Zip Arcade popups and other malware Kovter found with Security Essentials


7 replies to this topic

#1 Tazman282
  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 02 February 2016 - 08:34 AM

Consistently getting popups from Zip Arcade.

Security Essentials found Kovter and Tillail which were both quarantined.

Slow computer, fan always running, which is unusual.

987421rporation) C:\Windows\SysWOW64\msfeeds.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00353792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2016-01-13 07:59 - 2015-12-15 16:43 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2016-01-06 20:29 - 2016-01-07 07:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-02 07:53 - 2013-03-08 20:26 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-02 07:51 - 2015-03-02 19:42 - 00000444 _____ C:\Windows\Tasks\HP Photo Creations Communicator.job
2016-02-02 07:32 - 2013-11-21 10:23 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-02 06:44 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-02 06:44 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-01 13:32 - 2013-11-21 10:23 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-01 13:27 - 2013-11-21 10:23 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-01 13:27 - 2013-11-21 10:23 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-02-01 11:49 - 2014-01-21 18:21 - 00002425 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2016-02-01 11:48 - 2015-07-11 15:57 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-02-01 10:05 - 2013-04-08 15:40 - 00000000 ____D C:\Users\The Dohrings\AppData\Roaming\HpUpdate
2016-02-01 10:03 - 2013-03-08 18:11 - 00003590 _____ C:\Windows\System32\Tasks\HP Health Check
2016-02-01 09:00 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\rescache
2016-02-01 08:49 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\inf
2016-02-01 08:49 - 2006-11-02 07:46 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-01 08:44 - 2006-11-02 10:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-01 08:43 - 2006-11-02 10:42 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-01-31 17:24 - 2014-12-02 08:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-24 08:28 - 2015-08-01 09:34 - 00000000 ____D C:\Users\The Dohrings\AppData\Roaming\uTorrent
2016-01-20 11:53 - 2013-03-08 20:26 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-20 11:53 - 2013-03-08 20:26 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-20 11:53 - 2013-03-08 20:26 - 00003684 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-13 13:21 - 2006-11-02 10:21 - 00314840 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-13 13:20 - 2009-04-22 04:40 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-13 13:18 - 2009-04-22 03:31 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2016-01-13 13:09 - 2013-03-08 20:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-13 13:06 - 2013-08-15 12:03 - 00000000 ____D C:\Windows\system32\MRT
2016-01-13 13:02 - 2006-11-02 07:35 - 143671360 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-01-07 07:47 - 2013-03-09 17:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2013-03-08 20:14 - 2015-10-09 14:33 - 0000584 _____ () C:\Users\The Dohrings\AppData\Roaming\wklnhst.dat
2013-04-25 06:51 - 2015-09-25 07:00 - 0006944 _____ () C:\Users\The Dohrings\AppData\Local\d3d9caps.dat
2013-03-09 09:14 - 2013-03-09 09:14 - 0382620 _____ () C:\Users\The Dohrings\AppData\Local\dd_vcredistMSI15A0.txt
2013-03-09 09:14 - 2013-03-09 09:14 - 0018696 _____ () C:\Users\The Dohrings\AppData\Local\dd_vcredistUI15A0.txt
2013-04-08 15:38 - 2013-04-08 15:38 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-03-10 09:09 - 2013-03-10 09:19 - 0000839 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\The Dohrings\AppData\Local\Temp\offer-8462BEA4-EEF4-4614-B49E-D3B64B7ACABA.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-02-01 20:51

==================== End of FRST.txt ============================


#2 nasdaq
  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:35 AM

Posted 02 February 2016 - 11:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your Addition.txt file is clean.

Your FRST.txt log is incomplete.
Post it again.

Run this tool and clean everything.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


How is the computer running now?
Wait for further instructions.

#3 Tazman282

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 02 February 2016 - 05:40 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by The Dohrings (administrator) on THEDOHRINGS-PC (02-02-2016 17:32:45)
Running from C:\Users\The Dohrings\Desktop
Loaded Profiles: The Dohrings (Available Profiles: The Dohrings)
Platform: Windows Vista ™ Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.149\SSScheduler.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Hewlett-Packard Company) C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_286.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_286.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\The Dohrings\Desktop\FRST64(1).exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [HP Remote Software] => C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDIRShortCut] => c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe [210216 2009-02-02] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe [1328424 2009-04-10] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe [185640 2009-04-10] (CyberLink)
HKLM-x32\...\Run: [DVDAgent] => c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [1148200 2009-03-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] => c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [224616 2009-02-06] (Microsoft Corp.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-08-05] (Apple Inc.)
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\...\Run: [WMPNSCFG] => C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31682144 2015-03-25] (Skype Technologies S.A.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-07-23]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.149\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk [2009-04-22]
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\Users\The Dohrings\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 2510 series.lnk [2016-02-02]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 2510 series.lnk -> C:\Program Files\HP\HP Deskjet 2510 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\The Dohrings\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk [2013-03-09]
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{71D2A4C1-0276-45D6-8713-CA0622385266}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.yahoo.com/?type=435371&fr=spigot-yhp-ie
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
SearchScopes: HKLM -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM -> {885581C1-C799-4E19-B72C-03BA11A7A773} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKLM-x32 -> {2f96f370-d59b-44d4-a2ef-40e54920b3f6} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZL^xdm408^YY^us&ptb=D0610FF8-1CA9-4E04-A73F-CFC95BB4E859&ind=2013040609&n=77fc8fe1&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {885581C1-C799-4E19-B72C-03BA11A7A773} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
SearchScopes: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> {02512FF0-B8BA-4EF1-A0C6-B2D01CEEE1BC} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=435371&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL =
SearchScopes: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> {885581C1-C799-4E19-B72C-03BA11A7A773} URL =
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-22] (Google Inc.)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-22] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-22] (Google Inc.)
Toolbar: HKLM-x32 - Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll [2009-01-22] (Microsoft Corp.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll [2009-04-22] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-22] (Google Inc.)

FireFox:
========
FF ProfilePath: C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default
FF NewTab: about:blank
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: Yahoo!
FF Homepage: hxxps://www.yahoo.com/
about:preferences
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_286.dll [2016-01-20] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_286.dll [2016-01-20] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1295408089-843128767-3191628613-1000: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Users\The Dohrings\AppData\Roaming\Visan\plugins\npRLSecurePluginLayer.dll [2011-02-02] (RocketLife, LLP)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2015-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2015-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2015-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2015-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2015-10-28] (Apple Inc.)
FF Extension:     Playtopus  - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\links@playtopus.com [2013-03-17] [not signed]
FF Extension:     Playtopus  - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com [2013-03-17] [not signed]
FF Extension: ZipArcade - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi [2016-01-20]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-03-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: HP Smart Print - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2013-07-24] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-09-02] (Apple Inc.)
R2 HP Health Check Service; c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-12-04] (Hewlett-Packard) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-03-17] (Hewlett-Packard Company) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
R2 Norton Internet Security; C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [115560 2009-04-22] (Symantec Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S4 nvrd64; C:\Windows\system32\drivers\nvrd64.sys [167456 2008-11-12] (NVIDIA Corporation)
S1 SRTSP; C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [474672 2009-04-22] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [32304 2009-04-22] (Symantec Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-02 17:33 - 2016-02-02 17:33 - 01508352 _____ C:\Users\The Dohrings\Desktop\adwcleaner_5.032.exe
2016-02-02 17:32 - 2016-02-02 17:32 - 02370560 _____ (Farbar) C:\Users\The Dohrings\Desktop\FRST64(1).exe
2016-02-02 17:32 - 2016-02-02 17:32 - 00017828 _____ C:\Users\The Dohrings\Desktop\FRST.txt
2016-02-02 08:34 - 2016-02-02 08:34 - 00031244 _____ C:\Users\The Dohrings\Desktop\Addition.txt
2016-02-02 08:23 - 2016-02-02 08:23 - 00031244 _____ C:\Users\The Dohrings\Downloads\Addition.txt
2016-02-02 08:21 - 2016-02-02 17:32 - 00000000 ____D C:\FRST
2016-02-02 08:21 - 2016-02-02 08:34 - 00006121 _____ C:\Users\The Dohrings\Downloads\FRST.txt
2016-02-02 08:20 - 2016-02-02 08:20 - 02370560 _____ (Farbar) C:\Users\The Dohrings\Downloads\FRST64.exe
2016-02-01 08:34 - 2016-02-02 17:23 - 00000000 ____D C:\Users\The Dohrings\AppData\Roaming\Skype
2016-02-01 08:34 - 2016-02-01 08:34 - 00000000 ____D C:\Users\The Dohrings\AppData\Local\Skype
2016-02-01 08:33 - 2016-02-01 08:33 - 00001890 _____ C:\Users\Public\Desktop\Skype.lnk
2016-02-01 08:33 - 2016-02-01 08:33 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-02-01 08:33 - 2016-02-01 08:33 - 00000000 ____D C:\ProgramData\Skype
2016-02-01 08:33 - 2016-02-01 08:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-02-01 08:25 - 2009-08-04 03:12 - 01103872 _____ (Microsoft Corporation) C:\Windows\system32\webservices.dll
2016-02-01 08:25 - 2009-08-04 03:02 - 00754688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webservices.dll
2016-01-23 19:59 - 2016-01-23 19:59 - 00931045 _____ (Internet ) C:\Users\The Dohrings\Downloads\adobe_flash_player(6).exe
2016-01-23 19:59 - 2016-01-23 19:59 - 00931045 _____ (Internet ) C:\Users\The Dohrings\Downloads\adobe_flash_player(5).exe
2016-01-23 19:59 - 2016-01-23 19:59 - 00931045 _____ (Internet ) C:\Users\The Dohrings\Downloads\adobe_flash_player(4).exe
2016-01-13 13:08 - 2015-12-08 12:01 - 00801280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-01-13 13:08 - 2015-12-08 11:39 - 01065984 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-01-13 13:07 - 2015-12-05 12:03 - 02873344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2016-01-13 13:07 - 2015-12-05 12:03 - 01567744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVENCOD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 01548288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 01377792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVSDECD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 01326080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMSPDMOE.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 01314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2016-01-13 13:07 - 2015-12-05 12:03 - 01114624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMADMOE.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00867328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmpmde.dll
2016-01-13 13:07 - 2015-12-05 12:03 - 00767488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVSENCD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00759296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMADMOD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00650240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVXENCD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00605184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMSPDMOD.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00506880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2016-01-13 13:07 - 2015-12-05 12:03 - 00497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2016-01-13 13:07 - 2015-12-05 12:03 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VIDRESZR.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00212992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RESAMPLEDMO.DLL
2016-01-13 13:07 - 2015-12-05 12:03 - 00208896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qasf.dll
2016-01-13 13:07 - 2015-12-05 12:02 - 00613888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSMPEG2VDEC.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00606208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MFWMAAEC.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00506880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSMPEG2ENC.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00480256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\evr.dll
2016-01-13 13:07 - 2015-12-05 12:02 - 00391680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSMPEG2ADEC.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00314880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MP4SDECD.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00254976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MPG4DECD.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00254976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MP43DECD.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00209920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfplat.dll
2016-01-13 13:07 - 2015-12-05 12:02 - 00158208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\COLORCNV.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00144384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ksproxy.ax
2016-01-13 13:07 - 2015-12-05 12:02 - 00080896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MP3DMOD.DLL
2016-01-13 13:07 - 2015-12-05 12:02 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\devenum.dll
2016-01-13 13:07 - 2015-12-05 12:02 - 00059392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfvdsp.dll
2016-01-13 13:07 - 2015-12-05 11:41 - 01886208 _____ (Microsoft Corporation) C:\Windows\system32\WMVENCOD.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 01706496 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 01539072 _____ (Microsoft Corporation) C:\Windows\system32\WMVSDECD.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 01350656 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOE.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 01127424 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOE.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 01090560 _____ (Microsoft Corporation) C:\Windows\system32\wmpmde.dll
2016-01-13 13:07 - 2015-12-05 11:41 - 00942592 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOD.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 00819200 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOD.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 00732160 _____ (Microsoft Corporation) C:\Windows\system32\WMVSENCD.DLL
2016-01-13 13:07 - 2015-12-05 11:41 - 00617984 _____ (Microsoft Corporation) C:\Windows\system32\WMVXENCD.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 03548672 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2016-01-13 13:07 - 2015-12-05 11:40 - 01571328 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2016-01-13 13:07 - 2015-12-05 11:40 - 00778752 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2VDEC.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00644608 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2ENC.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00620544 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2016-01-13 13:07 - 2015-12-05 11:40 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2ADEC.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00352256 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2016-01-13 13:07 - 2015-12-05 11:40 - 00309248 _____ (Microsoft Corporation) C:\Windows\system32\VIDRESZR.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00301056 _____ (Microsoft Corporation) C:\Windows\system32\MP4SDECD.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00252416 _____ (Microsoft Corporation) C:\Windows\system32\qasf.dll
2016-01-13 13:07 - 2015-12-05 11:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\MPG4DECD.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\MP43DECD.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\RESAMPLEDMO.DLL
2016-01-13 13:07 - 2015-12-05 11:40 - 00099328 _____ (Microsoft Corporation) C:\Windows\system32\MP3DMOD.DLL
2016-01-13 13:07 - 2015-12-05 11:39 - 01074176 _____ (Microsoft Corporation) C:\Windows\system32\mcmde.dll
2016-01-13 13:07 - 2015-12-05 11:39 - 00641024 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2016-01-13 13:07 - 2015-12-05 11:39 - 00471040 _____ (Microsoft Corporation) C:\Windows\system32\MFWMAAEC.DLL
2016-01-13 13:07 - 2015-12-05 11:39 - 00278016 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2016-01-13 13:07 - 2015-12-05 11:39 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\ksproxy.ax
2016-01-13 13:07 - 2015-12-05 11:39 - 00187392 _____ (Microsoft Corporation) C:\Windows\system32\COLORCNV.DLL
2016-01-13 13:07 - 2015-12-05 11:39 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\mfvdsp.dll
2016-01-13 13:07 - 2015-12-05 11:39 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\devenum.dll
2016-01-13 13:07 - 2015-12-05 11:22 - 00122368 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2016-01-13 13:06 - 2015-12-05 12:03 - 00304640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-01-13 13:06 - 2015-12-05 11:39 - 00390656 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-01-13 13:02 - 2015-12-05 10:34 - 02799616 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-01-13 13:01 - 2015-12-30 11:47 - 04694464 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-01-13 13:01 - 2015-11-13 11:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mapistub.dll
2016-01-13 13:01 - 2015-11-13 11:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mapi32.dll
2016-01-13 13:01 - 2015-11-13 11:42 - 00083456 _____ (Microsoft Corporation) C:\Windows\system32\mapistub.dll
2016-01-13 13:01 - 2015-11-13 11:42 - 00083456 _____ (Microsoft Corporation) C:\Windows\system32\mapi32.dll
2016-01-13 13:01 - 2015-11-13 10:27 - 00013824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fixmapi.exe
2016-01-13 07:59 - 2015-12-15 17:28 - 17892352 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-01-13 07:59 - 2015-12-15 17:25 - 02350080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-01-13 07:59 - 2015-12-15 17:21 - 10938368 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-01-13 07:59 - 2015-12-15 17:20 - 01388032 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-01-13 07:59 - 2015-12-15 17:20 - 00448512 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-01-13 07:59 - 2015-12-15 17:19 - 02158080 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-01-13 07:59 - 2015-12-15 17:19 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-01-13 07:59 - 2015-12-15 17:18 - 01494016 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-01-13 07:59 - 2015-12-15 17:18 - 00816128 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00579584 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00282112 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00173568 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-01-13 07:59 - 2015-12-15 17:18 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-01-13 07:59 - 2015-12-15 17:18 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-01-13 07:59 - 2015-12-15 17:18 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-01-13 07:59 - 2015-12-15 16:50 - 01814528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-01-13 07:59 - 2015-12-15 16:49 - 12388864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-01-13 07:59 - 2015-12-15 16:47 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-01-13 07:59 - 2015-12-15 16:46 - 09753088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-01-13 07:59 - 2015-12-15 16:45 - 01140224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-01-13 07:59 - 2015-12-15 16:45 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-01-13 07:59 - 2015-12-15 16:44 - 01804800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-01-13 07:59 - 2015-12-15 16:44 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-01-13 07:59 - 2015-12-15 16:44 - 00718848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-01-13 07:59 - 2015-12-15 16:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-01-13 07:59 - 2015-12-15 16:44 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2016-01-13 07:59 - 2015-12-15 16:44 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-01-13 07:59 - 2015-12-15 16:44 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-01-13 07:59 - 2015-12-15 16:43 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00353792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2016-01-13 07:59 - 2015-12-15 16:43 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2016-01-13 07:59 - 2015-12-15 16:43 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2016-01-06 20:29 - 2016-01-07 07:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-02 17:32 - 2013-11-21 10:23 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-02 17:31 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\inf
2016-02-02 17:31 - 2006-11-02 07:46 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-02 17:25 - 2013-11-21 10:23 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-02 17:25 - 2006-11-02 10:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-02 17:25 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-02 17:25 - 2006-11-02 10:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-02 17:24 - 2006-11-02 10:42 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-02-02 16:53 - 2013-03-08 20:26 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-02 16:51 - 2015-03-02 19:42 - 00000444 _____ C:\Windows\Tasks\HP Photo Creations Communicator.job
2016-02-01 13:27 - 2013-11-21 10:23 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-01 13:27 - 2013-11-21 10:23 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-02-01 11:49 - 2014-01-21 18:21 - 00002425 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2016-02-01 11:48 - 2015-07-11 15:57 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-02-01 10:05 - 2013-04-08 15:40 - 00000000 ____D C:\Users\The Dohrings\AppData\Roaming\HpUpdate
2016-02-01 10:03 - 2013-03-08 18:11 - 00003590 _____ C:\Windows\System32\Tasks\HP Health Check
2016-02-01 09:00 - 2006-11-02 08:33 - 00000000 ____D C:\Windows\rescache
2016-01-31 17:24 - 2014-12-02 08:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-24 08:28 - 2015-08-01 09:34 - 00000000 ____D C:\Users\The Dohrings\AppData\Roaming\uTorrent
2016-01-20 11:53 - 2013-03-08 20:26 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-20 11:53 - 2013-03-08 20:26 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-20 11:53 - 2013-03-08 20:26 - 00003684 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-13 13:21 - 2006-11-02 10:21 - 00314840 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-13 13:20 - 2009-04-22 04:40 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-13 13:18 - 2009-04-22 03:31 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2016-01-13 13:09 - 2013-03-08 20:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-13 13:06 - 2013-08-15 12:03 - 00000000 ____D C:\Windows\system32\MRT
2016-01-13 13:02 - 2006-11-02 07:35 - 143671360 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-01-07 07:47 - 2013-03-09 17:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2013-03-08 20:14 - 2015-10-09 14:33 - 0000584 _____ () C:\Users\The Dohrings\AppData\Roaming\wklnhst.dat
2013-04-25 06:51 - 2015-09-25 07:00 - 0006944 _____ () C:\Users\The Dohrings\AppData\Local\d3d9caps.dat
2013-03-09 09:14 - 2013-03-09 09:14 - 0382620 _____ () C:\Users\The Dohrings\AppData\Local\dd_vcredistMSI15A0.txt
2013-03-09 09:14 - 2013-03-09 09:14 - 0018696 _____ () C:\Users\The Dohrings\AppData\Local\dd_vcredistUI15A0.txt
2013-04-08 15:38 - 2013-04-08 15:38 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-03-10 09:09 - 2013-03-10 09:19 - 0000839 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\The Dohrings\AppData\Local\Temp\offer-8462BEA4-EEF4-4614-B49E-D3B64B7ACABA.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-02-02 17:35

==================== End of FRST.txt ============================



#4 Tazman282
  • Topic Starter
  • Members
  • 4 posts

Posted 02 February 2016 - 05:56 PM

Still infected with Zip Arcade

 

# AdwCleaner v5.032 - Logfile created 02/02/2016 at 17:49:42
# Updated 31/01/2016 by Xplode
# Database : 2016-02-02.1 [Server]
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (x64)
# Username : The Dohrings - THEDOHRINGS-PC
# Running from : C:\Users\The Dohrings\Desktop\adwcleaner_5.032.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[#] Folder Deleted : C:\Program Files\DomaIQ Uninstaller
[#] Folder Deleted : C:\Program Files (x86)\AOL Toolbar
[#] Folder Deleted : C:\Program Files (x86)\PC TEKNIX
[#] Folder Deleted : C:\Program Files (x86)\PCFixSpeed
[#] Folder Deleted : C:\Program Files (x86)\SearchDonkey
[#] Folder Deleted : C:\Program Files (x86)\SweetIM
[#] Folder Deleted : C:\Program Files (x86)\tuguu sl
[#] Folder Deleted : C:\Program Files (x86)\Yahoo!\Companion
[#] Folder Deleted : C:\ProgramData\AOL Toolbar
[#] Folder Deleted : C:\ProgramData\apn
[#] Folder Deleted : C:\ProgramData\BoostSoftware
[#] Folder Deleted : C:\ProgramData\PCFixSpeed
[#] Folder Deleted : C:\ProgramData\Yahoo! Companion
[#] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Fix Speed
[#] Folder Deleted : C:\Users\The Dohrings\AppData\Local\AOL Toolbar
[#] Folder Deleted : C:\Users\The Dohrings\AppData\LocalLow\Yahoo! Companion
[#] Folder Deleted : C:\Users\The Dohrings\AppData\LocalLow\Yahoo!\Companion
[#] Folder Deleted : C:\Users\The Dohrings\AppData\Roaming\Yahoo!\Companion

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{62271480-66D1-42D0-A818-BE5E65C56FA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{670593B8-D230-4521-A3EF-59D400A645B8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{891DFD94-5982-46EC-9B4D-1E86B07F33F2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8953967E-9D15-4C6C-A1F1-D73EC0E8D0F0}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{920354F8-AA6D-4801-B277-D916472E2127}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A189396C-EB06-4361-A69D-1D5AC9EA9DBD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B140F2D1-BF2D-402A-AA19-0FC57AD53B25}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\Interface\{62271480-66D1-42D0-A818-BE5E65C56FA4}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\Interface\{891DFD94-5982-46EC-9B4D-1E86B07F33F2}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\Interface\{8953967e-9d15-4c6c-a1f1-d73ec0e8d0f0}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\Interface\{b140f2d1-bf2d-402a-aa19-0fc57ad53b25}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AAFD8D03-2188-41E5-98AA-0BF3375465C7}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AAFD8D03-2188-41E5-98AA-0BF3375465C7}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5B9AFA9A-424A-4B0F-A665-D6DC3D51C837}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8953967E-9D15-4C6C-A1F1-D73EC0E8D0F0}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B140F2D1-BF2D-402A-AA19-0FC57AD53B25}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C1B9C9B5-82D0-4B8F-9C29-019254E270A1}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E8DAA6C0-075A-4312-960C-F6827B6BB44B}
[!] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5b9afa9a-424a-4b0f-a665-d6dc3d51c837}
[!] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8953967e-9d15-4c6c-a1f1-d73ec0e8d0f0}
[!] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b140f2d1-bf2d-402a-aa19-0fc57ad53b25}
[!] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c1b9c9b5-82d0-4b8f-9c29-019254e270a1}
[!] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e8daa6c0-075a-4312-960c-f6827b6bb44b}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{62271480-66D1-42D0-A818-BE5E65C56FA4}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{670593B8-D230-4521-A3EF-59D400A645B8}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{891DFD94-5982-46EC-9B4D-1E86B07F33F2}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8953967E-9D15-4C6C-A1F1-D73EC0E8D0F0}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{920354F8-AA6D-4801-B277-D916472E2127}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A189396C-EB06-4361-A69D-1D5AC9EA9DBD}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B140F2D1-BF2D-402A-AA19-0FC57AD53B25}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{62271480-66D1-42D0-A818-BE5E65C56FA4}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{891DFD94-5982-46EC-9B4D-1E86B07F33F2}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8953967e-9d15-4c6c-a1f1-d73ec0e8d0f0}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{b140f2d1-bf2d-402a-aa19-0fc57ad53b25}
[-] Key Deleted : HKLM\SOFTWARE\BoostSoftware
[-] Key Deleted : [x64] HKLM\SOFTWARE\BoostSoftware
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data Restored : HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{02512FF0-B8BA-4EF1-A0C6-B2D01CEEE1BC}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f96f370-d59b-44d4-a2ef-40e54920b3f6}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6C25BA45-81AC-490F-B4C6-580BEA37898F}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6C25BA45-81AC-490F-B4C6-580BEA37898F}
[!] Key Not Deleted : HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\SearchScopes\{02512FF0-B8BA-4EF1-A0C6-B2D01CEEE1BC}

***** [ Web browsers ] *****

[-] [C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", false);
[-] [C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "dailylocalguide@mindspark.com");

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [8065 bytes] ##########
 



#5 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 February 2016 - 08:50 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.yahoo.com/?type=435371&fr=spigot-yhp-ie
SearchScopes: HKLM -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {2f96f370-d59b-44d4-a2ef-40e54920b3f6} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZL^xdm408^YY^us&ptb=D0610FF8-1CA9-4E04-A73F-CFC95BB4E859&ind=2013040609&n=77fc8fe1&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL =
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
Toolbar: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
FF Extension:     Playtopus  - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com [2013-03-17] [not signed]
FF Extension: ZipArcade - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi [2016-01-20]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
C:\Users\The Dohrings\AppData\Local\Temp\offer-8462BEA4-EEF4-4614-B49E-D3B64B7ACABA.exe
C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com
C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Any remaining issues?

#6 Tazman282
  • Topic Starter
  • Members
  • 4 posts

Posted 03 February 2016 - 01:06 PM

Fix result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by The Dohrings (2016-02-03 12:43:47) Run:1
Running from C:\Users\The Dohrings\Desktop
Loaded Profiles: The Dohrings (Available Profiles: The Dohrings)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.yahoo.com/?type=435371&fr=spigot-yhp-ie
SearchScopes: HKLM -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {2f96f370-d59b-44d4-a2ef-40e54920b3f6} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZL^xdm408^YY^us&ptb=D0610FF8-1CA9-4E04-A73F-CFC95BB4E859&ind=2013040609&n=77fc8fe1&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> {6C25BA45-81AC-490F-B4C6-580BEA37898F} URL =
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
Toolbar: HKU\S-1-5-21-1295408089-843128767-3191628613-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
FF Extension:     Playtopus  - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com [2013-03-17] [not signed]
FF Extension: ZipArcade - C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi [2016-01-20]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
C:\Users\The Dohrings\AppData\Local\Temp\offer-8462BEA4-EEF4-4614-B49E-D3B64B7ACABA.exe
C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com
C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6C25BA45-81AC-490F-B4C6-580BEA37898F} => key not found.
HKCR\CLSID\{6C25BA45-81AC-490F-B4C6-580BEA37898F} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2f96f370-d59b-44d4-a2ef-40e54920b3f6} => key not found.
HKCR\Wow6432Node\CLSID\{2f96f370-d59b-44d4-a2ef-40e54920b3f6} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{6C25BA45-81AC-490F-B4C6-580BEA37898F} => key not found.
HKCR\Wow6432Node\CLSID\{6C25BA45-81AC-490F-B4C6-580BEA37898F} => key not found.
"HKU\S-1-5-21-1295408089-843128767-3191628613-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6C25BA45-81AC-490F-B4C6-580BEA37898F}" => key removed successfully
HKCR\CLSID\{6C25BA45-81AC-490F-B4C6-580BEA37898F} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01}" => key removed successfully
HKU\S-1-5-21-1295408089-843128767-3191628613-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => value removed successfully
HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => key not found.
C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com => moved successfully
C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi => moved successfully
IpInIp => service removed successfully
NAVENG => service removed successfully
NAVEX15 => service removed successfully
NwlnkFlt => service removed successfully
NwlnkFwd => service removed successfully
PCDSRVC{F36B3A4C-F95654BD-06000000}_0 => service removed successfully
C:\Users\The Dohrings\AppData\Local\Temp\offer-8462BEA4-EEF4-4614-B49E-D3B64B7ACABA.exe => moved successfully
"C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\links@playtopus.com" => not found.
"C:\Users\The Dohrings\AppData\Roaming\Mozilla\Firefox\Profiles\9j1aoqo1.default\Extensions\{74e039b8-a2db-4a41-9155-4ccfc2c86682}.xpi" => not found.
EmptyTemp: => 709 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 12:45:24 ====



#7 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 February 2016 - 02:59 PM

Is the problem solved?

#8 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 February 2016 - 07:51 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
