possible RAT infection


  • This topic is locked
21 replies to this topic

#1 Revocide

  • Members
  • 16 posts

Posted 14 February 2016 - 11:56 AM

Hello members of Bleeping Computer


I am in need of some technical assistance. My wife noticed the cursor moving on its own using Chromium App Launcher; attempts to close the app or shut down the machine were thwarted. She ended up pulling out the power and battery. This activity happened when she left the computer unattended with web pages open.

As per buddy215's advice, I tried to look for evidence of said RAT, to no avail.

As per request, here is the FRST.txt log:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by Barbara-Ann (administrator) on BARBI (15-02-2016 00:14:26)
Running from C:\Users\Barbara-Ann\Downloads
Loaded Profiles: Barbara-Ann (Available Profiles: UpdatusUser & Barbara-Ann & Administrator)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Hola\app\chromium\hola_cr.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\WINDOWS\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\WINDOWS\System32\nvvsvc.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Amazon Inc.) C:\Program Files (x86)\Amazon\Amazon1ButtonApp\Amazon1ButtonService64.Exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
() C:\WINDOWS\System32\DptfParticipantProcessorService.exe
() C:\WINDOWS\System32\DptfPolicyConfigTDPService.exe
(Hola Networks Ltd.) C:\Program Files\Hola\app\hola_svc.exe
(Hola Networks Ltd.) C:\Program Files\Hola\app\hola_updater.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnWMI.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnCfg.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Microsoft Corporation) C:\WINDOWS\System32\SkyDrive.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\WINDOWS\System32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxsrvc.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(Hola Networks Ltd.) C:\Program Files\Hola\app\hola.exe
(Polar Electro Oy) C:\Program Files (x86)\Polar\Polar FlowSync\flowsync.exe
(ASUSTeK) C:\WINDOWS\SysWOW64\ACEngSvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\WINDOWS\System32\GWX\GWX.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\System32\SettingSyncHost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13191312 2012-08-07] (Realtek Semiconductor)
HKLM\...\Run: [ACMON] => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [107192 2012-08-25] (ASUS)
HKLM\...\Run: [hola] => C:\Program Files\Hola\app\hola.exe [2031232 2016-02-09] (Hola Networks Ltd.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [91432 2012-03-29] (CyberLink Corp.)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\AsusWSPanel.exe [3417984 2012-08-28] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-12-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2566630262-1872725292-3610738231-1002\...\Run: [Polar FlowSync] => C:\Program Files (x86)\Polar\Polar FlowSync\flowsync.exe [1191936 2015-11-19] (Polar Electro Oy)
HKU\S-1-5-21-2566630262-1872725292-3610738231-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-16] (Piriform Ltd)
ShellIconOverlayIdentifiers: [AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.9.120\ASUSWSShellExt64.dll [2012-03-13] (ASUS Cloud Corporation.)
Startup: C:\Users\Barbara-Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-11-23]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{BC67E38D-AAC5-4E32-80E6-71730D9989BB}: [DhcpNameServer] 10.0.0.138

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\S-1-5-21-2566630262-1872725292-3610738231-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p17_serp_ie_us_display?ie=UTF8&tagbase=bds-p17&tbrId=v1_abb-channel-17_0_1201_1403_20160130_AU_ie_sp_
SearchScopes: HKU\S-1-5-21-2566630262-1872725292-3610738231-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2566630262-1872725292-3610738231-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2566630262-1872725292-3610738231-1002 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p17_serp_ie_us_display?ie=UTF8&tagbase=bds-p17&tbrId=v1_abb-channel-17_0_1201_1403_20160130_AU_ie_ds_&tag=bds-p17-serp-us-ie-20&query={searchTerms}
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-12-17] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_71\bin\ssv.dll [2016-01-30] (Oracle Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-01-21] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_71\bin\jp2ssv.dll [2016-01-30] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\ssv.dll [2016-01-30] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\jp2ssv.dll [2016-01-30] (Oracle Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-05-05] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Barbara-Ann\AppData\Roaming\Mozilla\Firefox\Profiles\bloegj7h.default
FF NewTab:
FF SearchEngineOrder.1: Amazon
FF SelectedSearchEngine: Internet Search
FF Homepage: hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p17_serp_ff_us_display?ie=UTF8&tagbase=bds-p17&tbrId=v1_abb-channel-17_0_1201_1403_20160130_AU_ff_sp_
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_20_0_0_306.dll [2016-02-10] ()
FF Plugin: @java.com/DTPlugin,version=11.71.2 -> C:\Program Files\Java\jre1.8.0_71\bin\dtplugin\npDeployJava1.dll [2016-01-30] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.71.2 -> C:\Program Files\Java\jre1.8.0_71\bin\plugin2\npjp2.dll [2016-01-30] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-10] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\dtplugin\npDeployJava1.dll [2016-01-30] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\plugin2\npjp2.dll [2016-01-30] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-27] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-04] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\Barbara-Ann\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [2016-02-09] ()
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\Barbara-Ann\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [2016-02-09] (Hola)
FF Plugin HKU\S-1-5-21-2566630262-1872725292-3610738231-1002: @hola.org/FlashPlayer -> C:\Users\Barbara-Ann\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [2016-02-09] ()
FF Plugin HKU\S-1-5-21-2566630262-1872725292-3610738231-1002: @hola.org/vlc -> C:\Users\Barbara-Ann\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [2016-02-09] (Hola)
FF user.js: detected! => C:\Users\Barbara-Ann\AppData\Roaming\Mozilla\Firefox\Profiles\bloegj7h.default\user.js [2014-05-03]
FF Extension: Amazon Assistant for Firefox - C:\Users\Barbara-Ann\AppData\Roaming\Mozilla\Firefox\Profiles\bloegj7h.default\Extensions\abb@amazon.com.xpi [2016-02-11]
FF Extension: Adblock Plus - C:\Users\Barbara-Ann\AppData\Roaming\Mozilla\Firefox\Profiles\bloegj7h.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-01-20]

Chrome:
=======
CHR HomePage: Default -> amazon.com/websearch/?ie=UTF8__PARAM__
CHR DefaultSearchURL: Default -> hxxps://www.amazon.com/websearch/?ie=UTF8__PARAM__&query={searchTerms}
CHR DefaultSearchKeyword: Default -> amazon
CHR Profile: C:\Users\Barbara-Ann\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Adblock Plus) - C:\Users\Barbara-Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-02-06]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Barbara-Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2016-02-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Barbara-Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-26]
CHR Extension: (Amazon Smart Search) - C:\Users\Barbara-Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooebgdicanjhnamfmdlmlbcnkgehkkmf [2016-01-31]
CHR HKU\S-1-5-21-2566630262-1872725292-3610738231-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ooebgdicanjhnamfmdlmlbcnkgehkkmf] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2566630262-1872725292-3610738231-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pbjikboenpfhbbejgkoklgkhjpfogcam] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Amazon 1Button App Service; C:\Program Files (x86)\Amazon\Amazon1ButtonApp\Amazon1ButtonService64.Exe [451072 2016-01-11] (Amazon Inc.) [File not signed]
R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-14] (ASUS)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2787512 2015-12-22] (Microsoft Corporation)
R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [29056 2012-07-30] ()
R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [30592 2012-07-30] ()
R2 hola_svc; C:\Program Files\Hola\app\hola_svc.exe [8126592 2016-02-09] (Hola Networks Ltd.)
R2 hola_updater; C:\Program Files\Hola\app\hola_updater.exe [8104576 2015-10-22] (Hola Networks Ltd.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-28] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-26] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [61824 2012-11-01] (ASUS Corporation)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
R3 DptfDevDram; C:\Windows\system32\DRIVERS\DptfDevDram.sys [107328 2012-07-13] (Intel Corporation)
R3 DptfDevFan; C:\Windows\system32\DRIVERS\DptfDevFan.sys [42816 2012-07-13] (Intel Corporation)
R3 DptfDevGen; C:\Windows\system32\DRIVERS\DptfDevGen.sys [64832 2012-07-13] (Intel Corporation)
R3 DptfDevPch; C:\Windows\system32\DRIVERS\DptfDevPch.sys [96064 2012-07-13] (Intel Corporation)
R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [228672 2012-07-13] (Intel Corporation)
R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [361792 2012-07-13] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-02] ( )
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-15 00:14 - 2016-02-15 00:14 - 00018814 _____ C:\Users\Barbara-Ann\Downloads\FRST.txt
2016-02-15 00:13 - 2016-02-15 00:14 - 00000000 ____D C:\FRST
2016-02-15 00:12 - 2016-02-15 00:12 - 02370560 _____ (Farbar) C:\Users\Barbara-Ann\Downloads\FRST64.exe
2016-02-15 00:02 - 2016-02-15 00:02 - 00291312 _____ C:\WINDOWS\Minidump\021516-30546-01.dmp
2016-02-14 23:08 - 2016-02-14 23:08 - 00291504 _____ C:\WINDOWS\Minidump\021416-34093-01.dmp
2016-02-14 21:32 - 2016-02-15 00:02 - 417930502 _____ C:\WINDOWS\MEMORY.DMP
2016-02-14 21:32 - 2016-02-14 21:32 - 00293768 _____ C:\WINDOWS\Minidump\021416-38031-01.dmp
2016-02-12 08:15 - 2016-02-13 16:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-10 11:35 - 2016-02-06 18:48 - 25839104 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-02-10 11:35 - 2016-02-06 18:24 - 02887680 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-02-10 11:35 - 2016-02-06 18:01 - 20366848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-02-10 11:35 - 2016-02-06 17:43 - 02280448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-02-10 11:35 - 2016-02-06 17:32 - 14458368 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-02-10 11:35 - 2016-02-06 17:16 - 12857856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-02-10 11:35 - 2016-02-06 17:09 - 01547264 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-02-10 11:35 - 2016-02-06 16:54 - 01312256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-02-10 11:05 - 2016-01-15 09:42 - 00033472 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-02-10 11:05 - 2016-01-15 04:44 - 01362944 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-02-10 11:05 - 2016-01-15 04:44 - 01162240 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-02-10 11:05 - 2016-01-15 04:44 - 00696320 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-02-10 11:05 - 2016-01-15 04:44 - 00677376 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-02-10 11:05 - 2016-01-15 04:44 - 00499200 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-02-10 11:05 - 2016-01-15 04:44 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-02-10 11:05 - 2016-01-11 03:37 - 00442720 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2016-02-10 11:05 - 2016-01-11 02:39 - 00332640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2016-02-10 11:05 - 2016-01-11 02:15 - 00401920 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2016-02-10 11:05 - 2016-01-11 02:15 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2016-02-10 11:05 - 2016-01-11 01:50 - 00062464 _____ (Microsoft Corporation) C:\WINDOWS\system32\cfgbkend.dll
2016-02-10 11:05 - 2016-01-11 01:43 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-02-10 11:05 - 2016-01-11 01:31 - 00162304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msorcl32.dll
2016-02-10 11:05 - 2016-01-11 01:16 - 00898048 _____ (Microsoft Corporation) C:\WINDOWS\system32\CPFilters.dll
2016-02-10 11:05 - 2016-01-11 01:14 - 00048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cfgbkend.dll
2016-02-10 11:05 - 2016-01-11 01:12 - 00532480 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDec.dll
2016-02-10 11:05 - 2016-01-11 01:09 - 01442304 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-02-10 11:05 - 2016-01-11 01:09 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-02-10 11:05 - 2016-01-11 01:02 - 00987648 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-02-10 11:05 - 2016-01-11 00:58 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\mtxoci.dll
2016-02-10 11:05 - 2016-01-11 00:56 - 00186880 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapisrv.dll
2016-02-10 11:05 - 2016-01-11 00:51 - 00702976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CPFilters.dll
2016-02-10 11:05 - 2016-01-11 00:49 - 00443392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\EncDec.dll
2016-02-10 11:05 - 2016-01-11 00:43 - 00801792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-02-10 11:05 - 2016-01-11 00:40 - 00116736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mtxoci.dll
2016-02-10 11:05 - 2016-01-08 02:34 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-02-10 11:05 - 2015-12-29 23:45 - 07783936 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-02-10 11:05 - 2015-12-29 23:45 - 07075328 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2016-02-10 11:05 - 2015-12-29 23:43 - 05267968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2016-02-10 11:05 - 2015-12-29 23:42 - 05264384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-02-10 11:04 - 2016-01-22 16:01 - 22365992 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-02-10 11:04 - 2016-01-22 15:11 - 19794896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-02-10 11:04 - 2016-01-22 13:25 - 14467072 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-02-10 11:04 - 2016-01-22 13:14 - 12879360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-02-10 11:04 - 2016-01-22 13:07 - 02778624 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2016-02-10 11:04 - 2016-01-22 12:58 - 02464256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2016-02-10 11:04 - 2016-01-20 03:14 - 07453024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-02-10 11:04 - 2016-01-20 03:13 - 02175008 _____ (Microsoft Corporation) C:\WINDOWS\system32\combase.dll
2016-02-10 11:04 - 2016-01-20 03:13 - 01063464 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinTypes.dll
2016-02-10 11:04 - 2016-01-20 03:12 - 01737088 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-02-10 11:04 - 2016-01-20 03:12 - 01133744 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-02-10 11:04 - 2016-01-20 02:23 - 01564496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\combase.dll
2016-02-10 11:04 - 2016-01-20 02:23 - 01501496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-02-10 11:04 - 2016-01-20 02:23 - 00548024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinTypes.dll
2016-02-10 11:04 - 2016-01-20 02:15 - 00246784 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2016-02-10 11:04 - 2016-01-20 01:30 - 00862720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-02-10 11:04 - 2016-01-20 00:37 - 00267776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wincorlib.dll
2016-02-10 11:04 - 2016-01-07 02:25 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2016-02-10 11:03 - 2016-01-22 14:40 - 00571904 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-02-10 11:03 - 2016-01-22 14:29 - 06052352 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-02-10 11:03 - 2016-01-22 14:28 - 00108544 _____ (Microsoft Corporation) C:\WINDOWS\system32\hlink.dll
2016-02-10 11:03 - 2016-01-22 14:27 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-02-10 11:03 - 2016-01-22 14:02 - 00496640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-02-10 11:03 - 2016-01-22 13:55 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-02-10 11:03 - 2016-01-22 13:52 - 00099328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hlink.dll
2016-02-10 11:03 - 2016-01-22 13:51 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-02-10 11:03 - 2016-01-22 13:50 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2016-02-10 11:03 - 2016-01-22 13:48 - 00718336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-02-10 11:03 - 2016-01-22 13:48 - 00372224 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-02-10 11:03 - 2016-01-22 13:47 - 00798208 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-02-10 11:03 - 2016-01-22 13:46 - 02123264 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-02-10 11:03 - 2016-01-22 13:35 - 04611072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-02-10 11:03 - 2016-01-22 13:31 - 02597376 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-02-10 11:03 - 2016-01-22 13:31 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2016-02-10 11:03 - 2016-01-22 13:28 - 02880000 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2016-02-10 11:03 - 2016-01-22 13:27 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2016-02-10 11:03 - 2016-01-22 13:25 - 00687104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-02-10 11:03 - 2016-01-22 13:25 - 00325632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-02-10 11:03 - 2016-01-22 13:24 - 02050560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-02-10 11:03 - 2016-01-22 13:08 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-02-10 11:03 - 2016-01-22 13:07 - 02120704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-02-10 11:03 - 2016-01-22 13:02 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-02-10 11:03 - 2016-01-11 03:37 - 00136912 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-02-10 11:03 - 2016-01-11 00:51 - 03707392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-02-10 11:03 - 2016-01-11 00:38 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2016-02-10 11:03 - 2016-01-11 00:36 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2016-02-10 11:03 - 2016-01-11 00:36 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2016-02-10 11:03 - 2016-01-11 00:35 - 02243584 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2016-02-10 11:03 - 2016-01-11 00:35 - 00897024 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-02-10 11:03 - 2016-01-11 00:29 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2016-02-10 11:03 - 2016-01-11 00:26 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-02-10 11:03 - 2015-12-29 05:42 - 00713216 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSync.dll
2016-02-10 11:03 - 2015-12-29 04:31 - 00578048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinSync.dll
2016-02-10 11:02 - 2016-01-11 00:39 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2016-02-10 11:02 - 2016-01-11 00:29 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2016-02-10 11:02 - 2016-01-11 00:27 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2016-02-10 11:02 - 2015-12-18 02:29 - 00131584 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2016-02-10 11:02 - 2015-12-18 00:17 - 03547648 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2016-02-07 20:11 - 2016-02-07 20:11 - 00000836 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-02-07 20:08 - 2016-02-07 20:08 - 06828320 _____ (Piriform Ltd) C:\Users\Barbara-Ann\Downloads\ccsetup514.exe
2016-02-07 19:45 - 2016-02-07 19:45 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Local\Chromium
2016-02-06 13:40 - 2016-02-06 13:40 - 18348472 _____ (Adobe Systems Inc.) C:\Users\Barbara-Ann\Downloads\AdobeAIRInstaller.exe
2016-02-06 13:40 - 2016-02-06 13:40 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2016-02-06 13:40 - 2016-02-06 13:40 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2016-02-04 17:09 - 2016-02-04 17:09 - 00000000 ____D C:\Users\Barbara-Ann\Desktop\camping
2016-02-04 14:40 - 2016-02-15 00:02 - 00000000 ____D C:\WINDOWS\Minidump
2016-02-02 21:39 - 2016-02-02 21:39 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Local\Cyberlink
2016-02-02 19:13 - 2016-02-02 19:13 - 00000000 ____D C:\Users\Public\CyberLink
2016-02-02 19:11 - 2016-02-02 19:11 - 00000000 ____D C:\Users\Barbara-Ann\Desktop\Documents\CyberLink
2016-02-02 19:11 - 2016-02-02 19:11 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Roaming\CyberLink
2016-02-02 19:11 - 2016-02-02 19:11 - 00000000 ____D C:\ProgramData\CyberLink
2016-01-30 20:24 - 2016-02-15 00:10 - 00004610 _____ C:\WINDOWS\System32\Tasks\DistromaticSearchProtect-hourly
2016-01-30 20:24 - 2016-01-30 20:24 - 00004486 _____ C:\WINDOWS\System32\Tasks\DistromaticUpdater-periodic
2016-01-30 20:24 - 2016-01-30 20:24 - 00004088 _____ C:\WINDOWS\System32\Tasks\DistromaticSearchProtect-logon
2016-01-30 20:24 - 2016-01-30 20:24 - 00003962 _____ C:\WINDOWS\System32\Tasks\DistromaticUpdater-logon
2016-01-30 20:24 - 2016-01-30 20:24 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Local\Amazon Browser Settings
2016-01-30 20:24 - 2016-01-30 20:24 - 00000000 ____D C:\Program Files (x86)\Amazon Browser Settings
2016-01-30 20:24 - 2016-01-30 20:24 - 00000000 ____D C:\Program Files (x86)\Amazon
2016-01-24 11:55 - 2016-01-24 11:55 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Local\Intel_Corporation
2016-01-23 20:48 - 2016-02-13 08:46 - 00002265 _____ C:\Users\Barbara-Ann\Desktop\Chromium App Launcher.lnk
2016-01-23 20:48 - 2016-02-13 08:46 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium Apps
2016-01-23 20:48 - 2016-01-23 20:48 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium
2016-01-22 09:22 - 2016-01-22 09:22 - 00094705 _____ C:\Users\Barbara-Ann\Downloads\Application-Package-Administrator-Bunbury-20012016.pdf
2016-01-21 08:04 - 2015-04-28 21:13 - 00513480 _____ C:\WINDOWS\SysWOW64\locale.nls
2016-01-21 08:04 - 2015-04-28 21:13 - 00513480 _____ C:\WINDOWS\system32\locale.nls

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-15 00:09 - 2015-04-25 18:31 - 00000000 ____D C:\Users\Barbara-Ann\OneDrive
2016-02-15 00:08 - 2014-05-03 16:14 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-15 00:08 - 2013-07-24 21:56 - 00000408 _____ C:\Users\Barbara-Ann\AppData\Roaming\sp_data.sys
2016-02-15 00:02 - 2013-08-22 22:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-02-15 00:02 - 2013-08-19 21:21 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-02-14 23:38 - 2014-05-03 16:14 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-14 23:19 - 2014-11-21 16:44 - 00892386 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-02-14 23:19 - 2013-08-22 21:36 - 00000000 ____D C:\WINDOWS\Inf
2016-02-14 21:33 - 2015-04-25 17:02 - 00000000 ____D C:\Users\Barbara-Ann
2016-02-14 20:27 - 2015-04-27 12:39 - 00003938 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{38CE1095-E8A0-4986-9353-3E6595D2E759}
2016-02-13 16:46 - 2013-08-22 21:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-02-13 16:46 - 2013-07-24 22:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-13 09:17 - 2013-08-22 23:36 - 00000000 ____D C:\WINDOWS\rescache
2016-02-13 09:14 - 2013-07-24 22:03 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2566630262-1872725292-3610738231-1002
2016-02-13 07:26 - 2013-08-22 22:44 - 00371720 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-02-13 07:21 - 2015-04-30 21:21 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-02-13 07:21 - 2014-11-21 16:25 - 00000000 ____D C:\Program Files\Windows Journal
2016-02-13 07:21 - 2013-08-22 23:36 - 00000000 ___RD C:\WINDOWS\ToastData
2016-02-11 17:45 - 2013-08-22 23:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-02-11 07:42 - 2014-05-03 16:16 - 00002234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-02-11 07:42 - 2014-05-03 16:16 - 00002205 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-02-10 18:44 - 2013-08-19 21:21 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-02-10 17:57 - 2013-08-22 23:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-02-10 11:43 - 2012-07-26 15:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-02-10 11:40 - 2013-08-24 22:33 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-02-10 11:37 - 2013-07-27 08:00 - 146614896 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-02-09 09:06 - 2015-09-18 10:33 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Roaming\Hola
2016-02-07 20:26 - 2015-04-26 08:50 - 00000000 ___DC C:\WINDOWS\Panther
2016-02-07 20:11 - 2013-07-24 22:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-02-07 20:03 - 2015-04-27 12:39 - 00000000 __SHD C:\Users\Barbara-Ann\AppData\Local\EmieUserList
2016-02-07 20:03 - 2015-04-27 12:39 - 00000000 __SHD C:\Users\Barbara-Ann\AppData\Local\EmieSiteList
2016-02-07 20:03 - 2015-04-27 12:39 - 00000000 __SHD C:\Users\Barbara-Ann\AppData\Local\EmieBrowserModeList
2016-02-06 21:06 - 2013-09-15 09:04 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Local\Adobe
2016-02-06 13:40 - 2015-11-06 07:57 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-02-06 13:40 - 2013-07-24 21:56 - 00000000 ____D C:\Users\Barbara-Ann\AppData\Roaming\Adobe
2016-02-06 13:40 - 2012-08-05 09:42 - 00000000 ____D C:\ProgramData\Adobe
2016-02-04 15:30 - 2014-05-03 16:14 - 00003890 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-04 15:30 - 2014-05-03 16:14 - 00003654 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-02-02 10:37 - 2014-11-22 00:03 - 00828920 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-02-02 10:37 - 2014-11-22 00:03 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-30 20:23 - 2015-10-22 21:17 - 00000000 ____D C:\Users\Barbara-Ann\.oracle_jre_usage
2016-01-30 20:23 - 2013-09-14 10:24 - 00000000 ____D C:\Program Files\Java
2016-01-30 20:23 - 2013-09-14 10:23 - 00000000 ____D C:\ProgramData\Oracle
2016-01-30 20:23 - 2013-09-14 10:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-01-30 20:23 - 2013-09-14 10:23 - 00000000 ____D C:\Program Files (x86)\Java
2016-01-30 20:22 - 2013-09-14 10:24 - 00110176 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2016-01-30 20:05 - 2015-12-25 15:55 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-01-24 16:57 - 2015-11-23 21:57 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-01-22 15:44 - 2015-11-11 07:48 - 00561952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-01-22 15:44 - 2015-11-11 07:48 - 00177496 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-01-21 08:10 - 2013-08-22 23:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-01-21 08:09 - 2013-07-24 22:57 - 00000000 ____D C:\Program Files\Microsoft Office 15

==================== Files in the root of some directories =======

2014-04-29 11:28 - 2014-04-29 11:30 - 0000320 _____ () C:\Users\Barbara-Ann\AppData\Roaming\aps.uninstall.scan.results
2013-07-24 21:56 - 2016-02-15 00:08 - 0000408 _____ () C:\Users\Barbara-Ann\AppData\Roaming\sp_data.sys
2013-12-20 19:19 - 2014-03-30 09:39 - 0000174 _____ () C:\Users\Barbara-Ann\AppData\Roaming\WB.CFG
2012-08-05 09:42 - 2012-07-30 14:03 - 0000217 _____ () C:\ProgramData\SetStretch.cmd
2012-08-05 09:42 - 2009-07-22 18:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe

Some files in TEMP:
====================
C:\Users\Barbara-Ann\AppData\Local\Temp\jre-8u73-windows-au.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-02-14 18:35

==================== End of FRST.txt ============================

 

Any assistance will be greatly appreciated. I know I can't buy a coffee or a drink of any sort, but I do appreciate the help offered here.

 

Revocide



Edited by Revocide, 14 February 2016 - 12:03 PM.




#2 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 15 February 2016 - 01:40 PM

Hello Revocide,

I'm Stan and I will be helping you with this problem.

First of all I want to clear some things about the malware removal process:

  • Do not run/install any tools on your own. This may affect the process of removal and may cause both slowdown and additional problems.
  • Read carefully the steps that I suggest you do. Any mismatch will prolong this case.
  • Copy any scripts carefully so they stay exactly the same as the original. Otherwise the script may not work and we will need to rerun/recreate it.
  • Feel free to copy all the steps to an offline environment. They may be easier to read and follow this way.
  • Feel free to ask any questions about the malware removal process. I'm here to help you, so nothing must be hidden or misunderstood.
  • Share with me any problems/changes you experience while working with the current system.
  • Please, do not use any quotes or code boxes when you post logs.

I want to inform you that I will be able to respond in the evenings - 07:00 P.M. - 11:00 P.M. (UTC + 02:00) - since I'm working during most of the daytime. If I haven't posted anything for 48 hours straight, please, feel free to send me a personal message. I will bump the topic if there is no response from you for 3 days. After 5 days of inactivity, the topic will be closed.

I want to inform you that I'm still in my training program so my posts must be reviewed by an instructor. This may lead to a slight delay in my answers.

 

********************

 

Thank you for the provided logs. I will take a look at them and, when ready, be back with further instructions. Meanwhile, I want to ask you a couple of questions:

  • You said that any attempts at closing the application and shutting down the machine were unsuccessful. Did any error messages pop up?
  • Did the machine start shutting down, or was there no response to the command sent?
  • Did you reproduce the problem a second time, or was it a one-time experience?

Regards,

Stan

 

"There isn't a person anywhere who isn't capable of doing more than he thinks he can." - Henry Ford

 

 

 

 

 


#3 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 16 February 2016 - 07:05 PM

Hello Stan, thank you for your time and effort with my issue.

Regarding your questions, no error message popped up and she could not begin to shut down the machine. She said that someone else had control over this computer and any attempts at moving the cursor from this end were futile. This was a one-time-only deal. No further signs of this type of activity.

Some things to note, though: when using Netflix, the movies she tries to watch are constantly buffering/loading; this was not happening before this incident of remote access. Possibly a coincidence.

The other issue is that when I attempted to create a system image (using Windows' own utility) the process would crash and yield a "something has gone wrong and windows needs to restart" along with the KERNEL_DATA_INPAGE_ERROR message. This happened twice, near the end of making the system image. Could be unrelated though.

Again I appreciate you volunteering your time and effort to help with this issue.

Regards

Revocide



#4 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 17 February 2016 - 01:06 AM

Hello Revocide,

While those issues are possibly not malware related, I understand your worries and we will check what the reason for the problem is. Meanwhile, there are some other things that should be fixed in the first place.

I can see that there is a Hola application installed on your system. While it may look legitimate, the software is known for its malware-type behavior and it is advised that it be removed from the system. This is what we will do next.

Note: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Please download the attached fixlist.txt and save it to the same location as FRST.

Note: It's important that both files, FRST.exe and fixlist.txt, are in the same location or the fix will not work. In your case, this should be the Downloads folder.

  • Run FRST.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log - Fixlog.txt - and a second file - MBRDUMP.txt - in the same location the tool was run from.

Please, attach (do not paste) both files to your next reply.

********************

I also see that there is Amazon software present on the system - Amazon Assistant. Did you install that intentionally, or are you not aware of its presence?


Regards,

Stan

#5 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 18 February 2016 - 11:42 PM

Hello Stan, thank you for your time.

I did run the FRST.exe and the fix you created; please find the necessary logs attached.

Regarding the Amazon Assistant, I asked my wife about it and she informs me that she did not knowingly install it. Oracle likes to add things to their updates to try and have people install software that they do not want; perhaps this was a similar occurrence.

Again, I do appreciate your time and effort with this issue.

Regards

Revocide

 




#6 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 20 February 2016 - 07:08 AM

Hello Revocide,

Please download aswMBR and save the file on your Desktop.

  • Right-click over aswMBR.exe and choose Run as Administrator.
  • When asked if you'd like to download the latest definitions, please, choose Yes.
  • When ready, please, push the Scan button.
  • When completed, push the Save log button and save the log at a destination of your choice.

Please, paste the content of the log in your next reply.

********************

Please, download GSmartControl and save the file on your Desktop.

  • Unzip the downloaded archive (gsmartcontrol-0.8.7-win32.zip) to a destination of your choice.
  • Double-click on gsmartcontrol.exe to start the application.
  • A list of available hard drives will be shown.
  • Double-click over your hard drive entry to see more detailed information.
  • Please, push the Save As button to save the displayed content.

Please, attach the generated file to your next post.


Regards,

Stan

#7 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 22 February 2016 - 11:40 AM

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-02-22 23:12:03
-----------------------------
23:12:03.710    OS Version: Windows x64 6.2.9200
23:12:03.710    Number of processors: 4 586 0x3A09
23:12:03.710    ComputerName: BARBI  UserName:
23:12:05.757    Initialize success
23:12:06.201    VM: initialized successfully
23:12:06.201    VM: Intel CPU supported
23:12:18.561    VM: disk I/O iaStorA.sys
23:15:57.425    AVAST engine defs: 16022200
23:16:15.066    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000039
23:16:15.066    Disk 0 Vendor: ST1000LM024_HN-M101MBB 2AR10001 Size: 953869MB BusType: 11
23:16:15.206    Disk 0 MBR read successfully
23:16:15.206    Disk 0 MBR scan
23:16:15.238    Disk 0 unknown MBR code
23:16:15.238    Disk 0 Partition 1 00     EE            GPT           2097151 MB offset 1
23:16:15.378    Disk 0 scanning C:\WINDOWS\system32\drivers
23:16:34.419    Service scanning
23:17:34.527    Modules scanning
23:17:34.543    Disk 0 trace - called modules:
23:17:34.590    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll iaStorA.sys
23:17:34.605    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000c2ee8060]
23:17:34.621    3 CLASSPNP.SYS[fffff801ec99a170] -> nt!IofCallDriver -> [0xffffe000c0db1b20]
23:17:34.636    5 ACPI.sys[fffff801ecabfc21] -> nt!IofCallDriver -> \Device\00000039[0xffffe000c0db1060]
23:17:35.324    AVAST engine scan C:\WINDOWS
23:17:39.559    AVAST engine scan C:\WINDOWS\system32
23:26:08.681    AVAST engine scan C:\WINDOWS\system32\drivers
23:26:43.088    AVAST engine scan C:\Users\Barbara-Ann
23:33:04.096    File: C:\Users\Barbara-Ann\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe  **INFECTED** Win32:Mobogenie-O [Adw]
23:33:11.944    File: C:\Users\Barbara-Ann\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe  **INFECTED** Win32:Mobogenie-N [Adw]
23:48:46.775    AVAST engine scan C:\ProgramData
23:54:08.074    Disk 0 statistics 3661724/0/0 @ 248.88 MB/s
23:54:08.090    Scan finished successfully
00:25:46.368    Disk 0 MBR has been saved successfully to "C:\Users\Barbara-Ann\Desktop\MBR.dat"
00:25:46.400    The log file has been saved successfully to "C:\Users\Barbara-Ann\Desktop\aswMBR.txt"

Attached file not appearing; will add the file tomorrow.



#8 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 22 February 2016 - 07:17 PM

Attached file from GSmartControl.




#9 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 23 February 2016 - 01:41 PM

Hello Revocide,

Let's first remove the Amazon software present on the system. For this purpose, please:

  • Press Windows key + X key simultaneously -> Choose Control Panel.
  • Choose Uninstall a program under the Programs section (if the list appears in Category view) or Programs and Features (if the list appears in Large/Small icons view).
  • Find the following entry, right-click over it and choose either Uninstall or Remove:
    Amazon Assistant
  • Follow the steps to uninstall the software.

********************

Note: The instructions below can be used for any browser except Internet Explorer.

  • Please go here, download the ESET Smart Installer, and save it to your Desktop.
  • Double-click on the file you just downloaded.
  • Place a checkmark next to "YES, I accept the Terms of Use" and click the Start button.
  • Click Yes to the UAC (User Account Control) warning, then ESET will download its components, register itself, and start itself.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may appear to be finished at times, but if there is a progress bar visible, it is still scanning.
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

********************

Please, launch FRST again. In the main window of the program, please, put a checkmark in the checkbox in front of Addition.txt in the Optional Scan section and push the Scan button. When ready, two log files named FRST.txt and Addition.txt will be generated in the same directory where the tool was run from. Please, paste the content of both files in your next reply.

How is the system running now? Is there any improvement? Are there any additional issues present?


Regards,

Stan

#10 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 26 February 2016 - 11:50 PM

Hello Stan, sorry for the late reply. Life = busy.

I managed to remove/uninstall the Amazon Assistant. Firefox closed immediately; when I reopened Firefox it was back to normal with the default Firefox home page, no Amazon home page, so that's a positive. There is an Amazon 1Button App still in the list of Programs and Features.

On to the ESET tool: Windows thought it was an awesome time to restart the machine whilst doing the scan. Coincidence? I don't know. Tried again and the computer encountered a KERNEL_DATA_INPAGE_ERROR. Coincidence again? Hmm.

So after all this crashing and so on I have no reports to copy, paste or attach.

Revocide



#11 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 27 February 2016 - 05:58 AM

Hello Revocide,

The delay is no problem. We need to go deeper. I suspect what the reason for that error is, but we need to double-check it. For that reason, please:

  • Press Windows key + X simultaneously -> Choose Command Prompt (Admin)

Note: If the User Account Control window appears, please, choose Yes.

  • In the main window of the program, please type the following text and push Enter:
chkdsk /f /r

Note: Please, note the intervals between the three strings.

The command will execute the Check Disk built-in utility to check and attempt to fix any file system errors present or bad sectors on the hard drive. Depending on the size of the disk, the scan can take some time to finish. If it was successful and the system did not show any Blue Screen of Death (BSOD), please continue with the next part.

  • Push the Windows key to go to the Start screen and type Windows Powershell.
  • When the search result appears, please, right-click over Windows Powershell and choose "Run as Administrator".
  • Please, copy and paste the following line in the main window of the program and push Enter:
Get-WinEvent -FilterHashTable @{logname="Application"; id="1001"}| fl timecreated, message | Out-File $env:userprofile\Desktop\Results.txt

When ready, a text file named Results.txt should be created on your Desktop. Please, attach the file to your next reply. Please, notify me in your next reply if the system is unable to finish the first scanning process or if any other errors appear.


Regards,

Stan

#12 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 01 March 2016 - 12:41 AM

Hello Revocide,
 
Are you still with me? It has been almost three days since my last reply. Please, note that after two more days of inactivity the topic will be closed.

Regards,

Stan

#13 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 01 March 2016 - 10:06 AM

Hello Stan

Yes, still with you.

From Command Prompt (Admin):

 

C:\WINDOWS\system32>chkdsk /f /r
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N) y

This volume will be checked the next time the system restarts.

C:\WINDOWS\system32>

I shall try a restart and see if it works then.



#14 Revocide

  • Topic Starter
  • Members
  • 16 posts

Posted 01 March 2016 - 10:21 AM

Hello Stan

The restart did not seem to do any fixing or repairing. Is there another command line to use?

 

Revocide



#15 StanFF

  • Malware Response Team
  • 1,172 posts

Posted 02 March 2016 - 01:53 PM

Hello Revocide,

Sorry for the delay, but I had quite a busy start to the work week. Please, follow the steps related to Windows Powershell in this post. Also, after pressing Enter after the first command, please copy and paste the following line into the Powershell window and again press Enter:

Get-WmiObject Win32_DiskDrive | Out-File $env:userprofile\Desktop\Results.txt -Append

When ready, please, attach Results.txt to your next reply.

 


Regards,

Stan
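The two PowerShell commands Stan gives in posts #11 and #15 (Application event 1001, then Win32_DiskDrive) can be folded into one script that also reads the stop code out of each crash record, which is what decides whether the KERNEL_DATA_INPAGE_ERROR seen here points at the disk rather than at malware. The script below is an added example, not part of Stan's instructions or of any tool in this thread; it assumes the standard Windows 8.1 wording of the 1001 events, and the $DaysBack window and the output file name are the example's own choices.

```powershell
# Added example, not part of Stan's instructions: gather what his two commands
# collect (Application event 1001 and Win32_DiskDrive) in one pass, add the
# System-log BugCheck 1001 records and the Minidump folder seen in the FRST
# log, and pull the stop code out of each event so a KERNEL_DATA_INPAGE_ERROR
# (0x7A) can be matched against the disk. Run from an elevated PowerShell
# window. $DaysBack and the output file name are assumptions of this example.

$DaysBack = 30
$Since    = (Get-Date).AddDays(-$DaysBack)
$OutFile  = Join-Path $env:USERPROFILE 'Desktop\Results.txt'

# Stop codes raised when a page of kernel data could not be read back from
# the paging device: a disk, cable or controller lead, not a malware lead.
$PagingErrors = @{
    '7a' = 'KERNEL_DATA_INPAGE_ERROR'
    '77' = 'KERNEL_STACK_INPAGE_ERROR'
}

# A crash on Windows 8.1 leaves two ID 1001 records: System log, source
# BugCheck ("The computer has rebooted from a bugcheck. The bugcheck was:
# 0x0000007a (...)"), and Application log, source Windows Error Reporting
# ("Event Name: BlueScreen" with "P1: 7a"). Query both; a log with no match
# raises a non-terminating error, which is silenced here.
$events = foreach ($log in 'System', 'Application') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1001; StartTime = $Since } -ErrorAction SilentlyContinue
}

$findings = foreach ($e in $events) {
    $code = $null
    if ($e.Message -match 'bugcheck was:\s*0x([0-9A-Fa-f]{8})') {
        $code = $Matches[1]                       # System/BugCheck wording
    } elseif ($e.Message -match 'Event Name:\s*BlueScreen' -and
              $e.Message -match 'P1:\s*(?:0x)?([0-9A-Fa-f]+)') {
        $code = $Matches[1]                       # Application/WER wording
    }
    if (-not $code) { continue }                  # ID 1001 from another source

    $code = $code.TrimStart('0').ToLower()        # 0000007a -> 7a
    if ($code -eq '') { $code = '0' }
    $meaning = 'not a paging error'
    if ($PagingErrors.ContainsKey($code)) { $meaning = $PagingErrors[$code] }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Log         = $e.LogName
        StopCode    = '0x' + $code.ToUpper()
        Meaning     = $meaning
    }
}

# Minidumps corroborate the event records (the FRST log in post #1 shows
# C:\WINDOWS\Minidump created on 2016-02-04 and modified on 2016-02-15).
$dumps = Get-ChildItem -Path (Join-Path $env:SystemRoot 'Minidump') -Filter '*.dmp' -ErrorAction SilentlyContinue |
         Select-Object Name, LastWriteTime, Length

# Stan's second command, reduced to the fields that matter: a drive whose
# Status is anything but OK is the first suspect for a paging error.
$disks = Get-WmiObject Win32_DiskDrive |
         Select-Object Model, InterfaceType, Status, SerialNumber, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }

$pagingHits = @($findings | Where-Object { $_.Meaning -ne 'not a paging error' })

@(
    "Crash events (ID 1001) since $($Since.ToString('yyyy-MM-dd')): $(@($findings).Count), paging errors: $($pagingHits.Count)"
    ($findings | Format-Table -AutoSize | Out-String)
    'Minidump files:'
    ($dumps | Format-Table -AutoSize | Out-String)
    'Physical disks:'
    ($disks | Format-List | Out-String)
) | Out-File -FilePath $OutFile -Encoding UTF8

Write-Host "Results written to $OutFile"
if ($pagingHits.Count -gt 0) {
    Write-Host "$($pagingHits.Count) paging-error bugcheck(s): check the drive's SMART data (GSmartControl) before treating this as malware."
}
```

A 0x7A or 0x77 entry together with a drive whose Status is not OK, or with reallocated or pending sectors in the GSmartControl report, makes the crashes a hardware finding that the malware scans cannot explain.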