Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

JS/Dldr.Locky.LQ , level of damage ? , if any need seccond eyes on log/s.


  • Please log in to reply
31 replies to this topic

#1 Esrot

Esrot

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 11 April 2016 - 10:37 AM

So one in my family got hit by support scammers , sence they used Remote c software i dont know exactly what they did , but the remote session logfile was left behind

I ran Avira full scan archives and all , it found , JS/Dldr.Locky.LQ in a rarfile , and 3 suspected dll files .in some folder

Ran MBAR beta : found nothing

Ran MBAM Custom all files scan , found nothing

Ran roguekiller a few times between , runs with Junkware removal tool from MB witch found 2 entries witch it deleted , and adwcleaner found nothing.

ill attach the log of the 3 rogkiller instances 1 delete log and 2 scan logs.

Ran firewalltest on grc.com and it came out all good and comfy

except on

Solicited TCP Packets: RECEIVED (FAILED)

so i pulled the plug untill i can find some more info on that specificly

 

Now scanned it again after i had the comp runing with internet unplugged for 1h

and it came clean. noly thing is the "VT.Unknown MBR Code" im scratching my head about.

 

i dont have physical access to the laptop in question atm so my reply might take 2 days or so

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 11 April 2016 - 04:20 PM

Hello Esrot and Welcome to the BleepingComputer. :welcome:  
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are inserted during always the scan.
  • If you can't answer for the next few days, please let me know. If  you haven't answered within 5 days, I am assuming that you don't need  help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all  malware. The cleaning process is not instant. Please continue to review  my answers until I tell you that your computer is clean
  • Please reply to this thread. Do not start a new topic
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open as administrator  the computer. How is open as administrator  the computer?
  • Disable your AntiVirus and AntiSpyware applications, as they will  interfere with our tools and the removal. If you are unsure how to do  this, please refer to get help here
Thanks
 
Please do the following.
 
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure the following option is checked: addition.png
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Sincerely  . :hello:

Edited by olgun52, 11 April 2016 - 04:20 PM.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 16 April 2016 - 02:22 AM

Hello thanks for the fast reply , i wont be able to post the Farbar Recovery Scan Tool logs untill Sunday.

#4 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 16 April 2016 - 04:57 PM

Okay. I am witing.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#5 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 17 April 2016 - 06:44 AM

ok ill paste the FRST and attatch the Addition as instructed:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-04-2016
Ran by Eva (administrator) on ENONE (17-04-2016 13:33:49)
Running from C:\Users\Surf\Downloads
Loaded Profiles: Eva & Surf (Available Profiles: Eva & Surf)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: Svenska (Sverige)
Internet Explorer Version 8 (Default browser: "C:\Program Files (x86)\Opera\Opera.exe" "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Acer Group) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Windows\PLFSetI.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9913376 2009-12-29] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1890088 2009-12-10] (Synaptics Incorporated)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [206208 2010-01-13] ()
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [861216 2010-04-23] (Acer Incorporated)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1427648 2015-06-05] (COMODO)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-13] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-01-22] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [908368 2010-04-08] (Dritek System Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [807392 2016-03-08] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2622432 2016-02-02] (Malwarebytes Corporation)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [66328 2016-03-02] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-993487999-4082567015-2900176377-1001\...\Run: [CCleaner Monitoring] => C:\Program Files (x86)\CCleaner\CCleaner64.exe [8590760 2016-01-08] (Piriform Ltd)
HKU\S-1-5-21-993487999-4082567015-2900176377-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\eMachines.scr [453152 2009-12-24] ()
HKU\S-1-5-21-993487999-4082567015-2900176377-1005\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1D9B1F7F-BA1F-4270-BE32-0B4B82EDCB20}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-993487999-4082567015-2900176377-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-993487999-4082567015-2900176377-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://se.msn.com/?pc=UP97&ocid=UP97DHP
HKU\S-1-5-21-993487999-4082567015-2900176377-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-993487999-4082567015-2900176377-1005\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKU\S-1-5-21-993487999-4082567015-2900176377-1001 -> DefaultScope {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-993487999-4082567015-2900176377-1001 -> 19968B7A2C7140D3B8928C91DE34D336 URL = hxxp://se.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
SearchScopes: HKU\S-1-5-21-993487999-4082567015-2900176377-1001 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-09-20] (Hewlett-Packard Co.)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-09-20] (Hewlett-Packard Co.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-04-23] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-04-22] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-04-23] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-04-22] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Eva\AppData\Roaming\Mozilla\Firefox\Profiles\pgt684sg.default
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Bing
FF Homepage: about:home
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q=
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll [2013-06-28] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Extension: WOT - C:\Users\Eva\AppData\Roaming\Mozilla\Firefox\Profiles\pgt684sg.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-12-11]
FF Extension: uBlock Origin - C:\Users\Eva\AppData\Roaming\Mozilla\Firefox\Profiles\pgt684sg.default\Extensions\uBlock0@raymondhill.net.xpi [2016-03-06]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2012-03-27] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-03-04] [not signed]
FF HKU\S-1-5-21-993487999-4082567015-2900176377-1001\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [955736 2016-03-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [466504 2016-03-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [466504 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1424880 2016-03-08] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [260456 2016-03-02] (Avira Operations GmbH & Co. KG)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [5541960 2015-06-05] (COMODO)
R3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265792 2015-06-05] (COMODO)
R2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [867360 2010-04-23] (Acer Incorporated)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [249344 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [740832 2016-02-02] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-25] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-25] (Malwarebytes)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [243232 2010-01-29] (Acer Group)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [154816 2016-03-08] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [133168 2016-03-08] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-03-08] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [69888 2016-03-08] (Avira Operations GmbH & Co. KG)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20672 2015-06-05] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [797256 2015-06-05] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [45856 2015-06-05] (COMODO)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [66080 2016-02-02] ()
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [104584 2015-06-05] (COMODO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-25] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-04-07] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-25] (Malwarebytes Corporation)
R3 SjtWinIo; C:\Windows\System32\DRIVERS\SjtWinIo.sys [9216 2010-10-26] (SpeedJet Technology INC.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2014-08-15] (Apple, Inc.) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-17 13:33 - 2016-04-17 13:33 - 00016235 _____ C:\Users\Surf\Downloads\FRST.txt
2016-04-17 13:23 - 2016-04-17 13:33 - 00000000 ____D C:\FRST
2016-04-17 13:15 - 2016-04-17 13:15 - 02375168 _____ (Farbar) C:\Users\Surf\Downloads\FRST64.exe
2016-04-17 12:43 - 2016-04-17 13:10 - 00000000 ____D C:\Users\Surf\Desktop\divtxt
2016-04-13 17:12 - 2016-03-06 20:53 - 01885696 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2016-04-13 17:12 - 2016-03-06 20:53 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2016-04-13 17:12 - 2016-03-06 20:38 - 01240576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2016-04-13 17:12 - 2016-03-06 20:38 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2016-04-13 17:11 - 2016-03-29 19:53 - 03216896 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-04-13 17:11 - 2016-03-18 01:04 - 05551336 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-04-13 17:11 - 2016-03-18 01:04 - 00706280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-04-13 17:11 - 2016-03-18 01:04 - 00154344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-04-13 17:11 - 2016-03-18 01:04 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-04-13 17:11 - 2016-03-18 01:01 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-04-13 17:11 - 2016-03-18 01:01 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-04-13 17:11 - 2016-03-18 00:58 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-04-13 17:11 - 2016-03-18 00:58 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-04-13 17:11 - 2016-03-18 00:57 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-04-13 17:11 - 2016-03-18 00:57 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-04-13 17:11 - 2016-03-18 00:57 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-04-13 17:11 - 2016-03-18 00:57 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-04-13 17:11 - 2016-03-18 00:57 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-04-13 17:11 - 2016-03-18 00:56 - 02084864 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-04-13 17:11 - 2016-03-18 00:56 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-04-13 17:11 - 2016-03-18 00:54 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-04-13 17:11 - 2016-03-18 00:54 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-04-13 17:11 - 2016-03-18 00:54 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-04-13 17:11 - 2016-03-18 00:54 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-04-13 17:11 - 2016-03-18 00:53 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-04-13 17:11 - 2016-03-18 00:53 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-04-13 17:11 - 2016-03-18 00:53 - 00731136 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-04-13 17:11 - 2016-03-18 00:53 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:36 - 03998952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-04-13 17:11 - 2016-03-18 00:36 - 03943144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-04-13 17:11 - 2016-03-18 00:33 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-04-13 17:11 - 2016-03-18 00:31 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-04-13 17:11 - 2016-03-18 00:31 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-04-13 17:11 - 2016-03-18 00:31 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-04-13 17:11 - 2016-03-18 00:31 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-04-13 17:11 - 2016-03-18 00:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-04-13 17:11 - 2016-03-18 00:30 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-04-13 17:11 - 2016-03-18 00:30 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-04-13 17:11 - 2016-03-18 00:30 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-04-13 17:11 - 2016-03-18 00:29 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-04-13 17:11 - 2016-03-18 00:29 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-04-13 17:11 - 2016-03-18 00:29 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-04-13 17:11 - 2016-03-18 00:28 - 01414144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-04-13 17:11 - 2016-03-18 00:27 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-04-13 17:11 - 2016-03-18 00:27 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-04-13 17:11 - 2016-03-18 00:27 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-04-13 17:11 - 2016-03-18 00:27 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-04-13 17:11 - 2016-03-18 00:26 - 00553984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-04-13 17:11 - 2016-03-18 00:25 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-04-13 17:11 - 2016-03-18 00:24 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-04-13 17:11 - 2016-03-17 23:53 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-04-13 17:11 - 2016-03-17 23:52 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-04-13 17:11 - 2016-03-17 23:52 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-04-13 17:11 - 2016-03-17 23:51 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-04-13 17:11 - 2016-03-17 23:44 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-04-13 17:11 - 2016-03-17 23:43 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-04-13 17:11 - 2016-03-17 23:41 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-04-13 17:11 - 2016-03-17 23:38 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-04-13 17:11 - 2016-03-17 23:37 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-04-13 17:11 - 2016-03-17 23:37 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-04-13 17:11 - 2016-03-17 23:35 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-04-13 17:11 - 2016-03-17 23:35 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-04-13 17:11 - 2016-03-17 23:30 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-04-13 17:11 - 2016-03-17 23:30 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-04-13 17:11 - 2016-03-17 23:30 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-04-13 17:11 - 2016-03-17 23:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-04-13 17:11 - 2016-03-17 23:29 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-04-13 17:11 - 2016-03-17 23:29 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-04-13 17:11 - 2016-03-17 23:29 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-04-13 17:11 - 2016-03-17 23:29 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-04-13 17:11 - 2016-03-17 23:29 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-04-13 17:11 - 2016-03-16 02:16 - 00760320 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2016-04-13 17:11 - 2016-03-16 02:16 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2016-04-13 17:11 - 2016-03-16 01:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2016-04-13 17:11 - 2016-03-11 20:57 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-04-13 17:11 - 2016-03-11 20:35 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-04-10 15:04 - 2016-04-10 15:04 - 02436902 _____ C:\Users\Eva\AppData\Local[j0003]-[p01].bmp
2016-04-10 14:19 - 2016-04-10 14:19 - 00001602 _____ C:\Users\Surf\Desktop\avcenter.exe - genväg.lnk
2016-04-08 14:08 - 2016-04-08 14:08 - 00000000 ____D C:\Users\Surf\Downloads\TCPView
2016-04-08 14:07 - 2016-04-08 14:07 - 00000000 ____D C:\Users\Surf\Downloads\ProcessExplorer
2016-04-08 14:02 - 2016-04-08 14:02 - 00291606 _____ C:\Users\Surf\Downloads\TCPView.zip
2016-04-08 13:59 - 2016-04-08 13:59 - 01270466 _____ C:\Users\Surf\Downloads\ProcessExplorer.zip
2016-04-06 22:53 - 2016-04-06 22:53 - 00003952 _____ C:\Users\Eva\Desktop\rk2.txt
2016-04-06 22:27 - 2016-04-17 13:21 - 00003832 _____ C:\Windows\system32\Drivers\fvstore.dat
2016-04-06 20:06 - 2016-04-06 20:15 - 211428624 _____ C:\Users\Surf\Downloads\SF_CDA_NonNet_Full_Win_WW_130_140.exe
2016-04-06 19:25 - 2016-04-06 19:25 - 00002706 _____ C:\Users\Eva\Desktop\rkreport.txt
2016-04-06 18:50 - 2016-04-06 18:54 - 00000000 ____D C:\AdwCleaner
2016-04-06 18:44 - 2016-04-06 18:45 - 00000000 ___SD C:\ComboFix
2016-04-06 18:37 - 2016-04-06 18:37 - 00003787 _____ C:\Users\Eva\Desktop\JRT.txt
2016-04-06 18:00 - 2016-04-06 18:00 - 00024103 _____ C:\ComboFix.txt
2016-04-06 17:58 - 2016-04-08 14:39 - 00000000 ____D C:\Users\Surf\AppData\Local\CrashDumps
2016-04-06 17:43 - 2016-04-06 18:39 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-04-06 17:22 - 2016-04-06 18:44 - 00000000 ____D C:\Windows\erdnt
2016-04-06 16:46 - 2016-04-06 16:46 - 00011924 _____ C:\Users\Eva\Desktop\rogkillerexport.txt
2016-04-06 16:28 - 2016-04-13 13:48 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-04-06 16:26 - 2016-04-06 16:27 - 00000000 ____D C:\ProgramData\RogueKiller
2016-04-06 16:26 - 2016-04-06 16:26 - 00000867 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-04-06 16:26 - 2016-04-06 16:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-04-06 16:26 - 2016-04-06 16:26 - 00000000 ____D C:\Program Files\RogueKiller
2016-04-06 15:49 - 2016-04-06 16:24 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-04-06 15:47 - 2016-04-06 16:24 - 00000000 ____D C:\Users\Surf\Desktop\mbar
2016-04-06 15:20 - 2016-04-06 15:30 - 00000000 ____D C:\ProgramData\HitmanPro
2016-04-06 15:20 - 2016-04-06 15:20 - 00000000 ____D C:\Program Files\HitmanPro
2016-04-05 12:34 - 2016-04-05 12:34 - 00000000 ____D C:\ProgramData\SupremoRemoteDesktop
2016-03-25 15:51 - 2016-03-25 15:51 - 00000000 ____D C:\Users\Surf\Downloads\FW_RT-N12D1_30043789479
2016-03-25 15:50 - 2016-03-25 15:50 - 06042807 _____ C:\Users\Surf\Downloads\FW_RT-N12D1_30043789479.zip
2016-03-20 15:25 - 2016-03-20 15:25 - 00000515 _____ C:\Users\Surf\Documents\húsvét.url.htm

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-17 13:13 - 2009-07-14 06:45 - 00009920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-17 13:13 - 2009-07-14 06:45 - 00009920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-17 13:04 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-17 12:49 - 2016-01-08 19:27 - 00000000 ____D C:\Users\Surf\AppData\Roaming\Skype
2016-04-15 20:22 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2016-04-14 07:34 - 2010-06-28 17:47 - 00790006 _____ C:\Windows\system32\perfh01D.dat
2016-04-14 07:34 - 2010-06-28 17:47 - 00184234 _____ C:\Windows\system32\perfc01D.dat
2016-04-14 07:34 - 2009-07-14 07:13 - 01749404 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-14 07:34 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-04-14 07:24 - 2009-07-14 06:45 - 00295248 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-13 18:12 - 2013-08-14 21:46 - 00000000 ____D C:\Windows\system32\MRT
2016-04-13 18:02 - 2010-10-25 23:39 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-13 13:41 - 2010-10-26 04:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-09 15:33 - 2010-10-25 23:30 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-04-09 15:33 - 2010-10-25 23:30 - 00000000 ____D C:\ProgramData\Skype
2016-04-09 07:26 - 2009-07-14 07:08 - 00032514 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-04-08 15:31 - 2016-02-21 16:56 - 00000000 ____D C:\Users\Surf\AppData\Roaming\vlc
2016-04-08 13:31 - 2011-04-11 12:21 - 00000000 ____D C:\ProgramData\Sun
2016-04-07 17:16 - 2015-07-29 12:07 - 00000000 ____D C:\Windows\Minidump
2016-04-07 17:15 - 2016-03-06 20:36 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-07 15:34 - 2016-01-14 20:15 - 00000000 ____D C:\Users\Surf\AppData\Local\Adobe
2016-04-07 15:33 - 2014-09-09 15:57 - 00000000 ____D C:\Users\Eva\AppData\Local\Adobe
2016-04-06 18:49 - 2010-10-26 03:56 - 00000000 ____D C:\Users\Eva
2016-04-06 17:56 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2016-04-06 15:47 - 2016-03-06 20:35 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-06 14:45 - 2011-04-11 12:22 - 00000000 ____D C:\Program Files (x86)\OpenOffice.org 3
2016-04-06 14:40 - 2010-05-06 09:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eMachines
2016-04-06 14:40 - 2010-05-06 09:11 - 00000000 ____D C:\Program Files (x86)\eMachines
2016-04-05 07:31 - 2015-07-15 16:36 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-03-25 15:44 - 2016-03-06 20:35 - 00001071 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-25 15:44 - 2016-03-06 20:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-25 15:44 - 2016-03-06 20:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-25 15:43 - 2016-03-06 20:35 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-25 15:43 - 2016-03-06 20:35 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-19 10:56 - 2011-09-06 16:24 - 00000000 ____D C:\Gábor

==================== Files in the root of some directories =======

2011-12-12 09:24 - 2013-01-04 09:10 - 0005120 _____ () C:\Users\Eva\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-20 22:27 - 2015-12-20 22:27 - 0001246 _____ () C:\Users\Eva\AppData\Local\recently-used.xbel
2010-10-28 19:27 - 2010-10-28 19:27 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-03-04 18:52 - 2011-03-04 18:58 - 0000844 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\Eva\AppData\Local\temp\avgnt.exe
C:\Users\Eva\AppData\Local\temp\dllnt_dump.dll
C:\Users\Surf\AppData\Local\temp\avgnt.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-09 08:55

==================== End of FRST.txt ============================

 

 



#6 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 17 April 2016 - 06:49 AM

and the addition log , forgot to press "attach this file" button >_<

 

i´ll be on during 12:00 - 14:30 CET the following days next week.

Attached Files


Edited by Esrot, 17 April 2016 - 07:18 AM.


#7 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 18 April 2016 - 04:53 PM

Hi Esrot,
Sorry for the delay in posting back

 

Scan with Zemana AntiMalware Free:

  • Turn off the real time scanner of any existing antivirus and firewall programs while performing scan
  • Please download and install Zemana AntiMalware Free
  • Double-click software shortcut on the desktop and follow the prompts to install the program .
  • If an update is available, click the Update now button.
  • At the end Click Settings > Advanced > ''I have read the warning an wish to proceed anyway'' Click
  • Auto Launch > Untick the box next
  • Scan type > Smart scan (Default)
  • Close all open files, folders and browsers
  • Click scan now ''Run as Administrator'' and a threat Scan will begin.
  • When the scan is complete, Press report and send me report.
  • Please PC restart now.

Does the issue still presist? Are there still  its symptoms ?

 

Have a nice day.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#8 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 19 April 2016 - 01:07 PM

ok thanks , dont worry about late replys sence i have limited acess to laptop at the moment :). ill try to post report as fast as possible , but it might take untill Friday.

#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 19 April 2016 - 03:14 PM

Thank you.

Okay. I am waiting.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#10 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 20 April 2016 - 05:47 AM

Heres the log

the hostfile in question was changed by Spybot - Search & Destroy.

 

Everything else seems fine.

Attached Files



#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 22 April 2016 - 06:15 PM

Hi Esrot,
Sorry for the delay, I'm a bit ill. I have the flu.
============================================================

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

start
Task: {1898F65B-F474-459B-B9C5-92B4CF906BDD} - System32\Tasks\{99D8FC5F-E9F5-49CC-B0D1-26EB8D7D8F54} => Firefox.exe hxxp://ui.skype.com/ui/0/5.1.0.112/en/abandoninstall?page=tsMain&amp;installinfo=google-toolbar:notoffered;ienotdefaultbrowser2,google-chrome:notoffered;alreadyoffered
Task: {DB9C0005-47D4-4FED-9581-066E448E5D53} - System32\Tasks\{9163687C-7C4B-4309-9471-2704A839B4B2} => Firefox.exe hxxp://ui.skype.com/ui/0/5.3.0.120/hu/abandoninstall?page=tsDownload&amp;installinfo=google-toolbar:notoffered;ienotdefaultbrowser2,google-chrome:offered-notinstalled
Task: {E2EC46C2-E774-4645-8BB0-AD3251C95C93} - System32\Tasks\{AC63B6C6-5DF2-4484-9B51-DE8D431764B3} => Firefox.exe hxxp://ui.skype.com/ui/0/5.0.0.152/sv/abandoninstall?source=lightinstaller&amp;page=tsProblems&amp;LastError=12007&amp;installinfo=google-toolbar:notoffered;ienotdefaultbrowser2,google-chrome:offered-notinstalled
AlternateDataStreams: C:\Windows\NIRCMD.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\notepad.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\aepic.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\asycfilt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\atmfd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\atmlib.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\basesrv.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\bcryptprimitives.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\catsrvut.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\COLORCNV.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\comsvcs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\CPFilters.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\d3d10warp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\davclnt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\dciman32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\devenum.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\DWrite.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\els.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\EncDec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\evr.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ExplorerFrame.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\FntCache.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\fontsub.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\gdi32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\InkEd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\jnwmon.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ksproxy.ax:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ksuser.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\lpk.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mf.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfds.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mferror.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfplat.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfpmp.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfps.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfvdsp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MFWMAAEC.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MP3DMOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MP43DECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MP4SDECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MPG4DECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msmmsp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msmpeg2adec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MSMPEG2ENC.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msmpeg2vdec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mstscax.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msxml6.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msxml6r.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mtxoci.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\notepad.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\oleaut32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\qasf.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\qdvd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\qedit.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\quartz.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\rdvidcrl.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\RESAMPLEDMO.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\rrinstaller.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\schedsvc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\seclogon.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\shell32.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\SysFxUI.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\sysmain.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\tsgqec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\usp10.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\VIDRESZR.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WebClnt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\winload.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WinSetupUI.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wksprt.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMADMOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMADMOE.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMALFXGFXDSP.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMSPDMOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMSPDMOE.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMVDECOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMVENCOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMVSDECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMVSENCD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WMVXENCD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wshrm.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wu.upgrade.ps.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wuapi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wuapp.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wuauclt.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wuaueng.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wucltux.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wudriver.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wups.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wups2.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wuwebv.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\asycfilt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\atmfd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\atmlib.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\bcryptprimitives.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\catsrvut.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\COLORCNV.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\comsvcs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\CPFilters.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\d3d10warp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\davclnt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\dciman32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\devenum.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\DWrite.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\els.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\EncDec.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\evr.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\ExplorerFrame.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\fontsub.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\gdi32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\InkEd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\ksproxy.ax:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\ksuser.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\lpk.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mf.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfds.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mferror.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfplat.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfpmp.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfps.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfvdsp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MFWMAAEC.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MP3DMOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MP43DECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MP4SDECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MPG4DECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msmpeg2adec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MSMPEG2ENC.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msmpeg2vdec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msorcl32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mstscax.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msxml6.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msxml6r.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mtxoci.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\notepad.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\oleaut32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\qasf.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\qdvd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\qedit.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\quartz.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\rdvidcrl.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\RESAMPLEDMO.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\rrinstaller.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\shell32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\tsgqec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\usp10.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\VIDRESZR.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WebClnt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMADMOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMADMOE.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMSPDMOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMSPDMOE.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMVDECOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMVENCOD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMVSDECD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMVSENCD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\WMVXENCD.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wshrm.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wuapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\wuapp.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wudriver.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wups.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wuwebv.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\afd.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\avgntflt.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\avipbb.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\avkmgr.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\avnetflt.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\cng.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\drmk.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\drmkaud.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\mbam.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\mountmgr.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\mrxdav.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\mwac.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\ndis.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\portcls.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\rmcast.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\tdx.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\USBSTOR.SYS:$CmdTcID [64]
AlternateDataStreams: C:\Users\Eva\Downloads\11815922_10153515791993584_1107006122_n.jpg:$CmdZnID [26]
AlternateDataStreams: C:\Users\Eva\Downloads\200306700523(1).pdf:$CmdTcID [64]
AlternateDataStreams: C:\Users\Eva\Downloads\200306700523(1).pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Eva\Downloads\200306700523.pdf:$CmdTcID [64]
AlternateDataStreams: C:\Users\Eva\Downloads\200306700523.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Eva\Downloads\generációk harca.jpg:$CmdTcID [64]
AlternateDataStreams: C:\Users\Eva\Downloads\generációk harca.jpg:$CmdZnID [26]
AlternateDataStreams: C:\Users\Eva\Downloads\IMG_1648.JPG:$CmdZnID [26]
AlternateDataStreams: C:\Users\Eva\Downloads\map98bis-2.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Surf\Downloads\FW_RT-N12D1_30043789479.zip:$CmdTcID [64]
AlternateDataStreams: C:\Users\Surf\Downloads\FW_RT-N12D1_30043789479.zip:$CmdZnID [26]
AlternateDataStreams: C:\Users\Surf\Downloads\SF_CDA_NonNet_Full_Win_WW_130_140.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Surf\Downloads\SF_CDA_NonNet_Full_Win_WW_130_140.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Surf\Downloads\vlc-2.2.2-win32.exe:$CmdTcID [64]
AlternateDataStreams: C:\Users\Surf\Downloads\vlc-2.2.2-win32.exe:$CmdZnID [26]
AlternateDataStreams: C:\Users\Surf\Documents\húsvét.png:$CmdZnID [26]
AlternateDataStreams: C:\Users\Surf\Documents\húsvét.url.htm:$CmdTcID [64]
AlternateDataStreams: C:\Users\Surf\Documents\húsvét.url.htm:$CmdZnID [26]
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-993487999-4082567015-2900176377-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKU\S-1-5-21-993487999-4082567015-2900176377-1001 -> DefaultScope {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-993487999-4082567015-2900176377-1001 -> 19968B7A2C7140D3B8928C91DE34D336 URL = hxxp://se.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
SearchScopes: HKU\S-1-5-21-993487999-4082567015-2900176377-1001 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
FF ProfilePath: C:\Users\Eva\AppData\Roaming\Mozilla\Firefox\Profiles\pgt684sg.default
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Bing
FF Homepage: about:home
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q=
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
C:\Users\Eva\AppData\Local[j0003]-[p01].bmp
C:\Users\Eva\AppData\Local\temp\avgnt.exe
C:\Users\Eva\AppData\Local\temp\dllnt_dump.dll
C:\Users\Surf\AppData\Local\temp\avgnt.exe
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh int ip reset
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: netsh winsock reset
EmptyTemp:
Reboot:

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system to restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
=============================================================================================

 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

=============================================================================================

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#12 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 23 April 2016 - 01:13 AM

OK , thanks ill do that

Ill reply with logs on on Sunday or Monday afternoom :)

 

(corrected a typo)


Edited by Esrot, 23 April 2016 - 01:14 AM.


#13 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 25 April 2016 - 09:07 AM

I had to run Farbar and the fixscript twice sence it didnt create a fixlog.txt at the desctop location where i ran it the first time , so i ran it again at the default download folder and ill attatch that log.

 

# AdwCleaner v5.113 - Logfile created 25/04/2016 at 15:38:18
# Updated 24/04/2016 by Xplode
# Database : 2016-04-24.3 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Eva - ENONE
# Running from : C:\Users\Surf\Downloads\adwcleaner_5.113.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

\AdwCleaner\AdwCleaner[S1].txt - [614 bytes] - [25/04/2016 15:38:18]

########## EOF - \AdwCleaner\AdwCleaner[S1].txt - [684 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.5 (04.20.2016)
Operating System: Windows 7 Home Premium x64
Ran by Eva (Limited) on 2016-04-25 at 15:44:42,92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 14

Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C92GDA7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8E5UAN0P (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IPSTE5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O50Q5CXA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5O83QW2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WI4KHZQS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Eva\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9R8F0R3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C92GDA7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8E5UAN0P (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IPSTE5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O50Q5CXA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5O83QW2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WI4KHZQS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9R8F0R3 (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-04-25 at 15:53:42,02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Attached Files



#14 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:37 PM

Posted 25 April 2016 - 01:23 PM

Hello,

 

Step 1:

MalwareBytes Anti-Rootkit scan:

  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware softwares
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

:step1: Download MalwareBytes Anti-Rootkit software from here to your desktop.

  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator  to launch the application.

:step2: Open a folder with MBAR name on desktop.
:step3: The MBAR folder in the list you find.
:step4: Click once. :step5:  Now click the OK button. :step6: Click the OK button again.

Ashampoo_Snap_2015.05.21_21h16m53s_002__
 
:step7: Then Next and click on the Uptade button
:step8: Now click on the scan button

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two messages boxes:
  • Could not load protection driver'. Click 'OK'.
  • Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please  attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 2:

RogueKiller scan:

  • Please download and run RogueKiller  32/64 bit to your desktop
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#15 Esrot

Esrot
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 26 April 2016 - 09:31 AM

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Eva [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/26/2016 16:18:01

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++
--- User ---
[MBR] 22cae692bd5beecb4cd344eafe3f52f3
[BSP] 3d9e4c72c33297d12ad538e2a0ef745f : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 29362176 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29566976 | Size: 462502 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users