various problems


This topic is locked
48 replies to this topic

#1 TwymonMeyers
Posted 12 March 2016 - 01:11 AM

Hi. Since Wednesday, I've been experiencing a number of problems - Firefox is most often very slow, it hangs, won't load pages, crashes altogether, etc. Also, iTunes and Windows Media Player stop in the middle of what they're doing, my Downloads folder won't open from the Desktop, and the whole computer will reboot by itself . . .


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by USER (administrator) on USER-PC (11-03-2016 23:57:10)
Running from C:\Users\USER\Downloads
Loaded Profiles: USER (Available Profiles: USER)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
(Visicom Media Inc.) C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
() C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe
() C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_182.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_182.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60688 2015-10-13] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-07-01] (Avast Software s.r.o.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157456 2015-10-16] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-08-06] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [286992 2016-01-01] (RealNetworks, Inc.)
HKLM-x32\...\Run: [RealDownloader] => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [719632 2015-11-04] ()
HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [54520 2015-10-22] (Panda Security, S.L.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [3074128 2016-03-10] (Valve Corporation)
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50599552 2016-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\...\MountPoints2: {358a0e69-0de1-11e4-af16-f0def1404670} - E:\HPLauncher.exe
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-07-01] (Avast Software s.r.o.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealTimes.lnk [2016-01-01]
ShortcutTarget: RealTimes.lnk -> C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe (RealNetworks, Inc.)
GroupPolicyScripts-x32: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{07B2C44B-F5C6-4996-A6BE-4C7FAEC826A0}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{0D5CE2C6-99B2-4A8E-8849-8E950A60B81F}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.yahoo.com/?type=711278&fr=sp_tr_ie
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-2142212455-911606912-4286033560-1000 -> DefaultScope {D27FEAD8-06AF-41FB-B6D1-A8A3D06FDDDE} URL = hxxps://search.yahoo.com/search?fr=sp_tr_ie&ei=utf-8&ilc=12&type=711278&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2142212455-911606912-4286033560-1000 -> {D27FEAD8-06AF-41FB-B6D1-A8A3D06FDDDE} URL = hxxps://search.yahoo.com/search?fr=sp_tr_ie&ei=utf-8&ilc=12&type=711278&p={searchTerms}
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll [2015-11-04] (RealDownloader)
BHO: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-07-01] (Avast Software s.r.o.)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2015-11-04] (RealDownloader)
BHO-x32: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-07-01] (Avast Software s.r.o.)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File

FireFox:
========
FF ProfilePath: C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\ij8dzsgu.default-1425092044551
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://www.google.com/?gws_rd=ssl
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-10] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=18.1.2.175 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll [2016-01-01] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=18.1.2.175 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll [2016-01-01] (RealPlayer)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Extension: Video DownloadHelper - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\ij8dzsgu.default-1425092044551\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-10-30]
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-10]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-07-01]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-07-01] (Avast Software s.r.o.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-02-26] (SurfRight B.V.)
R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2014-06-27] (Nero AG)
R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [142072 2015-10-18] (Panda Security, S.L.)
R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [73176 2016-02-22] (Panda Security, S.L.)
R2 panda_url_filtering; C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe [291336 2015-05-19] (Visicom Media Inc.)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2013-09-13] (arvato digital services llc)
R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-10-22] (Panda Security, S.L.)
R2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [33088 2015-11-04] ()
R2 RealTimes Desktop Service; C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [1095976 2016-01-01] (RealNetworks, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [60288 2009-07-13] (Microsoft Corporation)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-07-01] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [89944 2015-07-01] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-07-01] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-07-01] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-07-01] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-07-01] (Avast Software s.r.o.)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [137288 2015-07-01] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [272248 2015-07-01] ()
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2016-01-01] (Symantec Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [49584 2016-03-11] ()
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [94456 2015-07-09] (Panda Security, S.L.)
R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [201976 2015-07-09] (Panda Security, S.L.)
R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110840 2015-07-09] (Panda Security, S.L.)
R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [110840 2015-07-09] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\System32\DRIVERS\NNSNAHSL.sys [57648 2015-05-20] (Panda Security, S.L.)
R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [103160 2015-07-09] (Panda Security, S.L.)
R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [73464 2015-08-31] (Panda Security, S.L.)
R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124152 2015-07-09] (Panda Security, S.L.)
R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [300280 2015-07-09] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [170232 2015-07-09] (Panda Security, S.L.)
R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113400 2015-07-09] (Panda Security, S.L.)
R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257784 2015-07-09] (Panda Security, S.L.)
R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106232 2015-07-09] (Panda Security, S.L.)
R3 panda_url_filteringd; C:\ProgramData\Panda Security URL Filtering\panda_url_filteringd.sys [51288 2014-03-19] (Visicom Media Inc.)
R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [164088 2015-07-19] (Panda Security, S.L.)
R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121592 2015-07-19] (Panda Security, S.L.)
R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197880 2015-07-19] (Panda Security, S.L.)
R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124152 2015-07-19] (Panda Security, S.L.)
R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [134392 2015-07-19] (Panda Security, S.L.)
R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107768 2015-07-19] (Panda Security, S.L.)
R3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [61712 2015-05-22] (Panda Security, S.L.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2013-03-18] (Apple, Inc.) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-11 23:57 - 2016-03-11 23:57 - 00015918 _____ C:\Users\USER\Downloads\FRST.txt
2016-03-11 23:56 - 2016-03-11 23:57 - 00000000 ____D C:\FRST
2016-03-11 23:51 - 2016-03-11 23:51 - 02374144 _____ (Farbar) C:\Users\USER\Downloads\FRST64.exe
2016-03-11 23:26 - 2016-03-11 23:26 - 00266288 _____ C:\Windows\Minidump\031116-22573-01.dmp
2016-03-11 20:20 - 2015-05-22 02:45 - 00061712 _____ (Panda Security, S.L.) C:\Windows\system32\Drivers\PSKMAD.sys
2016-03-11 20:07 - 2016-03-11 20:18 - 00186025 _____ C:\unp305059874121741684.mdmp
2016-03-11 20:00 - 2016-03-11 20:00 - 00266288 _____ C:\Windows\Minidump\031116-22900-01.dmp
2016-03-11 14:50 - 2016-03-11 14:50 - 00266288 _____ C:\Windows\Minidump\031116-21980-01.dmp
2016-03-11 14:33 - 2016-03-11 14:33 - 00049584 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2016-03-09 21:45 - 2016-03-09 21:45 - 00262144 _____ C:\Windows\Minidump\030916-24648-01.dmp
2016-03-08 12:28 - 2016-03-09 10:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-03-06 03:47 - 2016-03-11 09:35 - 00003482 _____ C:\Windows\System32\Tasks\ReclaimerUpdateXML_USER
2016-03-06 03:47 - 2016-03-10 09:34 - 00003488 _____ C:\Windows\System32\Tasks\ReclaimerUpdateFiles_USER
2016-03-06 03:47 - 2016-03-06 03:47 - 00003606 _____ C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_USER
2016-03-06 03:47 - 2016-03-06 03:47 - 00003188 _____ C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_USER
2016-03-02 22:05 - 2016-03-02 22:06 - 00000000 ____D C:\Program Files (x86)\BookWright
2016-02-27 21:23 - 2016-02-27 21:23 - 00000139 _____ C:\Users\USER\Documents\song for maria.txt
2016-02-23 16:45 - 2016-02-23 16:45 - 19866988 _____ C:\Users\USER\Downloads\Erik's video.zip
2016-02-19 19:48 - 2016-02-19 19:48 - 00000000 ____D C:\Users\USER\Desktop\lcs_win32_4.07.0
2016-02-13 14:58 - 2016-02-13 14:58 - 00276301 _____ C:\Users\USER\Downloads\Neil young shirt !.zip
2016-02-13 14:02 - 2016-02-13 14:03 - 00000000 ____D C:\Users\USER\Desktop\joni live
2016-02-11 11:15 - 2016-02-12 23:43 - 00000000 ____D C:\Users\USER\AppData\Roaming\BrowserExtensions
2016-02-11 10:19 - 2016-02-11 10:22 - 00000000 ____D C:\6e56f77812abbb65bb2089a7354648
2016-02-11 10:16 - 2016-02-11 10:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Free Antivirus
2016-02-10 12:03 - 2016-01-16 12:54 - 01162240 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-02-10 12:03 - 2016-01-11 08:08 - 01362944 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-02-10 12:03 - 2016-01-11 08:08 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-02-10 12:03 - 2016-01-11 08:08 - 00677376 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-02-10 12:03 - 2016-01-07 11:53 - 03211776 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-02-10 12:03 - 2016-01-06 13:02 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2016-02-10 12:03 - 2016-01-06 13:02 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2016-02-10 12:03 - 2016-01-06 12:41 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2016-02-10 12:02 - 2016-02-06 04:48 - 25839104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-02-10 12:02 - 2016-02-06 04:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-02-10 12:02 - 2016-02-06 04:24 - 02887680 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-02-10 12:02 - 2016-02-06 04:11 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-02-10 12:02 - 2016-02-06 04:10 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-02-10 12:02 - 2016-02-06 04:01 - 20366848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-02-10 12:02 - 2016-02-06 03:54 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-02-10 12:02 - 2016-02-06 03:43 - 02280448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-02-10 12:02 - 2016-02-06 03:38 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-02-10 12:02 - 2016-02-06 03:37 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-02-10 12:02 - 2016-02-06 03:32 - 14458368 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-02-10 12:02 - 2016-02-06 03:16 - 12857856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-02-10 12:02 - 2016-02-06 03:09 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-02-10 12:02 - 2016-02-06 02:54 - 01312256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-02-10 12:02 - 2016-01-22 14:31 - 00387784 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-02-10 12:02 - 2016-01-22 14:10 - 00341200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-02-10 12:02 - 2016-01-22 00:56 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-02-10 12:02 - 2016-01-22 00:41 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-02-10 12:02 - 2016-01-22 00:40 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-02-10 12:02 - 2016-01-22 00:40 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-02-10 12:02 - 2016-01-22 00:40 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-02-10 12:02 - 2016-01-22 00:40 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-02-10 12:02 - 2016-01-22 00:33 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-02-10 12:02 - 2016-01-22 00:32 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-02-10 12:02 - 2016-01-22 00:29 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-02-10 12:02 - 2016-01-22 00:27 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-02-10 12:02 - 2016-01-22 00:27 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-02-10 12:02 - 2016-01-22 00:27 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-02-10 12:02 - 2016-01-22 00:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-02-10 12:02 - 2016-01-22 00:17 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-02-10 12:02 - 2016-01-22 00:09 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-02-10 12:02 - 2016-01-22 00:08 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-02-10 12:02 - 2016-01-22 00:05 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-02-10 12:02 - 2016-01-22 00:04 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-02-10 12:02 - 2016-01-22 00:02 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-02-10 12:02 - 2016-01-22 00:02 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-02-10 12:02 - 2016-01-22 00:02 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-02-10 12:02 - 2016-01-22 00:01 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-02-10 12:02 - 2016-01-22 00:01 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-02-10 12:02 - 2016-01-22 00:00 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-02-10 12:02 - 2016-01-22 00:00 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-02-10 12:02 - 2016-01-21 23:55 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-02-10 12:02 - 2016-01-21 23:55 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-02-10 12:02 - 2016-01-21 23:51 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-02-10 12:02 - 2016-01-21 23:51 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-02-10 12:02 - 2016-01-21 23:50 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-02-10 12:02 - 2016-01-21 23:48 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-02-10 12:02 - 2016-01-21 23:47 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-02-10 12:02 - 2016-01-21 23:46 - 02123264 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-02-10 12:02 - 2016-01-21 23:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-02-10 12:02 - 2016-01-21 23:43 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-02-10 12:02 - 2016-01-21 23:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-02-10 12:02 - 2016-01-21 23:38 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-02-10 12:02 - 2016-01-21 23:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-02-10 12:02 - 2016-01-21 23:35 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-02-10 12:02 - 2016-01-21 23:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-02-10 12:02 - 2016-01-21 23:34 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-02-10 12:02 - 2016-01-21 23:33 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-02-10 12:02 - 2016-01-21 23:31 - 02597376 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-02-10 12:02 - 2016-01-21 23:27 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-02-10 12:02 - 2016-01-21 23:25 - 00687104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-02-10 12:02 - 2016-01-21 23:24 - 02050560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-02-10 12:02 - 2016-01-21 23:24 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-02-10 12:02 - 2016-01-21 23:08 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-02-10 12:02 - 2016-01-21 23:07 - 02120704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-02-10 12:02 - 2016-01-21 23:02 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-02-10 12:02 - 2016-01-16 13:06 - 00025024 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-02-10 12:02 - 2016-01-11 08:08 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-02-10 12:02 - 2016-01-11 08:08 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-02-10 12:00 - 2016-01-11 13:05 - 03169792 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-02-10 12:00 - 2016-01-11 13:05 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-02-10 12:00 - 2016-01-11 13:05 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-02-10 12:00 - 2016-01-11 12:52 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2016-02-10 12:00 - 2016-01-11 12:47 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2016-02-10 12:00 - 2016-01-11 12:26 - 02610176 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-02-10 12:00 - 2016-01-11 12:24 - 00709120 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-02-10 12:00 - 2016-01-11 12:23 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-02-10 12:00 - 2016-01-11 12:23 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-02-10 12:00 - 2016-01-11 12:23 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-02-10 12:00 - 2016-01-11 12:23 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-02-10 12:00 - 2016-01-11 12:23 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2016-02-10 12:00 - 2016-01-11 12:14 - 00573440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-02-10 12:00 - 2016-01-11 12:14 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2016-02-10 12:00 - 2016-01-11 12:14 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2016-02-10 12:00 - 2016-01-11 12:14 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2016-02-10 12:00 - 2016-01-07 11:42 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2016-02-10 11:55 - 2016-01-22 00:19 - 14179840 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-02-10 11:54 - 2016-01-22 00:15 - 01866752 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2016-02-10 11:54 - 2016-01-22 00:12 - 01940992 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2016-02-10 11:54 - 2016-01-22 00:05 - 12877824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-02-10 11:54 - 2016-01-22 00:00 - 01498624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2016-02-10 11:54 - 2016-01-21 23:59 - 01805824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2016-02-10 11:54 - 2016-01-21 23:19 - 03231232 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-02-10 11:54 - 2016-01-21 23:12 - 02973184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-11 23:57 - 2014-07-11 21:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-11 23:56 - 2014-06-15 16:26 - 00000000 ____D C:\Users\USER\AppData\Local\CrashDumps
2016-03-11 23:49 - 2014-06-18 12:11 - 00000000 ____D C:\Users\USER\AppData\Roaming\Skype
2016-03-11 23:41 - 2009-07-13 22:45 - 00032080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-11 23:41 - 2009-07-13 22:45 - 00032080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-11 23:35 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-11 23:34 - 2009-07-13 23:08 - 00032610 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-11 23:27 - 2015-12-30 16:07 - 00000000 ____D C:\Users\USER\AppData\Local\HTC MediaHub
2016-03-11 23:27 - 2015-06-05 15:03 - 00000000 ____D C:\Program Files (x86)\Steam
2016-03-11 23:26 - 2014-09-18 11:18 - 00000000 ____D C:\Windows\Minidump
2016-03-11 22:44 - 2014-07-11 20:24 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-03-11 22:41 - 2015-08-10 13:19 - 00000000 ____D C:\ProgramData\panda_url_filtering
2016-03-11 15:47 - 2014-06-29 16:05 - 00000000 ____D C:\Users\USER\Desktop\Linda Ronstadt
2016-03-10 21:31 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\NDF
2016-03-10 16:59 - 2014-07-11 21:47 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-03-10 16:59 - 2014-06-12 11:29 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-03-10 16:59 - 2014-06-12 11:29 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-10 12:34 - 2009-07-13 23:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-10 12:34 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2016-03-09 18:59 - 2016-01-01 18:36 - 00000404 ____H C:\Windows\Tasks\Norton Security Scan for USER.job
2016-03-09 13:36 - 2014-06-12 11:35 - 00000000 ____D C:\Users\USER\Desktop\New folder
2016-03-09 10:03 - 2014-06-12 10:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-03-08 15:26 - 2015-12-08 23:36 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-03-06 18:41 - 2015-12-28 02:31 - 00000000 ____D C:\Users\USER\Desktop\tumblr fb
2016-03-06 00:46 - 2016-01-01 17:02 - 00000000 ____D C:\Users\USER\AppData\Roaming\Real
2016-03-06 00:46 - 2016-01-01 17:00 - 00000000 ____D C:\ProgramData\Real
2016-03-05 21:28 - 2014-06-29 16:05 - 00000000 ____D C:\Users\USER\Desktop\pm
2016-03-05 15:27 - 2014-09-23 20:51 - 00000000 ____D C:\Users\USER\Desktop\joni mitchell
2016-03-04 20:51 - 2014-06-18 12:11 - 00000000 ____D C:\ProgramData\Skype
2016-03-02 23:10 - 2015-03-24 08:17 - 00000000 ____D C:\Users\USER\AppData\Local\Blurb
2016-03-02 22:23 - 2015-03-20 18:56 - 00000000 ____D C:\Users\USER\Desktop\pm songbook
2016-03-02 18:54 - 2014-10-14 16:56 - 00000809 _____ C:\Users\USER\Documents\links.txt
2016-03-02 18:01 - 2014-11-09 20:50 - 00000000 ____D C:\Users\USER\Desktop\bily
2016-02-26 19:28 - 2015-11-28 16:44 - 00000000 ____D C:\Users\USER\Desktop\new songbook
2016-02-20 16:16 - 2015-03-28 12:42 - 00000000 ____D C:\Users\USER\Desktop\pirates
2016-02-19 19:42 - 2015-01-10 17:56 - 00790623 _____ C:\Users\USER\Desktop\lcs_win32_4.07.0.zip
2016-02-19 01:17 - 2015-04-26 18:45 - 00002463 _____ C:\Users\USER\Documents\basketball players.txt
2016-02-17 09:08 - 2016-01-07 01:27 - 00000000 ____D C:\Users\USER\Desktop\george joni
2016-02-13 18:15 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2016-02-13 17:31 - 2014-07-30 18:40 - 00001883 _____ C:\Users\USER\Documents\phone numbers.txt
2016-02-13 14:02 - 2016-01-22 18:12 - 01934374 _____ C:\Windows\ntbtlog.txt
2016-02-12 22:01 - 2015-11-12 18:30 - 00000000 ____D C:\Users\USER\.gimp-2.8
2016-02-12 10:26 - 2014-06-02 12:40 - 00774404 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-02-11 11:15 - 2014-06-12 10:30 - 00072592 _____ C:\Users\USER\AppData\Local\GDIPFONTCACHEV1.DAT
2016-02-11 11:10 - 2009-07-13 22:45 - 00341936 _____ C:\Windows\system32\FNTCACHE.DAT
2016-02-11 11:06 - 2014-12-11 10:51 - 00000000 ____D C:\Windows\system32\appraiser
2016-02-11 11:06 - 2014-06-02 13:07 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-02-11 11:06 - 2011-04-12 02:28 - 00000000 ____D C:\Program Files\Windows Journal
2016-02-11 10:35 - 2014-06-02 12:00 - 00000000 ____D C:\Windows\system32\MRT
2016-02-11 10:26 - 2014-06-02 12:00 - 146614896 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-02-10 21:37 - 2014-07-11 20:22 - 00000000 ____D C:\Users\USER\AppData\Roaming\Browser Extensions
2016-02-10 11:10 - 2015-08-10 13:14 - 00000000 ____D C:\Program Files (x86)\Panda Security

==================== Files in the root of some directories =======

2014-10-24 13:24 - 2015-06-06 16:26 - 0005120 _____ () C:\Users\USER\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-02-03 00:08 - 2016-02-03 00:08 - 0022879 _____ () C:\Users\USER\AppData\Local\recently-used.xbel
2014-06-12 10:30 - 2014-06-12 10:30 - 0200530 _____ () C:\ProgramData\1402590513.bdinstall.bin
2014-07-11 20:19 - 2014-07-11 20:19 - 0037823 _____ () C:\ProgramData\1405131581.bdinstall.bin
2014-07-11 20:21 - 2014-07-11 20:21 - 0097916 _____ () C:\ProgramData\1405131583.bdinstall.bin

Some files in TEMP:
====================
C:\Users\USER\AppData\Local\Temp\el-xp16r.dll
C:\Users\USER\AppData\Local\Temp\huqgyydx.dll
C:\Users\USER\AppData\Local\Temp\jhynz_f-.dll
C:\Users\USER\AppData\Local\Temp\lowproc.exe
C:\Users\USER\AppData\Local\Temp\stubhelper.dll
C:\Users\USER\AppData\Local\Temp\vnrwybo5.dll
C:\Users\USER\AppData\Local\Temp\{90DA3969-4DC0-409C-B084-C28D11FBB1E4}.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-09 19:01

==================== End of FRST.txt ============================

#2 olgun52

Posted 12 March 2016 - 06:53 AM

Hello TwymonMeyers and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.
Thanks
===========================================================================================
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Sincerely

Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

#3 olgun52

Posted 13 March 2016 - 03:19 PM

I am sorry. Are you still with me?


Best regards

#4 TwymonMeyers (Topic Starter)

Posted 14 March 2016 - 12:22 AM

yes



#5 olgun52

Posted 15 March 2016 - 12:04 PM

Hi TwymonMeyers,
Sorry for the delay.

=======================

Panda Free Antivirus (Enabled)
avast! Antivirus (Enabled)

Multiple Anti-virus Programs
You are operating your computer with multiple Anti-virus programs installed:
Avast!
Panda Free Antivirus (Enabled)

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.

========================================================================================================================

Windows Firewall is enabled.
Please be sure to temporarily disable Windows Firewall software.

============================================================

Uninstall some programs:
We need to uninstall some unwanted/unneeded programs.

  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

The list of programs to uninstall:

  • Browser Extensions
  • Norton Security Scan
  • Adobe Flash Player 10 ActiveX

After completing uninstalls, please manually reboot your machine!

1.    If you get a message like "An error occurred while trying to uninstall", just press Yes.
2.    If you are unable to uninstall all programs, please inform me, but continue with the other steps.

==================================================================================

FRST Fixlist run:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

start
Task: {A32EE40B-B177-403A-89F4-C2A7CDC3528D} - System32\Tasks\avastBCLRestartS-1-5-21-2142212455-911606912-4286033560-1000 => Firefox.exe
Task: C:\Windows\Tasks\Norton Security Scan for USER.job => C:\PROGRA~2\NORTON~2\Engine\430~1.43\Nss.exe
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\...\MountPoints2: {358a0e69-0de1-11e4-af16-f0def1404670} - E:\HPLauncher.exe
GroupPolicyScripts-x32: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-2142212455-911606912-4286033560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.yahoo.com/?type=711278&fr=sp_tr_ie
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-2142212455-911606912-4286033560-1000 -> DefaultScope {D27FEAD8-06AF-41FB-B6D1-A8A3D06FDDDE} URL = hxxps://search.yahoo.com/search?fr=sp_tr_ie&ei=utf-8&ilc=12&type=711278&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2142212455-911606912-4286033560-1000 -> {D27FEAD8-06AF-41FB-B6D1-A8A3D06FDDDE} URL = hxxps://search.yahoo.com/search?fr=sp_tr_ie&ei=utf-8&ilc=12&type=711278&p={searchTerms}
BHO: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
BHO-x32: No Name -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF ProfilePath: C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\ij8dzsgu.default-1425092044551
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF Extension: Video DownloadHelper - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\ij8dzsgu.default-1425092044551\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-10-30]
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2016-01-01] (Symantec Corporation)
2016-02-11 11:15 - 2016-02-12 23:43 - 00000000 ____D C:\Users\USER\AppData\Roaming\BrowserExtensions
2016-02-11 10:19 - 2016-02-11 10:22 - 00000000 ____D C:\6e56f77812abbb65bb2089a7354648
2016-03-11 23:56 - 2014-06-15 16:26 - 00000000 ____D C:\Users\USER\AppData\Local\CrashDumps
2016-03-11 23:49 - 2014-06-18 12:11 - 00000000 ____D C:\Users\USER\AppData\Roaming\Skype
2016-03-11 23:27 - 2015-12-30 16:07 - 00000000 ____D C:\Users\USER\AppData\Local\HTC MediaHub
2016-03-09 18:59 - 2016-01-01 18:36 - 00000404 ____H C:\Windows\Tasks\Norton Security Scan for USER.job
2016-03-06 00:46 - 2016-01-01 17:02 - 00000000 ____D C:\Users\USER\AppData\Roaming\Real
C:\Users\USER\AppData\Local\Temp\el-xp16r.dll
C:\Users\USER\AppData\Local\Temp\huqgyydx.dll
C:\Users\USER\AppData\Local\Temp\jhynz_f-.dll
C:\Users\USER\AppData\Local\Temp\lowproc.exe
C:\Users\USER\AppData\Local\Temp\stubhelper.dll
C:\Users\USER\AppData\Local\Temp\vnrwybo5.dll
C:\Users\USER\AppData\Local\Temp\{90DA3969-4DC0-409C-B084-C28D11FBB1E4}.exe
2014-10-24 13:24 - 2015-06-06 16:26 - 0005120 _____ () C:\Users\USER\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-02-03 00:08 - 2016-02-03 00:08 - 0022879 _____ () C:\Users\USER\AppData\Local\recently-used.xbel
2014-06-12 10:30 - 2014-06-12 10:30 - 0200530 _____ () C:\ProgramData\1402590513.bdinstall.bin
2014-07-11 20:19 - 2014-07-11 20:19 - 0037823 _____ () C:\ProgramData\1405131581.bdinstall.bin
2014-07-11 20:21 - 2014-07-11 20:21 - 0097916 _____ () C:\ProgramData\1405131583.bdinstall.bin
EmptyTemp:
Reboot:
end

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

==================================================================================================

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan
  • Please download and install Zemana AntiMalware Free
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''
  • Auto Launch > Untick the box next to it
  • Scan type > Smart scan (Default)
  • Close all open files, folders and browsers
  • Click Scan now (''Run as Administrator'') and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

Have a nice day.


Edited by olgun52, 15 March 2016 - 12:05 PM.

Best regards

#6 TwymonMeyers (Topic Starter)

Posted 15 March 2016 - 02:57 PM

Zemana AntiMalware 2.20.2.8 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/3/15
Operating System       : Windows 7 64-bit
Processor              : 4X Intel® Core™ i5 CPU M 520 @ 2.40GHz
BIOS Mode              : Legacy
CUID                   : 00B9BE534BA1EB4F7E0389
Scan Type              : Smart Scan
Duration               : 12m 22s
Scanned Objects        : 28379
Detected Objects       : 5
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : ON
Detect All Extensions  : OFF
Scan Documents         : OFF
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

mediacoder-64-bit-.exe
Status             : Scanned
Object             : %userprofile%\desktop\refuse\mediacoder-64-bit-.exe
MD5                : CF219B3626164104A4E87DDB4EF1EED1
Publisher          : CHIP Digital GmbH
Size               : 613200
Version            : 1.0.0.0
Detection          : PUA:Win32/CHIP.AdsDownloader!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\refuse\mediacoder-64-bit-.exe

cbsidlm-cbsi188-Free_MOV_to_MP4_Converter-SEO-75959675.exe
Status             : Scanned
Object             : %userprofile%\desktop\refuse\cbsidlm-cbsi188-free_mov_to_mp4_converter-seo-75959675.exe
MD5                : 122E0FE0BD52D264FFB874E538114473
Publisher          : CBS Interactive
Size               : 929416
Version            : 5.4.0.188
Detection          : Adware:Win32/CNETBundle!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\refuse\cbsidlm-cbsi188-free_mov_to_mp4_converter-seo-75959675.exe

cbsidlm-cbsi188-Free_MOV_to_MP4_Converter-SEO-75959675(1).exe
Status             : Scanned
Object             : %userprofile%\desktop\refuse\cbsidlm-cbsi188-free_mov_to_mp4_converter-seo-75959675(1).exe
MD5                : 122E0FE0BD52D264FFB874E538114473
Publisher          : CBS Interactive
Size               : 929416
Version            : 5.4.0.188
Detection          : Adware:Win32/CNETBundle!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\refuse\cbsidlm-cbsi188-free_mov_to_mp4_converter-seo-75959675(1).exe

avast-free-antivirus.exe
Status             : Scanned
Object             : %userprofile%\desktop\refuse\avast-free-antivirus.exe
MD5                : C4C052FC9F3F9D277714C524903F08C6
Publisher          : CHIP Digital GmbH
Size               : 961360
Version            : 7.0.0.0
Detection          : PUA:Win32/CHIP.AdsDownloader!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\desktop\refuse\avast-free-antivirus.exe

panda_url_filteringd.sys
Status             : Scanned
Object             : %programdata%\panda security url filtering\panda_url_filteringd.sys
MD5                : 6925454E20B184E482CD65F297D51DB5
Publisher          : Visicom Media Inc.
Size               : 51288
Version            : 2.1.0.1
Detection          : Adware:Win32/VisicomToolbar!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %programdata%\panda security url filtering\panda_url_filteringd.sys
                Registry Entry - HKLM\System\CurrentControlSet\Services\panda_url_filteringd\ImagePath = \??\C:\ProgramData\Panda Security URL Filtering\panda_url_filteringd.sys


Cleaning Result
-------------------------------------------------------
Cleaned               : 5
Reported as safe      : 0
Failed                : 0



#7 olgun52

Posted 16 March 2016 - 06:32 AM

Hi TwymonMeyers,

Step 1:
Scan with Malwarebytes Anti-Malware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:
ComboFix run:
Please be sure to run our tools with administrator rights.
* IMPORTANT 1: Place ComboFix.exe on your Desktop
* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.


Best regards

#8 TwymonMeyers (Topic Starter)

Posted 16 March 2016 - 01:37 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/16/2016
Scan Time: 12:28 PM
Logfile: Malwarebytes.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.16.04
Rootkit Database: v2016.03.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: USER

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354907
Time Elapsed: 16 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.BrowserExtensions, HKU\S-1-5-21-2142212455-911606912-4286033560-1000\SOFTWARE\APPDATALOW\SOFTWARE\BROWSER EXTENSIONS, No Action By User, [afc50781a4f50036eaed9567966d0cf4],

Registry Values: 1
PUP.Optional.BrowserExtensions, HKU\S-1-5-21-2142212455-911606912-4286033560-1000\SOFTWARE\APPDATALOW\SOFTWARE\BROWSER EXTENSIONS|SS_Ver, 2.8.8.11, No Action By User, [afc50781a4f50036eaed9567966d0cf4]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 6
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\Button.exe, No Action By User, [e193a3e55049ba7cc1cdab91a263dc24],
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\Button64.exe, No Action By User, [155f03850b8e74c2c1cd4def47be5ca4],
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\ButtonWrap.dll, No Action By User, [017390f84a4ff83ec5c9053717eeef11],
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\ButtonWrap64.dll, No Action By User, [a2d2e0a8f6a300367f0f73c99372f60a],
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\Coupons64.dll, No Action By User, [0b6953357f1a989ebfcf64d8a85dec14],
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\CouponsHelper.exe, No Action By User, [561eddab128792a45d31df5d749103fd],

Physical Sectors: 0
(No malicious items detected)


(end)


ComboFix 16-03-14.01 - USER 03/16/2016  13:18:00.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3892.2045 [GMT -5:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\ntdll.dll . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2016-02-16 to 2016-03-16  )))))))))))))))))))))))))))))))
.
.
2016-03-16 18:32 . 2016-03-16 18:32    --------    d-----w-    c:\users\Default\AppData\Local\temp
2016-03-16 18:31 . 2016-03-16 18:31    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{F4D30A31-6C1C-4A76-9BA0-D4AB836A6F6F}\offreg.1156.dll
2016-03-15 21:21 . 2016-03-15 21:21    --------    d-----w-    c:\users\Default\AppData\Roaming\RealNetworks
2016-03-15 19:33 . 2016-03-15 19:33    202144    ----a-w-    c:\windows\system32\drivers\zamguard64.sys
2016-03-15 19:33 . 2016-03-15 19:33    202144    ----a-w-    c:\windows\system32\drivers\zam64.sys
2016-03-15 19:33 . 2016-03-15 19:33    --------    d-----w-    c:\program files (x86)\Zemana AntiMalware
2016-03-15 19:32 . 2016-03-15 19:32    --------    d-----w-    c:\users\USER\AppData\Local\Zemana
2016-03-15 18:59 . 2016-03-16 18:00    --------    d-----w-    c:\users\USER\AppData\Local\HTC MediaHub
2016-03-15 18:58 . 2016-03-16 18:02    --------    d-----w-    c:\users\USER\AppData\Roaming\Skype
2016-03-15 18:53 . 2016-03-16 17:09    --------    d-----w-    c:\users\USER\AppData\Local\CrashDumps
2016-03-15 18:17 . 2016-03-02 21:59    11249080    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{F4D30A31-6C1C-4A76-9BA0-D4AB836A6F6F}\mpengine.dll
2016-03-12 05:56 . 2016-03-15 18:46    --------    d-----w-    C:\FRST
2016-03-09 18:44 . 2016-01-11 19:11    1684416    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2016-03-09 18:44 . 2016-02-03 18:07    91648    ----a-w-    c:\windows\system32\drivers\USBSTOR.SYS
2016-03-09 18:44 . 2016-02-03 18:58    862208    ----a-w-    c:\windows\system32\oleaut32.dll
2016-03-09 18:44 . 2016-02-03 18:52    84992    ----a-w-    c:\windows\system32\asycfilt.dll
2016-03-09 18:44 . 2016-02-03 18:49    572416    ----a-w-    c:\windows\SysWow64\oleaut32.dll
2016-03-09 18:44 . 2016-02-03 18:43    67584    ----a-w-    c:\windows\SysWow64\asycfilt.dll
2016-03-09 18:23 . 2015-11-19 14:07    994760    ----a-w-    c:\windows\system32\ucrtbase.dll
2016-03-09 18:05 . 2016-02-11 18:56    5572032    ----a-w-    c:\windows\system32\ntoskrnl.exe
2016-03-09 18:04 . 2016-02-11 18:45    315392    ----a-w-    c:\windows\system32\msv1_0.dll
2016-03-09 18:03 . 2016-02-11 18:41    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-03-09 18:02 . 2016-02-11 18:30    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2016-03-09 18:02 . 2016-02-11 17:32    2048    ----a-w-    c:\windows\SysWow64\user.exe
2016-03-09 18:02 . 2016-02-11 18:41    686080    ----a-w-    c:\windows\system32\adtschema.dll
2016-03-09 18:02 . 2016-02-11 18:30    686080    ----a-w-    c:\windows\SysWow64\adtschema.dll
2016-03-09 18:02 . 2016-02-11 18:45    146432    ----a-w-    c:\windows\system32\msaudite.dll
2016-03-09 18:02 . 2016-02-11 18:45    60416    ----a-w-    c:\windows\system32\msobjs.dll
2016-03-09 18:02 . 2016-02-11 18:34    146432    ----a-w-    c:\windows\SysWow64\msaudite.dll
2016-03-09 18:02 . 2016-02-11 18:35    60416    ----a-w-    c:\windows\SysWow64\msobjs.dll
2016-03-09 17:58 . 2016-02-05 17:48    372736    ----a-w-    c:\windows\system32\atmfd.dll
2016-03-09 17:58 . 2016-02-05 17:43    299520    ----a-w-    c:\windows\SysWow64\atmfd.dll
2016-03-09 17:58 . 2016-02-05 18:54    41472    ----a-w-    c:\windows\system32\lpk.dll
2016-03-09 17:58 . 2016-02-05 18:54    100864    ----a-w-    c:\windows\system32\fontsub.dll
2016-03-09 17:58 . 2016-02-05 18:53    14336    ----a-w-    c:\windows\system32\dciman32.dll
2016-03-09 17:58 . 2016-02-05 18:53    46080    ----a-w-    c:\windows\system32\atmlib.dll
2016-03-09 17:58 . 2016-02-05 18:44    70656    ----a-w-    c:\windows\SysWow64\fontsub.dll
2016-03-09 17:58 . 2016-02-05 18:50    25600    ----a-w-    c:\windows\SysWow64\lpk.dll
2016-03-09 17:58 . 2016-02-05 18:42    10240    ----a-w-    c:\windows\SysWow64\dciman32.dll
2016-03-09 17:58 . 2016-02-05 17:43    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2016-03-09 17:43 . 2016-02-09 09:55    30720    ----a-w-    c:\windows\system32\seclogon.dll
2016-03-09 16:41 . 2016-02-05 01:19    381440    ----a-w-    c:\windows\system32\mfds.dll
2016-03-09 16:41 . 2016-02-04 18:41    296448    ----a-w-    c:\windows\SysWow64\mfds.dll
2016-03-09 16:41 . 2016-02-19 14:07    1373184    ----a-w-    c:\windows\system32\appraiser.dll
2016-03-09 16:41 . 2016-02-19 18:54    1168896    ----a-w-    c:\windows\system32\aeinv.dll
2016-03-09 16:41 . 2016-02-11 14:07    689152    ----a-w-    c:\windows\system32\generaltel.dll
2016-03-09 16:41 . 2016-02-05 14:07    696832    ----a-w-    c:\windows\system32\invagent.dll
2016-03-09 16:41 . 2016-02-19 19:02    38336    ----a-w-    c:\windows\system32\CompatTelRunner.exe
2016-03-09 16:41 . 2016-02-05 14:07    499200    ----a-w-    c:\windows\system32\devinv.dll
2016-03-09 16:41 . 2016-02-05 14:07    76800    ----a-w-    c:\windows\system32\acmigration.dll
2016-03-03 04:05 . 2016-03-03 04:06    --------    d-----w-    c:\program files (x86)\BookWright
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-03-16 17:27 . 2014-06-15 23:21    192216    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-03-14 06:32 . 2014-06-02 18:00    143659408    ----a-w-    c:\windows\system32\MRT.exe
2016-03-10 22:59 . 2014-06-12 17:29    797376    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2016-03-10 22:59 . 2014-06-12 17:29    142528    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-02-11 18:30 . 2016-03-09 18:04    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2016-01-22 06:19 . 2016-02-10 17:55    14179840    ----a-w-    c:\windows\system32\shell32.dll
2016-01-22 06:15 . 2016-02-10 17:54    1866752    ----a-w-    c:\windows\system32\ExplorerFrame.dll
2016-01-22 06:12 . 2016-02-10 17:54    1940992    ----a-w-    c:\windows\system32\authui.dll
2016-01-22 06:00 . 2016-02-10 17:54    1498624    ----a-w-    c:\windows\SysWow64\ExplorerFrame.dll
2016-01-22 05:59 . 2016-02-10 17:54    1805824    ----a-w-    c:\windows\SysWow64\authui.dll
2016-01-22 05:19 . 2016-02-10 17:54    3231232    ----a-w-    c:\windows\explorer.exe
2016-01-22 05:12 . 2016-02-10 17:54    2973184    ----a-w-    c:\windows\SysWow64\explorer.exe
2016-01-07 17:42 . 2016-02-10 18:00    141312    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2016-01-06 19:02 . 2016-02-10 18:03    24576    ----a-w-    c:\windows\system32\jnwmon.dll
2016-01-06 19:02 . 2016-02-10 18:03    275456    ----a-w-    c:\windows\system32\InkEd.dll
2016-01-06 18:41 . 2016-02-10 18:03    216064    ----a-w-    c:\windows\SysWow64\InkEd.dll
2016-01-01 23:03 . 2016-01-01 23:03    354064    ----a-w-    c:\windows\SysWow64\msvcr71.dll
2016-01-01 23:03 . 2016-01-01 23:03    505616    ----a-w-    c:\windows\SysWow64\msvcp71.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2016-03-10 3074128]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2016-02-10 50599552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-10-13 60688]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-07-02 5515496]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2015-10-16 157456]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2015-08-06 421888]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2016-01-01 286992]
"RealDownloader"="c:\program files (x86)\RealNetworks\RealDownloader\downloader2.exe" [2016-02-24 720112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
RealTimes.lnk - c:\program files (x86)\Real\RealPlayer\RPDS\Bin\rpsystray.exe [2016-1-1 1196328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys;c:\windows\SYSNATIVE\DRIVERS\htcnprot.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 panda_url_filteringd;panda_url_filteringd driver;c:\programdata\Panda Security URL Filtering\panda_url_filteringd.sys;c:\programdata\Panda Security URL Filtering\panda_url_filteringd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 ZAM;ZAM Helper Driver;c:\windows\System32\drivers\zam64.sys;c:\windows\SYSNATIVE\drivers\zam64.sys [x]
S1 ZAM_Guard;ZAM Guard Driver;c:\windows\System32\drivers\zamguard64.sys;c:\windows\SYSNATIVE\drivers\zamguard64.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
S2 HTCMonitorService;HTCMonitorService;c:\program files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe;c:\program files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [x]
S2 panda_url_filtering;panda_url_filtering Service;c:\programdata\Panda Security URL Filtering\Panda_URL_Filteringb.exe;c:\programdata\Panda Security URL Filtering\Panda_URL_Filteringb.exe [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S2 PSI_SVC_2_x64;Protexis Licensing V2 x64;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [x]
S2 RealPlayerUpdateSvc;RealPlayer Update Service;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe;c:\program files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [x]
S2 RealTimes Desktop Service;RealTimes Desktop Service;c:\program files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe;c:\program files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys;c:\windows\SYSNATIVE\DRIVERS\rimspe64.sys [x]
S2 ZAMSvc;ZAM Controller Service;c:\program files (x86)\Zemana AntiMalware\ZAM.exe;c:\program files (x86)\Zemana AntiMalware\ZAM.exe [x]
S3 e1kexpress;Intel® Network Connections Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k62x64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
.
Contents of the 'Scheduled Tasks' folder
.
2016-03-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-12 22:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-07-02 02:50    722400    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]
"ZAM"="c:\program files (x86)\Zemana AntiMalware\ZAM.exe" [2016-03-10 12776176]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
mDefault_Page_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\ij8dzsgu.default-1425092044551\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{C17978EB-5A2C-40E3-B351-F03A27245BF9}_is1 - c:\program files (x86)\BookWright\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-03-16  13:35:43
ComboFix-quarantined-files.txt  2016-03-16 18:35
.
Pre-Run: 28,846,161,920 bytes free
Post-Run: 29,071,294,464 bytes free
.
- - End Of File - - D6430252A20C2C7D698105037805DD52
A36C5E4F47E84449FF07ED3517B43A31
 



#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • ONLINE
  • Gender:Male
  • Local time:12:24 AM

Posted 17 March 2016 - 08:05 AM

Hi again,

Please try scanning again with Malwarebytes and delete any viruses found.

===============================================================

Please do the following for me

Please download SystemLook from one of the links below and save it to your Desktop.
Download 1
Download 2

  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
:filefind
ntdll.dll

:regfind
ntdll.dll
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan.
  • Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks.


Edited by olgun52, 17 March 2016 - 08:07 AM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#10 TwymonMeyers

TwymonMeyers
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 17 March 2016 - 10:46 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 10:34 on 17/03/2016 by USER
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "ntdll.dll"
C:\Windows\System32\ntdll.dll --a---- 1733592 bytes [18:05 09/03/2016] [18:52 11/02/2016] 9C3035A9AA1986DAA9A7A233724BA71B
C:\Windows\SysWOW64\ntdll.dll --a---- 1314328 bytes [18:05 09/03/2016] [18:41 11/02/2016] B8E6C6411AAE69972DE30D2CC6ECABFD
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_b6fce3b112cd3657\ntdll.dll --a---- 1731936 bytes [03:23 21/11/2010] [03:23 21/11/2010] 3556D5A8BF2CC508BDAB51DEC38D7C61
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18229_none_b6f6f8bd12d0f327\ntdll.dll --a---- 1732032 bytes [17:46 02/06/2014] [02:15 02/08/2013] 5B79D52A0388D8DEC5BF68411EA05A02
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18247_none_b6df585112e2f85b\ntdll.dll --a---- 1732032 bytes [17:44 02/06/2014] [02:16 29/08/2013] CAAAC014C5C56A69F710B5F1B836DE22
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18798_none_b6aa527d130a8f2a\ntdll.dll --a---- 1727904 bytes [13:05 15/04/2015] [05:19 17/03/2015] 96C2380819EBAC0BF592A7E8977E9E8A
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18839_none_b6ec343512d8fe02\ntdll.dll --a---- 1728960 bytes [14:55 13/05/2015] [19:26 27/04/2015] 8453010B6512DAEAFC61CC0836FA137E
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18869_none_b6cbc47112f151d5\ntdll.dll --a---- 1728960 bytes [19:33 10/06/2015] [18:21 25/05/2015] 53042708C242959B3924242FBBE297B1
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18923_none_b6f1044b12d6472e\ntdll.dll --a---- 1730496 bytes [15:01 12/08/2015] [03:22 15/07/2015] 81F571768E5AA4EB032966F5F732FCC6
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18933_none_b6e6345f12de631f\ntdll.dll --a---- 1730496 bytes [15:02 12/08/2015] [18:12 15/07/2015] 3F63C62D9183235792A46C0B66EAAD04
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18939_none_b6ec361b12d8fb29\ntdll.dll --a---- 1730496 bytes [13:17 09/09/2015] [00:03 23/07/2015] 4DDF9E4ECE29127A6FE95535D809ADDE
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19018_none_b700adcb12c9dd32\ntdll.dll --a---- 1730496 bytes [17:20 13/10/2015] [03:13 29/09/2015] 91DDAFAFCEC3E360881FE35AF06B9EE4
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19045_none_b6dd3d2912e4e500\ntdll.dll --a---- 1730496 bytes [17:19 11/11/2015] [01:09 20/10/2015] 6818F2C2E6656E48D38951D753097797
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19110_none_b6f8ad6112d10fa1\ntdll.dll --a---- 1730496 bytes [16:56 13/01/2016] [19:05 30/12/2015] FAF7892DD731F0649046B3AA3A5166AA
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19131_none_b6e40dd312e060da\ntdll.dll --a---- 1733592 bytes [18:00 10/02/2016] [19:06 16/01/2016] A46FB77B45C16BCD4C964D1015C235C6
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19135_none_b6e80efb12dcc636\ntdll.dll --a---- 1733592 bytes [17:58 10/02/2016] [06:24 22/01/2016] EDD3A375BAEC5B67227EF91E767D1383
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19160_none_b6c29dc512f99b56\ntdll.dll --a---- 1733592 bytes [18:05 09/03/2016] [18:52 11/02/2016] 9C3035A9AA1986DAA9A7A233724BA71B
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.22411_none_b783650a2beda96f\ntdll.dll --a---- 1737688 bytes [17:46 02/06/2014] [06:24 02/08/2013] 136A787AFFE67DB15722D2024EB0FC89
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.22436_none_b772c6a42bf96004\ntdll.dll --a---- 1737688 bytes [17:44 02/06/2014] [02:21 29/08/2013] E1BE83E136DB7EA7D340455E43357F7D
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23002_none_b78f16e02be4cbda\ntdll.dll --a---- 1727392 bytes [13:05 15/04/2015] [05:15 17/03/2015] 335B56A4F45E5F22C00CF5A24DCFA87D
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23040_none_b761d69c2c0708f0\ntdll.dll --a---- 1728960 bytes [14:55 13/05/2015] [19:20 27/04/2015] B2BA4B573D20AC0162B9305A902872C8
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23072_none_b743676c2c1d8f71\ntdll.dll --a---- 1728960 bytes [19:33 10/06/2015] [18:25 25/05/2015] 3DE8AAE72EF83BC3CF5DBCC55165A422
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23126_none_b77d7a162bf1663f\ntdll.dll --a---- 1729984 bytes [15:01 12/08/2015] [03:24 15/07/2015] DB5B3FCDFBA890BC935123D1C990CBE4
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23136_none_b772aa2a2bf98230\ntdll.dll --a---- 1729984 bytes [15:02 12/08/2015] [18:11 15/07/2015] E1EE6652F14DDD367F1C4CEDEE59608D
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23142_none_b763d9162c0538c5\ntdll.dll --a---- 1729984 bytes [13:17 09/09/2015] [22:04 22/07/2015] 4772C7F0E4C6AADD4A37B1BDB987D136
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23153_none_b75a09742c0c6e0d\ntdll.dll --a---- 1729984 bytes [13:16 09/09/2015] [18:18 04/08/2015] 2CA03EE03E9884A1027FB6B4EED97EDC
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23223_none_b77a7b1e2bf41761\ntdll.dll --a---- 1729984 bytes [17:20 13/10/2015] [18:19 28/09/2015] 02E7E4C1CA9A2EA2D49F48F24C8CACAD
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23226_none_b77d7bfc2bf16366\ntdll.dll --a---- 1729984 bytes [17:18 13/10/2015] [18:09 01/10/2015] 9B532E8B2925C7A17302DCB78F6F7B71
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23250_none_b7570a7c2c0f1f2f\ntdll.dll --a---- 1729984 bytes [17:19 11/11/2015] [01:14 20/10/2015] BFB267D4524401EB8A392F85D6B91715
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23313_none_b7854cf02bebf897\ntdll.dll --a---- 1729984 bytes [16:56 13/01/2016] [19:17 30/12/2015] 39AEFD1BD0AF3A19560F17CF1BC9B461
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23334_none_b770ad622bfb49d0\ntdll.dll --a---- 1733080 bytes [18:00 10/02/2016] [00:35 17/01/2016] 4EB1B3263FC7327992FEF6413511DEC6
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23338_none_b774ae8a2bf7af2c\ntdll.dll --a---- 1733080 bytes [17:58 10/02/2016] [06:30 22/01/2016] 070AF4074AFC02260A3AF0D2BEEB8C16
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23349_none_b76adee82bfee474\ntdll.dll --a---- 1733080 bytes [18:05 09/03/2016] [18:59 10/02/2016] FDC9B58F82AE657B95D879CF914429F4
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_c1518e03472df852\ntdll.dll --a---- 1292096 bytes [03:24 21/11/2010] [03:24 21/11/2010] D124F55B9393C976963407DFF51FFA79
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18229_none_c14ba30f4731b522\ntdll.dll --a---- 1292192 bytes [17:46 02/06/2014] [01:51 02/08/2013] 0184CC60AB10C8124D69AFB332C6AF1C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18247_none_c13402a34743ba56\ntdll.dll --a---- 1292192 bytes [17:44 02/06/2014] [01:50 29/08/2013] A2B0924D50F4435FD389499047CE553A
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18798_none_c0fefccf476b5125\ntdll.dll --a---- 1309696 bytes [13:05 15/04/2015] [04:59 17/03/2015] 32B9FEE479FF55234ED6BCF1D7976189
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18839_none_c140de874739bffd\ntdll.dll --a---- 1310744 bytes [14:55 13/05/2015] [19:08 27/04/2015] A44680B810977EA64E280523E96F2EA9
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18869_none_c1206ec3475213d0\ntdll.dll --a---- 1310744 bytes [19:33 10/06/2015] [18:04 25/05/2015] 8C7635292CFF4901F058269454A1D64E
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18923_none_c145ae9d47370929\ntdll.dll --a---- 1311768 bytes [15:01 12/08/2015] [02:57 15/07/2015] 5BA40064868718271F6010BE693E05EF
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18933_none_c13adeb1473f251a\ntdll.dll --a---- 1311768 bytes [15:02 12/08/2015] [17:56 15/07/2015] 5792E7C663FAA39335D4F787B9499490
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.18939_none_c140e06d4739bd24\ntdll.dll --a---- 1311768 bytes [13:17 09/09/2015] [17:54 22/07/2015] 8006BA4CA962EEE6DACE3DE36AA0D21D
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19018_none_c155581d472a9f2d\ntdll.dll --a---- 1311768 bytes [17:20 13/10/2015] [03:02 29/09/2015] 4EB6A0445891D56D56BB4580B3906BEA
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19045_none_c131e77b4745a6fb\ntdll.dll --a---- 1311768 bytes [17:19 11/11/2015] [00:48 20/10/2015] 50D21D408B0FD40019A6EACF94A62ACF
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19110_none_c14d57b34731d19c\ntdll.dll --a---- 1311768 bytes [16:56 13/01/2016] [18:44 30/12/2015] 9E02351A74A6F1FA0F46405583525959
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19131_none_c138b825474122d5\ntdll.dll --a---- 1314328 bytes [18:00 10/02/2016] [18:41 16/01/2016] 3038CC6C4E0087F401EF8399FA3E3F3C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19135_none_c13cb94d473d8831\ntdll.dll --a---- 1314328 bytes [17:58 10/02/2016] [06:09 22/01/2016] 65FAD1A0049B6101F37BBFE7682DFE4C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19160_none_c1174817475a5d51\ntdll.dll --a---- 1314328 bytes [18:05 09/03/2016] [18:41 11/02/2016] B8E6C6411AAE69972DE30D2CC6ECABFD
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.22411_none_c1d80f5c604e6b6a\ntdll.dll --a---- 1296312 bytes [17:46 02/06/2014] [05:56 02/08/2013] 9789C4A05B95AC6289A213463875EC4B
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.22436_none_c1c770f6605a21ff\ntdll.dll --a---- 1296312 bytes [17:44 02/06/2014] [01:57 29/08/2013] FAC488937BCB8FBD6FCEB7E17B5D1383
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23002_none_c1e3c13260458dd5\ntdll.dll --a---- 1310200 bytes [13:05 15/04/2015] [04:47 17/03/2015] 68B12D0308311AE635DEF1965D310D45
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23040_none_c1b680ee6067caeb\ntdll.dll --a---- 1311256 bytes [14:55 13/05/2015] [18:58 27/04/2015] 857A99DBEA6F730B491BF7E02AC5FC64
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23072_none_c19811be607e516c\ntdll.dll --a---- 1311256 bytes [19:33 10/06/2015] [18:09 25/05/2015] 8CCD6590B4D00319A983F8FFFF7F36A3
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23126_none_c1d224686052283a\ntdll.dll --a---- 1311768 bytes [15:01 12/08/2015] [03:01 15/07/2015] 1365C0D5EBB63F34B15B96ADCDD3D470
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23136_none_c1c7547c605a442b\ntdll.dll --a---- 1311768 bytes [15:02 12/08/2015] [17:51 15/07/2015] B3B237BA70C1175B5A897D183F9B349C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23142_none_c1b883686065fac0\ntdll.dll --a---- 1311768 bytes [13:17 09/09/2015] [23:57 22/07/2015] 5377AEC53312991E0C07992C0AB215C9
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23153_none_c1aeb3c6606d3008\ntdll.dll --a---- 1311768 bytes [13:16 09/09/2015] [17:55 04/08/2015] DF6419A7914BCF5576B60EB7EE8EF14C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23223_none_c1cf25706054d95c\ntdll.dll --a---- 1311768 bytes [17:18 13/10/2015] [20:19 28/09/2015] CA5C1E09C6DA44C22501CF7232E81B0C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23250_none_c1abb4ce606fe12a\ntdll.dll --a---- 1311768 bytes [17:19 11/11/2015] [00:50 20/10/2015] B1FD718708D8A7686FCA033D8F7FA1C9
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23313_none_c1d9f742604cba92\ntdll.dll --a---- 1311768 bytes [16:56 13/01/2016] [18:58 30/12/2015] 906BEADADF041EE4A23FBB9DBD73F0D0
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23334_none_c1c557b4605c0bcb\ntdll.dll --a---- 1314328 bytes [18:00 10/02/2016] [00:19 17/01/2016] A9E7E4C3942D256CCED711343D1B0D3C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23338_none_c1c958dc60587127\ntdll.dll --a---- 1314328 bytes [17:58 10/02/2016] [06:09 22/01/2016] 9E2C734D24234314BE0D9633C658CB31
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.23349_none_c1bf893a605fa66f\ntdll.dll --a---- 1314328 bytes [18:05 09/03/2016] [18:32 10/02/2016] BD9C5FB1F72529EF7519E2EBE6B50E66
 
========== regfind ==========
 
Searching for "ntdll.dll"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.18766 (win7sp1_gdr.150217-1551)\ComponentFamilies\amd64_microsoft-windows-ntdll_31bf3856ad364e35_none_13be95395ddc6d7a\f256!ntdll.dll]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.18766 (win7sp1_gdr.150217-1551)\ComponentFamilies\wow64_microsoft-windows-ntdll_31bf3856ad364e35_none_1e133f8b923d2f75\f256!ntdll.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH]
"RuleList"="*;0;0;ntdll.dll;0;0;0xC0000005 *;0;0;*;0;0;0xC0000374"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\FTH]
"RuleList"="*;0;0;ntdll.dll;0;0;0xC0000005 *;0;0;*;0;0;0xC0000374"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\Application Popup]
"EventMessageFile"="%SystemRoot%\System32\ntdll.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\TermDD]
"EventMessageFile"="%SystemRoot%\system32\ntdll.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\System\Application Popup]
"EventMessageFile"="%SystemRoot%\System32\ntdll.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\System\TermDD]
"EventMessageFile"="%SystemRoot%\system32\ntdll.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Application Popup]
"EventMessageFile"="%SystemRoot%\System32\ntdll.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\TermDD]
"EventMessageFile"="%SystemRoot%\system32\ntdll.dll"
 
-= EOF =-
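The SystemLook request in the previous reply asks for every copy of ntdll.dll together with its MD5 so that the live files in System32 and SysWOW64 can be compared against the copies Windows keeps in the WinSxS component store. In the output above the System32 copy (9C3035A9...) carries the same hash as the amd64 6.1.7601.19160 store entry, and the SysWOW64 copy (B8E6C641...) the same hash as the wow64 entry of that version, which is what a clean, fully serviced system looks like. The following Python script is an added example, not part of this thread or of SystemLook: it parses filefind output of that shape and reports, for each live copy, which store versions share its hash, flagging a live copy that no store copy of its architecture vouches for. The sample input is a constructed subset of the log posted above; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the SystemLook ":filefind ntdll.dll"
# lines posted in this thread (paths and hashes as shown in the log).
SAMPLE_LOG = r"""
Searching for "ntdll.dll"
C:\Windows\System32\ntdll.dll --a---- 1733592 bytes [18:05 09/03/2016] [18:52 11/02/2016] 9C3035A9AA1986DAA9A7A233724BA71B
C:\Windows\SysWOW64\ntdll.dll --a---- 1314328 bytes [18:05 09/03/2016] [18:41 11/02/2016] B8E6C6411AAE69972DE30D2CC6ECABFD
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19135_none_b6e80efb12dcc636\ntdll.dll --a---- 1733592 bytes [17:58 10/02/2016] [06:24 22/01/2016] EDD3A375BAEC5B67227EF91E767D1383
C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19160_none_b6c29dc512f99b56\ntdll.dll --a---- 1733592 bytes [18:05 09/03/2016] [18:52 11/02/2016] 9C3035A9AA1986DAA9A7A233724BA71B
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19135_none_c13cb94d473d8831\ntdll.dll --a---- 1314328 bytes [17:58 10/02/2016] [06:09 22/01/2016] 65FAD1A0049B6101F37BBFE7682DFE4C
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.19160_none_c1174817475a5d51\ntdll.dll --a---- 1314328 bytes [18:05 09/03/2016] [18:41 11/02/2016] B8E6C6411AAE69972DE30D2CC6ECABFD
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S+) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component-store folder names carry the architecture and the file version.
SXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>amd64|wow64|x86)_[^\\]*?_(?P<version>\d+\.\d+\.\d+\.\d+)_none_",
    re.IGNORECASE,
)
# Which store flavour each live system directory is serviced from on 64-bit Windows.
LIVE_DIRS = {
    r"c:\windows\system32\ntdll.dll": "amd64",
    r"c:\windows\syswow64\ntdll.dll": "wow64",
}


def parse_filefind(text):
    """Parse SystemLook filefind output into dicts; lines that are not results are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        sxs = SXS_RE.search(entry["path"])
        entry["arch"] = sxs.group("arch").lower() if sxs else None
        entry["version"] = sxs.group("version") if sxs else None
        entries.append(entry)
    return entries


def match_live_to_store(entries):
    """For each live ntdll.dll, list the component-store versions with the same MD5
    and the right architecture. An empty list means no store copy vouches for it."""
    store = defaultdict(list)  # (arch, md5) -> [version, ...]
    for e in entries:
        if e["version"]:
            store[(e["arch"], e["md5"])].append(e["version"])
    report = {}
    for e in entries:
        expected_arch = LIVE_DIRS.get(e["path"].lower())
        if expected_arch is None:
            continue  # a store copy, not a live file
        report[e["path"]] = sorted(store.get((expected_arch, e["md5"]), []))
    return report


def unvouched_live_copies(text):
    """Live paths whose hash matches no store copy of the matching architecture."""
    report = match_live_to_store(parse_filefind(text))
    return sorted(path for path, versions in report.items() if not versions)


if __name__ == "__main__":
    for path, versions in match_live_to_store(parse_filefind(SAMPLE_LOG)).items():
        status = ("matches store version(s) " + ", ".join(versions)) if versions else "NO STORE MATCH"
        print(f"{path}: {status}")
```

A store copy only vouches for a live file when both the architecture (amd64 for System32, wow64 for SysWOW64) and the MD5 agree; a 64-bit file that happens to hash like a 32-bit store entry would still be flagged. This is a quick consistency test against the machine's own component store, not a substitute for checking the file's digital signature.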


#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • ONLINE
  • Gender:Male
  • Local time:12:24 AM

Posted 17 March 2016 - 05:46 PM

Please try scanning again with Malwarebytes and delete any viruses found.

 

Please post Malwarebytes Log file.


Best regards
 

 


 


#12 TwymonMeyers

TwymonMeyers
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 17 March 2016 - 09:51 PM

I did delete
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/17/2016
Scan Time: 9:24 PM
Logfile: log2.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.17.05
Rootkit Database: v2016.03.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: USER
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369460
Time Elapsed: 14 min, 44 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.BrowserExtensions, HKU\S-1-5-21-2142212455-911606912-4286033560-1000\SOFTWARE\APPDATALOW\SOFTWARE\BROWSER EXTENSIONS, Quarantined, [40993751fa9fcc6a1e64da244ab952ae], 
 
Registry Values: 1
PUP.Optional.BrowserExtensions, HKU\S-1-5-21-2142212455-911606912-4286033560-1000\SOFTWARE\APPDATALOW\SOFTWARE\BROWSER EXTENSIONS|SS_Ver, 2.8.8.11, Quarantined, [40993751fa9fcc6a1e64da244ab952ae]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 6
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\Button.exe, Quarantined, [cf0a01874851ef47906a50eeb55008f8], 
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\Button64.exe, Quarantined, [0bce0e7a9108300626d49aa4d82d0af6], 
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\ButtonWrap.dll, Quarantined, [0ccdaddb43563afc798196a88e77df21], 
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\ButtonWrap64.dll, Quarantined, [29b00c7c1f7a2d09f00afa44788d50b0], 
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\Coupons64.dll, Quarantined, [f1e856320e8bdb5b649661dde91ca55b], 
PUP.Optional.Spigot, C:\Users\USER\AppData\Roaming\Browser Extensions\CouponsHelper.exe, Quarantined, [6f6a9deba7f2fe38da20211d8d787888], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#13 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • ONLINE
  • Gender:Male
  • Local time:12:24 AM

Posted 19 March 2016 - 10:27 AM

Step 1:
Emsisoft Emergency Kit Scan:

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

Step 2:

MalwareBytes Anti-Rootkit scan:

  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware software
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

1. Download MalwareBytes Anti-Rootkit software from here to your desktop.

  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator to launch the application.

2. Open the folder named MBAR on your desktop.
3. Find the MBAR folder in the list.
4. Click it once.
5. Now click the OK button.
6. Click the OK button again.
7. Click Next, then click on the Update button.
8. Now click on the Scan button.

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two message boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 3:

RogueKiller scan:

  • Please download RogueKiller (32/64 bit) to your desktop and run it.
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

Best regards
 

 


 


#14 TwymonMeyers

TwymonMeyers
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 19 March 2016 - 04:59 PM

RogueKiller V12.0.2.0 [Mar 14 2016] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : USER [Administrator]
Started from : C:\Users\USER\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/19/2016 16:50:06
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2142212455-911606912-4286033560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2142212455-911606912-4286033560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
¤¤¤ Tasks : 4 ¤¤¤
[Suspicious.Path] \ReclaimerUpdateFiles_USER -- C:\Users\USER\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\14.02\agent\rnupgagent.exe (/UpdateFiles) -> Found
[Suspicious.Path] \ReclaimerUpdateXML_USER -- C:\Users\USER\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\14.02\agent\rnupgagent.exe (/UpdateXML) -> Found
[Suspicious.Path] \RNUpgradeHelperLogonPrompt_USER -- C:\Users\USER\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\14.02\agent\rnupgagent.exe (/prompt os_boot) -> Found
[Suspicious.Path] \RNUpgradeHelperResumePrompt_USER -- C:\Users\USER\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\14.02\agent\rnupgagent.exe (/prompt os_resume) -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEKT-66PVMT0 ATA Device +++++
--- User ---
[MBR] 6f3677e8d60b58bf89a0ce549d5ddcf6
[BSP] 577f86cfd6a974c6e99804b252ae050d : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 

Attached Files
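The four [Suspicious.Path] hits above are scheduled tasks whose command line points into the user's AppData folder, which is the heuristic RogueKiller applies to that tag. The following PowerShell script is an added example, not part of this thread or of RogueKiller, that performs the same triage on a live machine and adds the Authenticode signature status of each task binary so that a legitimately signed updater (RealPlayer's rnupgagent.exe in this log) can be told apart from an unsigned binary dropped in a user-writable folder. It uses schtasks rather than Get-ScheduledTask so that it also runs on Windows 7; the column names and the pattern list are assumptions for an English-locale system.

```powershell
# Added example (not from the thread): flag scheduled tasks that run from
# user-writable locations and report the signature status of their binaries.
# Assumes an English locale (schtasks column names such as "Task To Run").

# Path fragments treated as user-writable (assumption: adjust per environment)
$suspiciousPatterns = @(
    '\\AppData\\',
    '\\Temp\\',
    '\\ProgramData\\',
    '\\Users\\Public\\'
)

function Get-TaskBinaryPath {
    param([string]$CommandLine)
    # Quoted path first, otherwise the first token that ends in .exe
    if ($CommandLine -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)')   { return $Matches[1] }
    return $null
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-SuspiciousPathTasks {
    # /v adds the "Task To Run" column; schtasks repeats the CSV header per task
    # folder, so rows whose TaskName is literally "TaskName" are dropped.
    $rows = schtasks /query /fo CSV /v | ConvertFrom-Csv

    $rows |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object {
            $cmd = $_.'Task To Run'
            $cmd -and @($suspiciousPatterns | Where-Object { $cmd -match $_ }).Count -gt 0
        } |
        ForEach-Object {
            $exe = Get-TaskBinaryPath -CommandLine $_.'Task To Run'
            [pscustomobject]@{
                TaskName  = $_.TaskName
                Command   = $_.'Task To Run'
                Author    = $_.Author
                Status    = $_.Status
                Signature = Get-SignatureStatus -Path $exe
            }
        } |
        Sort-Object TaskName -Unique
}

# Run from an elevated prompt so that tasks of all users are listed
Get-SuspiciousPathTasks | Format-Table -AutoSize -Wrap
```

A Valid signature from the expected publisher is a reason to leave a task alone, as the helper did with the RealPlayer entries; NotSigned or FileMissing on a task that runs from AppData or Temp is what deserves a closer look before anything is deleted.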



#15 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:24 AM

Posted 19 March 2016 - 05:42 PM

Thank you;

Please follow the below steps to disable "Teredo".

:step1: Open an elevated "command prompt".

http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/

:step2: Type the below command exactly and press the "Enter" key.

      netsh interface teredo set state disabled

     Reboot the system when completed.

 

=======================================================================

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Restart the PC.

 


Best regards
 
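Teredo tunnels IPv6 traffic inside UDP, which lets a host reach the IPv6 Internet past a NAT that only sees IPv4, and that is also why helpers ask for it to be switched off on a machine under investigation: it opens a path that perimeter filtering written for IPv4 does not see. The script below is an added example, not part of this thread, that wraps the netsh command from the post: it confirms the prompt is elevated, records the Teredo state before and after, and leaves a value you can check. It parses the output of "netsh interface teredo show state" (assumed English-locale output) instead of using Get-NetTeredoConfiguration, because that cmdlet does not exist on Windows 7.

```powershell
# Added example (not from the thread): disable Teredo as instructed above and
# verify the change. Run from an elevated PowerShell prompt.
# Assumes English-locale netsh output ("Type : ..." and "State : ..." lines).

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TeredoStatus {
    # Returns the Type (client/enterpriseclient/disabled/...) and State
    # (qualified/offline/...) fields that netsh prints for Teredo.
    $out = netsh interface teredo show state
    $type  = 'unknown'
    $state = 'unknown'
    foreach ($line in $out) {
        if ($line -match '^\s*Type\s*:\s*(.+?)\s*$')  { $type  = $Matches[1] }
        if ($line -match '^\s*State\s*:\s*(.+?)\s*$') { $state = $Matches[1] }
    }
    return [pscustomobject]@{ Type = $type; State = $state }
}

function Disable-Teredo {
    if (-not (Test-IsElevated)) {
        throw 'Open an elevated prompt first; netsh will not change Teredo otherwise.'
    }

    $before = Get-TeredoStatus
    Write-Host ("Before: Type={0} State={1}" -f $before.Type, $before.State)

    # The exact command from the post
    netsh interface teredo set state disabled | Out-Null

    $after = Get-TeredoStatus
    Write-Host ("After:  Type={0} State={1}" -f $after.Type, $after.State)

    if ($after.Type -ne 'disabled') {
        Write-Warning 'Teredo still reports a non-disabled type; reboot and re-check.'
    }
    return $after
}

# Usage: Disable-Teredo, then reboot as the post says and run Get-TeredoStatus again
Disable-Teredo
```

After the reboot, Get-TeredoStatus should still report Type = disabled; if it reverts, something re-enables the setting at startup and that is worth noting in the next reply.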

 


 




