
HELP!!!! I'm an Idiot - Ran Combofix - Cannot open explorer, control panel ETC


  • This topic is locked
63 replies to this topic

#1 teamplus

  • Members
  • 41 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 30 March 2016 - 04:17 PM

I ran ComboFix before doing my research - SORRY SORRY!!!! Can anyone help me with this issue? Now I cannot open Explorer, Kaspersky, Control Panel, etc. I am using the Chrome browser on Windows 7. When ComboFix ran, it did indicate that it set a restore point.

 

Prior to running ComboFix the system had been running slow, and I had uninstalled a couple of programs, which appeared to help, but then I ran across a posting about ComboFix which I thought would be another added measure of cleanup.

 

I cannot install and run the FRST logs because after downloading the exe file the Run box will not open, nor am I able to open Explorer to run the file.

 

Thank you,

 

Teamplus




#2 Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:11:53 PM

Posted 01 April 2016 - 10:28 AM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***



Do you have the Windows install CD for this PC?

If you start the PC in Safe Mode with Networking, can you run the FRST logs then?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 teamplus
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 01 April 2016 - 10:59 AM

I do not know where the install CD is but will try to locate it. Re: FRST - I can boot into Safe Mode but Explorer will not open (I get a "no such interface supported" message box). I can bring a Run box up using Win key + R, and found c:\combofix.txt, which opens in Notepad and shows the ComboFix text file.

 

Thanks for your reply!



#4 Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:11:53 PM

Posted 01 April 2016 - 11:14 AM

Please post the content of the ComboFix text file, if possible.


First we could try using Last Known Good Configuration (LKGC).

Restart your computer.
As the computer is starting, press the F8 key once every second.
Choose to boot from the Last Known Good Configuration.
  • If you are booting into XP, select Last Known Good Configuration (Your Most Recent Settings That Worked).
  • If you are booting into Vista / Windows 7/8, select Last Known Good Configuration (Advanced).
  • Press the Enter key.
The computer will load the last known good configuration.

Do you see the Windows logo during boot-up?
Please describe what happens during the boot process,
e.g. the computer just reboots itself without the Windows animation logo,
the computer freezes, etc.


How is the PC running now?



#5 teamplus
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 01 April 2016 - 11:28 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by Gary (administrator) on GARY-PC (01-04-2016 11:18:42)
Running from C:\Users\Gary\Downloads
Loaded Profiles: Gary (Available Profiles: Gary & QBDataServiceUser22 & QBDataServiceUser24 & QBDataServiceUser25)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1797488 2011-01-07] (Microsoft Corporation)
HKLM\...\Run: [itype] => C:\Program Files\Microsoft IntelliType Pro\itype.exe [1778064 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] => E:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [NBAgent] => E:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe [1493288 2011-09-20] (Nero AG)
HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2011-11-02] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM\...\Run: [Adobe_ID0ENQBO] => C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe [378224 2008-08-15] (Adobe Systems Incorporated)
HKLM\...\Run: [snp2std] => C:\Windows\vsnp2std.exe [348160 2005-08-13] (Sonix)
HKLM\...\Run: [TrueImageMonitor.exe] => E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [5954016 2011-11-10] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [403096 2011-11-10] (Acronis)
HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [3776824 2015-03-17] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [TkBellExe] => c:\program files\real\realplayer\Update\realsched.exe [286272 2015-07-11] (RealNetworks, Inc.)
HKLM\...\Run: [FreeAgentTheaterTrayIcon] => E:\Program Files\Seagate\Seagate_Media\AgrregationStatus\StxMediaMenuMgr.exe [189480 2014-09-25] (Seagate LLC)
HKLM\...\Run: [RealDownloader] => C:\Program Files\RealNetworks\RealDownloader\downloader2.exe [720112 2016-02-24] ()
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2741616 2011-03-04] (Hewlett-Packard Company)
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\...\Run: [RemoTerm.exe] => C:\Program Files\Common Files\PCTV Systems\RemoTerm\RemoTerm.exe [226576 2010-06-10] (PCTV Systems S.à r.l.)
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\...\Run: [Pogoplug Backup] => C:\Program Files\PogoplugBackup\ppbrowser.exe [25249792 2015-01-19] (Cloud Engines, Inc.)
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\...\Run: [CCleaner Monitoring] => E:\Program Files\CCleaner\CCleaner.exe [5496600 2015-01-20] (Piriform Ltd)
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [50599552 2016-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\...\Run: [GoogleChromeAutoLaunch_D8141F93E2B8BBDF887F2C7ECBC57A85] => C:\Program Files\Google\Chrome\Application\chrome.exe [746648 2016-02-17] (Google Inc.)
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Check for Updates.lnk [2011-11-18]
ShortcutTarget: Check for Updates.lnk -> C:\Program Files\Common Files\PCTV Systems\WebUpdater\WebUpdater.exe (PCTV Systems)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-02-02]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Post-it® Digital Notes.lnk [2012-01-26]
ShortcutTarget: Post-it® Digital Notes.lnk -> E:\Program Files\3M\PDNotes\PDNotes.exe (3M)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-02-02]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk [2015-02-02]
ShortcutTarget: QuickBooks Web Connector.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe (Intuit)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-02-02]
ShortcutTarget: QuickBooks_Standard_21.lnk -> E:\Program Files\Intuit\QuickBooks Enterprise Solutions 15.0\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealTimes.lnk [2015-07-11]
ShortcutTarget: RealTimes.lnk -> C:\Program Files\Real\RealPlayer\RPDS\Bin\rpsystray.exe (RealNetworks, Inc.)
Startup: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2015-02-04]
ShortcutTarget: Rainmeter.lnk -> E:\Program Files\Rainmeter\Rainmeter.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{A148FD5E-63CF-43F0-860A-83EA2FAFCC53}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3826950993-1294746516-753834029-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Toolbar: HKU\S-1-5-21-3826950993-1294746516-753834029-1001 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
Handler: intu-help-qb8 - {CD17C364-2EC8-4929-91A9-C4839A20E909} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} -  No File
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} -  No File
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} -  No File
 
FireFox:
========
FF ProfilePath: C:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\ss13hu8m.default
FF Homepage: hxxp://www.google.com/
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-04-01] ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Windows\system32\C2MP\npdivx32.dll [2009-05-12] (DivX,Inc.)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Windows\system32\npdeployJava1.dll [2015-02-10] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-10] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-10] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-04-22] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> E:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin: @Nero.com/KM -> C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL [2011-09-23] (Nero AG)
FF Plugin: @nosltd.com/getPlus+®,version=1.6.2.100 -> C:\Program Files\NOS\bin\np_gp.dll [2011-03-01] (NOS Microsystems Ltd.)
FF Plugin: @real.com/nppl3260;version=18.0.1.9 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [2015-07-11] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=12.0.1.669 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2011-11-18] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=12.0.1.669 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2011-11-18] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=18.0.1.9 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll [2015-07-11] (RealTimes)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> e:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin: Adobe Acrobat -> E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3826950993-1294746516-753834029-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Gary\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-03-07] (Citrix Online)
FF Plugin HKU\S-1-5-21-3826950993-1294746516-753834029-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\Gary\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3826950993-1294746516-753834029-1001: @talk.google.com/O1DPlugin -> C:\Users\Gary\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3826950993-1294746516-753834029-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3826950993-1294746516-753834029-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-04-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\Gary\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Gary\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011-11-18] [not signed]
FF HKLM\...\Firefox\Extensions: [light_plugin_D772DC8D6FAF43A29B25C4EBAA5AD1DE@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\FFExt\light_plugin_firefox
FF Extension: Kaspersky Protection - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\FFExt\light_plugin_firefox [2016-03-01]
StartMenuInternet: FIREFOX.EXE - e:\Program Files\Mozilla Firefox\firefox.exe
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.outlook.com/","hxxp://woot.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\48.0.2564.116\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll => No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\48.0.2564.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\48.0.2564.116\pdf.dll => No File
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\12.0.0.374_0\plugin/npABPlugin.dll => No File
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.477_0\plugin/npUrlAdvisor.dll => No File
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\12.0.0.477_0\plugin/npVKPlugin.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Talk Plugin) - C:\Users\Gary\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
CHR Plugin: (Google Talk Plugin Video Accelerator) - C:\Users\Gary\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - E:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Nero Kwik Media Helper) - C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Plugin: (getPlusPlus for Adobe 162100) - C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (RealNetworks™ Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - c:\program files\real\realplayer\Netscape6\nprpjplug.dll => No File
CHR Plugin: (DivX Web Player) - C:\Windows\system32\C2MP\npdivx32.dll (DivX,Inc.)
CHR Plugin: (Microsoft Office 2010) - E:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - E:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (RealJukebox NS Plugin) - c:\program files\real\realplayer\Netscape6\nprjplug.dll => No File
CHR Profile: C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-01]
CHR Extension: (Google Cast) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2016-03-25]
CHR Extension: (Adblock Plus) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-12]
CHR Extension: (Google Search) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (MaskMe) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpkiidbpeijnaaacjlfnijncdlkicejg [2014-12-01]
CHR Extension: (Kaspersky Protection) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\eahebamiopdhefndnmappcihfajigkka [2015-10-14]
CHR Extension: (Blur) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\epanfjkfahimkgomnigadpkobaefekcd [2016-01-31]
CHR Extension: (Full Screen Weather) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkkaebihfmbofclegkcfkkemepfehibg [2015-05-20]
CHR Extension: (Social share 3 in 1) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdciljooegpdknfnjbeebnflbkjfcjcf [2014-02-01]
CHR Extension: (Checker Plus for Google Calendar™) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkhggnncdpfibdhinjiegagmopldibha [2016-03-22]
CHR Extension: (Slingplayer for Google Chrome™ extension) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihdceheklapbalfikfdppfpgdgabaglp [2015-06-03]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2012-11-04]
CHR Extension: (Google Hangouts) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2016-03-16]
CHR Extension: (SlingPlayer Web Plug-in) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\lidgnhlbmoakdjkfhanbhfngcadpaiac [2015-03-19]
CHR Extension: (Skype) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-12-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-24]
CHR Extension: (SpeakIt!) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgeolalilifpodheeocdmbhehgnkkbak [2016-03-22]
CHR Extension: (Evernote Web Clipper) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc [2016-03-04]
CHR Extension: (Gmail) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-03]
CHR Profile: C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-03]
CHR Extension: (Google Docs) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03]
CHR Extension: (Google Drive) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-29]
CHR Extension: (YouTube) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-03]
CHR Extension: (Google Search) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-29]
CHR Extension: (Kaspersky URL Advisor) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dchlnpcodkpfdpacogkljefecpegganj [2015-01-29]
CHR Extension: (Google Sheets) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-03]
CHR Extension: (Safe Money) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hakdifolhalapjijoafobooafbilfakh [2015-01-29]
CHR Extension: (Content Blocker) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\hghkgaeecgjhjkannahfamoehjmkjail [2015-01-29]
CHR Extension: (Virtual Keyboard) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh [2015-01-29]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2015-01-29]
CHR Extension: (Skype Click to Call) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-01-29]
CHR Extension: (Kaspersky Protection) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lpoimibckejjdjcfbdnajaicnklhfplh [2015-01-29]
CHR Extension: (Google Wallet) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-29]
CHR Extension: (Gmail) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-29]
CHR Extension: (Anti-Banner) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjldcfjmnllhmgjclecdnfampinooman [2015-01-29]
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM\...\Chrome\Extension: [ihdceheklapbalfikfdppfpgdgabaglp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-11-18]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-01-08]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [812800 2011-11-10] (Acronis)
S3 Adobe Version Cue CS4; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [288112 2011-11-02] (Adobe Systems Incorporated)
S2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3450832 2012-02-27] (Acronis)
S2 AVP16.0.0; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe [194000 2015-10-13] (Kaspersky Lab ZAO)
S2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-08] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-08] (Microsoft Corporation)
S2 DokanCEMounter; C:\Program Files\PogoplugBackup\dokanmnt.exe [108256 2015-01-19] (Cloud Engines)
S2 FreeAgentTheater Service; E:\Program Files\Seagate\Seagate_Media\Sync\MediaAggreService.exe [243752 2014-09-25] (Seagate Technology LLC)
S2 HBAdmin; C:\Program Files\Pogoplug\HBPLUG\HBADMIN.exe [738112 2012-01-30] (Cloud Engines, Inc.)
S2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2011-03-04] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; E:\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [641832 2011-09-23] (Nero AG)
S2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2015-03-17] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2014-11-07] (Intuit Inc.) [File not signed]
S2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2014-11-07] (Intuit Inc.) [File not signed]
S3 QuickBooksDB25; E:\Program Files\Intuit\QuickBooks Enterprise Solutions 15.0\QBDBMgrN.exe [827392 2014-11-07] (Intuit, Inc.) [File not signed]
S2 RealPlayerUpdateSvc; C:\Program Files\Real\UpdateService\RealPlayerUpdateSvc.exe [31856 2015-06-17] ()
S2 RealTimes Desktop Service; c:\program files\real\realplayer\RPDS\Bin\rpdsvc.exe [1115224 2015-07-11] (RealNetworks, Inc.)
S2 ss_conn_service; E:\Program Files\Samsung\Kies3\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2015-05-21] (DEVGURU Co., LTD.)
S2 syncagentsrv; C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [5890144 2011-11-10] (Acronis)
S2 TeamViewer; e:\Program Files\TeamViewer\TeamViewer_Service.exe [6848784 2015-11-02] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 azvusb; C:\Windows\System32\DRIVERS\azvusb.sys [44544 2009-08-24] (AzureWave Technologies, Inc.)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [201912 2015-07-06] (Kaspersky Lab ZAO)
S2 DokanCEDriver; C:\Program Files\PogoplugBackup\dokance.sys [59104 2015-01-19] (Cloud Engines)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [153784 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [46776 2015-06-06] (Kaspersky Lab ZAO)
S1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [58224 2015-06-27] (Kaspersky Lab ZAO)
S2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [66976 2016-03-01] (AO Kaspersky Lab)
S3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [147328 2015-10-21] (AO Kaspersky Lab)
S1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [44728 2015-10-21] (AO Kaspersky Lab)
S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [776088 2016-03-01] (AO Kaspersky Lab)
S1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [33976 2015-06-11] (Kaspersky Lab ZAO)
S3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [37048 2015-06-06] (Kaspersky Lab ZAO)
S3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [38072 2015-06-07] (Kaspersky Lab ZAO)
S1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [39304 2015-10-14] (AO Kaspersky Lab)
S1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54328 2015-06-11] (Kaspersky Lab ZAO)
S1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [87736 2015-06-16] (Kaspersky Lab ZAO)
S1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [156856 2015-06-23] (Kaspersky Lab ZAO)
S3 L1E; C:\Windows\System32\DRIVERS\L1E62x86.sys [47104 2009-07-13] (Atheros Communications, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21520 2011-01-07] (Microsoft Corporation)
S3 SNP2STD; C:\Windows\System32\DRIVERS\snp2sxp.sys [12274432 2007-08-17] ()
R0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [766496 2012-02-27] (Acronis)
S3 teamviewervpn; C:\Windows\System32\DRIVERS\teamviewervpn.sys [25088 2012-11-02] (TeamViewer GmbH)
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA.sys [583552 2010-09-01] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM.sys [840960 2010-09-01] (eMPIA Technology, Inc.)
R0 vididr; C:\Windows\System32\DRIVERS\vididr.sys [126144 2012-02-27] (Acronis)
R0 vidsflt61; C:\Windows\System32\DRIVERS\vsflt61.sys [84544 2012-02-27] (Acronis)
S3 xcetap0; C:\Windows\System32\DRIVERS\xcetap0.sys [34624 2011-05-27] (Cloud Engines, Inc.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Gary\AppData\Local\Temp\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-01 11:18 - 2016-04-01 11:18 - 00030324 _____ C:\Users\Gary\Downloads\FRST.txt
2016-04-01 11:18 - 2016-04-01 11:18 - 00000000 ____D C:\FRST
2016-04-01 09:50 - 2016-04-01 09:50 - 00023327 _____ C:\Windows\system32\rsslogs.20160401094933
2016-03-30 17:01 - 2016-03-30 17:01 - 00677295 _____ C:\Users\Gary\Downloads\keep.zip
2016-03-30 16:50 - 2016-03-30 16:50 - 00016342 _____ C:\Windows\system32\rsslogs.20160330164956
2016-03-30 16:02 - 2016-03-30 16:02 - 01725440 _____ (Farbar) C:\Users\Gary\Downloads\FRST (2).exe
2016-03-30 16:00 - 2016-03-30 16:00 - 01725440 _____ (Farbar) C:\Users\Gary\Downloads\FRST (1).exe
2016-03-30 15:59 - 2016-03-30 15:59 - 01725440 _____ (Farbar) C:\Users\Gary\Downloads\FRST.exe
2016-03-30 15:43 - 2016-03-30 15:43 - 00052482 _____ C:\Windows\system32\rsslogs.20160330154253
2016-03-29 17:06 - 2016-03-29 17:06 - 00012836 _____ C:\Windows\system32\rsslogs.20160329170541
2016-03-25 17:56 - 2016-03-25 17:56 - 00008167 _____ C:\Windows\system32\rsslogs.20160325175502
2016-03-23 10:14 - 2016-03-23 10:14 - 00013951 _____ C:\Windows\system32\rsslogs.20160323101329
2016-03-22 17:57 - 2016-03-22 17:57 - 00017490 _____ C:\Windows\system32\rsslogs.20160322175642
2016-03-22 14:45 - 2016-03-22 14:45 - 00016326 _____ C:\Windows\system32\rsslogs.20160322144433
2016-03-22 14:08 - 2016-03-22 14:08 - 00024478 _____ C:\Windows\system32\rsslogs.20160322140702
2016-03-18 10:42 - 2016-03-18 10:42 - 00009337 _____ C:\Windows\system32\rsslogs.20160318104200
2016-03-16 17:23 - 2016-03-18 10:42 - 00004691 _____ C:\Windows\system32\rsslogs.20160316172255
2016-03-16 17:03 - 2016-03-16 17:03 - 00019824 _____ C:\Windows\system32\rsslogs.20160316170222
2016-03-16 10:56 - 2016-03-16 17:03 - 00045424 _____ C:\Windows\system32\rsslogs.20160316105506
2016-03-16 05:43 - 2016-03-16 05:43 - 00002332 _____ C:\Windows\system32\rsslogs.20160316054236
2016-03-16 05:13 - 2016-03-16 05:13 - 00033821 _____ C:\Windows\system32\rsslogs.20160316051248
2016-03-16 05:11 - 2016-04-01 11:14 - 00979018 _____ C:\Windows\ntbtlog.txt
2016-03-16 04:52 - 2016-03-16 04:52 - 00022168 _____ C:\Windows\system32\rsslogs.20160316045136
2016-03-16 04:48 - 2016-03-16 04:48 - 00013117 _____ C:\ComboFix.txt
2016-03-16 04:34 - 2016-03-16 04:48 - 00000000 ____D C:\Qoobox
2016-03-16 04:34 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2016-03-16 04:34 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2016-03-16 04:34 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-03-16 04:34 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-03-16 04:34 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-03-16 04:34 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2016-03-16 04:34 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2016-03-16 04:34 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2016-03-16 04:33 - 2016-03-16 04:46 - 00000000 ____D C:\Windows\erdnt
2016-03-16 04:33 - 2016-03-16 04:33 - 05658423 _____ (Swearware) C:\Users\Gary\Downloads\ComboFix (1).exe
2016-03-16 04:26 - 2016-03-16 04:26 - 05658423 ____R (Swearware) C:\Users\Gary\Downloads\ComboFix.exe
2016-03-15 15:03 - 2016-03-15 15:03 - 00552962 _____ C:\Windows\system32\rsslogs.20160315150255
2016-03-15 09:16 - 2016-03-15 09:16 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-15 09:16 - 2016-03-15 09:16 - 00000664 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-15 09:16 - 2016-03-15 09:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-15 09:16 - 2016-03-15 09:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-03-15 09:16 - 2015-10-05 09:50 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-15 09:16 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-15 09:16 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-15 09:13 - 2016-03-15 09:13 - 22908888 _____ (Malwarebytes ) C:\Users\Gary\Downloads\mbam-setup-2.2.0.1024.exe
2016-03-15 09:04 - 2016-03-15 15:03 - 00418628 _____ C:\Windows\system32\rsslogs.20160315090310
2016-03-15 08:59 - 2016-03-15 08:59 - 00003500 _____ C:\Windows\system32\rsslogs.20160315085848
2016-03-15 08:51 - 2016-03-15 08:52 - 00000000 ____D C:\KVRT_Data
2016-03-15 08:49 - 2016-03-15 08:51 - 89692744 _____ (Kaspersky Lab ZAO) C:\Users\Gary\Downloads\KVRT.exe
2016-03-11 17:08 - 2016-03-11 17:08 - 00000000 ____D C:\Users\Default\AppData\Roaming\RealNetworks
2016-03-11 17:08 - 2016-03-11 17:08 - 00000000 ____D C:\Users\Default User\AppData\Roaming\RealNetworks
2016-03-05 18:44 - 2016-03-05 18:44 - 00116402 _____ C:\Users\Gary\Downloads\Pay1040_receipt_5.3.2016.pdf
2016-03-04 14:54 - 2016-03-04 14:54 - 09121631 _____ C:\Users\Gary\Downloads\Gary Hallmark, Your Life Insurance Quote.zip
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-01 10:53 - 2013-05-03 09:48 - 00000000 ____D C:\Users\Gary\AppData\Roaming\Skype
2016-04-01 10:52 - 2015-01-26 17:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-04-01 10:52 - 2012-11-04 15:47 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-01 10:52 - 2012-05-09 16:23 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-04-01 10:52 - 2011-05-19 13:26 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-04-01 10:06 - 2009-07-13 23:34 - 00022256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-01 10:06 - 2009-07-13 23:34 - 00022256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-01 10:04 - 2015-01-29 15:58 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-04-01 09:58 - 2012-04-25 13:34 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3826950993-1294746516-753834029-1001UA.job
2016-04-01 09:49 - 2012-11-04 15:47 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-01 09:49 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-18 10:49 - 2012-04-25 13:34 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3826950993-1294746516-753834029-1001Core.job
2016-03-16 04:46 - 2009-07-13 21:04 - 00000215 _____ C:\Windows\system.ini
2016-03-16 04:45 - 2011-03-14 07:56 - 00000000 ____D C:\Users\Gary
2016-03-15 13:28 - 2012-11-04 15:48 - 00002154 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-15 09:46 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\inf
2016-03-15 09:45 - 2011-10-26 06:43 - 00000000 ____D C:\Users\Gary\Documents\registry bu
2016-03-15 02:10 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2016-03-11 17:08 - 2015-05-28 16:43 - 00000000 ____D C:\ProgramData\Package Cache
2016-03-04 10:38 - 2011-04-20 11:20 - 00000000 ____D C:\Users\Gary\AppData\Local\Pogoplug
 
==================== Files in the root of some directories =======
 
2011-10-03 06:09 - 2015-03-11 16:44 - 0000163 _____ () C:\Users\Gary\AppData\Roaming\default.rss
2015-02-02 16:26 - 2015-02-02 16:27 - 0055630 _____ () C:\Users\Gary\AppData\Roaming\QBFileDrTool.log
2011-12-17 07:32 - 2015-06-29 07:05 - 0004608 _____ () C:\Users\Gary\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-03-17 15:24 - 2011-03-17 15:24 - 0000017 _____ () C:\Users\Gary\AppData\Local\resmon.resmoncfg
2012-01-27 15:40 - 2012-01-27 15:40 - 0017408 _____ () C:\Users\Gary\AppData\Local\WebpageIcons.db
2008-08-14 08:14 - 2008-08-14 08:14 - 0079240 ____N (Adobe Systems Incorporated) C:\ProgramData\adobetmp00011047
2015-06-23 10:38 - 2015-10-05 09:41 - 0000451 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Some files in TEMP:
====================
C:\Users\Gary\AppData\Local\Temp\SkypeSetup.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-03-11 04:15
 
==================== End of FRST.txt ============================


#6 teamplus (Topic Starter)

Posted 01 April 2016 - 11:30 AM

ComboFix 16-03-14.01 - Gary 03/16/2016   4:36.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1791.238 [GMT -5:00]
Running from: c:\users\Gary\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
FW: Kaspersky Internet Security *Disabled* {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}
SP: Kaspersky Internet Security *Disabled/Updated* {3D579475-6DDE-A186-1569-44B9F9DE8725}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Gary\AppData\Local\assembly\tmp
c:\users\Gary\g2mdlhlpx.exe
.
.
(((((((((((((((((((((((((   Files Created from 2016-02-16 to 2016-03-16  )))))))))))))))))))))))))))))))
.
.
2016-03-16 09:45 . 2016-03-16 09:45 -------- d-----w- c:\users\QBDataServiceUser25\AppData\Local\temp
2016-03-16 09:45 . 2016-03-16 09:45 -------- d-----w- c:\users\QBDataServiceUser24\AppData\Local\temp
2016-03-16 09:45 . 2016-03-16 09:45 -------- d-----w- c:\users\QBDataServiceUser22\AppData\Local\temp
2016-03-16 09:45 . 2016-03-16 09:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-03-15 14:17 . 2016-03-15 14:17 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8DA0325C-1A8B-4E52-A3CC-367110030FBC}\offreg.7816.dll
2016-03-15 14:16 . 2016-03-15 14:16 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-03-15 14:16 . 2016-03-15 14:16 -------- d-----w- c:\programdata\Malwarebytes
2016-03-15 14:16 . 2015-10-05 14:50 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-03-15 14:16 . 2015-10-05 14:50 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-03-15 14:16 . 2015-10-05 14:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-03-15 13:51 . 2016-03-15 13:52 -------- d-----w- C:\KVRT_Data
2016-03-14 17:36 . 2016-02-19 01:31 9067696 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8DA0325C-1A8B-4E52-A3CC-367110030FBC}\mpengine.dll
2016-03-11 22:08 . 2016-03-11 22:08 -------- d-----w- c:\users\Default\AppData\Roaming\RealNetworks
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-03-11 17:23 . 2012-05-09 21:23 797376 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-03-11 17:23 . 2011-05-19 18:26 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-03-01 15:11 . 2015-06-06 13:48 66976 ----a-w- c:\windows\system32\drivers\kldisk.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-06-16 21:31 1730264 ----a-w- e:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-06-16 21:31 1730264 ----a-w- e:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-06-16 21:31 1730264 ----a-w- e:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2741616]
"RemoTerm.exe"="c:\program files\Common Files\PCTV Systems\RemoTerm\RemoTerm.exe" [2010-06-10 226576]
"Pogoplug Backup"="c:\program files\PogoplugBackup\ppbrowser.exe" [2015-01-20 25249792]
"CCleaner Monitoring"="e:\program files\CCleaner\CCleaner.exe" [2015-01-20 5496600]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2016-02-10 50599552]
"GoogleChromeAutoLaunch_D8141F93E2B8BBDF887F2C7ECBC57A85"="c:\program files\Google\Chrome\Application\chrome.exe" [2016-02-18 746648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"NBAgent"="e:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" [2011-09-20 1493288]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-11-02 611712]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]
"TrueImageMonitor.exe"="e:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-11-10 5954016]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-11-10 403096]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2015-03-17 3776824]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2015-07-11 286272]
"FreeAgentTheaterTrayIcon"="e:\program files\Seagate\Seagate_Media\AgrregationStatus\StxMediaMenuMgr.exe" [2014-09-25 189480]
"RealDownloader"="c:\program files\RealNetworks\RealDownloader\downloader2.exe" [2016-02-24 720112]
.
c:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - e:\program files\Rainmeter\Rainmeter.exe [2015-2-1 36032]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Check for Updates.lnk - c:\program files\Common Files\PCTV Systems\WebUpdater\WebUpdater.exe -s -c -f="UpdateTVC6.xml" -p="TVCenter" -language=en -url=http://www.pctvsystems.com/Portals/pctv/WebUpdaterFiles [2009-4-17 238864]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2014-11-7 6306104]
Post-it® Digital Notes.lnk - e:\program files\3M\PDNotes\PDNotes.exe [2011-3-16 6849248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2015-3-17 1226568]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe -keephidden [2012-3-28 2938736]
QuickBooks_Standard_21.lnk - e:\program files\Intuit\QuickBooks Enterprise Solutions 15.0\QBW32.EXE -silent [2015-3-17 1537864]
RealTimes.lnk - c:\program files\Real\RealPlayer\RPDS\Bin\rpsystray.exe [2015-7-11 1132120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 12630324
*Deregistered* - 12630324
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ   nosGetPlusHelper
utcsvc REG_MULTI_SZ   DiagTrack
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 17:29 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-03-15 18:28 1106072 ----a-w- c:\program files\Google\Chrome\Application\49.0.2623.87\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2016-03-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 17:23]
.
2016-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-04 23:07]
.
2016-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-04 23:07]
.
2016-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3826950993-1294746516-753834029-1001Core.job
- c:\users\Gary\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-25 02:53]
.
2016-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3826950993-1294746516-753834029-1001UA.job
- c:\users\Gary\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-25 02:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Clip bookmark - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: Clip Image - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - c:\program files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office15\EXCEL.EXE/3000
IE: New Note - c:\program files\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office15\ONBttnIE.dll/105
Trusted Zone: google.com
Trusted Zone: totaltraining.com\www*
Trusted Zone: yahoo.com\search
TCP: DhcpNameServer = 192.168.1.254
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
Handler: intu-help-qb8 - {CD17C364-2EC8-4929-91A9-C4839A20E909} - e:\program files\Intuit\QuickBooks Enterprise Solutions 15.0\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\ss13hu8m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers- - (no file)
ShellIconOverlayIdentifiers- - (no file)
ShellIconOverlayIdentifiers- - (no file)
HKCU-Run-AdobeBridge - (no file)
SafeBoot-53962012.sys
AddRemove-25_escape - e:\program files\Samsung\Kies3\USB Drivers\25_escape\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3826950993-1294746516-753834029-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3826950993-1294746516-753834029-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-3826950993-1294746516-753834029-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9185CF0-3505-5AF1-77A7-FBB095035905}*]
@Allowed: (Read) (RestrictedCode)
"jamnlokmghhpekkoognd"=hex:6f,61,62,66,63,67,6b,6e,6b,61,68,6f,63,6e,6e,68,66,
   62,6c,70,66,67,67,68,67,6e,64,6b,61,64,00,01
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'lsass.exe'(952)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2016-03-16  04:48:05
ComboFix-quarantined-files.txt  2016-03-16 09:48
.
Pre-Run: 4,231,471,104 bytes free
Post-Run: 4,445,356,032 bytes free
.
- - End Of File - - F240FCA7EFE027B299ED460B17C7C739
A36C5E4F47E84449FF07ED3517B43A31


#7 teamplus (Topic Starter)

Posted 01 April 2016 - 11:38 AM

I was able to run the FRST scan.  Should I still do as you described before these txt postings?

Attached Files



#8 teamplus (Topic Starter)

Posted 01 April 2016 - 11:41 AM

BTW, the computer currently boots fully fine into Win 7, not just in safe mode. It connects to the internet and many programs run, but it cannot open some dialog windows such as Explorer, Control Panel, or Kaspersky, to name a few.



#9 Jo* (Malware Response Team)

Posted 01 April 2016 - 11:48 AM

The logs do not show why Explorer and other things do not work...

1. Try using "Last Known Good Configuration" (LKGC) as instructed in post #4.

2. Then start in normal mode and try to run FRST again.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#10 teamplus (Topic Starter)

Posted 01 April 2016 - 12:01 PM

Very good, thanks. I will post following LKGC.



#11 teamplus (Topic Starter)

Posted 01 April 2016 - 12:04 PM

After booting into LKGC the problems still exist: "No such interface supported".

And I tried to run FRST again from the Run box, but I get the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".


Edited by teamplus, 01 April 2016 - 12:12 PM.


#12 Jo* (Malware Response Team)

Posted 01 April 2016 - 12:07 PM

Restart your computer.

As the computer is starting, continue tapping F8 as before and select the "Repair your computer" option.

Start the Windows 7 recovery environment and try to run System Restore from there.

Choose a restore point that is more than 7 days old!

How is the PC running now?
Please try only one restore point and then post the results here!



#13 teamplus (Topic Starter)

Posted 01 April 2016 - 12:17 PM

I was just able to access the frst tool by booting to safe mode first.  Do you want me to run the frst and post before trying the recovery-environment option?



#14 Jo* (Malware Response Team)

Posted 01 April 2016 - 12:21 PM

No, we already have a FRST log from safe mode.

Try the recovery-environment option: try to run System Restore!



#15 teamplus (Topic Starter)

Posted 01 April 2016 - 12:30 PM

OK, will post back soon.





