Noticed some strange activity, GMER said I have a rootkit

This topic is locked
11 replies to this topic

#1 wardr
Members, 110 posts

Posted 04 June 2016 - 06:43 PM

Noticed some unusual network activity on my desktop computer, downloaded a few anti-malware apps and all came back clean except GMER. I am including the Farbar scan and attaching the GMER log because that is what prompted this request for help.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:03-06-2016
Ran by Ryan (administrator) on DADDYSPC (04-06-2016 18:31:27)
Running from C:\Users\Ryan\Desktop
Loaded Profiles: Ryan & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS (Available Profiles: Ryan & Administrator & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
() C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSRS12.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
() C:\Program Files (x86)\Subsonic\subsonic-service.exe
() C:\Program Files (x86)\Subsonic\subsonic-service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Internet Download Manager, Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\Everything\Everything.exe
() C:\Program Files\Everything\Everything.exe
() A:\PFFQXV1M.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Ryan\Desktop\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Everything] => C:\Program Files\Everything\Everything.exe [1441792 2014-08-05] ()
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-11-13] (IvoSoft)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-05-11] (Apple Inc.)
HKLM\...\Run: [BoxSync] => C:\Program Files\Box\Box Sync\BoxSync.exe [6193416 2016-04-26] (Box, Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-05] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-10-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [821144 2010-10-25] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [23972712 2016-05-31] (Dropbox, Inc.)
HKLM-x32\...\Run: [Privatefirewall] => C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe [3048480 2013-12-17] (Privacyware/PWI, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [6597768 2015-12-22] (Plex, Inc.)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3941584 2016-04-27] (Tonec Inc.)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [Spotify Web Helper] => C:\Users\Ryan\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1525360 2016-05-23] (Spotify Ltd)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [10571776 2016-01-27] (SecureMix LLC)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2016-04-22] (Apple Inc.)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [LAN Messenger] => C:\Program Files (x86)\LAN Messenger\lmc.exe [1721344 2012-07-24] (LAN Messenger)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1216416 2010-10-25] (Adobe Systems Incorporated)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [BitTorrent Sync] => C:\Users\Ryan\AppData\Roaming\BitTorrent Sync\BTSync.exe [8957432 2016-05-09] (BitTorrent, Inc.)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53123712 2016-05-17] (Skype Technologies S.A.)
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [11776 2014-11-21] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [    BoxSyncFileLocked] -> {07b40172-9807-3c1c-ba59-6079a4aac108} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [    BoxSyncFileLockedByOther] -> {04594f02-32ea-3587-9086-f41d8e0913ce} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [    BoxSyncNotSynced] -> {89dd0924-32ad-3eef-af9e-47999ec8e5ea} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [    BoxSyncProblem] -> {6186e773-c867-3e53-bafc-97618c51f764} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [    BoxSyncSynced] -> {cb7cb4c9-490e-3599-b355-e16ba7b83aa6} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [    YndCase0Sync] -> {63D48440-63AB-44D0-B323-4731DFCDE9E9} => C:\Program Files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll [2016-02-10] (Yandex)
ShellIconOverlayIdentifiers: [    YndCase1Modified] -> {7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0} => C:\Program Files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll [2016-02-10] (Yandex)
ShellIconOverlayIdentifiers: [    YndCase2Error] -> {FB2FE984-05F5-4512-9D9B-69D3DE61F6D9} => C:\Program Files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll [2016-02-10] (Yandex)
ShellIconOverlayIdentifiers: [    YndCase3Shared] -> {AF8D197E-7022-4c3d-BD88-68AD35C9C169} => C:\Program Files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll [2016-02-10] (Yandex)
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2015-08-14] (Tonec Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [!BTSync2.3.7Done] -> {581FFA04-FC33-0007-0302-95003A5CDE89} => C:\ProgramData\BitTorrent Sync\ShellExtensionOverlay64_1C3.dll [2016-05-09] ()
ShellIconOverlayIdentifiers: [!BTSync2.3.7RO] -> {581FFA03-FC33-0007-0302-95003A5CDE89} => C:\ProgramData\BitTorrent Sync\ShellExtensionOverlay64_1C3.dll [2016-05-09] ()
ShellIconOverlayIdentifiers: [!BTSync2.3.7RW] -> {581FFA02-FC33-0007-0302-95003A5CDE89} => C:\ProgramData\BitTorrent Sync\ShellExtensionOverlay64_1C3.dll [2016-05-09] ()
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-31] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-03-15] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-03-15] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-03-15] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [!BTSync2.3.7Done] -> {581FFA04-FC33-0007-0302-95003A5CDE89} => C:\ProgramData\BitTorrent Sync\ShellExtensionOverlay86_1C3.dll [2016-05-09] ()
ShellIconOverlayIdentifiers-x32: [!BTSync2.3.7RO] -> {581FFA03-FC33-0007-0302-95003A5CDE89} => C:\ProgramData\BitTorrent Sync\ShellExtensionOverlay86_1C3.dll [2016-05-09] ()
ShellIconOverlayIdentifiers-x32: [!BTSync2.3.7RW] -> {581FFA02-FC33-0007-0302-95003A5CDE89} => C:\ProgramData\BitTorrent Sync\ShellExtensionOverlay86_1C3.dll [2016-05-09] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2016-02-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Subsonic.lnk [2016-05-23]
ShortcutTarget: Subsonic.lnk -> C:\Program Files (x86)\Subsonic\subsonic-agent.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.11.1
Tcpip\..\Interfaces\{394F7085-5C09-4181-99E5-FBF6214C57F6}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{BB3C93D3-89CD-4A49-BA89-580965FFFED8}: [DhcpNameServer] 192.168.11.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
URLSearchHook: [S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-425977601-1203083412-1631309457-2457533047-3321749933] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-997390408-2153310517-3119169589-2253446180-2226563786] ATTENTION => Default URLSearchHook is missing
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2015-12-08] (Internet Download Manager, Tonec Inc.)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-12] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-03-15] (Microsoft Corporation)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2015-12-08] (Internet Download Manager, Tonec Inc.)
BHO-x32: ContributeBHO Class -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll [2011-03-19] (Adobe Systems, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-10-25] (Adobe Systems Incorporated)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-03-12] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2016-05-23] (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-03-15] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2016-05-23] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll [2011-03-19] (Adobe Systems, Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-02-13] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\7og14rox.default
FF DefaultSearchEngine.US: DuckDuckGo
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-05] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32.dll [2015-12-25] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2016-05-23] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2016-05-23] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-02-13] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-05] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2016-02-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Extension: JavaScript on-off applet - C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\7og14rox.default\extensions\{54e46280-0211-11e3-b778-0800200c9a66}.xpi [2016-05-05]
FF Extension: IDM integration - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2016-04-26]
FF Extension: Disable CSS - C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\7og14rox.default\Extensions\jid0-1VwU0d7h7azvou6XbFWe9tmQyoQ@jetpack.xpi [2016-04-27]
FF Extension: JavaScript Toggle On and Off - C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\7og14rox.default\Extensions\jid1-EbhJmw1yu6Juy@jetpack.xpi [2016-05-04]
FF HKLM-x32\...\Firefox\Extensions: [{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}] - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF Extension: Adobe Contribute Toolbar - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2015-12-25] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2015-12-25] [not signed]
FF HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Firefox\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ryan\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\Ryan\AppData\Roaming\IDM\idmmzcc5 [2016-06-04] [not signed]
FF HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://startpage.com/do/mypage.pl?prf=e2b7629e1b7621b081186651680bef3d%20in%20the%20%22Add%20a%20new%20page%22%20text%20field.
CHR StartupUrls: Default -> "hxxps://startpage.com/do/mypage.pl?prf=53ef2b241b727485d0f025cc3ef67d93","hxxps://startpage.com/do/mypage.pl?prf=76ff7e8dcc82d78d6bfcce131eb1c2b6"
CHR DefaultSearchURL: Default -> hxxps://startpage.com/do/search?query={searchTerms}&cat=web&pl=chrome&language=english&prfh=design_typeEEE1N1Nlang_homepageEEEs/night/eng/N1Nresults_countEEE1N1Nlanguage_uiEEEenglishN1Ndisable_open_in_new_windowEEE0N1Nunderline_titleEEE1N1NlanguageEEEenglishN1NsslEEE1N1Ndisable_family_filterEEE1N1Nnum_of_resultsEEE100N1Ndisable_video_family_filterEEE1N1NsuggestionsEEE1N1Ngeo_mapEEE1N1N
CHR DefaultSearchKeyword: Default -> startpage.com
CHR Profile: C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-25]
CHR Extension: (YouTube) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-25]
CHR Extension: (Advanced Font Settings) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\caclkomlalccbpcdllchkeecicepbmbm [2016-04-16]
CHR Extension: (Adblock Plus) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-06-04]
CHR Extension: (Google Search) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-25]
CHR Extension: (Pandora) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbangkleohkafngihneedemihgfeikcl [2015-12-25]
CHR Extension: (Full Page Screen Capture) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdpohaocaechififmbbbbbknoalclacl [2016-05-15]
CHR Extension: (iCloud Bookmarks) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkepacicchenbjecpbpbclokcabebhah [2015-12-25]
CHR Extension: (Plex) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpniocchabmgenibceglhnfeimmdhdfm [2016-04-15]
CHR Extension: (HTTPS Everywhere) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2016-05-12]
CHR Extension: (Pin It Button) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2015-12-25]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2016-05-23]
CHR Extension: (Live HTTP Headers) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaiioopjkcekapmldfgbebdclcnpgnlo [2016-05-05]
CHR Extension: (Dropbox) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioekoebejdcmnlefjiknokhhafglcjdl [2015-12-25]
CHR Extension: (Clearly) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iooicodkiihhpojmmeghjclgihfjdjhj [2015-12-25]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2016-05-18]
CHR Extension: (Night Time In New York City) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnimonidkipnhnpgkhgliocfnnpgkhek [2016-05-28]
CHR Extension: (Google Voice (by Google)) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo [2015-12-25]
CHR Extension: (Mohiomap) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kikkonmkmijjlbenemmnoakjmniihppj [2016-02-20]
CHR Extension: (disable-HTML) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfhjgihpknekohffabeddfkmoiklonhm [2015-12-25]
CHR Extension: (Linkclump) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfpjkncokllnfokkgpkobnkbkmelfefj [2016-06-04]
CHR Extension: (Ghostery) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-02-20]
CHR Extension: (Page Archive) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nboajopncigfmjdnjcgkefdpijgjegjg [2015-12-25]
CHR Extension: (IDM Integration Module) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2016-04-15]
CHR Extension: (Autofill) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlmmgnhgdeffjkdckmikfpnddkbbfkkk [2016-05-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (WayBack Chrome) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\phabfadigilgfagiclfpjnjljedbjclf [2016-04-16]
CHR Extension: (Evernote Web Clipper) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc [2016-05-13]
CHR Extension: (Gmail) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-12-25]
CHR Extension: (SMS Text Message Scheduler for Google Voice™) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\podfahadlppahcknimehicajmjdcfieb [2015-12-25]
CHR Extension: (Web Archive for WayBack Machine) - C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppokigfjbmhncgkabghdgpiafjdpllke [2016-04-16]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2016-04-27]
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2016-04-27]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AcrylicServiceController; C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe [519168 2016-04-13] () [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
S3 BoxSyncUpdateService; C:\Program Files\Box\Box Sync\SyncUpdaterService.exe [36752 2016-04-26] (Box, Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-12] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-12] (Dropbox, Inc.)
R2 Everything; C:\Program Files\everything\everything.exe [1441792 2014-08-05] () [File not signed]
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [8915968 2016-01-27] (SecureMix LLC)
R2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [370368 2014-02-21] (Microsoft Corporation)
R3 MSSQLFDLauncher$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [50880 2014-02-21] (Microsoft Corporation)
R2 PFNet; C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [374600 2013-12-17] (Privacyware/PWI, Inc.)
R2 ReportServer$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSRS12.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2450112 2014-02-21] (Microsoft Corporation)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [613056 2014-02-21] (Microsoft Corporation)
R2 Subsonic; C:\Program Files (x86)\Subsonic\subsonic-service.exe [259584 2016-04-30] () [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7032080 2016-05-12] (TeamViewer GmbH)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3880448 2013-11-13] (Qualcomm Atheros Communications, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R1 gwdrv; C:\Windows\system32\DRIVERS\gwdrv.sys [33152 2015-05-28] (SecureMix LLC)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R1 RAMDiskVE; C:\Windows\System32\Drivers\RAMDiskVE.sys [86744 2016-05-12] (Dataram, Inc.)
S4 RsFx0300; C:\Windows\System32\DRIVERS\RsFx0300.sys [247488 2014-02-21] (Microsoft Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
U3 aswMBR; \??\a:\userTEMP\aswMBR.sys [X]
U3 aswVmm; \??\a:\userTEMP\aswVmm.sys [X]
U3 kwlcapob; \??\a:\userTEMP\kwlcapob.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-04 18:31 - 2016-06-04 18:31 - 00034373 _____ C:\Users\Ryan\Desktop\FRST.txt
2016-06-04 18:30 - 2016-06-04 18:31 - 00000000 ____D C:\FRST
2016-06-04 18:30 - 2016-06-04 18:30 - 02384384 _____ (Farbar) C:\Users\Ryan\Desktop\FRST64 (1).exe
2016-06-04 16:10 - 2016-06-04 16:10 - 00000826 _____ C:\Users\Ryan\Documents\hosts.txt
2016-06-04 15:56 - 2016-06-04 15:56 - 00002476 _____ C:\Users\Ryan\Desktop\Rkill.txt
2016-06-04 15:56 - 2016-06-04 15:56 - 00001826 _____ C:\Users\Ryan\Desktop\sc-cleaner.txt
2016-06-04 15:55 - 2016-06-04 15:55 - 00051428 _____ C:\TDSSKiller.3.1.0.9_04.06.2016_15.55.28_log.txt
2016-06-04 15:54 - 2016-06-04 15:55 - 00229696 _____ C:\TDSSKiller.3.1.0.9_04.06.2016_15.54.18_log.txt
2016-06-04 15:47 - 2016-06-04 15:47 - 00001242 _____ C:\Users\Ryan\Desktop\JRT.txt
2016-06-04 15:45 - 2016-06-04 15:45 - 00000000 ____D C:\AdwCleaner
2016-06-03 14:06 - 2016-06-03 14:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-06-03 08:01 - 2016-06-03 08:01 - 00000000 ____D C:\ProgramData\Backblaze
2016-06-03 08:01 - 2016-06-03 08:01 - 00000000 ____D C:\Program Files (x86)\Backblaze
2016-06-03 04:12 - 2016-06-03 04:20 - 00000000 ___RD C:\Users\Ryan\Box Sync
2016-06-03 04:10 - 2016-06-03 04:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Box Sync
2016-06-03 04:10 - 2016-06-03 04:10 - 00000000 ____D C:\Program Files\Box
2016-06-02 14:26 - 2016-06-03 14:44 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\HandBrake
2016-06-02 14:26 - 2016-06-02 14:26 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\HandBrake Team
2016-06-02 14:25 - 2016-06-02 14:25 - 00000838 _____ C:\Users\Administrator\Desktop\Handbrake.lnk
2016-06-02 14:25 - 2016-06-02 14:25 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Handbrake
2016-06-02 14:25 - 2016-06-02 14:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake
2016-06-02 14:25 - 2016-06-02 14:25 - 00000000 ____D C:\Program Files\Handbrake
2016-05-29 21:18 - 2016-05-29 21:18 - 00000000 ____D C:\Users\Ryan\Tracing
2016-05-29 20:52 - 2016-06-02 19:20 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Skype
2016-05-29 20:52 - 2016-05-29 20:52 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-05-29 20:52 - 2016-05-29 20:52 - 00000000 ____D C:\ProgramData\Skype
2016-05-29 20:52 - 2016-05-29 20:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-05-29 19:51 - 2016-06-03 08:08 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\MediaMonkey
2016-05-27 02:18 - 2016-05-27 02:18 - 00000020 ___SH C:\Users\ReportServer$SQLEXPRESS\ntuser.ini
2016-05-27 02:18 - 2016-05-27 02:18 - 00000000 _SHDL C:\Users\ReportServer$SQLEXPRESS\My Documents
2016-05-27 02:18 - 2016-05-27 02:18 - 00000000 _SHDL C:\Users\ReportServer$SQLEXPRESS\Documents\My Videos
2016-05-27 02:18 - 2016-05-27 02:18 - 00000000 _SHDL C:\Users\ReportServer$SQLEXPRESS\Documents\My Pictures
2016-05-27 02:18 - 2016-05-27 02:18 - 00000000 _SHDL C:\Users\ReportServer$SQLEXPRESS\Documents\My Music
2016-05-27 02:18 - 2016-05-27 02:18 - 00000000 ____D C:\Users\ReportServer$SQLEXPRESS
2016-05-27 02:18 - 2015-12-25 11:54 - 00000000 ____D C:\Users\ReportServer$SQLEXPRESS\AppData\Roaming\Macromedia
2016-05-27 02:18 - 2014-11-21 03:53 - 00000369 _____ C:\Users\ReportServer$SQLEXPRESS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-05-27 02:18 - 2014-11-21 03:53 - 00000369 _____ C:\Users\ReportServer$SQLEXPRESS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-05-27 02:17 - 2016-05-29 19:17 - 00000000 ____D C:\Users\Ryan\Documents\SQL Server Management Studio
2016-05-27 02:17 - 2016-05-27 02:17 - 00000020 ___SH C:\Users\MSSQLFDLauncher$SQLEXPRESS\ntuser.ini
2016-05-27 02:17 - 2016-05-27 02:17 - 00000020 ___SH C:\Users\MSSQL$SQLEXPRESS\ntuser.ini
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQLFDLauncher$SQLEXPRESS\My Documents
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQLFDLauncher$SQLEXPRESS\Documents\My Videos
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQLFDLauncher$SQLEXPRESS\Documents\My Pictures
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQLFDLauncher$SQLEXPRESS\Documents\My Music
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQL$SQLEXPRESS\My Documents
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQL$SQLEXPRESS\Documents\My Videos
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQL$SQLEXPRESS\Documents\My Pictures
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 _SHDL C:\Users\MSSQL$SQLEXPRESS\Documents\My Music
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 ____D C:\Users\MSSQLFDLauncher$SQLEXPRESS
2016-05-27 02:17 - 2016-05-27 02:17 - 00000000 ____D C:\Users\MSSQL$SQLEXPRESS
2016-05-27 02:17 - 2015-12-25 11:54 - 00000000 ____D C:\Users\MSSQLFDLauncher$SQLEXPRESS\AppData\Roaming\Macromedia
2016-05-27 02:17 - 2015-12-25 11:54 - 00000000 ____D C:\Users\MSSQL$SQLEXPRESS\AppData\Roaming\Macromedia
2016-05-27 02:17 - 2014-11-21 03:53 - 00000369 _____ C:\Users\MSSQLFDLauncher$SQLEXPRESS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-05-27 02:17 - 2014-11-21 03:53 - 00000369 _____ C:\Users\MSSQLFDLauncher$SQLEXPRESS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-05-27 02:17 - 2014-11-21 03:53 - 00000369 _____ C:\Users\MSSQL$SQLEXPRESS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-05-27 02:17 - 2014-11-21 03:53 - 00000369 _____ C:\Users\MSSQL$SQLEXPRESS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-05-27 02:14 - 2014-02-21 05:20 - 00056000 _____ (Microsoft Corporation) C:\WINDOWS\system32\perf-MSSQL12.SQLEXPRESS-sqlagtctr.dll
2016-05-27 02:14 - 2014-02-21 05:20 - 00052416 _____ (Microsoft Corporation) C:\WINDOWS\system32\perf-ReportServer$SQLEXPRESS-rsctr12.0.2000.8.dll
2016-05-27 02:14 - 2014-02-21 05:20 - 00046784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\perf-MSSQL12.SQLEXPRESS-sqlagtctr.dll
2016-05-27 02:14 - 2014-02-21 05:20 - 00045760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\perf-ReportServer$SQLEXPRESS-rsctr12.0.2000.8.dll
2016-05-27 02:13 - 2014-02-21 05:27 - 00172224 _____ (Microsoft Corporation) C:\WINDOWS\system32\hadrres.dll
2016-05-27 02:13 - 2014-02-21 05:27 - 00081088 _____ (Microsoft Corporation) C:\WINDOWS\system32\fssres.dll
2016-05-27 02:13 - 2014-02-21 05:20 - 00103104 _____ (Microsoft Corporation) C:\WINDOWS\system32\perf-MSSQL$SQLEXPRESS-sqlctr12.0.2000.8.dll
2016-05-27 02:13 - 2014-02-21 05:20 - 00088768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\perf-MSSQL$SQLEXPRESS-sqlctr12.0.2000.8.dll
2016-05-27 02:12 - 2016-05-27 02:12 - 00000000 ____D C:\Program Files\Microsoft Analysis Services
2016-05-27 02:12 - 2016-05-27 02:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2016-05-27 02:11 - 2016-05-27 02:11 - 00000000 ____D C:\WINDOWS\system32\RsFx
2016-05-27 02:10 - 2016-05-27 02:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2008
2016-05-27 02:09 - 2016-05-27 02:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2014
2016-05-27 02:09 - 2016-05-27 02:09 - 00000000 ____D C:\Users\Ryan\Documents\Visual Studio 2010
2016-05-27 02:08 - 2016-05-27 02:10 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server
2016-05-27 02:08 - 2016-05-27 02:09 - 00000000 ____D C:\WINDOWS\SysWOW64\1033
2016-05-27 02:08 - 2016-05-27 02:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 10.0
2016-05-27 02:07 - 2016-05-27 02:09 - 00000000 ____D C:\WINDOWS\system32\1033
2016-05-27 02:07 - 2016-05-27 02:07 - 00000000 ____D C:\WINDOWS\symbols
2016-05-27 02:07 - 2016-05-27 02:07 - 00000000 ____D C:\WINDOWS\PCHEALTH
2016-05-27 02:07 - 2016-05-27 02:07 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 10.0
2016-05-27 02:07 - 2016-05-27 02:07 - 00000000 ____D C:\Program Files\Microsoft Help Viewer
2016-05-27 02:07 - 2016-05-27 02:07 - 00000000 ____D C:\Program Files (x86)\Microsoft SDKs
2016-05-27 01:52 - 2016-05-27 02:12 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2016-05-27 01:50 - 2016-05-27 01:50 - 00000000 ___DL C:\gisclass
2016-05-27 01:49 - 2016-05-27 01:49 - 00000000 ___DL C:\workspace
2016-05-27 01:49 - 2016-05-27 01:49 - 00000000 ___DL C:\a
2016-05-26 13:11 - 2016-05-26 13:11 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Evernote
2016-05-26 13:11 - 2016-05-26 13:11 - 00000000 ____D C:\Users\Ryan\AppData\Local\Apps\Evernote
2016-05-25 04:35 - 2016-05-25 04:35 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MakeMKV
2016-05-25 04:35 - 2016-05-25 04:35 - 00000000 ____D C:\Users\Ryan\.MakeMKV
2016-05-25 04:35 - 2016-05-25 04:35 - 00000000 ____D C:\Program Files (x86)\MakeMKV
2016-05-24 19:35 - 2016-05-24 19:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-05-24 19:35 - 2016-05-24 19:35 - 00000000 ____D C:\Program Files\iTunes
2016-05-24 19:35 - 2016-05-24 19:35 - 00000000 ____D C:\Program Files\iPod
2016-05-24 19:35 - 2016-05-24 19:35 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-05-24 19:33 - 2016-05-24 19:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2016-05-23 14:44 - 2016-05-27 12:12 - 00000000 ____D C:\subsonic
2016-05-23 14:44 - 2016-05-23 14:44 - 00098216 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-05-23 14:44 - 2016-05-23 14:44 - 00000000 ____D C:\ProgramData\Sun
2016-05-23 14:44 - 2016-05-23 14:44 - 00000000 ____D C:\ProgramData\Oracle
2016-05-23 14:44 - 2016-05-23 14:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Subsonic
2016-05-23 14:44 - 2016-05-23 14:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-05-23 14:44 - 2016-05-23 14:44 - 00000000 ____D C:\Program Files (x86)\Subsonic
2016-05-23 14:44 - 2016-05-23 14:44 - 00000000 ____D C:\Program Files (x86)\Java
2016-05-23 14:41 - 2016-05-23 14:41 - 00000000 ____D C:\Users\Ryan\AppData\LocalLow\Sun
2016-05-12 13:24 - 2016-05-12 13:24 - 00000000 ___DL C:\delete
2016-05-12 13:01 - 2016-05-12 13:01 - 00086744 _____ (Dataram, Inc.) C:\WINDOWS\system32\Drivers\RAMDiskVE.sys
2016-05-12 13:01 - 2016-05-12 13:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAMDisk
2016-05-12 13:01 - 2016-05-12 13:01 - 00000000 ____D C:\Program Files (x86)\RAMDisk
2016-05-10 20:57 - 2016-05-11 13:54 - 00000132 _____ C:\Users\Ryan\AppData\Roaming\Adobe PNG Format CS5 Prefs
2016-05-09 16:04 - 2016-05-09 16:05 - 00000000 ____D C:\bittorrentsync
2016-05-09 16:02 - 2016-05-09 16:02 - 00000899 _____ C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent Sync.lnk
2016-05-09 16:02 - 2016-05-09 16:02 - 00000000 ____D C:\ProgramData\BitTorrent Sync
2016-05-07 13:25 - 2016-05-07 13:25 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Greenshot
2016-05-07 13:25 - 2016-05-07 13:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Greenshot
2016-05-07 13:24 - 2016-05-07 13:24 - 00000000 ____D C:\Program Files\Greenshot
2016-05-05 15:57 - 2016-05-12 12:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-04 18:17 - 2016-02-12 23:12 - 00000922 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2016-06-04 17:49 - 2015-12-25 10:40 - 00000924 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-04 16:49 - 2015-12-25 10:40 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-04 16:24 - 2016-02-12 22:08 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\DMCache
2016-06-04 16:13 - 2015-12-25 10:43 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Everything
2016-06-04 16:11 - 2016-02-13 04:06 - 00000000 ____D C:\Users\Ryan\Documents\Outlook Files
2016-06-04 15:50 - 2016-02-23 20:43 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-04 05:31 - 2015-12-19 09:32 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1125547639-1294637962-2935245663-1001
2016-06-04 05:20 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-04 05:20 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-03 22:17 - 2016-02-12 23:12 - 00000918 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2016-06-03 14:06 - 2016-02-12 23:12 - 00000000 ____D C:\Program Files (x86)\Dropbox
2016-06-03 10:52 - 2015-12-19 09:35 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-06-03 07:41 - 2016-02-14 10:09 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\vlc
2016-06-03 04:12 - 2015-12-24 09:49 - 00000000 ____D C:\Users\Ryan
2016-06-03 04:10 - 2015-12-24 10:03 - 00000000 ____D C:\ProgramData\Package Cache
2016-06-03 04:03 - 2014-11-21 03:43 - 01018136 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-03 04:03 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\Inf
2016-06-02 14:51 - 2016-02-17 22:13 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Mozilla
2016-05-29 22:06 - 2016-04-17 21:04 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\OBS
2016-05-27 11:18 - 2015-12-24 10:04 - 00000000 ____D C:\Users\Ryan\OneDrive
2016-05-27 11:02 - 2016-02-13 05:21 - 00000501 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2016-05-27 11:02 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-05-27 11:02 - 2013-08-22 09:44 - 16182888 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-05-27 11:02 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-05-27 08:03 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-05-27 05:30 - 2016-02-21 00:39 - 00000000 ____D C:\Users\Ryan\Downloads\Compressed
2016-05-27 04:04 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-05-27 02:12 - 2016-02-13 00:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-05-27 02:11 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-05-27 01:52 - 2016-02-12 22:08 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\IDM
2016-05-25 04:34 - 2016-02-21 00:35 - 00000000 ____D C:\Users\Ryan\YandexDisk
2016-05-24 20:54 - 2015-12-25 11:13 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Apple Computer
2016-05-24 19:35 - 2015-12-25 11:13 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-05-24 05:09 - 2016-04-16 05:31 - 00000000 ____D C:\nirscreenshots
2016-05-24 05:07 - 2016-04-19 20:40 - 00000000 ____D C:\Program Files\QGIS Essen
2016-05-24 04:28 - 2016-02-25 22:47 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Spotify
2016-05-14 13:30 - 2015-12-19 09:35 - 00000983 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk
2016-05-12 18:50 - 2015-12-25 10:40 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-12 12:24 - 2016-02-12 22:08 - 00000000 ____D C:\Program Files (x86)\Internet Download Manager
2016-05-12 12:24 - 2015-12-25 10:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-05-12 12:23 - 2015-12-25 10:44 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\BitTorrent Sync
2016-05-10 16:44 - 2015-12-25 10:40 - 00003896 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-10 16:44 - 2015-12-25 10:40 - 00003660 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-10 15:53 - 2015-12-19 09:25 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Adobe
2016-05-09 14:59 - 2016-04-19 21:07 - 00000000 ____D C:\WINDOWS\Minidump
2016-05-09 14:59 - 2016-03-17 21:16 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\MPC-HC
2016-05-08 02:16 - 2015-12-25 10:43 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Notepad++
 
==================== Files in the root of some directories =======
 
2016-05-10 20:57 - 2016-05-11 13:54 - 0000132 _____ () C:\Users\Ryan\AppData\Roaming\Adobe PNG Format CS5 Prefs
2016-05-10 15:51 - 2016-05-10 15:51 - 0001456 _____ () C:\Users\Ryan\AppData\Local\Adobe Save for Web 12.0 Prefs
2016-02-12 22:46 - 2016-05-30 18:49 - 0007663 _____ () C:\Users\Ryan\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-02 04:10
 
==================== End of FRST.txt ============================
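Added example (not part of the original post, and not FRST's own code): a small Python triage script that reads the Services and Drivers sections of an FRST log in the format shown above and flags the entries a responder looks at first: services and drivers FRST marks as [File not signed], drivers still registered whose file is gone ([X]), and anything loaded from a drive other than the system drive. The sample lines are constructed from the log above (same format, not the full log); the names `parse_entries`, `triage`, `Entry` and `Finding` are my own, and `SYSTEM_DRIVE = "C:"` is assumed from the log header. A flag only orders what to verify next, it is not a verdict: an unsigned binary can be entirely legitimate, as the "Everything" search tool turns out to be later in this thread, and the `U3 ... [X]` driver entries are typical leftovers of anti-rootkit tools run from a temporary location.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the Services/Drivers sections of the FRST log
# above (same line format; not the complete log).
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ========================

R2 AcrylicServiceController; C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicService.exe [519168 2016-04-13] () [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 Everything; C:\Program Files\everything\everything.exe [1441792 2014-08-05] () [File not signed]

===================== Drivers (Whitelisted) ==========================

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3880448 2013-11-13] (Qualcomm Atheros Communications, Inc.)
U3 aswMBR; \??\a:\userTEMP\aswMBR.sys [X]
U3 kwlcapob; \??\a:\userTEMP\kwlcapob.sys [X]

==================== NetSvcs (Whitelisted) ===================
"""


@dataclass
class Entry:
    section: str            # e.g. "Services (Whitelisted)"
    state: str              # FRST's first letter: R = running, S = stopped, U = unknown
    name: str               # service/driver name as registered
    path: str               # Win32 path, any leading \??\ prefix stripped
    vendor: Optional[str]   # company from version info; None when FRST printed [X] instead
    unsigned: bool          # FRST appended "[File not signed]"
    missing: bool           # FRST appended "[X]": registered, but the file does not exist


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


# <state><start> <name>; <path> [<size> <date>] (<vendor>) [X] [File not signed]
# The bracketed parts are optional; FRST prints [X] in place of size/date/vendor
# when the file is missing.
ENTRY_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\))?"
    r"(?P<missing> \[X\])?(?P<unsigned> \[File not signed\])?$"
)
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
SYSTEM_DRIVE = "C:"   # assumption: the system drive of the machine the log came from


def parse_entries(log: str) -> List[Entry]:
    """Return the service/driver entries of an FRST log, ignoring every other section."""
    entries: List[Entry] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("title")
            continue
        if not section.startswith(("Services", "Drivers")):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue            # explanatory lines such as "(If an entry is included ...)"
        path = m.group("path")
        if path.startswith("\\??\\"):   # NT object-manager prefix used for driver image paths
            path = path[4:]
        entries.append(Entry(
            section=section, state=m.group("state"), name=m.group("name"), path=path,
            vendor=m.group("vendor"), unsigned=bool(m.group("unsigned")),
            missing=bool(m.group("missing")),
        ))
    return entries


def triage(log: str) -> List[Finding]:
    """Flag entries worth a closer look. A flag prioritises review; it is not a malware verdict."""
    findings: List[Finding] = []
    for e in parse_entries(log):
        reasons: List[str] = []
        if e.unsigned:
            reasons.append("unsigned")          # no valid Authenticode signature per FRST
        if e.missing:
            reasons.append("file-missing")      # registry points at a file that no longer exists
        if e.path[:2].upper() != SYSTEM_DRIVE:
            reasons.append("non-system-drive")  # loaded from removable or secondary media
        if reasons:
            findings.append(Finding(e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:<26} {', '.join(f.reasons):<32} {f.path}")
```

Run against the sample, the script lists AcrylicServiceController and Everything as unsigned, and aswMBR and kwlcapob as missing files registered from drive A:, which is exactly the set the helper's fixlist in post #4 asks FRST to remove or inspect; the Apple service and the Atheros driver produce no finding.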


#2 garioch7

garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,736 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 08 June 2016 - 06:44 AM

wardr:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I am a trainee in the Bleeping Computer Malware Removal Study Hall. I would like to address you by your first name, if that is alright with you since we will be working together.

I will be assisting you with your computer issues. All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic. That could take a few days. Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#3 wardr

wardr
  • Topic Starter

  • Members
  • 110 posts
  • Gender:Male

Posted 08 June 2016 - 02:16 PM

Okay, my situation has moved from suspicion to certainty about the malware in my computer. I'm 90% sure it is a trojan. I believe it is the same one I had a year ago or so, and it was lying dormant on my storage drive the whole time. I may have executed that same file the other day and this thing then started spreading throughout my computer again. I have very strange network activity too; it seems to hook on to other processes like winlogon. Browser (Chrome) will jump around too.



#4 garioch7

garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,736 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 09 June 2016 - 01:09 PM

wardr:

Thank you for the logs and also for your patience while I analyzed your logs and consulted with the Malware Response Instructor assigned to supervise me while I am dealing with your topic.

I see some vulnerabilities in the security profile of your computer, programs that need updating or that should be uninstalled, but we will do that in a later post. In the meantime, be very cautious where you surf and what you click! :)

I noticed that TeamViewer is installed in your computer. Did you install it? There are recent reports that TeamViewer accounts have been hacked.

I also notice Bittorrent Sync is installed in your computer. Again, did you install it and do you use it? The use of P2P software is a security vulnerability.


Step 1: Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

 

OK, let's get started ...


Step 2: I am seeing a file: A:\PFFQXV1M.EXE, which is located on a small (1.99 GB) FAT32 partitioned drive (Disk: 3), listed as Drive A:. Do you know what this file is? It is loaded in memory and I could not find any information about it. What is the purpose of this drive?


Step 3: FRST is reporting that your Windows Defender anti-virus and anti-spyware definitions are out of date. This creates a big security vulnerability. Please update your Windows Defender definitions and then keep them updated to provide optimal protection for your computer.


Step 4: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.
 

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [AdobeBridge] => [X]
URLSearchHook: [S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-425977601-1203083412-1631309457-2457533047-3321749933] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-997390408-2153310517-3119169589-2253446180-2226563786] ATTENTION => Default URLSearchHook is missing
U3 aswMBR; \??\a:\userTEMP\aswMBR.sys [X]
U3 aswVmm; \??\a:\userTEMP\aswVmm.sys [X]
U3 kwlcapob; \??\a:\userTEMP\kwlcapob.sys [X]

File: C:\Program Files\Everything\Everything.exe
File: A:\PFFQXV1M.EXE

Step 5: Please reboot your computer.
ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK
  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply

Don't forget to re-enable your antivirus when finished!


Step 6: Malwarebytes Anti-Malware Free and Malwarebytes Chameleon Including External Drives

----------

  • Download Malwarebytes Anti-Malware Free and save it to your desktop
  • Double click the desktop icon, click Run, then Yes
  • Click OK for English, then click Next
  • Select I accept the agreement then continue to click Next then finally click Install
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
  • If you are notified the Database is out of date click Update Now
  • Attach any external drives you want to scan if not already attached
  • Click the Scan button near the top
  • Select Custom Scan then click Configure Scan
  • Place a check mark in any additional drives you would like to scan
  • Click Scan now

----------
Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
Click Start (Start, Search, All files and folders for Windows XP) then type mbam
Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com

----------

  • When completed click the down arrow on Export Log and select Text file (*.txt)
  • Save the file to your desktop as MBAM
  • Click Apply Actions then restart your computer if requested
  • Copy and paste the contents of MBAM.txt in your reply

 

:step7: Please copy and paste the fixlog.txt file, as well as the ESET and MBAM logs into your next reply and any information you have about that file on Drive A: and the purpose of the drive itself.

I would also like to know why you think that your computer is infected? You mentioned unusual network activity ... ? I did see an unusual number of Google Chrome plugins and extensions running, none of which were nefarious, and they might explain some of the network traffic when Chrome is running. Can you provide more information ... ?

The file that GMER flagged is most likely a "false positive." The file appears to be the executable for the "Everything" Search Engine, which I have installed on both of my computers. The file location is correct. See here for more information about "Everything." According to the FRST logs, it is installed in your computer.


Everything 1.3.4.686 (x64) (HKLM\...\Everything) (Version: - )

 

Personally, I think that this is a false positive, and since we both have the latest version of "Everything" installed, it won't be an issue to verify that it is the genuine copy. As a part of the fixlist.txt, I have requested FRST to take a closer look at that file.

So far, I have not seen anything that is causing me concern, other than the vulnerabilities that I have brought to your attention, and that strange file: A:\PFFQXV1M.EXE. The computer seems pretty clean, but you seem to have reason to believe otherwise, so I will need more details as to why you think your computer is infected, so that I can dig deeper.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 wardr

wardr
  • Topic Starter
  • Members
  • 110 posts
  • Gender:Male

Posted 09 June 2016 - 02:24 PM

> I noticed that TeamViewer is installed in your computer. Did you install it? There are recent reports that TeamViewer accounts have been hacked.

Yes, I use TeamViewer quite often. Do I need to uninstall it?

> I also notice Bittorrent Sync is installed in your computer. Again, did you install it and do you use it? The use of P2P software is a security vulnerability.

I did install it but I rarely use it, almost never do. Should I uninstall it?

> I am seeing a file: A:\PFFQXV1M.EXE, which is located on a small (1.99 GB) FAT32 partitioned drive (Disk: 3), listed as Drive A:. Do you know what this file is because it is loaded in memory and I could not find any information about it? What is the purpose of this drive?

That is a RAM disk drive that I use to store all my temporary files in. The name of the company that I use this for is called Dataram, www.dataram.com. I'm not sure what that file is though, maybe something to do with Dataram's RAMDisk program?

> FRST is reporting that your Windows Defender anti-virus and anti-spyware definitions are out of date. This creates a big security vulnerability. Please update your Windows Defender definitions and then keep them updated to provide optimal protection for your computer.

Okay, I manually updated. Why doesn't this just automatically update?

> Please copy and paste the fixlog.txt file, as well as the ESET and MBAM logs into your next reply and any information you have about that file on Drive A: and the purpose of the drive itself.

OK, I will send over the logs shortly in my next reply.

> I would also like to know why you think that your computer is infected? You mentioned unusual network activity ... ? I did see an unusual number of Google Chrome plugins and extensions running, none of which were nefarious, and they might explain some of the network traffic when Chrome is running. Can you provide more information ... ?

Well, like I said originally, I am almost positive this is the same trojan I had a couple of years ago. It may have lain dormant somewhere in my 2 TB storage drive. I may have accessed it unknowingly the other day and it started to spread. I use a much smaller SSD drive for Windows and applications only.

How does this trojan act? Well, for one, I can open Process Explorer and half of my running processes are unsigned. That's a big clue-in right there, Windows processes as well as 3rd party processes.

Also, when I look at files located on my computer within Windows Explorer, they sometimes will simply disappear. Literally no trace of them. I use "Everything" search (my favorite tool) and it will locate it somewhere else on my computer. Other times it just disappears entirely from Windows. But to investigate I will open up an admin command prompt and look at the file listings using the "dir" command, and there it is, right where it should be.

Also, while looking at network activity, I have applications such as Dropbox, Foxit Reader, Plex media server, Subsonic server, svchost, dashost, and explorer (and a few others) opened up under the same PID, but seemingly connected to 20 to 30 unique remote IP addresses. Looking up the IPs, they don't have much info on them, and they certainly aren't owned by those respective companies. Closing the program itself sometimes doesn't seem to even close the connection to the rogue network. I'm pretty good with computers but I am not an expert, so I don't know much more than what I am telling you.

All I know is that I am 100% sure I am infected, no doubt, and it will get worse unless something is done about it.

> The file that GMER flagged is most likely a "false positive." The file appears to be the executable for the "Everything" Search Engine, which I have installed on both of my computers. The file location is correct. See here for more information about "Everything." According to the FRST logs, it is installed in your computer.

Yes, that one is a false positive.

 

 

 

 



#6 wardr

wardr
  • Topic Starter
  • Members
  • 110 posts
  • Gender:Male

Posted 09 June 2016 - 10:07 PM

  • fixlog.txt
Fix result of Farbar Recovery Scan Tool (x64) Version:09-06-2016
Ran by Ryan (2016-06-09 14:27:52) Run:1
Running from C:\Users\Ryan\Desktop
Loaded Profiles: Ryan & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS (Available Profiles: Ryan & Administrator & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
*****************
 
 
==== End of Fixlog 14:27:52 ====
 
 
 
 
 
 
 
  • eset.txt
E:\apps\NirLauncher\NirSoft\astlog.exe Win32/PSWTool.AsteriskLogger.104 potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\awatch.exe a variant of Win32/AdapterWatch.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\browsinghistoryview.exe a variant of Win32/BrowsingHistoryView.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\bulletspassview.exe a variant of Win32/PSWTool.BulletsPassView.C potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\chromepass.exe Win32/PSWTool.ChromePass.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\dialupass.exe a variant of Win32/PSWTool.Dialupass.F potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\iepv.exe Win32/PSWTool.IEPassView.NAE potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\lsasecretsdump.exe Win32/PSWTool.LsaSecretsDump.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\lsasecretsview.exe Win32/PSWTool.LsasView potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\outlookaddressbookview.exe a variant of Win32/OutlookAddressBookView.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\passwordscan.exe Win32/PSWTool.WebBrowserPassView.C potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\pcanypass.exe a variant of Win32/PSWTool.PCAnyPass.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\routerpassview.exe a variant of Win32/PSWTool.RouterPassView.B potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\skypelogview.exe a variant of Win32/SkypeLogView.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\smsniff.exe a variant of Win32/Sniffer.SniffPass.B potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\sniffpass.exe a variant of Win32/Sniffer.SniffPass.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\vncpassview.exe Win32/PSWTool.VNCPassView.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\wirelesskeyview.exe a variant of Win32/WirelessKeyView.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\wirelessnetview.exe a variant of Win32/PSWTool.WirelessNetView.A potentially unsafe application cleaned by deleting
E:\apps\NirLauncher\NirSoft\x64\wirelesskeyview.exe a variant of Win64/WirelessKeyView.B potentially unsafe application cleaned by deleting
E:\backups\clouds\Dropbox\Share with Ron\Downloads\ccsetup320.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application deleted
E:\Downloads\Programs\ccsetup516.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
E:\Downloads\Programs\Radiohead A Moon Shaped Pool [2016] 320.exe a variant of Win32/Techsnab.AB potentially unwanted application deleted
E:\_Files\Data\Backups\iTunes Device Backups\a5677fd2e6482e6213d80d660323cb56c83d38c8\be0d234c36d3cefeb6d064168ce8c5381a3f8433 Win32/Adware.1ClickDownload.AE application cleaned by deleting
E:\_Files\Data\Backups\iTunes Device Backups\fb3c7057852530e17842cf3b3681f0a45fa0072d-20150504-080325\d773b3c099e56da1ebeee531bf1c7014a8763d12 a variant of Win32/InstallCore.D potentially unwanted application cleaned by deleting
E:\_Files\Data\Setups\Windows\7zip_bimo.exe a variant of Win32/InstallIQ.A potentially unwanted application cleaned by deleting
E:\_Files\Data\Setups\Windows\nirsoft_package_1.18.64.zip Win32/PSWTool.AsteriskLogger.104 potentially unsafe application deleted
E:\_Files\Data\Setups\Windows\SyMenu.NirSoft.zip Win32/PSWTool.AsteriskLogger.104 potentially unsafe application deleted

 

 
 
 
 
  • mbam-log-2016-06-09 (21-45-46).xml
<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/06/09 21:45:50 -0500</date>
<logfile>mbam-log-2016-06-09 (21-45-46).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.06.09.06</malware-database>
<rootkit-database>v2016.05.27.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>SERVER</hostname>
<ip>192.168.11.35</ip>
<osversion>Windows 8.1</osversion>
<arch>x64</arch>
<username>Ryan</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>498288</objects>
<time>726</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
</items>
</mbam-log>
 
 
 
  • COMMENTS

The NirSoft stuff ESET found I personally had on my backup storage drive; I downloaded that stuff years ago, but I never use it anymore. The Radiohead file I am shocked has malware because I purchased it from Amazon?!?! Very weird. Or actually I may have tried to download it from another server before purchasing it, and this may be that download "attempt". Interesting. Farbar and Malwarebytes found nothing.

 

 

 



#7 garioch7

garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,736 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 10 June 2016 - 01:21 PM

wardr:
 
Thank you for the logs.  It appears that you did not successfully execute my fixlist.txt, most likely because FRST could not locate it, or couldn't read it.  The fixlog.txt file is empty.
 
When you originally ran your FRST logs, FRST was located in this folder: C:\Users\Ryan\Desktop

Hence, I asked you to copy the fixlist.txt content from my second response to you, step :step4:, and paste that into a Notepad file that was saved to your Desktop folder as "fixlist.txt".

 

So there are a few possibilities as to what went wrong.  You might have saved the fixlist.txt contents using a word processing app, which adds formatting characters that FRST would not understand.  It is important that the fixlist content be saved in standard ASCII text, using Notepad, not WordPad or Word, etc.

 

It is also essential that the fixlist.txt file be in the EXACT same folder as the FRST64.EXE file is located.  Then press the "FIX" button once and wait.

 

Would you please try running the fixlist.txt file again using FRST?  If there is some error or issue, please let me know.  We have other options if something is interfering with FRST running successfully.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
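The post above names three ways a fixlist can fail silently: wrong folder, empty file, or a word-processor document saved in place of plain text. The following PowerShell check is an added example, not part of this thread and not a tool shipped with FRST; it assumes FRST64.exe and fixlist.txt both live on the Desktop (adjust $FrstDir otherwise) and only reads the file, so it is safe to run before pressing "Fix".

```powershell
# Added example (not from this thread or from FRST): confirms that fixlist.txt
# sits in the same folder as FRST64.exe and is non-empty plain ASCII text,
# the three conditions garioch7 lists for a fix to run.
# $FrstDir is an assumption; point it at wherever FRST64.exe actually lives.
$FrstDir = Join-Path $env:USERPROFILE 'Desktop'
$FrstExe = Join-Path $FrstDir 'FRST64.exe'
$Fixlist = Join-Path $FrstDir 'fixlist.txt'

function Test-FixlistReady {
    param([string]$ExePath, [string]$ListPath)

    if (-not (Test-Path -LiteralPath $ExePath)) {
        Write-Warning "FRST64.exe not found at $ExePath"; return $false
    }
    if (-not (Test-Path -LiteralPath $ListPath)) {
        Write-Warning "fixlist.txt not found at $ListPath"; return $false
    }
    # FRST only reads a fixlist.txt located in its own folder.
    if ((Split-Path $ExePath -Parent) -ne (Split-Path $ListPath -Parent)) {
        Write-Warning 'fixlist.txt must be in the same folder as FRST64.exe'; return $false
    }

    $bytes = [System.IO.File]::ReadAllBytes($ListPath)
    if ($bytes.Length -eq 0) {
        Write-Warning 'fixlist.txt is empty; nothing would be fixed'; return $false
    }
    # A WordPad/Word document is not plain text: RTF begins with "{\rtf", .docx with "PK".
    $headLen = [Math]::Min(5, $bytes.Length)
    $head = [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes[0..($headLen - 1)])
    if ($head.StartsWith('{\rtf') -or $head.StartsWith('PK')) {
        Write-Warning 'fixlist.txt is a word-processor document; re-save it from Notepad'; return $false
    }
    # Any byte above 0x7F is non-ASCII content or a UTF-8/UTF-16 byte-order mark.
    $nonAscii = @($bytes | Where-Object { $_ -gt 0x7F }).Count
    if ($nonAscii -gt 0) {
        Write-Warning "fixlist.txt contains $nonAscii non-ASCII byte(s); save it as ANSI text from Notepad"; return $false
    }
    Write-Host "fixlist.txt looks ready: $($bytes.Length) bytes of plain ASCII beside FRST64.exe"
    return $true
}

Test-FixlistReady -ExePath $FrstExe -ListPath $Fixlist
```

A $false result with a warning tells you which of the three conditions failed, which is the information the empty fixlog in post #6 could not give.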


#8 wardr

wardr
  • Topic Starter
  • Members
  • 110 posts
  • Gender:Male

Posted 11 June 2016 - 02:57 AM

Couple of things:
1. My computer (explorer.exe) crashed after the completion of this program.
2. The A: drive, seeing as it is a RAM disk, completely refreshes itself on every fresh boot, because the drive itself is located in my memory. This is why nothing on the A: drive was found. It actually loads an *.img on every re-boot.
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version:10-06-2016
Ran by Ryan (2016-06-11 02:51:16) Run:2
Running from C:\Users\Ryan\Desktop
Loaded Profiles: Ryan & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS (Available Profiles: Ryan & Administrator & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\...\Run: [AdobeBridge] => [X]
URLSearchHook: [S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-425977601-1203083412-1631309457-2457533047-3321749933] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-997390408-2153310517-3119169589-2253446180-2226563786] ATTENTION => Default URLSearchHook is missing
U3 aswMBR; \??\a:\userTEMP\aswMBR.sys [X]
U3 aswVmm; \??\a:\userTEMP\aswVmm.sys [X]
U3 kwlcapob; \??\a:\userTEMP\kwlcapob.sys [X]
 
File: C:\Program Files\Everything\Everything.exe
File: A:\PFFQXV1M.EXE
*****************
 
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1125547639-1294637962-2935245663-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
Could not restore Default URLSearchHook.
Could not restore Default URLSearchHook.
Could not restore Default URLSearchHook.
aswMBR => service not found.
aswVmm => service not found.
kwlcapob => service not found.
 
========================= File: C:\Program Files\Everything\Everything.exe ========================
 
File not signed
MD5: FE18DDEA98D90DBF850AFCA0158ABEC8
Creation and modification date: 2015-12-25 10:43 - 2014-08-05 20:04
Size: 1441792
Attributes: ----A
Company Name: 
Internal Name: Everything
Original Name: Everything.exe
Product: Everything
Description: Everything
File Version: 1.3.4.686
Product Version: 1.3.4.686
Copyright: Copyright © 2014 David Carpenter
 
====== End of File: ======
 
 
 
========================= File: A:\PFFQXV1M.EXE ========================
 
"A:\PFFQXV1M.EXE" => not found.
====== End of File: ======
 
 
 
The system needed a reboot.
 
==== End of Fixlog 02:51:17 ====

Edited by wardr, 11 June 2016 - 02:59 AM.


#9 wardr

wardr
  • Topic Starter
  • Members
  • 110 posts
  • Gender:Male

Posted 11 June 2016 - 04:12 PM

Yesterday, June 10 at 10:23 AM, Glassdoor indicated 3 events that I've never seen before. These are the last 5 items in my network alerts from Glassdoor; note the items in red and ignore the items grayed out.

June 9 16:41:17 Application Info Changed
The application version changed from "50.0.2661.102" to "51.0.2704.84".
Google Chrome

June 10 10:23:21 Application Info Changed
Application publisher name changed from "Microsoft Windows" to empty value.
Host Process for Windows Services

June 10 10:23:21 Application Info Changed
The application is no longer signed.
Host Process for Windows Services

June 10 10:23:21 Application Info Changed
Application publisher name changed from empty value to "Microsoft Windows".
Host Process for Windows Services

June 10 10:25:55 First Network activity
First network connection initiated
Microsoft Help and Support
134.170.119.140

Glassdoor has never reported a file changing publisher name or reported a file no longer being signed. Do you know what this means?

Edited by wardr, 11 June 2016 - 04:13 PM.


#10 garioch7

garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,736 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 12 June 2016 - 12:25 PM

wardr:
 
Thank you for the fixlog.txt.  I think that FRST probably crashed your explorer.exe, looking for that ramdisk file, which it couldn't find.  Sorry about that.
 
I am not seeing any indications of malware, so far, so for our next step, we should address some of your questions and security vulnerabilities.
 
The "everything.exe" file detected by GMER is a false positive.  The file size and MD5 hash are correct.  Here is the Virustotal link for that MD5.
 
You do not need to uninstall TeamViewer or BitTorrent Sync, although if you are not using the latter, I would uninstall it, if it was my computer.  P2P programs are inherently vulnerable to malware.
 
Windows Defender updates are delivered via Windows Updates, so Windows Updates have to be set to automatic, if you want Windows to look after updating Windows Defender.  I suspect that you do not have Windows Updates set to automatic, which means that you have to manually check to update the Windows Defender definitions.  See this link for more information.  You can find instructions to turn on automatic Windows Updates, here.
 

:step1: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Java and remove any existing older versions:

  • Click here to evaluate your current version of Java
  • Click Free Java Download
  • Click the Agree and Start Free Download
  • Save jxpiinstall.exe to your desktop
  • Double click the icon then click Run
  • Click Install
  • Uncheck any Ask Toolbar offers
  • Click Next
  • You should be notified You have successfully installed Java
  • If Java notifies you older versions of the program need to be removed allow the program to complete that
  • Reboot your computer once all Java components are removed.

 

 

:step2: You have Apple QuickTime installed. Apple has ceased support for that product, thereby resulting in unpatched security vulnerabilities. You might want to "google" this issue, but two authoritative references can be found here and here. I recommend that you uninstall this program using the Control Panel, Add/Remove Programs.
 
 
 
I am not familiar with GlassWire, which is what I presume you are referring to when you mention "Glassdoor".  According to FRST, GlassWire is installed in your computer and it is a free network monitoring application.  If I were you, I would post on the GlassWire Forums, here about those entries you have reported. They could be legitimate and not be indicative of malware or a system issue.
 
Please let me know when you have updated Java, set Windows Updates to automatic, and uninstalled QuickTime.  I would also appreciate an update on the status of your computer.

 

I am not seeing any evidence of active malware, so I do need to understand why you think that the computer is infected, and what you think the computer is infected with.
 
Thank you and have a great day.
 
Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
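Three threads of this discussion come down to the same check: wardr's report that "half of my running processes are unsigned" (post #5), the GlassWire alert that "Host Process for Windows Services" was briefly unsigned (post #9), and garioch7's verification of Everything.exe by file size and MD5 (post #10). The script below is an added example, not code from this thread, from GlassWire or from FRST. It lists every running process's image file with its Authenticode status, signer and hashes, so an "unsigned" claim can be checked per file and a hash looked up by hand. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the 'AccessDenied' status label and the placeholder hash are the example's own.

```powershell
# Added example (not from this thread, GlassWire or FRST): signature and hash
# report for the image file of every running process.
# Assumes Windows PowerShell 4.0+ and an elevated session.
function Get-ProcessSignatureReport {
    param([string[]]$Name)   # optional name filter, e.g. 'svchost','explorer'

    $procs = Get-Process
    if ($Name) { $procs = $procs | Where-Object { $Name -contains $_.Name } }

    $seen = @{}
    foreach ($p in $procs) {
        # Path is empty when the process cannot be opened (protected or system
        # processes without elevation); report that instead of skipping it.
        $path = $p.Path
        if (-not $path) {
            [pscustomobject]@{ Name = $p.Name; PID = $p.Id; Path = $null
                               Status = 'AccessDenied'; Signer = $null; SHA256 = $null; MD5 = $null }
            continue
        }
        if ($seen.ContainsKey($path)) { continue }   # one row per image file
        $seen[$path] = $true

        try {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $md5    = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        } catch {
            $signer = $null; $sha256 = $null; $md5 = $null
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Name = $p.Name; PID = $p.Id; Path = $path
                           Status = $status; Signer = $signer; SHA256 = $sha256; MD5 = $md5 }
    }
}

# Anything not 'Valid' deserves a look, but NotSigned alone is not proof of
# tampering: many Windows system binaries carry no embedded signature and are
# covered by a security catalog instead. Confirm a NotSigned file under
# C:\Windows with Sysinternals sigcheck (which checks catalogs) before drawing
# conclusions; a "Windows" binary running from an unusual path is the stronger signal.
Get-ProcessSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table Name, PID, Status, Signer, Path -AutoSize

# Compare one file against a hash from a trusted source, as garioch7 did for
# Everything.exe. The expected value below is a placeholder, not a value from this thread.
$expectedMd5 = 'PLACEHOLDER_MD5_FROM_TRUSTED_SOURCE'
$actualMd5   = (Get-FileHash -LiteralPath 'C:\Program Files\Everything\Everything.exe' -Algorithm MD5).Hash
"Everything.exe MD5 matches expected: $($actualMd5 -eq $expectedMd5)"
```

HashMismatch is the result to treat as serious: it means the file's contents no longer match its embedded signature, which is what a modified system binary would show, whereas NotSigned on a third-party tool such as Everything.exe (FRST reported "File not signed" for it in post #8) is ordinary for an unsigned freeware build and is settled by the hash comparison instead.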


#11 garioch7

garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,736 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 15 June 2016 - 10:59 AM

wardr:

 

Do you still require assistance?  I have not heard from you in three days.

 

If you have not replied in the next two days, Forum policy requires that the topic be concluded.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,049 posts
  • Gender:Male
  • Location:California

Posted 17 June 2016 - 10:27 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



