00000512 _____ C:\Users\NIKKI-LAURI\Downloads\MBRCheck_MBR_Backup_01-20-16_21-58-20.bak
2016-01-20 21:56 - 2016-01-20 21:58 - 00015828 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.56.13.txt
2016-01-20 21:56 - 2016-01-20 21:57 - 00015214 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.56.12.txt
2016-01-20 21:56 - 2016-01-20 21:57 - 00015183 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.56.09.txt
2016-01-20 21:56 - 2016-01-20 21:56 - 00000039 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.56.10.txt
2016-01-20 21:39 - 2016-01-20 21:39 - 00000117 _____ C:\Windows\system32\netcfg-24312.txt
2016-01-20 21:39 - 2016-01-20 21:39 - 00000117 _____ C:\Windows\system32\netcfg-2274515.txt
2016-01-20 21:38 - 2016-01-20 21:38 - 00000512 _____ C:\Users\NIKKI-LAURI\Downloads\MBRCheck_MBR_Backup_01-20-16_21-38-11.bak
2016-01-20 21:33 - 2016-01-20 21:38 - 00015806 _____ C:\Users\NIKKI-LAURI\Desktop\MBRCheck_01.20.16_21.33.04.txt
2016-01-20 21:32 - 2016-01-20 21:33 - 00080384 _____ C:\Users\NIKKI-LAURI\Downloads\MBRCheck.exe
2016-01-20 21:16 - 2016-01-20 21:16 - 05200384 _____ (AVAST Software) C:\Users\NIKKI-LAURI\Downloads\aswmbr.exe
2016-01-20 21:14 - 2016-01-20 21:14 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Roaming\McAfee
2016-01-20 21:13 - 2016-01-20 21:13 - 00211312 _____ (McAfee, Inc.) C:\Users\NIKKI-LAURI\Downloads\mvt.exe
2016-01-20 21:07 - 2016-01-20 21:07 - 00784152 _____ (McAfee, Inc.) C:\Users\NIKKI-LAURI\Downloads\rootkitremover.exe
2016-01-20 21:01 - 2016-01-20 21:01 - 00000117 _____ C:\Windows\system32\netcfg-29578.txt
2016-01-20 21:00 - 2016-01-20 21:00 - 00000117 _____ C:\Windows\system32\netcfg-2428593.txt
2016-01-20 20:58 - 2016-01-20 20:59 - 01931088 _____ (Symantec Corporation) C:\Users\NIKKI-LAURI\Downloads\FixTDSS.exe
2016-01-20 20:03 - 2016-01-20 20:05 - 00690242 _____ C:\TDSSKiller.3.1.0.9_20.01.2016_20.03.26_log.txt
2016-01-20 20:03 - 2016-01-20 20:03 - 00000117 _____ C:\Windows\system32\netcfg-39656.txt
2016-01-20 20:02 - 2016-01-20 20:02 - 00000117 _____ C:\Windows\system32\netcfg-1576843.txt
2016-01-20 20:00 - 2016-01-20 20:02 - 00229028 _____ C:\TDSSKiller.3.1.0.9_20.01.2016_20.00.39_log.txt
2016-01-20 20:00 - 2016-01-20 20:00 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\NIKKI-LAURI\Downloads\tdsskiller.exe
2016-01-20 19:36 - 2016-01-20 19:36 - 00285848 _____ C:\Windows\Minidump\012016-23640-01.dmp
2016-01-20 19:31 - 2014-11-08 11:22 - 00238080 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2016-01-20 19:31 - 2014-11-08 06:57 - 00187904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2016-01-20 19:31 - 2014-10-23 12:47 - 00079872 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2016-01-20 19:31 - 2014-10-23 11:04 - 00068096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2016-01-20 19:30 - 2015-04-24 23:13 - 00652288 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2016-01-20 19:30 - 2015-01-24 06:43 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2016-01-20 19:30 - 2015-01-24 05:00 - 00368640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2016-01-20 19:29 - 2015-08-01 14:50 - 17562112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-01-20 19:29 - 2015-08-01 13:56 - 19778048 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-01-20 19:29 - 2015-04-25 03:41 - 00541696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2016-01-20 19:28 - 2015-07-09 21:47 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\notepad.exe
2016-01-20 19:28 - 2015-07-09 21:47 - 00243712 _____ (Microsoft Corporation) C:\Windows\notepad.exe
2016-01-20 19:28 - 2015-07-09 20:18 - 00233984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
2016-01-20 19:28 - 2014-04-03 11:22 - 02233176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2016-01-20 19:28 - 2013-03-02 09:59 - 00411880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2016-01-20 19:26 - 2016-01-20 19:26 - 02870984 _____ (ESET) C:\Users\NIKKI-LAURI\Downloads\esetsmartinstaller_enu.exe
2016-01-20 19:26 - 2014-12-19 04:35 - 00142336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2016-01-20 19:24 - 2015-12-08 15:43 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-01-20 19:24 - 2015-12-08 15:16 - 00897024 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-01-20 19:24 - 2013-01-29 01:57 - 00035232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys
2016-01-20 19:24 - 2013-01-28 23:08 - 00230904 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys
2016-01-20 19:23 - 2015-12-30 23:29 - 06972760 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-01-20 19:23 - 2015-11-16 14:42 - 00171864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-01-20 19:23 - 2015-11-16 14:29 - 00961536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usercpl.dll
2016-01-20 19:23 - 2015-11-16 14:29 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2016-01-20 19:23 - 2015-11-16 14:29 - 00273920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-01-20 19:23 - 2015-11-16 14:29 - 00178688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-01-20 19:23 - 2015-11-16 14:29 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-01-20 19:23 - 2015-11-16 14:28 - 00668160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-01-20 19:23 - 2015-11-16 14:28 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-01-20 19:23 - 2015-11-16 14:27 - 00578048 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2016-01-20 19:23 - 2015-11-16 14:26 - 01282560 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 01043968 _____ (Microsoft Corporation) C:\Windows\system32\usercpl.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00588800 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00439808 _____ (Microsoft Corporation) C:\Windows\system32\lsm.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00318464 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00094720 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-01-20 19:23 - 2015-11-16 14:26 - 00020480 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-01-20 19:23 - 2015-09-23 13:10 - 00570256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2016-01-20 19:23 - 2015-09-22 17:53 - 01405408 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-01-20 19:23 - 2015-09-22 17:53 - 01273184 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2016-01-20 19:23 - 2015-06-25 18:29 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-01-20 19:23 - 2015-06-25 18:27 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-01-20 19:23 - 2015-05-02 06:28 - 00100184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-01-20 19:23 - 2015-01-15 09:38 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-01-20 19:23 - 2015-01-15 09:09 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-01-20 19:23 - 2015-01-07 04:25 - 00403456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-01-20 19:23 - 2014-10-11 05:41 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-01-20 19:23 - 2014-10-11 05:05 - 00146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-01-20 19:23 - 2014-04-12 06:58 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\workerdd.dll
2016-01-20 19:23 - 2014-03-11 00:39 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-01-20 19:23 - 2014-03-11 00:38 - 00027648 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-01-20 19:23 - 2014-03-10 01:27 - 00099840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-01-20 19:23 - 2013-05-24 22:09 - 01217352 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-01-20 19:23 - 2013-05-24 22:09 - 01093904 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2016-01-20 19:21 - 2015-12-04 00:55 - 00595968 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2016-01-20 19:21 - 2015-12-03 21:47 - 00497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2016-01-20 18:26 - 2015-10-01 13:10 - 00869568 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2016-01-20 18:26 - 2015-10-01 13:09 - 00875720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr120_clr0400.dll
2016-01-20 18:25 - 2014-06-10 22:44 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2016-01-20 18:25 - 2014-06-10 22:43 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2016-01-20 18:13 - 2016-01-20 18:13 - 00285848 _____ C:\Windows\Minidump\012016-15953-01.dmp
2016-01-20 17:35 - 2014-05-15 01:02 - 00059424 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-01-20 17:35 - 2014-05-14 22:43 - 03286528 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-01-20 17:35 - 2014-05-14 22:43 - 01623040 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-01-20 17:35 - 2014-05-14 22:43 - 00253440 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2016-01-20 17:35 - 2014-05-14 22:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\storewuauth.dll
2016-01-20 17:34 - 2013-08-16 05:21 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-01-20 17:34 - 2012-11-06 04:20 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\wuaext.dll
2016-01-20 17:34 - 2012-11-06 04:00 - 00099328 _____ (Microsoft Corporation) C:\Windows\system32\wushareduxresources.dll
2016-01-20 15:31 - 2016-01-20 15:31 - 00001110 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-01-20 15:31 - 2016-01-20 15:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-20 15:31 - 2016-01-20 15:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-20 15:31 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-01-20 15:31 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-01-20 15:20 - 2016-01-20 15:21 - 00285848 _____ C:\Windows\Minidump\012016-15234-01.dmp
2016-01-20 15:17 - 2016-01-20 15:18 - 22908888 _____ (Malwarebytes ) C:\Users\NIKKI-LAURI\Downloads\mbam-setup-2.2.0.1024.exe
2016-01-20 14:30 - 2016-01-22 20:20 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-20 14:30 - 2016-01-20 15:31 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-01-20 14:30 - 2016-01-20 15:17 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-01-20 14:29 - 2016-01-20 15:17 - 00000000 ____D C:\Users\NIKKI-LAURI\Desktop\mbar
2016-01-20 14:29 - 2016-01-20 14:29 - 16563352 _____ (Malwarebytes Corp.) C:\Users\NIKKI-LAURI\Downloads\mbar-1.09.3.1001.exe
2016-01-20 14:29 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-01-20 10:21 - 2016-01-20 10:21 - 00000000 ____D C:\Program Files (x86)\ESET
2016-01-20 10:15 - 2016-01-20 10:15 - 00000117 _____ C:\Windows\system32\netcfg-25718.txt
2016-01-20 10:13 - 2016-01-20 10:13 - 00000117 _____ C:\Windows\system32\netcfg-119093.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-39937.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-39812.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-35656.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-35531.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-30500.txt
2016-01-20 09:59 - 2016-01-20 10:05 - 00327910 _____ C:\Windows\ntbtlog.txt
2016-01-20 09:58 - 2016-01-20 09:58 - 00000117 _____ C:\Windows\system32\netcfg-67046.txt
2016-01-20 09:32 - 2016-01-20 09:32 - 00000117 _____ C:\Windows\system32\netcfg-31750.txt
2016-01-20 09:31 - 2016-01-20 09:31 - 00000117 _____ C:\Windows\system32\netcfg-285859.txt
2016-01-20 09:26 - 2016-01-20 09:27 - 00285848 _____ C:\Windows\Minidump\012016-19515-01.dmp
2016-01-20 09:26 - 2016-01-20 09:26 - 00000000 __SHD C:\found.000
2016-01-20 09:06 - 2016-01-20 09:06 - 00000117 _____ C:\Windows\system32\netcfg-39875.txt
2016-01-20 09:06 - 2016-01-20 09:06 - 00000117 _____ C:\Windows\system32\netcfg-36796.txt
2016-01-20 09:05 - 2016-01-20 19:36 - 568807601 _____ C:\Windows\MEMORY.DMP
2016-01-20 09:05 - 2016-01-20 19:36 - 00000000 ____D C:\Windows\Minidump
2016-01-20 09:05 - 2016-01-20 09:05 - 00285848 _____ C:\Windows\Minidump\012016-17500-01.dmp
2016-01-20 09:03 - 2016-01-20 09:03 - 00000117 _____ C:\Windows\system32\netcfg-57130265.txt
2016-01-20 09:03 - 2016-01-20 09:03 - 00000117 _____ C:\Windows\system32\netcfg-57129234.txt
2016-01-19 20:20 - 2016-01-19 20:20 - 00000117 _____ C:\Windows\system32\netcfg-11378734.txt
2016-01-19 20:20 - 2016-01-19 20:20 - 00000117 _____ C:\Windows\system32\netcfg-11373062.txt
2016-01-19 17:19 - 2016-01-20 21:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-01-19 17:19 - 2016-01-19 17:19 - 00001924 _____ C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2016-01-19 17:18 - 2016-01-19 17:18 - 00003080 _____ C:\Windows\System32\Tasks\McAfeeLogon
2016-01-19 17:18 - 2016-01-19 17:18 - 00000000 ____D C:\Windows\System32\Tasks\McAfee
2016-01-19 17:18 - 2016-01-19 17:18 - 00000000 ____D C:\Program Files (x86)\McAfee.com
2016-01-19 17:18 - 2015-09-23 09:43 - 00497888 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfefirek.sys
2016-01-19 17:18 - 2015-09-23 09:43 - 00082072 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeelamk.sys
2016-01-19 17:18 - 2015-09-23 09:43 - 00080760 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\cfwids.sys
2016-01-19 17:18 - 2015-05-19 13:59 - 00207208 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\HipShieldK.sys
2016-01-19 17:17 - 2016-01-20 21:13 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-01-19 17:17 - 2016-01-19 17:18 - 00000000 ____D C:\Program Files\McAfee
2016-01-19 17:17 - 2016-01-19 17:17 - 00003344 _____ C:\Windows\System32\Tasks\McAfee Remediation (Prepare)
2016-01-19 17:17 - 2016-01-19 17:17 - 00000000 ____D C:\Program Files\McAfee.com
2016-01-19 17:17 - 2016-01-19 17:17 - 00000000 ____D C:\Program Files\Common Files\AV
2016-01-19 17:17 - 2015-09-23 09:43 - 00244544 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfewfpk.sys
2016-01-19 17:15 - 2015-09-23 09:43 - 00415976 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeaack.sys
2016-01-19 17:15 - 2015-09-23 09:43 - 00351120 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2016-01-19 17:14 - 2016-01-19 17:18 - 00000000 ____D C:\Program Files\Common Files\McAfee
2016-01-19 17:14 - 2015-09-23 09:43 - 00841944 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2016-01-19 17:14 - 2015-09-21 13:33 - 00256840 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2016-01-19 17:11 - 2016-01-19 17:11 - 00000117 _____ C:\Windows\system32\netcfg-48218.txt
2016-01-19 17:10 - 2016-01-19 17:10 - 00000117 _____ C:\Windows\system32\netcfg-2359109.txt
2016-01-19 16:58 - 2016-01-19 16:58 - 08205288 _____ (McAfee, Inc.) C:\Users\NIKKI-LAURI\Downloads\McAfeeSetup.exe
2016-01-19 16:54 - 2016-01-19 16:54 - 00002263 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-01-19 16:54 - 2016-01-19 16:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2016-01-19 16:53 - 2016-01-22 20:19 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-19 16:53 - 2016-01-22 19:58 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-19 16:53 - 2016-01-20 15:05 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Local\Google
2016-01-19 16:53 - 2016-01-19 16:53 - 00003888 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-01-19 16:53 - 2016-01-19 16:53 - 00003652 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-01-19 16:53 - 2016-01-19 16:53 - 00000000 ____D C:\Program Files (x86)\Google
2016-01-19 16:52 - 2016-01-19 16:53 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Local\Deployment
2016-01-19 16:52 - 2016-01-19 16:52 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Local\Apps\2.0
2016-01-19 16:50 - 2016-01-19 16:50 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Local\EgisTec IPS
2016-01-19 16:47 - 2016-01-19 17:05 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1277154278-3929233272-1920280513-1001
2016-01-19 16:43 - 2016-01-19 16:43 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Roaming\Macromedia
2016-01-19 16:42 - 2016-01-19 16:42 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Roaming\Atheros
2016-01-19 16:41 - 2016-01-19 16:41 - 00002609 _____ C:\Users\Public\Desktop\eBay.lnk
2016-01-19 16:41 - 2016-01-19 16:41 - 00002029 _____ C:\Users\Public\Desktop\LOVEFiLM.lnk
2016-01-19 16:41 - 2016-01-19 16:41 - 00001438 _____ C:\Users\NIKKI-LAURI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-01-19 16:41 - 2016-01-19 16:41 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Roaming\Adobe
2016-01-19 16:41 - 2016-01-19 16:41 - 00000000 ____D C:\Program Files\Preload
2016-01-19 16:41 - 2016-01-19 16:41 - 00000000 ____D C:\Program Files (x86)\OEM
2016-01-19 16:40 - 2016-01-20 09:06 - 00000000 ____D C:\Users\NIKKI-LAURI
2016-01-19 16:40 - 2016-01-19 16:41 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Local\Packages
2016-01-19 16:40 - 2016-01-19 16:40 - 00001938 _____ C:\Users\Public\Desktop\Netflix.lnk
2016-01-19 16:40 - 2016-01-19 16:40 - 00001736 _____ C:\Users\Public\Desktop\Buy Online.lnk
2016-01-19 16:40 - 2016-01-19 16:40 - 00000020 ___SH C:\Users\NIKKI-LAURI\ntuser.ini
2016-01-19 16:40 - 2016-01-19 16:40 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Roaming\lm
2016-01-19 16:40 - 2016-01-19 16:40 - 00000000 ____D C:\Users\NIKKI-LAURI\AppData\Local\VirtualStore
2016-01-19 16:40 - 2016-01-19 16:40 - 00000000 ____D C:\ProgramData\OEM_E471269A730E
2016-01-19 16:40 - 2016-01-19 16:40 - 00000000 ____D C:\Program Files\Accessory Store
2016-01-19 16:38 - 2016-01-19 16:38 - 00000117 _____ C:\Windows\system32\netcfg-444484.txt
2016-01-19 16:38 - 2016-01-19 16:38 - 00000117 _____ C:\Windows\system32\netcfg-444406.txt
2016-01-19 16:38 - 2016-01-19 16:38 - 00000117 _____ C:\Windows\system32\netcfg-441250.txt
2016-01-19 16:34 - 2016-01-19 16:34 - 00000117 _____ C:\Windows\system32\netcfg-198140.txt
2016-01-19 16:31 - 2016-01-19 16:31 - 00000000 __RHD C:\Users\Public\AccountPictures
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-22 20:33 - 2012-07-26 07:59 - 00000000 ____D C:\Windows\CbsTemp
2016-01-22 20:32 - 2012-07-26 05:37 - 00000000 ____D C:\Windows
2016-01-22 20:19 - 2012-08-29 19:42 - 00000868 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2016-01-22 20:18 - 2012-08-07 03:35 - 00053284 _____ C:\Windows\system32\wpbbin.exe
2016-01-22 20:18 - 2012-07-26 07:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-20 23:23 - 2012-07-26 07:28 - 00848230 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-20 23:23 - 2012-07-26 05:37 - 00000000 ____D C:\Windows\Inf
2016-01-20 22:35 - 2012-07-26 08:12 - 00000000 ___RD C:\Windows\ToastData
2016-01-20 22:35 - 2012-07-26 08:12 - 00000000 ____D C:\Windows\SysWOW64\en-GB
2016-01-20 22:35 - 2012-07-26 08:12 - 00000000 ____D C:\Windows\system32\en-GB
2016-01-20 22:35 - 2012-07-26 08:12 - 00000000 ____D C:\Program Files\Windows Defender
2016-01-20 22:35 - 2012-07-26 08:12 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-01-20 21:13 - 2012-08-07 03:47 - 00000000 ____D C:\ProgramData\McAfee
2016-01-20 15:00 - 2012-07-26 08:12 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-20 14:44 - 2012-08-29 19:42 - 00000870 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2016-01-20 10:21 - 2012-07-26 08:12 - 00000000 ___SD C:\Windows\Downloaded Program Files
2016-01-20 01:30 - 2012-07-26 08:13 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2016-01-19 17:19 - 2012-07-26 05:26 - 00262144 ___SH C:\Windows\system32\config\ELAM
2016-01-19 17:18 - 2012-07-26 08:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2016-01-19 17:10 - 2012-07-26 05:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-01-19 16:50 - 2012-08-29 20:23 - 00000000 ____D C:\ProgramData\EgisTec IPS
2016-01-19 16:41 - 2012-08-07 04:34 - 00000225 _____ C:\Windows\User.xml
2016-01-19 16:41 - 2012-08-03 18:05 - 00000000 ___HD C:\Elements
2016-01-19 16:40 - 2012-08-30 03:57 - 00000224 _____ C:\Windows\WisLangCode.ini
2016-01-19 16:40 - 2012-08-29 20:07 - 00000000 ____D C:\ProgramData\OEM
2016-01-19 16:40 - 2012-08-07 03:40 - 00000165 __RSH C:\Windows\Preload.rev
2016-01-19 16:40 - 2012-07-26 08:12 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2016-01-19 16:40 - 2012-07-26 08:12 - 00000000 ____D C:\Windows\WinStore
2016-01-19 16:33 - 2012-07-26 08:12 - 00000000 ____D C:\Windows\rescache
2015-12-26 08:54 - 2012-07-26 08:14 - 00826328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-26 08:54 - 2012-07-26 08:14 - 00176096 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2012-08-29 19:43 - 2012-08-29 19:43 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\NIKKI-LAURI\AppData\Local\Temp\McCSPInstall.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2012-08-03 17:14
 
==================== End of FRST.txt ============================


BC AdBot (Login to Remove)

 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:45 PM

Posted 22 January 2016 - 04:39 PM

Hello nikki775117 and Welcome to the BleepingComputer. :welcome:
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If  you haven't answered within 5 days, I am assuming that you don't need  help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all  malware. The cleaning process is not instant. Please continue to review  my answers until I tell you that your computer is clean
  • Please reply to this thread. Do not start a new topic
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open as administrator  the computer. How is open as administrator  the computer?
  • Disable your AntiVirus and AntiSpyware applications, as they will  interfere with our tools and the removal. If you are unsure how to do  this, please refer to get help here

Thanks
---------------------------------------------------------------------------------------------------------

 I am currently reviewing your log.I will be back with a fix for your problem as soon as possible.Please be patient with me during this time.

=================================

İmportant:

Addition.txt is created by default from the first run of FRST, can you check inside this folder: C:\FRST\Logs I need to see that log before we progress. If no Addition log inside the Logs folder run FRST scan one more time, ensure "Addition" is checked in the optional scan box...

Attached Images

 

Ashampoo_Snap_20140927_13h17m38s_001_Far

Sincerely  . :hello:

 

 


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 22 January 2016 - 05:22 PM

Hello Yilmaz.

Thank you for your reply.

Please find log attached

 

 

Attached Files



#4 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:45 PM

Posted 22 January 2016 - 07:01 PM

Hi nikki775117,
 

McAfee Firewall (Enabled)
Windows Firewall is enabled

 Multiple Firewall Programs installed!

I do not recommend that you have more than one Firewall product installed and running on your computer at a time.

It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause.  Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer.  Having two     Firewall programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
 
PleaseWindows Firewalldisable.
http://www.wikihow.com/Turn-off-Firewall

======================================================================================

Have you downloaded  and installed, Symantec Norton Online Backup software ?

=======================================================================

C:\Windows\Minidump\012016-15953-01.dmp

Please send the latest dated file

 


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#5 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 23 January 2016 - 04:56 AM

Hello

I checked the firewall and it says the windows firewall is off.

I have not installed the norton back up.

I cannot open the minidump file. Do I need a specific program to do this?



#6 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:45 PM

Posted 23 January 2016 - 09:52 AM

Hello

I checked the firewall and it says the windows firewall is off.

I have not installed the norton back up.

I cannot open the minidump file. Do I need a specific program to do this?

Okay. I understand.

Yes, it need. please you just send the file copy

============================================

 

Uninstall:

Norton Online Backup
C:\Program Files (x86)\Symantec

And system restart

====================================

C:\TDSSKiller.3.1.0.9_20.01.2016_20.03.26_log.txt
C:\TDSSKiller.3.1.0.9_20.01.2016_20.00.39_log.txt

 

Please send me this files.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#7 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 23 January 2016 - 01:12 PM

Hi.

I will remove norton and restart.

It says I cannot add the minidump file as I do not have permission? I am logged on as an administrator 

Attached Files



#8 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:45 PM

Posted 23 January 2016 - 02:24 PM

Hi nikki775117,

 

==================== Accounts: =============================
Administrator (S-1-5-21-1277154278-3929233272-1920280513-500 - Administrator - Disabled)
NIKKI-LAURI (S-1-5-21-1277154278-3929233272-1920280513-1001 - Administrator - Enabled) => C:\Users\NIKKI-LAURI

 

So maybe, there is a lack of permit !

===============================================

Step 1:
 FRST Script:
 Please download this attached  Attached File  Fixlist.txt   5.56KB   6 downloads and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:

aswMBR Rootkit:

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

 

Step 3:

RogueKiller by Tigzy

  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you wlll see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#9 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 23 January 2016 - 03:22 PM

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by NIKKI-LAURI (2016-01-23 19:37:18) Run:1
Running from C:\Users\NIKKI-LAURI\Downloads
Loaded Profiles: NIKKI-LAURI (Available Profiles: NIKKI-LAURI)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [LManager] => [X]
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
C:\Windows\system32\netcfg - * txt
2016-01-22 20:33 - 2016-01-22 20:33 - 00000117 _____ C:\Windows\system32\netcfg-949750.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-124750.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-120921.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-117843.txt
2016-01-22 20:20 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-114265.txt
2016-01-22 20:19 - 2016-01-22 20:20 - 00000117 _____ C:\Windows\system32\netcfg-110578.txt
2016-01-20 23:21 - 2016-01-20 23:21 - 00000117 _____ C:\Windows\system32\netcfg-485140.txt
2016-01-20 23:15 - 2016-01-20 23:15 - 00000117 _____ C:\Windows\system32\netcfg-104796.txt
2016-01-20 22:55 - 2016-01-20 22:55 - 00000117 _____ C:\Windows\system32\netcfg-65343.txt
2016-01-20 22:55 - 2016-01-20 22:55 - 00000117 _____ C:\Windows\system32\netcfg-59843.txt
2016-01-20 22:54 - 2016-01-20 22:54 - 00000117 _____ C:\Windows\system32\netcfg-344984.txt
2016-01-20 22:50 - 2016-01-20 22:50 - 00000117 _____ C:\Windows\system32\netcfg-98093.txt
2016-01-20 22:48 - 2016-01-20 22:48 - 00000117 _____ C:\Windows\system32\netcfg-91140.txt
2016-01-20 22:37 - 2016-01-20 22:37 - 00000117 _____ C:\Windows\system32\netcfg-61718.txt
2016-01-20 22:34 - 2016-01-20 22:34 - 00000117 _____ C:\Windows\system32\netcfg-2494406.txt
2016-01-20 21:39 - 2016-01-20 21:39 - 00000117 _____ C:\Windows\system32\netcfg-24312.txt
2016-01-20 21:39 - 2016-01-20 21:39 - 00000117 _____ C:\Windows\system32\netcfg-2274515.txt
2016-01-20 21:01 - 2016-01-20 21:01 - 00000117 _____ C:\Windows\system32\netcfg-29578.txt
2016-01-20 21:00 - 2016-01-20 21:00 - 00000117 _____ C:\Windows\system32\netcfg-2428593.txt
2016-01-20 20:03 - 2016-01-20 20:03 - 00000117 _____ C:\Windows\system32\netcfg-39656.txt
2016-01-20 20:02 - 2016-01-20 20:02 - 00000117 _____ C:\Windows\system32\netcfg-1576843.txt
2016-01-20 10:15 - 2016-01-20 10:15 - 00000117 _____ C:\Windows\system32\netcfg-25718.txt
2016-01-20 10:13 - 2016-01-20 10:13 - 00000117 _____ C:\Windows\system32\netcfg-119093.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-39937.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-39812.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-35656.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-35531.txt
2016-01-20 10:12 - 2016-01-20 10:12 - 00000117 _____ C:\Windows\system32\netcfg-30500.txt
2016-01-20 09:58 - 2016-01-20 09:58 - 00000117 _____ C:\Windows\system32\netcfg-67046.txt
2016-01-20 09:32 - 2016-01-20 09:32 - 00000117 _____ C:\Windows\system32\netcfg-31750.txt
2016-01-20 09:31 - 2016-01-20 09:31 - 00000117 _____ C:\Windows\system32\netcfg-285859.txt
2016-01-20 09:06 - 2016-01-20 09:06 - 00000117 _____ C:\Windows\system32\netcfg-39875.txt
2016-01-20 09:06 - 2016-01-20 09:06 - 00000117 _____ C:\Windows\system32\netcfg-36796.txt
2016-01-20 09:03 - 2016-01-20 09:03 - 00000117 _____ C:\Windows\system32\netcfg-57130265.txt
2016-01-20 09:03 - 2016-01-20 09:03 - 00000117 _____ C:\Windows\system32\netcfg-57129234.txt
2016-01-19 20:20 - 2016-01-19 20:20 - 00000117 _____ C:\Windows\system32\netcfg-11378734.txt
2016-01-19 20:20 - 2016-01-19 20:20 - 00000117 _____ C:\Windows\system32\netcfg-11373062.txt
2016-01-19 17:11 - 2016-01-19 17:11 - 00000117 _____ C:\Windows\system32\netcfg-48218.txt
2016-01-19 17:10 - 2016-01-19 17:10 - 00000117 _____ C:\Windows\system32\netcfg-2359109.txt
2016-01-19 16:38 - 2016-01-19 16:38 - 00000117 _____ C:\Windows\system32\netcfg-444484.txt
2016-01-19 16:38 - 2016-01-19 16:38 - 00000117 _____ C:\Windows\system32\netcfg-444406.txt
2016-01-19 16:38 - 2016-01-19 16:38 - 00000117 _____ C:\Windows\system32\netcfg-441250.txt
2016-01-19 16:34 - 2016-01-19 16:34 - 00000117 _____ C:\Windows\system32\netcfg-198140.txt
C:\ProgramData\DP45977C.lfl
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\98498539.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\98498539.sys => ""="Driver"
2016-01-20 14:44 - 2012-08-29 19:42 - 00000870 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2016-01-22 20:19 - 2012-08-29 19:42 - 00000868 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
C:\Users\NIKKI-LAURI\AppData\Roaming\lm
C:\Users\NIKKI-LAURI\AppData\Local\Packages
C:\Program Files (x86)\Symantec\Norton Online Backup
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00A\ccSetx64.sys [168608 2012-05-26] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3939008 2012-07-11] (Symantec Corporation)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2995904 2012-07-11] (Symantec Corporation)
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: ipconfig /flushdns
EmptyTemp:
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\LManager => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IsMyWinLockerReboot => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IsMyWinLockerReboot => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IsMyWinLockerReboot => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
 
=========== "C:\Windows\system32\netcfg - * txt" ==========
 
not found
 
========= End -> "C:\Windows\system32\netcfg - * txt" ========
 
C:\Windows\system32\netcfg-949750.txt => moved successfully
C:\Windows\system32\netcfg-124750.txt => moved successfully
C:\Windows\system32\netcfg-120921.txt => moved successfully
C:\Windows\system32\netcfg-117843.txt => moved successfully
C:\Windows\system32\netcfg-114265.txt => moved successfully
C:\Windows\system32\netcfg-110578.txt => moved successfully
C:\Windows\system32\netcfg-485140.txt => moved successfully
C:\Windows\system32\netcfg-104796.txt => moved successfully
C:\Windows\system32\netcfg-65343.txt => moved successfully
C:\Windows\system32\netcfg-59843.txt => moved successfully
C:\Windows\system32\netcfg-344984.txt => moved successfully
C:\Windows\system32\netcfg-98093.txt => moved successfully
C:\Windows\system32\netcfg-91140.txt => moved successfully
C:\Windows\system32\netcfg-61718.txt => moved successfully
C:\Windows\system32\netcfg-2494406.txt => moved successfully
C:\Windows\system32\netcfg-24312.txt => moved successfully
C:\Windows\system32\netcfg-2274515.txt => moved successfully
C:\Windows\system32\netcfg-29578.txt => moved successfully
C:\Windows\system32\netcfg-2428593.txt => moved successfully
C:\Windows\system32\netcfg-39656.txt => moved successfully
C:\Windows\system32\netcfg-1576843.txt => moved successfully
C:\Windows\system32\netcfg-25718.txt => moved successfully
C:\Windows\system32\netcfg-119093.txt => moved successfully
C:\Windows\system32\netcfg-39937.txt => moved successfully
C:\Windows\system32\netcfg-39812.txt => moved successfully
C:\Windows\system32\netcfg-35656.txt => moved successfully
C:\Windows\system32\netcfg-35531.txt => moved successfully
C:\Windows\system32\netcfg-30500.txt => moved successfully
C:\Windows\system32\netcfg-67046.txt => moved successfully
C:\Windows\system32\netcfg-31750.txt => moved successfully
C:\Windows\system32\netcfg-285859.txt => moved successfully
C:\Windows\system32\netcfg-39875.txt => moved successfully
C:\Windows\system32\netcfg-36796.txt => moved successfully
C:\Windows\system32\netcfg-57130265.txt => moved successfully
C:\Windows\system32\netcfg-57129234.txt => moved successfully
C:\Windows\system32\netcfg-11378734.txt => moved successfully
C:\Windows\system32\netcfg-11373062.txt => moved successfully
C:\Windows\system32\netcfg-48218.txt => moved successfully
C:\Windows\system32\netcfg-2359109.txt => moved successfully
C:\Windows\system32\netcfg-444484.txt => moved successfully
C:\Windows\system32\netcfg-444406.txt => moved successfully
C:\Windows\system32\netcfg-441250.txt => moved successfully
C:\Windows\system32\netcfg-198140.txt => moved successfully
C:\ProgramData\DP45977C.lfl => moved successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\98498539.sys" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\98498539.sys" => key removed successfully
C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job => moved successfully
C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job => moved successfully
C:\Users\NIKKI-LAURI\AppData\Roaming\lm => moved successfully
 
"C:\Users\NIKKI-LAURI\AppData\Local\Packages" folder move:
 
Could not move "C:\Users\NIKKI-LAURI\AppData\Local\Packages" => Scheduled to move on reboot.
 
C:\Program Files (x86)\Symantec\Norton Online Backup => moved successfully
ccSet_NARA => service not found.
NOBU => service not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Norton Online Backup => value not found.
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe => No running process found
 
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
ERROR: The system was unable to find the specified registry key or value.
 
 
========= End of Reg: =========
 
 
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
EmptyTemp: => 144.7 MB temporary data Removed.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-01-23 19:41:47)
 
C:\Users\NIKKI-LAURI\AppData\Local\Packages => Is moved successfully
 
==== End of Fixlog 19:41:47 ====
 
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2016-01-23 19:51:09
-----------------------------
19:51:09.234    OS Version: Windows x64 6.2.9200 
19:51:09.234    Number of processors: 2 586 0x2A07
19:51:09.234    ComputerName: NIK  UserName: 
19:51:12.907    Initialize success
19:51:13.188    VM: initialized successfully
19:51:13.188    VM: Intel CPU virtualization not supported 
19:56:12.262    AVAST engine defs: 16012301
19:57:43.461    The log file has been saved successfully to "C:\Users\NIKKI-LAURI\Desktop\aswMBR.txt"
 
 
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2016-01-23 19:51:09
-----------------------------
19:51:09.234    OS Version: Windows x64 6.2.9200 
19:51:09.234    Number of processors: 2 586 0x2A07
19:51:09.234    ComputerName: NIK  UserName: 
19:51:12.907    Initialize success
19:51:13.188    VM: initialized successfully
19:51:13.188    VM: Intel CPU virtualization not supported 
19:56:12.262    AVAST engine defs: 16012301
19:57:43.461    The log file has been saved successfully to "C:\Users\NIKKI-LAURI\Desktop\aswMBR.txt"
19:58:22.620    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000034
19:58:22.620    Disk 0 Vendor: WDC_WD5000LPVT-22G33T0 01.01A01 Size: 476940MB BusType: 11
19:58:22.823    Disk 0 MBR read successfully
19:58:22.823    Disk 0 MBR scan
19:58:22.995    Disk 0 unknown MBR code
19:58:23.010    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
19:58:23.401    Disk 0 scanning C:\Windows\system32\drivers
19:59:17.208    Service scanning
20:00:54.939    Modules scanning
20:00:54.939    Disk 0 trace - called modules:
20:00:55.470    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll iaStorA.sys 
20:00:55.486    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80047fb060]
20:00:55.501    3 CLASSPNP.SYS[fffff880013808aa] -> nt!IofCallDriver -> \Device\00000034[0xfffffa8004448060]
20:00:58.423    AVAST engine scan C:\Windows
20:01:09.236    AVAST engine scan C:\Windows\system32
20:11:16.692    AVAST engine scan C:\Windows\system32\drivers
20:12:18.399    AVAST engine scan C:\Users\NIKKI-LAURI
20:13:43.805    AVAST engine scan C:\ProgramData
20:15:28.446    Disk 0 statistics 2724508/0/0 @ 4.53 MB/s
20:15:28.446    Scan finished successfully
20:18:04.159    Disk 0 MBR has been saved successfully to "C:\Users\NIKKI-LAURI\Desktop\MBR.dat"
20:18:04.205    The log file has been saved successfully to "C:\Users\NIKKI-LAURI\Desktop\aswMBR.txt"
 

 

Attached Files

  • Attached File  MBR.zip   144bytes   1 downloads


#10 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 23 January 2016 - 03:49 PM

RogueKiller V11.0.8.0 [Jan 19 2016] (Free) by Adlice Software
 
Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : NIKKI-LAURI [Administrator]
Started from : C:\Users\NIKKI-LAURI\Desktop\RogueKiller.exe
Mode : Scan -- Date : 01/23/2016 20:47:52
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 12 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR (\??\C:\Users\NIKKI-~1\AppData\Local\Temp\mfe_rr.sys) -> Found
[Suspicious.Path|Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR (\??\C:\Users\NIKKI-~1\AppData\Local\Temp\aswMBR.sys) -> Found
[Suspicious.Path|Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm (\??\C:\Users\NIKKI-~1\AppData\Local\Temp\aswVmm.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR (\??\C:\Users\NIKKI-~1\AppData\Local\Temp\mfe_rr.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR (\??\C:\Users\NIKKI-~1\AppData\Local\Temp\aswMBR.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswVmm (\??\C:\Users\NIKKI-~1\AppData\Local\Temp\aswVmm.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1277154278-3929233272-1920280513-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1277154278-3929233272-1920280513-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1277154278-3929233272-1920280513-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1277154278-3929233272-1920280513-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer13.msn.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{283C21BD-336D-46B2-B63C-3E0250E3BC30} | DhcpNameServer : 192.15.128.24 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{283C21BD-336D-46B2-B63C-3E0250E3BC30} | DhcpNameServer : 192.15.128.24 ([X])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVT-22G33T0 +++++
--- User ---
[MBR] 6e5538e5b42d8a9dc78d66b1fb6c6a4e
[BSP] aade57f27a3fca63029553562271db89 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 463309 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 950554624 | Size: 12802 MB
User = LL1 ... OK
User = LL2 ... OK


#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:45 PM

Posted 23 January 2016 - 05:53 PM

Hi nikki775117,
 
MalwareBytes Anti-Rootkit scan

  • Download and extract Malwarebytes Anti-Rootkit from here mbar-1.09.1.1004.zip and save it to your desktop.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double-click mbar.exe inside the mbar folder then click 'Next'.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.
  • Click 'Update'.
  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two messages boxes:
    • 'Could not load protection driver'. Click 'OK'.
    • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please zip and attach the two log files created by the tool within the folder from which it was run.

The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

==============================================================================

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

====================================================================================
Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.png to download the ESET Smart Installer. icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

=========================================================================
How is the machine running now and any issues ? Please let me know.
----------------------------------------------------------------
Things I would like to see in your next reply. :thumbup2:

  • Eset report
  • Emsisoft report

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#12 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 24 January 2016 - 03:52 PM

Hi. I am managed to run the mbar and emisoft programs, but am having difficulty obtaining the logs as the cursor is going crazy. Randomly moving and clicking. Is seemed a lot better after your steps yesterday but after switching the computer on today it is as bad as ever. Any suggestions/reason for this? Both programs came back with no infection. I will try the eset now

#13 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 24 January 2016 - 04:08 PM

The eset scan caused the computer to restart again with the kernel error

#14 nikki775117

nikki775117
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 24 January 2016 - 05:13 PM

I redid steps 1-3 from previous post and the computer is working a lot better again. Hopefully I will now be able to complete your last post. More to follow...



#15 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:45 PM

Posted 24 January 2016 - 05:40 PM

All browsers and programs must be closed during operation. Including antivirus and firewall

 

Note:

Windows Firewall is enabled.

 

Please check Windows Firewall and disable.


Edited by olgun52, 24 January 2016 - 05:54 PM.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users