Trojan Horse Ransomer.KZY per AVG


  • This topic is locked
10 replies to this topic

#1 Harsco

  • Members
  • 7 posts

Posted 02 April 2016 - 05:25 PM

AVG has detected the Trojan Horse Ransomer.KZY, showing the path as C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.29.5\GoogleCrashHandler.exe (3964). Submitting GoogleCrashHandler.exe to VirusTotal results in 1 of 55 AV programs finding a problem.

This is an older Gateway laptop running XP Pro. AVG heals the infection but it returns. Malwarebytes Pro does not find it. TDSSKiller finds nothing.

I need help removing the infection. Thanks


Edited by Harsco, 02 April 2016 - 05:48 PM.

#2 nasdaq

  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 April 2016 - 07:46 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Please post the logs.

Let me know what problems persist.
===
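A full FRST.txt runs to several hundred lines, and a malware-response volunteer reads a handful of them first. The script below is an added example written for this page; it is not part of the reply above and it is not FRST's own whitelist logic. It applies a few triage heuristics to lines in FRST's format: FRST's own "<======= ATTENTION" marker, "No File" dangling references, "[File not signed]" service and driver images, autostart entries whose image sits inside a user profile, DHCP-assigned DNS resolvers outside an assumed allow list, and services or drivers whose image is gone. The sample lines are copied from the FRST log posted later in this thread; the EXPECTED_DNS set, the rule names and the profile-path rule are assumptions of the example. A hit means "read this line", not "malicious": a per-user Google Update install legitimately runs from Local Settings\Application Data, for instance.

```python
"""Triage helper for FRST.txt output.

Added example for this thread, not FRST's own tooling. It pulls out the
lines a malware-response volunteer reads first. The rules are the editor's
heuristics; rule names, thresholds and the DNS allow list are assumptions.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumption: resolvers expected on this host. Any other non-private
# address handed out by DHCP is reported for review.
EXPECTED_DNS = {"8.8.8.8", "8.8.4.4"}

# Sample input: lines copied from the FRST log posted in this thread
# (a real FRST.txt is several hundred lines; these are the interesting ones).
SAMPLE_FRST_LOG = r"""
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3795880 2016-02-04] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-2501097327-1473050566-2286137979-500\...\Run: [Google Update] => C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [144200 2015-09-02] (Google Inc.)
AppInit_DLLs: ʨƫ 鷈ခ => No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Tcpip\Parameters: [DhcpNameServer] 167.88.120.47 8.8.8.8
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
R2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [172032 2011-12-23] (New Boundary Technologies, Inc.) [File not signed]
R0 Teefer; C:\WINDOWS\System32\Drivers\Teefer.sys [60496 2004-10-15] (Sygate Technologies, Inc.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
U4 intelppm; no ImagePath
S4 vsdatant;  [X]
"""

# HKLM\...\Run: [Name] => <image path> [size date] (Company)
RUN_KEY = re.compile(r"^HK\w+\\.*\\Run(?:Once)?: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
# A per-user profile directory (XP and Vista+ layouts); "All Users" is machine-wide.
USER_PROFILE = re.compile(r"\\(?:Documents and Settings|Users)\\(?!All Users\\)", re.I)
DNS_LINE = re.compile(r"^Tcpip\\.*\[DhcpNameServer\]\s+(?P<servers>.+)$")
# Service/driver entries whose image is gone: "S4 name;  [X]" or "U4 name; no ImagePath"
ORPHAN = re.compile(r"^[RSU]\d \S+;\s+(?:\[X\]|no ImagePath)")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (rule, line); a line can trigger several rules."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "<======= ATTENTION" in line:          # FRST's own marker
            findings.append({"rule": "frst_attention", "line": line})
        if re.search(r"\bNo File\b", line):       # registry points at a missing image
            findings.append({"rule": "dangling_reference", "line": line})
        if "[File not signed]" in line:           # unsigned service/driver image
            findings.append({"rule": "unsigned_image", "line": line})
        m = RUN_KEY.match(line)
        if m and USER_PROFILE.search(m.group("rest")):
            # Autostart from a user-writable location: review, not necessarily bad
            # (a per-user Google Update legitimately lives under the profile).
            findings.append({"rule": "autostart_from_user_profile", "line": line})
        m = DNS_LINE.match(line)
        if m:
            for ip in m.group("servers").split():
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    continue                      # not an address; ignore the token
                if ip in EXPECTED_DNS or addr.is_private:
                    continue
                findings.append({"rule": "unexpected_dns_server", "line": line, "value": ip})
        if ORPHAN.match(line):
            findings.append({"rule": "orphaned_service", "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick 'where do I look first' view."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST_LOG)
    for rule, n in sorted(summarize(hits).items()):
        print(f"{rule}: {n}")
    for f in hits:
        print(f"[{f['rule']}] {f['line'][:100]}")
```

Run it against a saved FRST.txt by reading the file into triage() instead of SAMPLE_FRST_LOG. The DNS rule is the one most worth adapting: on a home router the DHCP-assigned resolver is usually the router's own private address, so anything public that is not on the allow list deserves a look before the rest of the log.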

#3 Harsco

  • Topic Starter
  • Members
  • 7 posts

Posted 03 April 2016 - 09:15 AM

# AdwCleaner v5.108 - Logfile created 03/04/2016 at 09:46:14
# Updated 30/03/2016 by Xplode
# Database : 2016-03-30.1 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Administrator - YOUR-D514E9A1A9
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner_5.108.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\WordLayers
[-] Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh
[-] Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
[-] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Avg_Update_1015av
[-] Folder Deleted : C:\WINDOWS\system32\ARFC
[-] Folder Deleted : C:\WINDOWS\system32\WNLT

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Documents and Settings\Administrator\AppData\LocalLow\SkwConfig.bin
[-] File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ndibdjnfmopecpmkdieinmbadjfpblof_0.localstorage
[x] File Not Deleted : C:\WINDOWS\system32\ImhxxpComm.dll
***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
[-] Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\IM
[-] Key Deleted : HKCU\Software\ImInstaller
[-] Key Deleted : HKCU\Software\AVG Web TuneUp
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Viewpoint
[-] Key Deleted : HKLM\SOFTWARE\WNLT
[-] Key Deleted : HKU\.DEFAULT\Software\AVG Secure Search
[-] Key Deleted : HKU\.DEFAULT\Software\WNLT
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\dmwu.exe]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]

***** [ Web browsers ] *****

[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : banjjklfojcdbofbhbgiedekefohoaff
[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : flpcjncodpafbgdpnkljologafpionhb
[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : gjkpcnacdgdlpfejlgflolpaigoicibh
[-] [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : ndibdjnfmopecpmkdieinmbadjfpblof

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [5455 bytes] - [03/04/2016 09:46:14]
C:\AdwCleaner\AdwCleaner[S1].txt - [5659 bytes] - [03/04/2016 09:29:07]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [5601 bytes] ##########

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by Administrator (administrator) on YOUR-D514E9A1A9 (03-04-2016 10:00:23)
Running from C:\Documents and Settings\Administrator\Desktop\FARBAR Scan Tool
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Sygate Technologies, Inc.) C:\Program Files\Sygate\SPF\Smc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
() C:\WINDOWS\system32\WLTRYSVC.EXE
(Broadcom Corporation) C:\WINDOWS\system32\BCMWLTRY.EXE
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehSched.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(New Boundary Technologies, Inc.) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
(Microsoft Corporation) C:\WINDOWS\ehome\mcrdsvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(SigmaTel, Inc.) C:\WINDOWS\stsystra.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe
(Broadcom Corporation) C:\WINDOWS\system32\WLTRAY.EXE
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Google Inc.) C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.29.5\GoogleCrashHandler.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ehTray] => C:\WINDOWS\ehome\ehtray.exe [64512 2005-08-05] (Microsoft Corporation)
HKLM\...\Run: [Recguard] => C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-09-14] ()
HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [45056 2006-01-02] (ATI Technologies Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\WINDOWS\stsystra.exe [413696 2005-12-27] (SigmaTel, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [1236992 2005-11-12] (Broadcom Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SmcService] => C:\Program Files\Sygate\SPF\Smc.exe [2577632 2004-10-15] (Sygate Technologies, Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3795880 2016-02-04] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SynTPLpr] => C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [98394 2004-10-08] (Synaptics, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [688218 2004-10-08] (Synaptics, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [595480 2016-03-20] (Oracle Corporation)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2006-04-05] (ATI Technologies Inc.)
HKU\S-1-5-21-2501097327-1473050566-2286137979-500\...\Run: [Google Update] => C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [144200 2015-09-02] (Google Inc.)
HKU\S-1-5-21-2501097327-1473050566-2286137979-500\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\gtw_logo.scr [1239209 2006-02-06] ()
HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect"
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
AppInit_DLLs: ʨƫ 鷈ခ => No File
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 167.88.120.47 8.8.8.8
Tcpip\..\Interfaces\{00994B1D-9782-4416-9537-E21E7E89C70D}: [DhcpNameServer] 167.88.120.47 8.8.8.8

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6439
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6439
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKU\S-1-5-21-2501097327-1473050566-2286137979-500\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKU\S-1-5-21-2501097327-1473050566-2286137979-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://news.google.com/nwshp?hl=en&tab=wn
SearchScopes: HKLM -> DefaultScope {45A74088-C57D-4454-B815-951D188550AC} URL =
SearchScopes: HKU\S-1-5-21-2501097327-1473050566-2286137979-500 -> Google URL = hxxp://www.google.com/search?sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&q=%s
BHO: HelperObject Class -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-10-14] (TechSmith Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-04-02] (Oracle Corporation)
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> c:\windows\system32\BAE.dll [2006-01-31] (Gateway Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-04-02] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2013-10-08] (Adblock Plus)
Toolbar: HKLM - SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-10-14] (TechSmith Corporation)
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2501097327-1473050566-2286137979-500 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL [2001-01-21] (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2001-06-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-04-01] ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2014-02-17] (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-04-02] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2014-02-17] (Tracker Software Products (Canada) Ltd.)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2501097327-1473050566-2286137979-500: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2014-02-17] (Tracker Software Products (Canada) Ltd.)
FF Plugin HKU\S-1-5-21-2501097327-1473050566-2286137979-500: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin HKU\S-1-5-21-2501097327-1473050566-2286137979-500: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll [2014-02-17] (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2015-01-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2015-01-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2015-01-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2015-01-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2015-01-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2015-01-23] (Apple Inc.)
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\duckduckgo.xml [2014-02-02]
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\ixquick.xml [2014-02-02]
FF Extension: BetterPrivacy - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2015-12-07]
FF Extension: WOT - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-12-10]
FF Extension: All-in-One Sidebar - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi [2016-01-10]
FF Extension: NoScript - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-04-01]
FF Extension: Ghostery - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\Extensions\firefox@ghostery.com.xpi [2016-04-01]
FF Extension: Adblock Plus - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-01]
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-04-01] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-12-23] [not signed]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://google.com/"
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\gcswf32.dll => No File
CHR Plugin: (Native Client) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\pdf.dll => No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\plugins/avgnpss.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\\npsitesafety.dll => No File
CHR Plugin: (Java™ Platform SE 6 U33) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.330.3) - C:\WINDOWS\system32\npdeployJava1.dll => No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-16]
CHR Extension: (Adblock Plus) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-07-09]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-16]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-28]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-16]
StartMenuInternet: Google Chrome.VJ4XP7FDMPNJLPXQ47YFOAQ3G4 - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-11-17] (SUPERAntiSpyware.com)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3646888 2016-02-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [335656 2016-02-04] (AVG Technologies CZ, s.r.o.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S3 MHN; C:\WINDOWS\System32\mhn.dll [85504 2004-08-10] (Microsoft Corporation) [File not signed]
R2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [172032 2011-12-23] (New Boundary Technologies, Inc.) [File not signed]
R2 SmcService; C:\Program Files\Sygate\SPF\smc.exe [2577632 2004-10-15] (Sygate Technologies, Inc.)
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1093632 2005-11-12] (Broadcom Corporation) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2004-08-10] (Microsoft Corporation)
R1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [36864 2006-06-19] (Advanced Micro Devices)
R2 ASCTRM; C:\WINDOWS\system32\Drivers\ASCTRM.sys [8552 2011-12-23] (Windows ® 2000 DDK provider) [File not signed]
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [240048 2015-12-16] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [223152 2016-01-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-25] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [234416 2015-12-16] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [193456 2016-01-22] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [230832 2015-08-04] (AVG Technologies CZ, s.r.o.)
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [424320 2005-11-02] (Broadcom Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-04-03] (Malwarebytes)
S3 MHNDRV; C:\WINDOWS\System32\DRIVERS\mhndrv.sys [11008 2004-08-10] (Microsoft Corporation) [File not signed]
S3 mxnic; C:\WINDOWS\System32\DRIVERS\mxnic.sys [19968 2001-08-17] (Macronix International Co., Ltd.)
S1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 StarOpen; C:\WINDOWS\system32\Drivers\StarOpen.sys [13120 2013-08-25] ()
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1179784 2006-06-15] (SigmaTel, Inc.)
R0 Teefer; C:\WINDOWS\System32\Drivers\Teefer.sys [60496 2004-10-15] (Sygate Technologies, Inc.) [File not signed]
S3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
R2 wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [14568 2004-10-15] (Sygate Technologies, Inc.)
R2 wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [14568 2004-10-15] (Sygate Technologies, Inc.)
R2 wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [14568 2004-10-15] (Sygate Technologies, Inc.)
R2 wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [14568 2004-10-15] (Sygate Technologies, Inc.)
R1 wpsdrvnt; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [21075 2004-10-15] (Sygate Technologies, Inc.) [File not signed]
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [245248 2006-05-23] (Marvell)
U4 intelppm; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S4 vsdatant;  [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-03 09:59 - 2016-04-03 10:00 - 00000000 ____D C:\FRST
2016-04-03 09:58 - 2016-04-03 10:00 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\FARBAR Scan Tool
2016-04-03 09:27 - 2016-04-03 09:46 - 00000000 ____D C:\AdwCleaner
2016-04-03 09:13 - 2016-04-03 09:14 - 03102720 _____ C:\Documents and Settings\Administrator\Desktop\adwcleaner_5.108.exe
2016-04-02 18:41 - 2016-04-02 18:51 - 00419450 _____ C:\TDSSKiller.3.1.0.9_02.04.2016_18.41.12_log.txt
2016-04-02 18:37 - 2016-04-02 18:39 - 00147458 _____ C:\TDSSKiller.3.1.0.9_02.04.2016_18.37.15_log.txt
2016-04-02 12:57 - 2016-04-02 12:56 - 00000744 _____ C:\Documents and Settings\Administrator\Desktop\javatmp.lnk
2016-04-02 12:55 - 2016-04-02 12:55 - 00000000 ____D C:\Program Files\Common Files\Java
2016-04-01 23:55 - 2016-04-01 23:55 - 00000719 _____ C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
2016-04-01 23:55 - 2016-04-01 23:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
2016-04-01 23:37 - 2016-03-31 00:51 - 253872593 _____ C:\Documents and Settings\Administrator\Desktop\Watch One Little Pill Online Vimeo On Demand on Vimeo.mp4
2016-04-01 21:56 - 2016-04-01 21:58 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-04-01 19:44 - 2016-04-01 19:48 - 00419894 _____ C:\TDSSKiller.3.1.0.9_01.04.2016_19.44.12_log.txt
2016-04-01 19:36 - 2016-04-01 19:41 - 00288326 _____ C:\TDSSKiller.3.1.0.9_01.04.2016_19.36.22_log.txt
2016-04-01 19:30 - 2016-04-01 19:31 - 00004198 _____ C:\TDSSKiller.3.0.0.41_01.04.2016_19.30.16_log.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-03 10:01 - 2004-10-27 21:26 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2016-04-03 09:50 - 2011-12-23 02:46 - 00003896 _____ C:\WINDOWS\ModemLog_Motorola SM56 Data Fax Modem.txt
2016-04-03 09:49 - 2014-07-24 19:30 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-04-03 09:49 - 2004-10-27 21:14 - 00000000 ____D C:\WINDOWS\Registration
2016-04-03 09:48 - 2015-11-01 15:51 - 00000618 _____ C:\WINDOWS\Tasks\AVG_SYS_TASK_1015av.job
2016-04-03 09:48 - 2015-11-01 15:51 - 00000590 _____ C:\WINDOWS\Tasks\AVG_SYS_TASK_1015av_VALID.job
2016-04-03 09:48 - 2015-11-01 15:51 - 00000502 _____ C:\WINDOWS\Tasks\AVG_SYS_TASK_1015av_DELETE.job
2016-04-03 09:48 - 2004-10-27 21:26 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-03 09:47 - 2004-10-27 21:26 - 00032498 _____ C:\WINDOWS\SchedLgU.Txt
2016-04-03 09:47 - 2004-10-27 21:26 - 00000278 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-04-03 09:31 - 2012-08-01 14:49 - 00001010 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2501097327-1473050566-2286137979-500UA.job
2016-04-03 08:48 - 2014-02-02 19:44 - 00000000 ____D C:\Utilities
2016-04-03 08:38 - 2011-12-23 09:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2016-04-02 23:31 - 2012-08-01 14:49 - 00000958 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2501097327-1473050566-2286137979-500Core.job
2016-04-02 18:39 - 2011-12-23 13:21 - 00065536 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2016-04-02 18:39 - 2004-10-27 21:26 - 00000000 ____D C:\Documents and Settings\Administrator
2016-04-02 13:02 - 2013-09-28 22:20 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\vlc
2016-04-02 12:56 - 2015-03-21 11:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Oracle
2016-04-02 12:56 - 2014-10-30 20:03 - 00000000 ____D C:\Program Files\Java
2016-04-02 12:56 - 2014-10-30 20:03 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2016-04-02 12:55 - 2015-09-02 21:18 - 00000000 ____D C:\Documents and Settings\Administrator\.oracle_jre_usage
2016-04-02 12:54 - 2014-10-30 20:04 - 00153088 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2016-04-02 12:54 - 2014-10-30 20:03 - 00095808 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2016-04-02 09:01 - 2015-03-28 09:46 - 00000702 _____ C:\Documents and Settings\All Users\Desktop\AVG 2015.lnk
2016-04-02 09:00 - 2004-10-27 13:54 - 00000000 ___HD C:\WINDOWS\inf
2016-04-01 23:53 - 2013-09-28 22:07 - 00000000 ____D C:\Program Files\VideoLAN
2016-04-01 23:28 - 2014-02-02 16:59 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-04-01 23:28 - 2014-02-02 12:06 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-04-01 23:15 - 2014-02-01 13:56 - 00000000 ____D C:\Program Files\MyDefrag v4.3.1
2016-04-01 22:09 - 2012-05-07 07:11 - 00797376 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-04-01 22:09 - 2011-12-23 10:18 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-04-01 22:03 - 2014-09-11 15:07 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2016-04-01 21:38 - 2015-07-31 13:35 - 00040924 __RSH C:\Documents and Settings\All Users\ntuser.pol
2016-04-01 21:38 - 2014-02-02 16:47 - 00000000 ____D C:\Program Files\SpywareBlaster
2016-04-01 21:38 - 2013-09-28 22:03 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\TEMP
2016-04-01 21:38 - 2004-10-27 14:06 - 00000000 ____D C:\Documents and Settings\All Users
2016-04-01 20:08 - 2013-10-31 10:08 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-04-01 19:57 - 2011-12-23 02:24 - 141270216 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-04-01 19:49 - 2004-10-27 14:07 - 00522918 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-04-01 19:35 - 2014-11-17 22:48 - 04727984 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
2016-04-01 17:57 - 2011-12-23 02:09 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB972270_0$
2016-04-01 17:30 - 2012-08-01 14:51 - 00002350 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Google Chrome.lnk
2016-04-01 17:30 - 2012-08-01 14:51 - 00002344 _____ C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
2016-04-01 17:15 - 2014-07-24 19:29 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-01 17:15 - 2014-07-24 19:29 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-04-01 17:15 - 2014-07-24 19:29 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-01 17:03 - 2004-10-27 20:52 - 00001170 _____ C:\WINDOWS\system32\wpa.dbl
2016-03-10 14:09 - 2014-07-24 19:29 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-03-10 14:08 - 2014-07-24 19:29 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys

==================== Files in the root of some directories =======

2004-10-27 21:26 - 2014-02-01 20:32 - 0001489 _____ () C:\Program Files\Windows Explorer.lnk
2011-12-23 08:54 - 2013-04-09 15:03 - 0009728 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-11 23:33 - 2012-08-11 23:33 - 0027520 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\dt.dat
2012-05-29 21:24 - 2012-05-29 21:24 - 0000136 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat

Some files in TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\libeay32.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\msvcr120.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================


Edited by Harsco, 03 April 2016 - 10:36 AM.


#4 Harsco

Harsco
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 03 April 2016 - 09:16 AM

Not sure why the formatting was lost !



#5 Harsco

Harsco
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 03 April 2016 - 09:20 AM

Content deleted via Edit


Edited by Harsco, 03 April 2016 - 09:24 AM.


#6 Harsco

Harsco
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 03 April 2016 - 09:29 AM

Files are Attached




#7 Harsco

Harsco
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 03 April 2016 - 10:32 AM

I did a cold reboot and immediately ran AVG...   Nothing found.   At this point it looks like the problem has been solved.  Many thanks for your quick response and excellent help.


Do you recommend any additional clean up?



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:51 PM

Posted 03 April 2016 - 10:48 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect"
AppInit_DLLs: ?t ?? => No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2501097327-1473050566-2286137979-500 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\duckduckgo.xml [2014-02-02]
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\ixquick.xml [2014-02-02]
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\gcswf32.dll => No File
CHR Plugin: (Native Client) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\pdf.dll => No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\plugins/avgnpss.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\\npsitesafety.dll => No File
CHR Plugin: (Java Platform SE 6 U33) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.330.3) - C:\WINDOWS\system32\npdeployJava1.dll => No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => No File
CHR Extension: (Google Wallet) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-28]
U4 intelppm; no ImagePath
S4 vsdatant;  [X]
U1 WS2IFSL; no ImagePath
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:373E1720 [120]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 [134]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

How is the computer running now?
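As an added example, not code from this thread or from FRST itself: a small Python parser for the result section of a Fixlog.txt like the one requested above. It skips the echoed fixlist, tallies which actions actually removed or moved something, which targets were already gone, how much temp data was emptied, and whether a reboot was required; the sample log is constructed from lines on this page and trimmed.

```python
"""Added example (not from the thread or FRST): summarise the result section
of an FRST Fixlog.txt so a reviewer sees what was removed and what was absent."""
import re

# Constructed sample in the shape of the Fixlog posted in this thread (trimmed).
SAMPLE_FIXLOG = r"""fixlist content:
*****************
HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect"
End
*****************
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpUninstallDeleteDir => value removed successfully.
"?t ??" => Value data not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => not found.
intelppm => service removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":373E1720" ADS removed successfully..
EmptyTemp: => 66.6 MB temporary data Removed.
The system needed a reboot.
"""

# A result line is "<target> => <outcome>" with zero or more trailing periods.
RESULT_RE = re.compile(r'^(?P<target>.+?) => (?P<outcome>.+?)\.*$')
ADS_RE = re.compile(r'^"(:[0-9A-Za-z]+)" ADS')
TEMP_RE = re.compile(r'([\d.]+) MB temporary data')


def classify(outcome):
    """Map an FRST outcome phrase onto a coarse bucket."""
    o = outcome.lower()
    if 'not found' in o:
        return 'not_found'
    if 'removed successfully' in o or 'moved successfully' in o:
        return 'fixed'
    return 'temp' if 'temporary data removed' in o else 'other'


def parse_fixlog(text):
    """Return a summary dict for the result section of a Fixlog."""
    report = {'fixed': [], 'not_found': [], 'other': [],
              'temp_mb': 0.0, 'restore_point': False, 'reboot': False}
    in_fixlist, stars = False, 0
    for raw in text.splitlines():
        line = raw.strip()
        # The echoed fixlist sits between two '*****' rules; its RunOnce entry
        # also contains ' => ', so it must not be parsed as a result line.
        if line.startswith('fixlist content:'):
            in_fixlist, stars = True, 0
            continue
        if in_fixlist:
            if line.startswith('*****'):
                stars += 1
                in_fixlist = stars < 2
            continue
        report['restore_point'] |= line.startswith('Restore point was successfully created')
        report['reboot'] |= line.startswith('The system needed a reboot')
        m = RESULT_RE.match(line)
        if not m:
            continue  # plain status lines such as "Processes closed successfully."
        target, outcome = m.group('target').strip('"'), m.group('outcome')
        kind = classify(outcome)
        if kind == 'temp':
            t = TEMP_RE.search(outcome)
            report['temp_mb'] = float(t.group(1)) if t else 0.0
        else:
            ads = ADS_RE.match(outcome)
            if ads:  # record the stream name, not just its host file
                target += ads.group(1)
            report[kind].append(target)
    return report
```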

#9 Harsco

Harsco
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 03 April 2016 - 11:09 AM

The computer rebooted and seems to be running normally with no problems.


Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by Administrator (2016-04-03 11:58:49) Run:1
Running from C:\Documents and Settings\Administrator\Desktop\FARBAR Scan Tool
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect"
AppInit_DLLs: ?t ?? => No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2501097327-1473050566-2286137979-500 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\duckduckgo.xml [2014-02-02]
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\ixquick.xml [2014-02-02]
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\gcswf32.dll => No File
CHR Plugin: (Native Client) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\pdf.dll => No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\plugins/avgnpss.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\\npsitesafety.dll => No File
CHR Plugin: (Java Platform SE 6 U33) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.330.3) - C:\WINDOWS\system32\npdeployJava1.dll => No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => No File
CHR Extension: (Google Wallet) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-28]
U4 intelppm; no ImagePath
S4 vsdatant;  [X]
U1 WS2IFSL; no ImagePath
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:373E1720 [120]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 [134]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SpUninstallDeleteDir => value removed successfully.
"?t ??" => Value data not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKU\S-1-5-21-2501097327-1473050566-2286137979-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
"HKCR\PROTOCOLS\Handler\linkscanner" => key removed successfully.
HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => key not found.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\duckduckgo.xml => moved successfully
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0ouuud2y.default\searchplugins\ixquick.xml => moved successfully
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll => not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\gcswf32.dll => not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\ppGoogleNaClPluginChrome.dll => not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\49.0.2623.110\pdf.dll => not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\plugins/avgnpss.dll => not found.
C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll => not found.
C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\\npsitesafety.dll => not found.
C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll => not found.
C:\WINDOWS\system32\npdeployJava1.dll => not found.
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
intelppm => service removed successfully.
vsdatant => service removed successfully.
WS2IFSL => service removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":373E1720" ADS removed successfully..
C:\Documents and Settings\All Users\Application Data\TEMP => ":5C321E34" ADS removed successfully..
EmptyTemp: => 66.6 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 11:59:26 ====


Edited by Harsco, 03 April 2016 - 11:21 AM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:51 PM

Posted 03 April 2016 - 12:29 PM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:51 PM

Posted 09 April 2016 - 08:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



