
possible TDL4 rootkit - error code 0x8000704ec - can't install programs.


  • This topic is locked
3 replies to this topic

#1 gizzgog

gizzgog

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:00 PM

Posted 04 April 2016 - 04:48 PM

Chrome was uninstalled without my permission. I couldn't say if it was done by someone else, but I turned it on and it was gone. Links didn't work.

 

When I try to install Chrome, I get an error as soon as it starts to install.

 

I can't update my computer. I get the error C1900101-30017, and also 80080005 when I try manually.

I want to install Windows 10, but that fails too.

 

When I try to start Windows Defender (because it is turned off), I get the error code 0x800704ec.

 

IE also crashes a lot.

So does Maxthon.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by Kevin (administrator) on KEVIN-PC (04-04-2016 22:34:31)
Running from C:\Users\Kevin\Desktop
Loaded Profiles: Kevin & postgres (Available Profiles: Kevin & postgres)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe" "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(IObit) C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
(                                                                                                    ) C:\Windows\Temp\mrt623B.tmp\stdrt.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Akamai Technologies, Inc.) C:\Users\Kevin\AppData\Local\Akamai\netsession_win.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe
(Akamai Technologies, Inc.) C:\Users\Kevin\AppData\Local\Akamai\netsession_win.exe
(Alienware) C:\Program Files\Alienware\Command Center\AWCCServiceController.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Alienware) C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Motorola, Inc.) C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Alienware) C:\Program Files\Alienware\Command Center\ThermalController.exe
(Motorola, Inc.) C:\Program Files\Motorola\Bluetooth\obexsrv.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\Monitor.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Flexera Software LLC) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
(AVG Secure Search) C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Alienware) C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
(Alienware) C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher64.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
(Joyent, Inc) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe
(IObit) C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\CCLibrary.exe
(Joyent, Inc) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\libs\node.exe
(Microsoft Corporation) C:\Windows\ehome\mcupdate.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\ehome\ehsched.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Windows\ehome\ehrec.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\schtasks.exe
(Microsoft Corporation) C:\Windows\SysWOW64\schtasks.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASC.exe
(Microsoft Corporation) C:\Windows\ehome\mcupdate.exe
(Microsoft Corporation) C:\Windows\SysWOW64\schtasks.exe
(Microsoft Corporation) C:\Windows\SysWOW64\schtasks.exe
(Maxthon International ltd.) C:\Users\Kevin\AppData\Roaming\Maxthon3\Public\MxUp\MxUp.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Speedbit Ltd.) C:\Program Files (x86)\DAP\DAP.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16407296 2015-12-20] (Realtek Semiconductor)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Command Center Controllers] => C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe [12656 2012-06-18] (Alienware)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-01-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-07-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [3175312 2015-07-27] ()
HKLM-x32\...\Run: [IObit Malware Fighter] => C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [5889824 2015-07-28] (IObit)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-08-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2312896 2016-02-12] (Adobe Systems Incorporated)
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3077712 2016-03-31] (Valve Corporation)
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Run: [Xvid] => C:\Program Files (x86)\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Kevin\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Run: [Advanced SystemCare 9] => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe [2019616 2016-01-11] (IObit)
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Run: [tsiVideo] => C:\Windows\SysWOW64\rundll32.exe C:\Users\Kevin\AppData\Local\Temp\mdi164.dll,quardin <===== ATTENTION
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Run: [BitTorrent] => C:\Users\Kevin\AppData\Roaming\BitTorrent\BitTorrent.exe [1930760 2016-03-05] (BitTorrent Inc.)
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Policies\Explorer: [NoSaveSettings] 1
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [2015-08-19]
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk [2015-08-19]
ShortcutTarget: Adobe Reader Synchronizer.lnk -> C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{284FB47B-F6BA-4F20-8185-057CF4D3C919}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4178244223-4248397489-11300439-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/
SearchScopes: HKU\S-1-5-21-4178244223-4248397489-11300439-1000 -> DefaultScope {CD5C9A55-006B-4551-B562-09768149AB5F} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-4178244223-4248397489-11300439-1000 -> {5B30812C-0454-4F1C-9EA0-7D4E9DAAA532} URL = hxxps://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=502468&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4178244223-4248397489-11300439-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={BBE531C9-F81D-4C1A-A5E4-43E650447E05}&mid=9e822614378947cda9e82104e4394825-81de85a1ebc2ec2c0e86800161eb65acb73fa9ee&lang=en&ds=AVG&coid=avgtbavg&cmpid=0215pit&pr=fr&d=2015-05-23 19:54:32&v=4.1.0.411&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4178244223-4248397489-11300439-1000 -> {CD5C9A55-006B-4551-B562-09768149AB5F} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2015-11-12] (IObit)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22] (Adobe Systems Incorporated)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.1.5.143\AVG Web TuneUp.dll [2015-07-27] (AVG)
BHO-x32: Advanced SystemCare Surfing Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll [2015-07-09] (IObit)
BHO-x32: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files (x86)\DAP\LinkVerifier.dll [2016-01-17] (Speedbit Ltd.)
IE Session Restore: HKU\S-1-5-21-4178244223-4248397489-11300439-1000 -> is enabled.

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_197.dll [2016-03-26] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-03-26] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF HKLM\...\Firefox\Extensions: [{0FD73C37-BFEC-4F71-9758-96116C7B4DBE}] - C:\Program Files\groover050220161742\Firefox\{0FD73C37-BFEC-4F71-9758-96116C7B4DBE}.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [daplinkchecker@speedbit.com] - C:\Program Files (x86)\DAP\daplinkchecker
FF Extension: DAP Link Checker - C:\Program Files (x86)\DAP\daplinkchecker [2016-01-17] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{0FD73C37-BFEC-4F71-9758-96116C7B4DBE}] - C:\Program Files\groover050220161742\Firefox\{0FD73C37-BFEC-4F71-9758-96116C7B4DBE}.xpi => not found

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-05]
CHR Extension: (Google Drive) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-23]
CHR Extension: (YouTube) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Download Accelerator Plus (DAP)) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb [2016-01-17]
CHR Extension: (Google Docs Offline) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-27]
CHR Extension: (Pin It Button) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2016-01-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-14]
CHR Extension: (Gmail) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-05]
CHR HKLM-x32\...\Chrome\Extension: [ffdcfjdljhbehggjdkdioajnknjcpbjb] - C:\Program Files (x86)\DAP\DAPChrome\DAPChrome6.crx [2016-01-17]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AdAppMgrSvc; C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [1139744 2015-11-17] (Autodesk Inc.)
S2 Adobe Licensing Console; C:\Windows\SysWOW64\lnsecsl.exe [1203587 2016-03-14] (                                                                                                    ) [File not signed] <==== ATTENTION
R2 AdvancedSystemCareService9; C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe [446240 2016-01-05] (IObit)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2020056 2016-02-09] (Adobe Systems, Incorporated)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2015-05-23] (Macrovision Europe Ltd.) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [882464 2015-07-17] (IObit)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2945312 2016-01-14] (IObit)
S3 mi-raysat_3dsmax2016_64; C:\Program Files\Autodesk\3ds Max 2016\NVIDIA\Satellite\raysat_3dsmax2016_64server.exe [86016 2011-09-15] () [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2016-02-11] ()
S3 SysSecure; C:\Windows\SysSecure1.0.0.4\SysSecure.exe [7168 2016-03-06] () [File not signed]
S3 vToolbarUpdater18.8.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.8.0\ToolbarUpdater.exe [1874320 2015-07-27] (AVG Secure Search)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [1195920 2015-07-27] ()

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [162784 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [256992 2015-04-15] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [378336 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [224224 2015-05-12] (AVG Technologies CZ, s.r.o.)
R1 bsdriver; C:\Windows\system32\drivers\bsdriver.sys [34712 2016-02-05] ()
S3 cpuz137; no ImagePath
S3 cpuz138; C:\Users\Kevin\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2016-03-12] (CPUID)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S4 FileMonitor; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [23048 2015-03-25] (IObit)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-06-19] (REALiX™)
S3 PSSDKLBF; C:\Windows\system32\Drivers\pssdklbf.sys [65600 2015-08-18] (microOLAP Technologies LTD)
S3 RecFltr; C:\Windows\System32\drivers\RecFltr.sys [44800 2015-06-19] (Razer USA Ltd.)
R3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [34848 2015-03-25] (IObit.com)
S3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [926824 2014-04-08] (Realtek Semiconductor Corporation                           )
R3 RtlWlanu; C:\Windows\System32\DRIVERS\RTWlanU.sys [2990808 2015-08-30] (Realtek Semiconductor Corporation                           )
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [21184 2014-06-04] (IObit)
S3 UrlFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [23016 2015-03-25] (IObit.com)
S4 AVGIDSDriver; system32\DRIVERS\avgidsdrivera.sys [X]
S4 AVGIDSHA; system32\DRIVERS\avgidsha.sys [X]
S4 Avgrkx64; system32\DRIVERS\avgrkx64.sys [X]
S4 Avgtdia; system32\DRIVERS\avgtdia.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-04 22:34 - 2016-04-04 22:34 - 00018811 _____ C:\Users\Kevin\Desktop\FRST.txt
2016-04-04 22:34 - 2016-04-04 22:34 - 00000000 ____D C:\FRST
2016-04-04 22:30 - 2016-04-04 22:31 - 02374144 _____ (Farbar) C:\Users\Kevin\Desktop\FRST64.exe
2016-04-04 22:30 - 2016-04-04 22:30 - 00000000 ____D C:\Users\Kevin\Desktop\Plugins
2016-04-04 17:51 - 2016-04-04 22:26 - 00001083 _____ C:\Users\Public\Desktop\Maxthon Cloud Browser.lnk
2016-04-04 17:51 - 2016-04-04 17:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maxthon Cloud Browser
2016-04-04 17:50 - 2016-04-04 22:26 - 00000000 ____D C:\Program Files (x86)\Maxthon
2016-04-04 17:10 - 2016-04-04 17:13 - 46798944 _____ (Maxthon International ltd.) C:\Users\Kevin\Desktop\mx4.9.1.1000.exe
2016-03-31 14:09 - 2016-03-31 14:10 - 00086154 _____ C:\Windows\ntbtlog.txt
2016-03-31 13:45 - 2015-01-10 15:32 - 00128288 _____ (IObit) C:\Windows\SysWOW64\IObitSmartDefragExtension.dll
2016-03-31 13:43 - 2016-03-31 13:44 - 00000000 ____D C:\Program Files\Reimage
2016-03-31 13:43 - 2016-03-31 13:43 - 00000000 ____D C:\rei
2016-03-31 13:43 - 2016-03-31 13:43 - 00000000 ____D C:\ProgramData\Reimage Protector
2016-03-31 13:43 - 2016-03-31 13:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
2016-03-31 13:42 - 2016-03-31 13:59 - 00000099 _____ C:\Windows\Reimage.ini
2016-03-31 13:36 - 2016-03-31 13:36 - 00000000 ____D C:\Users\Kevin\AppData\Local\Apps\2.0
2016-03-31 13:35 - 2016-03-31 18:41 - 00000000 ____D C:\Users\Kevin\AppData\Local\Deployment
2016-03-26 20:42 - 2016-03-26 20:42 - 05306560 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2016-03-26 11:45 - 2016-03-26 11:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2016-03-25 18:28 - 2016-03-25 18:28 - 00000000 _____ C:\Windows\SysWOW64\x64.txt
2016-03-19 12:50 - 2016-03-19 12:50 - 00000000 ____D C:\Windows\SysSecure1.0.0.4
2016-03-19 12:47 - 2016-03-19 12:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID
2016-03-19 12:47 - 2016-03-19 12:47 - 00000000 ____D C:\Program Files\CPUID
2016-03-19 12:46 - 2016-03-19 12:47 - 00000000 ____D C:\Program Files (x86)\WindowPolicies
2016-03-14 15:27 - 2016-03-19 15:41 - 00000000 ____D C:\Users\Kevin\Documents\OpenRCT2
2016-03-14 15:27 - 2016-03-14 15:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenRCT2
2016-03-14 15:27 - 2016-03-14 15:27 - 00000000 ____D C:\Program Files (x86)\OpenRCT2
2016-03-14 14:45 - 2016-03-14 14:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-03-14 14:45 - 2016-03-14 14:45 - 00000000 ____D C:\GOG Games
2016-03-14 14:44 - 2016-03-14 14:44 - 07033952 _____ (OpenRCT2 Developers) C:\Users\Kevin\Downloads\OpenRCT2-0.0.4.0-develop-a3efbad-windows.exe
2016-03-14 11:19 - 2016-03-14 12:33 - 00000000 ____D C:\Program Files (x86)\QuickSearch
2016-03-14 11:16 - 2016-03-14 11:16 - 00000000 ____D C:\Windows\SysWOW64\Policies2022
2016-03-14 11:13 - 2016-03-14 11:15 - 00000000 ____D C:\Users\Kevin\Downloads\rollercoaster_tycoon_2
2016-03-14 11:13 - 2016-03-14 11:13 - 01203587 _____ ( ) C:\Windows\SysWOW64\lnsecsl.exe
2016-03-14 11:12 - 2016-03-14 11:12 - 00000000 ____D C:\Windows\SysWOW64\Policies2021
2016-03-13 15:11 - 2016-03-13 15:11 - 00000672 _____ C:\Windows\system32\https--www.google.co.uk-urlsa=i&rct=j&q=&esrc=s&source=images&cd=&ved=&url=https%3A%2F%2Fupload.wikimedia.org%2Fwikipedia%2Fcommons%2F6.jpg&psig=AFQjCNFoWQJv_fxBfAL8eobQMv_cVx4bMQ&ust=1457964633719912.lnk
2016-03-11 14:52 - 2016-03-13 23:25 - 00001131 _____ C:\Windows\SysWOW64\nativelog.txt
2016-03-08 12:51 - 2016-03-08 12:51 - 00000000 _____ C:\Windows\ViewNX2.INI
2016-03-08 09:57 - 2016-03-08 10:10 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\WindSolutions
2016-03-08 09:57 - 2016-03-08 10:10 - 00000000 ____D C:\ProgramData\WindSolutions
2016-03-08 09:57 - 2016-03-08 09:57 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CopyTrans Control Center

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-04 22:31 - 2016-03-04 23:31 - 00000000 ____D C:\Users\Kevin\Desktop\fbx
2016-04-04 22:30 - 2015-08-20 09:54 - 00000000 ____D C:\ProgramData\TEMP
2016-04-04 21:42 - 2015-05-28 18:06 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-04-04 21:34 - 2009-07-14 05:45 - 00021296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-04 21:34 - 2009-07-14 05:45 - 00021296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-04 18:39 - 2015-08-19 12:21 - 00000000 ____D C:\Program Files (x86)\Steam
2016-04-04 17:51 - 2015-05-23 19:28 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\Maxthon3
2016-04-04 17:09 - 2016-03-03 21:55 - 00000000 ____D C:\Users\Kevin\AppData\Local\CrashDumps
2016-04-04 12:41 - 2015-11-07 13:36 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\BitTorrent
2016-04-04 12:38 - 2009-07-14 06:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-04 12:38 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-04-04 12:35 - 2015-05-28 18:04 - 00000000 ____D C:\Users\Kevin\AppData\Local\Adobe
2016-04-04 12:33 - 2015-06-19 06:45 - 00000000 ____D C:\ProgramData\ProductData
2016-04-04 12:32 - 2015-08-20 03:19 - 00000351 _____ C:\prefs.js
2016-04-04 12:31 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-01 15:56 - 2015-06-27 10:48 - 00000000 ____D C:\Program Files (x86)\Google
2016-03-31 13:45 - 2015-06-19 08:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Defrag 4
2016-03-31 13:39 - 2015-05-23 17:13 - 00000000 ____D C:\Users\Kevin\AppData\Local\ElevatedDiagnostics
2016-03-29 12:05 - 2009-07-14 06:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-26 20:42 - 2015-05-28 18:06 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-03-26 20:42 - 2015-05-28 18:06 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-26 11:45 - 2015-11-20 13:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
2016-03-26 11:45 - 2015-10-22 13:52 - 00001368 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
2016-03-26 11:45 - 2015-06-19 06:42 - 00000000 ____D C:\Program Files (x86)\IObit
2016-03-14 14:45 - 2009-07-14 06:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-03-14 11:13 - 2016-03-03 13:02 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-03-12 23:18 - 2015-09-01 13:27 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2016-03-11 14:52 - 2016-02-20 22:32 - 00000000 ____D C:\Program Files (x86)\Minecraft
2016-03-08 13:16 - 2015-07-05 13:51 - 00000000 ____D C:\ProgramData\Apple
2016-03-08 12:49 - 2015-07-05 13:52 - 00000020 ____H C:\ProgramData\PKP_DLev.DAT
2016-03-08 12:48 - 2015-07-05 13:52 - 00000020 ____H C:\ProgramData\PKP_DLet.DAT
2016-03-08 10:00 - 2016-01-17 00:37 - 00000000 ____D C:\Users\Kevin\Documents\My DAP Downloads
2016-03-07 23:55 - 2015-12-30 02:39 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\vlc
2016-03-07 23:41 - 2015-09-04 23:18 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\OBS
2016-03-07 23:30 - 2016-01-15 23:36 - 00000000 ____D C:\Users\Kevin\Documents\stuff
2016-03-06 23:33 - 2015-08-20 14:34 - 00000000 ____D C:\Users\Kevin\AppData\Roaming\TS3Client

==================== Files in the root of some directories =======

2016-02-02 16:36 - 2016-02-02 16:36 - 6871040 _____ () C:\Program Files (x86)\GUTC5B5.tmp
2015-07-05 13:52 - 2015-07-05 13:52 - 0000268 ___RH () C:\Users\Kevin\AppData\Roaming\Plug-In Settings
2015-07-05 13:52 - 2015-07-05 13:52 - 0000268 ___RH () C:\Users\Kevin\AppData\Roaming\Plug-Ins
2015-07-05 13:52 - 2015-07-05 13:52 - 0000268 ___RH () C:\Users\Kevin\AppData\Roaming\Plugins
2015-12-23 23:38 - 2015-12-23 23:38 - 0969851 _____ () C:\Users\Kevin\AppData\Local\MKV-Player_394.rar
2015-12-30 02:35 - 2015-12-23 23:38 - 1021272 _____ (Installer                                                   ) C:\Users\Kevin\AppData\Local\mkvplayer_setup.exe
2015-08-19 10:47 - 2015-08-19 10:47 - 0000017 _____ () C:\Users\Kevin\AppData\Local\resmon.resmoncfg
2010-12-26 02:12 - 2010-12-26 03:21 - 0025788 _____ () C:\Users\Kevin\AppData\Local\TempAbe.jpg
2010-12-27 00:01 - 2010-12-27 00:08 - 0012908 _____ () C:\Users\Kevin\AppData\Local\TempExob2.bmp
2010-12-26 03:04 - 2010-12-26 03:04 - 0002814 _____ () C:\Users\Kevin\AppData\Local\TempHelp.bmp
2010-12-26 02:05 - 2010-12-26 03:21 - 0008945 _____ () C:\Users\Kevin\AppData\Local\TempMunch.jpg
2010-12-26 23:00 - 2010-12-27 00:12 - 0012272 _____ () C:\Users\Kevin\AppData\Local\TempMunch2.jpg
2010-12-26 02:46 - 2010-12-26 02:46 - 0012906 _____ () C:\Users\Kevin\AppData\Local\TempPlay.bmp
2015-11-09 12:32 - 2015-11-09 12:32 - 0000000 ___SH () C:\ProgramData\.rdata
2015-06-19 08:11 - 2015-06-19 08:11 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-05-23 18:09 - 2015-05-23 18:09 - 0018514 _____ () C:\ProgramData\dxdiag.txt
2015-07-05 13:52 - 2015-07-30 13:10 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2015-07-05 13:52 - 2016-03-08 12:48 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2015-07-05 13:52 - 2016-03-08 12:49 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
2015-07-05 13:52 - 2015-07-05 13:52 - 0000268 ___RH () C:\ProgramData\Pop Flute
2015-07-05 13:52 - 2015-07-05 13:52 - 0000268 ___RH () C:\ProgramData\Pop Kit
2015-07-05 13:52 - 2015-07-05 13:52 - 0000268 ___RH () C:\ProgramData\PreferencePane
2015-07-05 13:52 - 2015-07-05 13:52 - 0000012 ___RH () C:\ProgramData\Resources
2015-07-05 13:52 - 2015-07-05 13:52 - 0000012 ___RH () C:\ProgramData\Robot
2015-07-05 13:52 - 2015-07-05 13:52 - 0000012 ___RH () C:\ProgramData\Rock Kit

Some files in TEMP:
====================
C:\Users\Kevin\AppData\Local\Temp\CopyTransPhotoMDHelper.exe
C:\Users\Kevin\AppData\Local\Temp\InstallCharityEngine.2015-S12-05-WW.exe
C:\Users\Kevin\AppData\Local\Temp\offer_cns.exe
C:\Users\Kevin\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Kevin\AppData\Local\Temp\RollerCoaster Tycoon 2 Triple  Downloader__3687_i1895765374_il123858.exe
C:\Users\Kevin\AppData\Local\Temp\setupfa_4435.exe
C:\Users\Kevin\AppData\Local\Temp\soft.exe
C:\Users\Kevin\AppData\Local\Temp\sqlite3.exe
C:\Users\Kevin\AppData\Local\Temp\TrailerWatch.6.1.0amt.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-03-29 14:38

==================== End of FRST.txt ============================

Bonus: my computer will not shut off. I've tried every software solution. It is stuck on the "shutting down" screen.

Edited by gizzgog, 04 April 2016 - 04:50 PM.


#2 olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 04 April 2016 - 07:32 PM

Hello gizzgog and welcome to BleepingComputer. :welcome:

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log in to the computer as an administrator. How do I log in to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to "get help here".

Thanks
  
 
For the PC shutdown problem:

Open Notepad and copy/paste the text in the box below into it:

@echo off
rem "shutdown -a" aborts a shutdown that is already counting down; it does nothing if no shutdown is pending
shutdown -a

Save this as fix.bat, choosing "Save as type: All Files".

Each time your machine threatens to shut down, double-click fix.bat and it will abort the shutdown procedure. That should ease some of your current difficulties.
============
Refer to the following methods also:
http://www.sevenforums.com/tutorials/16801-shut-down-windows-shortcut.html
=======================================================================
=======================================================================

I will write to you again.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
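Added example, not part of olgun52's post or of any tool mentioned in the thread: "shutdown -a" only cancels a shutdown that is already counting down, so it helps to know which process keeps requesting one. The PowerShell below (assumed: Windows 7 or later, run from an elevated prompt, English-language event text, since the regular expression matches the English message wording) aborts a pending shutdown the same way fix.bat does and then lists the recent shutdown requests recorded in the System event log as Event ID 1074, which names the requesting process and user, together with Event ID 6008 entries for shutdowns that were not clean.

```powershell
# Added example (not from the thread). Assumes Windows 7+, an elevated prompt,
# and English event-log text. Works on Windows 7's PowerShell 2.0.

# 1. Abort a shutdown that is currently counting down. Same as fix.bat above;
#    the error printed when nothing is pending is discarded.
& "$env:SystemRoot\System32\shutdown.exe" /a 2>$null

# 2. Collect the last shutdown requests. 1074 = "The process X has initiated
#    the shutdown/restart/power off of computer Y on behalf of user Z";
#    6008 = the previous shutdown was unexpected (not clean).
function Get-ShutdownRequests {
    param([int]$Max = 20)
    # Regex over the English 1074 message text (assumption: English locale).
    $pattern = 'The process (?<proc>.+?) has initiated the (?<type>.+?) of computer (?<host>\S+) on behalf of user (?<user>\S+)'
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6008 } -MaxEvents $Max -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        if ($e.Id -eq 1074 -and $e.Message -match $pattern) {
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                Type    = $Matches['type']
                Process = $Matches['proc']
                User    = $Matches['user']
            }
        } elseif ($e.Id -eq 6008) {
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                Type    = 'unexpected'
                Process = '(previous shutdown was not clean)'
                User    = ''
            }
        }
    }
}

$requests = @(Get-ShutdownRequests -Max 20)
if ($requests.Count -eq 0) {
    Write-Host 'No shutdown requests recorded in the System log.'
} else {
    $requests | Sort-Object Time -Descending | Format-Table Time, Type, Process, User -AutoSize
}
```

A shutdown started from the Start menu or by the script above shows explorer.exe or shutdown.exe as the process and your own account as the user. An executable path you do not recognise, or a request made on behalf of a service account, is the thing to look at next, and a run of 6008 entries means the machine is being powered off before it finishes shutting down rather than being asked to shut down by a program.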


#3 olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 04 April 2016 - 08:47 PM

Hi again,

FW: AVG Internet Security 2015 (Disabled)
Windows Firewall is enabled.

Multiple Firewall Programs installed!

AVG Internet Security 2015 and Windows Firewall are enabled.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

It can also lead to a clash as both products fight for access to files that are opened; this is the resident/automatic protection. In general terms, the two programs may conflict and cause. Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two firewall programs running at the same time can cause your computer to run very slowly, become unstable and even, in rare cases, crash.
========================================================================================
Uninstall some programs

NOTE: Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

IObit (Malware Fighter, Driver Booster, Advanced SystemCare, IObit Uninstaller, Surfing Protection, LiveUpdate, SmartDefragDriver.sys)
AVG Secure Search
AVG TuneUp
WindowPolicies
Reimage
SysSecure
Adobe Reader
QuickSearch

Setup

  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click Yes and then Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

=================================================================================
Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > "I have read the warning and wish to proceed anyway".
  • Auto Launch > untick the box next to it.
  • Scan type > Smart scan (default).
  • Close all open files, folders and browsers.
  • Click Scan now ("Run as Administrator") and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.
  • Please restart the PC now.

Have a nice day.

Best regards
 
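Added example, not from the thread and not the code of FRST or of any product named in it: the "Multiple Firewall Programs installed!" warning comes from the same Windows Security Center registrations that produce the AV:/FW: lines in an FRST log. The PowerShell below (assumptions: Windows Vista or later, which provides the root\SecurityCenter2 WMI namespace; an elevated prompt; English output from netsh; and the productState bit layout, which Microsoft does not document, decoded by the commonly used convention stated in the comments) lists every registered antivirus, antispyware and firewall product with its on/off state, checks the built-in Windows Firewall directly, and warns when more than one product of the same kind is enabled at once, which is the conflict the post describes.

```powershell
# Added example (not from the thread). Assumes Windows Vista+ (root\SecurityCenter2),
# an elevated prompt and English netsh output. Runs on Windows 7's PowerShell 2.0.

function Decode-ProductState {
    param([uint32]$State)
    # productState as six hex digits: [product type][on/off][definitions].
    # Undocumented layout; the convention used here (assumption) is:
    #   digits 3-4 = 10 or 11 -> real-time protection enabled, 00 or 01 -> disabled
    #   digits 5-6 = 00 -> definitions up to date, 10 -> out of date
    $hex   = '{0:X6}' -f $State
    $onOff = $hex.Substring(2, 2)
    $defs  = $hex.Substring(4, 2)
    New-Object PSObject -Property @{
        Enabled  = ($onOff -eq '10' -or $onOff -eq '11')
        UpToDate = ($defs -eq '00')
        RawState = '0x' + $hex
    }
}

# Every product that has registered with Security Center, with decoded state.
$products = @()
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
    $items = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue)
    foreach ($p in $items) {
        $s = Decode-ProductState $p.productState
        $products += New-Object PSObject -Property @{
            Kind     = $class -replace 'Product$', ''
            Name     = $p.displayName
            Enabled  = $s.Enabled
            UpToDate = $s.UpToDate
            State    = $s.RawState
            Path     = $p.pathToSignedProductExe
        }
    }
}
$products | Format-Table Kind, Name, Enabled, UpToDate, State, Path -AutoSize

# The built-in Windows Firewall is not reliably listed under FirewallProduct,
# so query it directly; netsh prints one "State ON/OFF" line per profile.
$wfOn = @(netsh advfirewall show allprofiles state | Select-String 'State\s+ON').Count
Write-Host ("Windows Firewall: {0} of 3 profiles ON" -f $wfOn)

# The conflict the post warns about: more than one enabled product of one kind.
# Windows Firewall is excluded from the WMI count so it is never counted twice.
foreach ($kind in 'AntiVirus', 'Firewall') {
    $enabled = @($products | Where-Object { $_.Kind -eq $kind -and $_.Enabled -and $_.Name -notmatch '^Windows Firewall' })
    $names = @($enabled | ForEach-Object { $_.Name })
    $n = $names.Count
    if ($kind -eq 'Firewall' -and $wfOn -gt 0) { $n++; $names += 'Windows Firewall' }
    if ($n -gt 1) {
        Write-Warning ("{0}: {1} products enabled at the same time: {2}" -f $kind, $n, ($names -join ', '))
    }
}
```

The Path column is worth reading as well as the Name: a product whose signed executable no longer exists on disk is a stale registration left behind by an incomplete uninstall, which is exactly what the Revo steps above are meant to clear out, and it will keep showing up in Security Center (and in FRST's AV:/FW: lines) until the registration is removed.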


#4 olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 14 April 2016 - 06:31 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Best regards
 