Malware Present - Gained Control of My System Files
This topic is locked
20 replies to this topic

#1 trumpt

  • Members
  • 11 posts

Posted 19 June 2016 - 02:04 PM

Hello,

I have an Acer Aspire V3-731 laptop running Windows 7 Home Premium that has been increasingly taken over by malware. I am able to get on the internet and use my email, but that’s about it. In Windows Task Manager, I’m getting large file sizes for some of the iexplore.exe and svchost.exe files.

I downloaded the Farbar Recovery Scan Tool and placed it on my desktop, but it froze my laptop when I tried to run it (the same thing happens for other downloads when I try to execute them). I did manage to get a FRST log in safe mode (shown below), but I’m not sure how useful the information in it will be. Same for the attached Addition.txt file.

Any guidance or suggestions to help improve my situation would be much appreciated.

Thanks in advance,

Marvin

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-06-2016
Ran by user (administrator) on USER-PC (19-06-2016 12:23:11)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> csrss.exe
Failed to access process -> csrss.exe
(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [InstantUpdate] => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuDaemon.exe [124520 2012-04-06] ()
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12448872 2012-02-14] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1158248 2012-02-07] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2821936 2012-03-07] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1021056 2012-03-08] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800896 2012-03-08] (Atheros Commnucations)
HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1829768 2012-02-07] (Acer Incorporated)
HKLM-x32\...\Run: [SuiteTray] => C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [341360 2011-09-20] (Egis Technology Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe [296984 2012-01-05] (NTI Corporation)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Dolby PCEE4\pcee4.exe [506712 2011-06-01] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1105488 2012-03-23] (Dritek System Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [67840 2016-05-19] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [814608 2016-04-04] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [Privatefirewall] => C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe [3048480 2013-12-17] (Privacyware/PWI, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-21-537413098-2744756720-3065880487-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8722136 2016-06-01] (Piriform Ltd)
HKU\S-1-5-21-537413098-2744756720-3065880487-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Acer.scr [450048 2011-09-12] ()
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP DeskJet 2130 series.lnk [2016-06-19]
ShortcutTarget: Monitor Ink Alerts - HP DeskJet 2130 series.lnk -> C:\Program Files\HP\HP DeskJet 2130 series\Bin\HPStatusBL.dll (Hewlett-Packard Development Company, LP)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{EE2AAC7F-25F4-4F30-97AB-612FECCAE734}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-537413098-2744756720-3065880487-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-21] (Siber Systems Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-21] (Siber Systems Inc.)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-03-08] (Atheros Commnucations)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)
BHO-x32: AviraBrowserSafety.BrowserSafety -> {c3c77255-42c0-499f-b664-6e981a0b1647} -> C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-21] (Siber Systems Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-21] (Siber Systems Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)
Toolbar: HKU\S-1-5-21-537413098-2744756720-3065880487-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
Toolbar: HKU\S-1-5-21-537413098-2744756720-3065880487-1000 -> &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-21] (Siber Systems Inc.)
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: HKLM-x32 {FB54FA27-96CF-4C62-80DC-DA7616EBD326} hxxp://downloads.bullguard.com/VirusScan/bgvax.cab
Handler-x32: abs - {E00957BD-D0E1-4eb9-A025-7743FDC8B27B} - C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Gq1lfAa5.default
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2011-12-01] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2011-12-01] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Extension: Avira Browser Safety - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Gq1lfAa5.default\Extensions\abs@avira.com [2016-06-13]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [970656 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [467016 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [467016 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1435704 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [107648 2012-03-08] (Atheros Commnucations) [File not signed]
S2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [285176 2016-05-19] (Avira Operations GmbH & Co. KG)
S2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [226064 2016-05-31] (Avira Operations GmbH & Co. KG)
S3 DCDhcpService; C:\Program Files (x86)\Acer\WDAgent\DCDhcpService.exe [111776 2012-02-10] (Atheros Communication Inc.) [File not signed]
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-15] (Intel Corporation)
S2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [256536 2012-01-05] (NTI Corporation)
R2 PFNet; C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [374600 2013-12-17] (Privacyware/PWI, Inc.)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
U2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 ZAtheros Wlan Agent; C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe [72864 2012-02-19] (Atheros) [File not signed]
S2 McAfee SiteAdvisor Service; "c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe" [X]
S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [154816 2016-04-04] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [141920 2016-04-04] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-04-04] (Avira Operations GmbH & Co. KG)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-19 12:23 - 2016-06-19 12:23 - 00014578 _____ C:\Users\user\Desktop\FRST.txt
2016-06-19 12:21 - 2016-06-19 12:23 - 00000000 ____D C:\FRST
2016-06-19 12:21 - 2016-06-19 12:21 - 00068332 _____ C:\Windows\ntbtlog.txt
2016-06-19 11:11 - 2016-06-19 11:12 - 02387456 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe
2016-06-18 16:36 - 2016-06-18 16:36 - 00000000 ____D C:\Users\user\AppData\Roaming\Virus Scan
2016-06-18 16:31 - 2016-06-18 16:32 - 02527376 _____ (Trend Micro Inc.) C:\Users\user\Downloads\HousecallLauncher64.exe
2016-06-18 16:29 - 2016-06-18 16:29 - 00000036 _____ C:\Users\user\AppData\Local\housecall.guid.cache
2016-06-18 16:24 - 2016-06-18 16:24 - 00000000 ____D C:\Users\user\AppData\Local\ESET
2016-06-18 16:16 - 2016-06-18 16:16 - 00000000 ____D C:\Users\user\AppData\Local\F-Secure
2016-06-18 16:16 - 2016-06-18 16:16 - 00000000 ____D C:\ProgramData\F-Secure
2016-06-18 16:14 - 2016-06-18 16:14 - 00000000 ____D C:\Users\user\AppData\Roaming\QuickScan
2016-06-18 16:06 - 2016-06-18 16:06 - 00004839 _____ C:\Users\user\Desktop\JRT.txt
2016-06-15 08:22 - 2016-05-23 18:37 - 00394960 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-06-15 08:22 - 2016-05-23 17:54 - 00346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-06-15 08:22 - 2016-05-21 12:28 - 25802752 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-06-15 08:22 - 2016-05-21 11:57 - 20341248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-06-15 08:22 - 2016-05-20 17:27 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-06-15 08:22 - 2016-05-20 17:27 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-06-15 08:22 - 2016-05-20 17:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-06-15 08:22 - 2016-05-20 17:10 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-06-15 08:22 - 2016-05-20 17:09 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-06-15 08:22 - 2016-05-20 17:09 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-06-15 08:22 - 2016-05-20 17:09 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-06-15 08:22 - 2016-05-20 17:08 - 02895360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-06-15 08:22 - 2016-05-20 17:08 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-06-15 08:22 - 2016-05-20 17:02 - 06051328 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-06-15 08:22 - 2016-05-20 17:00 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-06-15 08:22 - 2016-05-20 16:59 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-06-15 08:22 - 2016-05-20 16:57 - 00497664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-06-15 08:22 - 2016-05-20 16:57 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-06-15 08:22 - 2016-05-20 16:57 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-06-15 08:22 - 2016-05-20 16:56 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-06-15 08:22 - 2016-05-20 16:56 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-06-15 08:22 - 2016-05-20 16:55 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-06-15 08:22 - 2016-05-20 16:54 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-06-15 08:22 - 2016-05-20 16:54 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-06-15 08:22 - 2016-05-20 16:54 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-06-15 08:22 - 2016-05-20 16:54 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-06-15 08:22 - 2016-05-20 16:50 - 02287104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-06-15 08:22 - 2016-05-20 16:49 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-06-15 08:22 - 2016-05-20 16:48 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-06-15 08:22 - 2016-05-20 16:45 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-06-15 08:22 - 2016-05-20 16:45 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-06-15 08:22 - 2016-05-20 16:44 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-06-15 08:22 - 2016-05-20 16:44 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-06-15 08:22 - 2016-05-20 16:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-06-15 08:22 - 2016-05-20 16:41 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-06-15 08:22 - 2016-05-20 16:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-06-15 08:22 - 2016-05-20 16:33 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-06-15 08:22 - 2016-05-20 16:32 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-06-15 08:22 - 2016-05-20 16:29 - 13815808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-06-15 08:22 - 2016-05-20 16:28 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-06-15 08:22 - 2016-05-20 16:27 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-06-15 08:22 - 2016-05-20 16:27 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-06-15 08:22 - 2016-05-20 16:26 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-06-15 08:22 - 2016-05-20 16:25 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-06-15 08:22 - 2016-05-20 16:23 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-06-15 08:22 - 2016-05-20 16:23 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-06-15 08:22 - 2016-05-20 16:22 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-06-15 08:22 - 2016-05-20 16:21 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-06-15 08:22 - 2016-05-20 16:19 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-06-15 08:22 - 2016-05-20 16:14 - 04610048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-06-15 08:22 - 2016-05-20 16:12 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-06-15 08:22 - 2016-05-20 16:11 - 15420928 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-06-15 08:22 - 2016-05-20 16:11 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-06-15 08:22 - 2016-05-20 16:09 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-06-15 08:22 - 2016-05-20 16:09 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-06-15 08:22 - 2016-05-20 16:08 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-06-15 08:22 - 2016-05-20 16:08 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-06-15 08:22 - 2016-05-20 16:07 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-06-15 08:22 - 2016-05-20 16:07 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-06-15 08:22 - 2016-05-20 16:06 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-06-15 08:22 - 2016-05-20 15:46 - 02597888 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-06-15 08:22 - 2016-05-20 15:42 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-06-15 08:22 - 2016-05-20 15:38 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-06-15 08:22 - 2016-05-20 15:38 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-06-15 08:22 - 2016-05-20 15:34 - 01544192 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-06-15 08:22 - 2016-05-20 15:23 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-06-15 08:20 - 2016-06-06 11:58 - 00041704 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-06-15 08:20 - 2016-06-06 11:50 - 01204224 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-06-15 08:20 - 2016-06-03 08:05 - 01413120 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-06-15 08:20 - 2016-05-27 08:06 - 00569856 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-06-15 08:20 - 2016-05-27 08:06 - 00544256 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-06-15 08:20 - 2016-05-27 08:06 - 00276480 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-06-15 08:20 - 2016-05-27 08:06 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2016-06-15 08:20 - 2016-05-22 08:06 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-06-15 08:20 - 2016-05-18 11:10 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-06-15 08:20 - 2016-05-18 11:09 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-06-15 08:20 - 2016-05-13 17:15 - 00382184 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-06-15 08:20 - 2016-05-13 17:09 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2016-06-15 08:20 - 2016-05-13 17:09 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-06-15 08:20 - 2016-05-13 17:09 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2016-06-15 08:20 - 2016-05-13 17:09 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2016-06-15 08:20 - 2016-05-13 16:54 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-06-15 08:20 - 2016-05-13 16:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2016-06-15 08:20 - 2016-05-13 16:49 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2016-06-15 08:20 - 2016-05-13 16:49 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2016-06-15 08:20 - 2016-05-13 16:27 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-06-15 08:20 - 2016-05-12 12:20 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-06-15 08:20 - 2016-05-12 12:20 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-06-15 08:20 - 2016-05-12 12:15 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-06-15 08:20 - 2016-05-12 12:15 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-06-15 08:20 - 2016-05-12 12:15 - 00105472 _____ (Microsoft Corporation) C:\Windows\system32\winipsec.dll
2016-06-15 08:20 - 2016-05-12 12:15 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-06-15 08:20 - 2016-05-12 12:15 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-06-15 08:20 - 2016-05-12 12:15 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00794624 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00502272 _____ (Microsoft Corporation) C:\Windows\system32\IPSECSVC.DLL
2016-06-15 08:20 - 2016-05-12 12:14 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00373760 _____ (Microsoft Corporation) C:\Windows\system32\polstore.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00096256 _____ (Microsoft Corporation) C:\Windows\system32\gpapi.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00075776 _____ (Microsoft Corporation) C:\Windows\system32\FwRemoteSvr.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-06-15 08:20 - 2016-05-12 12:14 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\polstore.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00079360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00070144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winipsec.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FwRemoteSvr.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-06-15 08:20 - 2016-05-12 10:18 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-06-15 08:20 - 2016-05-12 10:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-06-15 08:20 - 2016-05-12 10:03 - 03217408 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-06-15 08:20 - 2016-05-12 09:58 - 00464896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-06-15 08:20 - 2016-05-12 09:58 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-06-15 08:20 - 2016-05-12 09:58 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-06-15 08:20 - 2016-05-12 09:58 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-06-15 08:20 - 2016-05-12 09:58 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-06-15 08:20 - 2016-05-12 09:58 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-06-15 08:20 - 2016-05-12 09:57 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-06-15 08:20 - 2016-05-12 09:56 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-06-15 08:20 - 2016-05-12 09:51 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-06-15 08:20 - 2016-05-12 08:05 - 00459640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2016-06-15 08:20 - 2016-05-12 08:05 - 00297984 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll
2016-06-15 08:20 - 2016-05-12 08:04 - 00249352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll
2016-06-15 08:20 - 2016-05-11 12:02 - 00483840 _____ (Microsoft Corporation) C:\Windows\system32\StructuredQuery.dll
2016-06-15 08:20 - 2016-05-11 12:02 - 00444928 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2016-06-15 08:20 - 2016-05-11 12:02 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
2016-06-15 08:20 - 2016-05-11 12:02 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\ws2_32.dll
2016-06-15 08:20 - 2016-05-11 10:19 - 00363520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\StructuredQuery.dll
2016-06-15 08:20 - 2016-05-11 10:19 - 00351744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2016-06-15 08:20 - 2016-05-11 10:19 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2016-06-15 08:20 - 2016-05-11 10:19 - 00206336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ws2_32.dll
2016-06-15 08:20 - 2016-05-11 10:11 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\netbtugc.exe
2016-06-15 08:20 - 2016-05-11 10:01 - 00026624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netbtugc.exe
2016-06-15 08:20 - 2016-05-11 09:58 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbt.sys
2016-06-15 08:20 - 2016-04-09 01:58 - 14186496 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-06-15 08:20 - 2016-04-09 01:57 - 01867776 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2016-06-15 08:20 - 2016-04-09 01:54 - 12881408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-06-15 08:20 - 2016-04-09 01:54 - 01499648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2016-06-15 08:20 - 2016-04-09 00:53 - 03231232 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-06-15 08:20 - 2016-04-09 00:44 - 02973184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2016-06-15 08:20 - 2016-03-09 14:00 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\webio.dll
2016-06-15 08:20 - 2016-03-09 13:40 - 00316416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webio.dll
2016-06-15 08:19 - 2016-04-14 11:46 - 00114408 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2016-06-15 08:19 - 2016-04-14 11:42 - 03243520 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2016-06-15 08:19 - 2016-04-14 11:42 - 01941504 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2016-06-15 08:19 - 2016-04-14 11:42 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2016-06-15 08:19 - 2016-04-14 11:42 - 00070144 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2016-06-15 08:19 - 2016-04-14 11:42 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\msimsg.dll
2016-06-15 08:19 - 2016-04-14 10:33 - 02365440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2016-06-15 08:19 - 2016-04-14 10:33 - 01806848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2016-06-15 08:19 - 2016-04-14 10:33 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2016-06-15 08:19 - 2016-04-14 10:33 - 00025088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msimsg.dll
2016-06-15 08:19 - 2016-04-14 10:19 - 00128000 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2016-06-15 08:19 - 2016-04-14 10:11 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
2016-06-13 20:47 - 2016-06-13 20:47 - 01610816 _____ (Malwarebytes) C:\Users\user\Desktop\JRT.exe
2016-06-13 20:28 - 2016-06-13 20:28 - 00000000 ____D C:\Program Files (x86)\ESET
2016-06-13 20:17 - 2016-06-13 20:17 - 02870984 _____ (ESET) C:\Users\user\Desktop\esetsmartinstaller_enu.exe
2016-06-13 20:08 - 2016-06-13 20:08 - 03677248 _____ C:\Users\user\Desktop\AdwCleaner.exe
2016-06-13 19:17 - 2016-06-13 19:17 - 00000000 ____D C:\Users\user\Documents\ProcAlyzer Dumps
2016-06-13 18:46 - 2016-06-18 15:58 - 00031292 _____ C:\Users\user\Desktop\MTB.txt
2016-06-13 18:41 - 2016-06-13 18:41 - 00891392 _____ (Farbar) C:\Users\user\Desktop\MiniToolBox.exe
2016-06-13 17:01 - 2016-06-13 17:01 - 00000000 ____D C:\Users\user\AppData\Local\Privatefirewall
2016-06-13 16:03 - 2013-09-29 21:24 - 00133152 _____ (Privacyware/PWI, Inc.) C:\Windows\system32\Drivers\pwipf6.sys
2016-06-13 16:02 - 2016-06-13 16:02 - 00000146 _____ C:\Windows\ODBC.INI
2016-06-13 16:02 - 2016-06-13 16:02 - 00000000 ____D C:\ProgramData\Privacyware
2016-06-13 16:02 - 2016-06-13 16:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privatefirewall 7.0
2016-06-13 16:02 - 2016-06-13 16:02 - 00000000 ____D C:\Program Files (x86)\Privacyware
2016-06-13 15:52 - 2016-06-13 15:52 - 00000000 ____D C:\Users\user\AppData\LocalLow\Avira
2016-06-13 15:31 - 2016-06-18 15:55 - 00000000 ____D C:\AdwCleaner
2016-06-13 15:09 - 2016-06-13 15:09 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-13 15:08 - 2016-06-13 15:13 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-06-13 15:05 - 2016-06-18 16:26 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-06-13 15:05 - 2016-06-13 15:05 - 00001337 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-06-13 15:05 - 2016-06-13 15:05 - 00001325 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2016-06-13 15:05 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2016-06-13 15:04 - 2016-06-13 15:13 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2016-06-13 14:25 - 2016-06-13 14:25 - 00001016 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira Phantom VPN.lnk
2016-06-13 14:25 - 2016-06-13 14:25 - 00001004 _____ C:\Users\Public\Desktop\Avira Phantom VPN.lnk
2016-06-13 14:25 - 2016-06-13 14:25 - 00000000 ____D C:\Users\user\AppData\Roaming\Avira
2016-06-13 14:24 - 2016-06-13 14:24 - 00003432 _____ C:\Windows\System32\Tasks\Avira Browser Safety Updater Task
2016-06-13 14:23 - 2016-06-13 14:23 - 00000000 ____D C:\Users\user\AppData\Roaming\Mozilla
2016-06-13 14:21 - 2016-04-04 17:07 - 00154816 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-06-13 14:21 - 2016-04-04 17:07 - 00141920 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-06-13 14:21 - 2016-04-04 17:07 - 00079696 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2016-06-13 14:21 - 2016-04-04 17:07 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2016-06-13 14:02 - 2016-06-13 14:25 - 00000000 ____D C:\ProgramData\Avira
2016-06-13 14:02 - 2016-06-13 14:25 - 00000000 ____D C:\Program Files (x86)\Avira
2016-06-13 14:02 - 2016-06-13 14:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-06-13 14:02 - 2016-06-13 14:02 - 00001170 _____ C:\Users\Public\Desktop\Avira Launcher.lnk
2016-06-13 14:02 - 2016-06-13 14:02 - 00000000 ____D C:\ProgramData\Package Cache
2016-06-04 14:39 - 2016-06-04 14:40 - 06893008 _____ (Piriform Ltd) C:\Users\user\Downloads\ccsetup518.exe
2016-06-03 14:22 - 2016-06-03 14:22 - 00000000 ____D C:\Users\user\AppData\Local\Microsoft Help
2016-05-30 14:29 - 2016-05-30 14:29 - 00532739 _____ C:\Users\user\Downloads\Attachments_2016530.zip
2016-05-29 12:38 - 2016-05-29 12:38 - 00002216 _____ C:\Users\Public\Desktop\HP DeskJet 2130 series.lnk
2016-05-29 12:38 - 2016-05-29 12:38 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2016-05-29 12:37 - 2016-05-29 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2016-05-29 12:36 - 2016-05-29 12:37 - 00000000 ____D C:\ProgramData\HP
2016-05-29 12:36 - 2016-05-29 12:36 - 00000057 _____ C:\ProgramData\Ament.ini
2016-05-29 12:36 - 2016-05-29 12:36 - 00000000 ____D C:\Program Files\HP
2016-05-29 12:36 - 2016-05-29 12:36 - 00000000 ____D C:\Program Files (x86)\HP
2016-05-29 12:14 - 2016-05-29 12:38 - 00000000 ____D C:\Users\user\AppData\Local\HP
2016-05-26 08:07 - 2016-05-26 08:08 - 00000000 ____D C:\Users\user\Downloads\Attachments_2016526

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-19 12:18 - 2016-02-24 21:15 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-19 12:18 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-19 11:27 - 2016-02-24 21:15 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-19 11:23 - 2009-07-14 00:13 - 00782164 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-19 11:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-06-19 11:09 - 2009-07-13 23:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-19 11:09 - 2009-07-13 23:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-18 16:36 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2016-06-18 16:02 - 2016-05-09 18:57 - 00000000 ____D C:\Users\user\AppData\Local\ElevatedDiagnostics
2016-06-18 08:52 - 2016-04-19 21:34 - 00000000 ____D C:\Users\user\Documents\Microsoft Excel
2016-06-18 06:35 - 2016-02-24 21:04 - 00000000 ____D C:\Users\user\AppData\Local\Adobe
2016-06-17 09:28 - 2016-04-19 21:34 - 00000000 ____D C:\Users\user\Documents\Microsoft Word
2016-06-16 21:02 - 2016-03-13 17:35 - 00000000 ____D C:\Users\user\AppData\Roaming\SoftGrid Client
2016-06-16 18:11 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2016-06-15 21:22 - 2009-07-13 23:45 - 00275800 _____ C:\Windows\system32\FNTCACHE.DAT
2016-06-15 21:19 - 2016-04-30 06:55 - 00000000 ____D C:\Windows\system32\appraiser
2016-06-13 20:28 - 2016-04-30 16:23 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
2016-06-13 19:31 - 2010-11-20 22:27 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-06-13 18:14 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Libraries
2016-06-13 18:10 - 2009-07-14 00:08 - 00032540 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-06-04 14:41 - 2016-04-19 20:58 - 00000826 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-06-02 10:32 - 2015-11-20 18:26 - 00061560 _____ C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2016-05-25 21:32 - 2016-04-30 06:54 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2016-05-25 21:32 - 2016-04-30 06:54 - 00000000 ___SD C:\Windows\system32\GWX
2016-05-22 09:53 - 2016-03-13 17:33 - 00774870 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-05-22 08:29 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF

==================== Files in the root of some directories =======

2016-06-18 16:29 - 2016-06-18 16:29 - 0000036 _____ () C:\Users\user\AppData\Local\housecall.guid.cache
2016-05-29 12:36 - 2016-05-29 12:36 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-11-20 20:06 - 2015-11-20 20:08 - 0002454 _____ () C:\ProgramData\clear.fiSDK20.log
2015-11-20 20:07 - 2015-11-20 20:07 - 0000032 _____ () C:\ProgramData\PS.log

Some files in TEMP:
====================
C:\Users\user\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-06-17 03:02

==================== End of FRST.txt ============================
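The "Bamital & volsnap" section above is FRST's own integrity check of a fixed list of core binaries. The following PowerShell script is an added example, not part of the FRST output or of this post: it re-checks that same list with built-in cmdlets, recording file version, company string, size, SHA-256 and embedded Authenticode status, so the result can be diffed against a known-clean Windows 7 SP1 x64 machine. It is written for PowerShell 2.0 (the Windows 7 default) and assumes an elevated prompt; the file list is taken from the log, everything else (function names, output layout) is illustrative. One caveat a practitioner needs: on Windows 7 most system binaries are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports NotSigned for them. That alone is not a finding (FRST's check consults the catalogs, which is why it can report these files as signed); a HashMismatch, a missing file, a non-Microsoft company string, or a version that differs from the clean machine's copy is what to look at.

```powershell
# Added example, not part of the FRST output or the original post. Re-checks the
# core binaries FRST lists under "Bamital & volsnap" and records enough detail
# (version, company, size, SHA-256, embedded signature status) to compare with
# a clean Windows 7 SP1 x64 install. PowerShell 2.0 compatible; run elevated.

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0, so hash via .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

function Test-CoreBinary([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING' }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # NotSigned here usually means "catalog-signed" on Windows 7; see lead-in.
    New-Object PSObject -Property @{
        Path    = $Path
        Status  = $sig.Status.ToString()
        Signer  = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        Version = $item.VersionInfo.FileVersion
        Company = $item.VersionInfo.CompanyName
        Size    = $item.Length
        Sha256  = Get-Sha256Hex $Path
    }
}

$sys = $env:SystemRoot
# The same files FRST verified in the log above.
$coreFiles = @(
    "$sys\system32\winlogon.exe",
    "$sys\system32\wininit.exe",  "$sys\SysWOW64\wininit.exe",
    "$sys\explorer.exe",          "$sys\SysWOW64\explorer.exe",
    "$sys\system32\svchost.exe",  "$sys\SysWOW64\svchost.exe",
    "$sys\system32\services.exe",
    "$sys\system32\user32.dll",   "$sys\SysWOW64\user32.dll",
    "$sys\system32\userinit.exe", "$sys\SysWOW64\userinit.exe",
    "$sys\system32\rpcss.dll",
    "$sys\system32\dnsapi.dll",   "$sys\SysWOW64\dnsapi.dll",
    "$sys\system32\drivers\volsnap.sys"
)

$results = $coreFiles | ForEach-Object { Test-CoreBinary $_ }
$results | Format-Table -AutoSize Status, Version, Company, Size, Path

# Candidates for a closer look: tampered embedded signature, missing file,
# or a company string that is not Microsoft's.
$results | Where-Object {
    $_.Status -eq 'HashMismatch' -or $_.Status -eq 'MISSING' -or
    ($_.Company -and $_.Company -notmatch 'Microsoft')
} | Format-List Path, Status, Company, Version, Sha256
```

Save the full table from the suspect machine and from a clean one (`$results | Export-Csv core.csv -NoTypeInformation`) and compare the Sha256 column; matching version numbers with differing hashes is the case FRST's "File is digitally signed" line cannot rule out by itself.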

#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:28 PM

Posted 23 June 2016 - 06:56 AM

trumpt:
 
 
:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil and I am a trainee in the Bleeping Computer Malware Removal Study Hall.  I would like to address you by your first name, if that is alright with you since we will be working together.
 
I will be assisting you with your computer issues.  All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor.  This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic.  That could take a few days.  Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#3 trumpt

trumpt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 PM

Posted 23 June 2016 - 10:00 AM

Thanks Phil, I look forward to working with you. Best wishes, Marvin



#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:28 PM

Posted 24 June 2016 - 10:42 AM

Marvin:

Thank you for your patience while I reviewed your FRST logs and consulted with the Malware Response Instructor assigned to supervise me while I am assisting you with your issues.

Your FRST logs are showing some issues, and there could be more issues that are hidden because you were not able to run the FRST scan and Addition.txt logs in Normal Mode. We will have to deal with your issues in stages to avoid further compromising your computer. It is unwise to do too much at once.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...


:step1: Please download Rkill by Grinler from one of the 3 links below (if one of them does not work, try another...) and save it to your desktop:

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista or above, please right-click on it and select Run As Administrator.)
  • Note: You may have to run Rkill a few times before it is successful. As a reminder, you may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (the file is also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

 

 

:step2: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop: C:\Users\user\Desktop
 

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Run FRST64.exe and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.
 


:step3: After the computer has rebooted, please run RKILL again, as in step :step1:
Next, please re-run the FRST scan, if it will run in Normal Mode. Please ensure that the "Addition.txt" box is checked. It is only checked for the first run, by default.

If you cannot run FRST in Normal Mode, please report back to me. There is no need to run it again in "Safe Mode With Networking," so you can skip running FRST again if you cannot run it from Normal Mode. We will go from there to determine how to "persuade" FRST to run in Normal Mode.
 


:step4: I see evidence in the FRST scan logs that you have run multiple security products: Spybot Search & Destroy, Trend Micro, Avira, F-Secure, ESET, JRT, AdwCleaner, and remnants of McAfee. Please list any additional anti-malware utilities/scanners that you have run in the last month or so.
 


:step5: Please run RKILL yet again and then we will run a Farbar Service Scan. Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure all checkboxes are checked!
  • Press the "Scan" button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.

.

 

So what I would like you to do is to provide me with:

  • the RKILL log;
  • the fixlog.txt, if FRST ran successfully in Normal Mode;
  • a fresh set of FRST logs, including an Addition.txt file, if FRST ran successfully in Normal Mode;
  • an FSS scan log; and,
  • information as to whether your computer is working fine in "Safe Mode With Networking". If there are any issues, what are they? Please describe them in detail.

.

 

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#5 trumpt

trumpt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 PM

Posted 24 June 2016 - 03:20 PM

Phil,

Below please find the results of the Rkill log and the FRST Fixlog file as requested in steps 1 and 2. The FRST 'fix' command did successfully execute the notepad text file that was created. One thing I forgot to mention that is shown at the end of the Fixlog is that I am getting an extreme amount of temporary files (between 2000 and 7000) that are flooding into my computer on a daily basis. Could be one of my ports is open.

The only other anti-virus/malware software I can remember running in recent months is MalwareBytes and ComboFix. Proceeding on to step 3.

Marvin

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/24/2016 01:29:27 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * TBS [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.


Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by user (2016-06-24 13:39:31) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not
found
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
found => Error: No automatic fix found for this entry.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14655921 B
Java, Flash, Steam htmlcache => 2839 B
Windows/system/drivers => 4647911 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 100191 B
systemprofile32 => 98856 B
LocalService => 0 B
NetworkService => 13860 B
user => 422723156 B

RecycleBin => 947425 B
EmptyTemp: => 430.7 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 13:41:14 ====
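The Rkill log in the post above reports four posture problems (Windows Defender disabled by policy value, Windows Firewall off for the standard profile, the WinDefend service stopped and set to Manual, and the TBS service, Windows' TPM Base Services, missing) and the poster wonders whether "one of my ports is open". The script below is an added example, not from the thread or from Rkill: it re-reads exactly those registry values and services with built-in cmdlets and lists listening TCP ports with their owning process, so the state can be re-checked after each fix step without another tool run. It only reads; it changes nothing, so it does not interfere with the helper's instructions. It is written for PowerShell 2.0 on Windows 7 and assumes an elevated prompt (needed to resolve process paths and read the hosts ACL); the function and variable names are illustrative.

```powershell
# Added example, not part of the original thread or of Rkill. Re-audits the
# items Rkill flagged on this machine and lists listening ports with their
# owning process. Read-only. PowerShell 2.0 compatible; run elevated.

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Show-Value($Label, $Value) {
    $shown = $(if ($Value -eq $null) { '(not set)' } else { $Value })
    Write-Output ("{0,-40} {1}" -f $Label, $shown)
}

# 1. Defender policy value Rkill reported (1 = Defender disabled).
Show-Value 'Windows Defender DisableAntiSpyware' (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' 'DisableAntiSpyware')

# 2. Firewall state per profile (0 = off). Rkill only printed StandardProfile;
#    check all three, since a third-party firewall (Privatefirewall here) may
#    legitimately have turned the built-in one off.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    Show-Value ("Firewall {0} EnableFirewall" -f $profile) (Get-RegValue "$fwBase\$profile" 'EnableFirewall')
}

# 3. Service definitions via WMI (Get-Service on PS 2.0 has no StartType).
#    A missing row for TBS is what Rkill calls "[Missing Service]".
foreach ($name in 'WinDefend', 'TBS') {
    $svc = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $name)
    if ($svc -eq $null) {
        Show-Value ("Service {0}" -f $name) 'MISSING'
    } else {
        Show-Value ("Service {0}" -f $name) ("State={0} StartMode={1} Path={2}" -f $svc.State, $svc.StartMode, $svc.PathName)
    }
}

# 4. HOSTS file: attributes, ACL and non-comment entries, since Rkill could
#    not edit it and could not repair the permissions.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsItem = Get-Item -LiteralPath $hostsPath -Force
Show-Value 'hosts attributes' $hostsItem.Attributes
Get-Acl -LiteralPath $hostsPath | Select-Object -ExpandProperty Access | ForEach-Object {
    Write-Output ("  ACL {0,-6} {1,-35} {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights)
}
# Anything beyond comments and the localhost lines deserves a look.
Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } | ForEach-Object {
    Write-Output ("  hosts entry: {0}" -f $_)
}

# 5. Listening TCP ports with owning process. netstat -ano columns are
#    Proto, Local, Foreign, State, PID; the owning executable path needs
#    elevation for system processes. (Do not name the variable $pid: that is
#    a PowerShell automatic variable.)
Write-Output 'Listening TCP ports:'
netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $parts = $_.Line.Trim() -split '\s+'
    $owner = [int]$parts[4]
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    $exe   = $(if ($proc -and $proc.Path) { $proc.Path } else { '(unknown)' })
    Write-Output ("  {0,-28} PID {1,-6} {2}" -f $parts[1], $owner, $exe)
}
```

Run it once now and again after each fix; the port listing is the part to read carefully, since a listener owned by an executable outside `C:\Windows` or `C:\Program Files*`, or one whose path shows as unknown even from an elevated prompt, is the concrete form of the "open port" the poster is worried about.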



#6 trumpt

trumpt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 PM

Posted 24 June 2016 - 03:45 PM

Posting 2nd Rkill log per step 3:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/24/2016 02:22:36 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * TBS [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Program finished at: 06/24/2016 02:24:28 PM
Execution time: 0 hours(s), 1 minute(s), and 51 seconds(s)


Posting new FRST log (run in normal mode), and also attached the Addition.txt log per step 3. Proceeding to step 5.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by user (administrator) on USER-PC (24-06-2016 14:25:10)
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDFSSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Atheros) C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
(Dolby Laboratories Inc.) C:\Dolby PCEE4\pcee4.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDTray.exe
(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_21_0_0_242_ActiveX.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe

() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe

(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Egis Technology Inc.) C:\Program Files\EgisTec IPS\PmmUpdate.exe

(Egis Technology Inc.) C:\Program Files\EgisTec IPS\EgisUpdate.exe

(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE

() C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Microsoft Corporation) C:\Windows\splwow64.exe

() Q:\140066.enu\Office14\WINWORDC.EXE

() Q:\140066.ENU\OFFICE14\OffSpon.EXE

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [InstantUpdate] => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuDaemon.exe [124520 2012-04-06] ()

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12448872 2012-02-14] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1158248 2012-02-07] (Realtek Semiconductor)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2821936 2012-03-07] (ELAN Microelectronics Corp.)

HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1021056 2012-03-08] (Atheros Commnucations)

HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800896 2012-03-08] (Atheros Commnucations)

HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1829768 2012-02-07] (Acer Incorporated)

HKLM-x32\...\Run: [SuiteTray] => C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [341360 2011-09-20] (Egis Technology Inc.)

HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe [296984 2012-01-05] (NTI Corporation)

HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Dolby PCEE4\pcee4.exe [506712 2011-06-01] (Dolby Laboratories Inc.)

HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1105488 2012-03-23] (Dritek System Inc.)

HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)

HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [67840 2016-05-19] (Avira Operations GmbH & Co. KG)

HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [814608 2016-04-04] (Avira Operations GmbH & Co. KG)

HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [Privatefirewall] => C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe [3048480 2013-12-17] (Privacyware/PWI, Inc.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}

HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}

HKU\S-1-5-21-537413098-2744756720-3065880487-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8722136 2016-06-01] (Piriform Ltd)

HKU\S-1-5-21-537413098-2744756720-3065880487-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)

HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Acer.scr [450048 2011-09-12] ()

HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}

Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP DeskJet 2130 series.lnk [2016-06-24]

ShortcutTarget: Monitor Ink Alerts - HP DeskJet 2130 series.lnk -> C:\Program Files\HP\HP DeskJet 2130 series\Bin\HPStatusBL.dll (Hewlett-Packard Development Company, LP)

BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Tcpip\..\Interfaces\{EE2AAC7F-25F4-4F30-97AB-612FECCAE734}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =

HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/

HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com

SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox

SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox

SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox

SearchScopes: HKU\S-1-5-21-537413098-2744756720-3065880487-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-21] (Siber Systems Inc.)

BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)

BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)

BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-21] (Siber Systems Inc.)

BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-03-08] (Atheros Commnucations)

BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)

BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)

BHO-x32: AviraBrowserSafety.BrowserSafety -> {c3c77255-42c0-499f-b664-6e981a0b1647} -> C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)

Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-21] (Siber Systems Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)

Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-21] (Siber Systems Inc.)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)

Toolbar: HKU\S-1-5-21-537413098-2744756720-3065880487-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)

Toolbar: HKU\S-1-5-21-537413098-2744756720-3065880487-1000 -> &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-21] (Siber Systems Inc.)

DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab

DPF: HKLM-x32 {FB54FA27-96CF-4C62-80DC-DA7616EBD326} hxxp://downloads.bullguard.com/VirusScan/bgvax.cab

Handler-x32: abs - {E00957BD-D0E1-4eb9-A025-7743FDC8B27B} - C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========

FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Gq1lfAa5.default

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)

FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2011-12-01] (Intel Corporation)

FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2011-12-01] (Intel Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

FF Extension: Avira Browser Safety - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Gq1lfAa5.default\Extensions\abs@avira.com [2016-06-13]

Chrome:
=======

CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [970656 2016-04-04] (Avira Operations GmbH & Co. KG)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [467016 2016-04-04] (Avira Operations GmbH & Co. KG)

R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [467016 2016-04-04] (Avira Operations GmbH & Co. KG)

S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1435704 2016-04-04] (Avira Operations GmbH & Co. KG)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [107648 2012-03-08] (Atheros Commnucations) [File not signed]

R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [285176 2016-05-19] (Avira Operations GmbH & Co. KG)

R2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [230744 2016-06-14] (Avira Operations GmbH & Co. KG)

S3 DCDhcpService; C:\Program Files (x86)\Acer\WDAgent\DCDhcpService.exe [111776 2012-02-10] (Atheros Communication Inc.) [File not signed]

R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-15] (Intel Corporation)

R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [256536 2012-01-05] (NTI Corporation)

R2 PFNet; C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [374600 2013-12-17] (Privacyware/PWI, Inc.)

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)

R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)

R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe [72864 2012-02-19] (Atheros) [File not signed]

S2 McAfee SiteAdvisor Service; "c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe" [X]

S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [154816 2016-04-04] (Avira Operations GmbH & Co. KG)

R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [141920 2016-04-04] (Avira Operations GmbH & Co. KG)

R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-04-04] (Avira Operations GmbH & Co. KG)

R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-04-04] (Avira Operations GmbH & Co. KG)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-24 13:39 - 2016-06-24 13:41 - 00001585 _____ C:\Users\user\Desktop\Fixlog.txt

2016-06-24 13:38 - 2016-06-24 13:38 - 00000000 ____D C:\Users\user\Desktop\FRST-OlderVersion

2016-06-24 13:29 - 2016-06-24 14:24 - 00003044 _____ C:\Users\user\Desktop\Rkill.txt

2016-06-24 13:26 - 2016-06-24 13:26 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.exe

2016-06-22 11:39 - 2016-06-22 11:39 - 00328219 _____ C:\Users\user\Downloads\Title Research Services  Mr  Hendricks.pdf

2016-06-22 10:42 - 2016-06-23 13:39 - 00000000 ____D C:\Users\user\Downloads\Attachments_2016622_Property_Plats

2016-06-22 10:40 - 2016-06-22 10:42 - 06146666 _____ C:\Users\user\Downloads\Attachments_2016622.zip

2016-06-20 09:44 - 2016-06-20 09:44 - 00000008 ___RH C:\Users\user\hwid

2016-06-20 09:43 - 2016-06-20 11:01 - 00000000 ____D C:\Jts

2016-06-20 09:43 - 2016-06-20 09:43 - 00001406 _____ C:\Users\user\Desktop\Trader Workstation.lnk

2016-06-20 09:43 - 2016-06-20 09:43 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trader Workstation

2016-06-20 09:43 - 2016-06-20 09:43 - 00000000 ____D C:\Users\user\.i4j_jres

2016-06-20 09:40 - 2016-06-20 09:44 - 00000000 ____D C:\Users\user\.oracle_jre_usage

2016-06-19 12:23 - 2016-06-24 14:25 - 00019993 _____ C:\Users\user\Desktop\FRST.txt

2016-06-19 12:23 - 2016-06-19 12:24 - 00026461 _____ C:\Users\user\Desktop\Addition.txt

2016-06-19 12:21 - 2016-06-24 14:25 - 00000000 ____D C:\FRST

2016-06-19 12:21 - 2016-06-19 12:21 - 00068332 _____ C:\Windows\ntbtlog.txt

2016-06-19 11:11 - 2016-06-24 13:38 - 02387456 _____ (Farbar) C:\Users\user\Desktop\FRST64.exe

2016-06-18 16:36 - 2016-06-18 16:36 - 00000000 ____D C:\Users\user\AppData\Roaming\Virus Scan

2016-06-18 16:31 - 2016-06-18 16:32 - 02527376 _____ (Trend Micro Inc.) C:\Users\user\Downloads\HousecallLauncher64.exe

2016-06-18 16:29 - 2016-06-18 16:29 - 00000036 _____ C:\Users\user\AppData\Local\housecall.guid.cache

2016-06-18 16:24 - 2016-06-18 16:24 - 00000000 ____D C:\Users\user\AppData\Local\ESET

2016-06-18 16:16 - 2016-06-18 16:16 - 00000000 ____D C:\Users\user\AppData\Local\F-Secure

2016-06-18 16:16 - 2016-06-18 16:16 - 00000000 ____D C:\ProgramData\F-Secure

2016-06-18 16:14 - 2016-06-18 16:14 - 00000000 ____D C:\Users\user\AppData\Roaming\QuickScan

2016-06-18 16:06 - 2016-06-18 16:06 - 00004839 _____ C:\Users\user\Desktop\JRT.txt

2016-06-15 08:22 - 2016-05-23 18:37 - 00394960 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll

2016-06-15 08:22 - 2016-05-23 17:54 - 00346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2016-06-15 08:22 - 2016-05-21 12:28 - 25802752 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2016-06-15 08:22 - 2016-05-21 11:57 - 20341248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2016-06-15 08:22 - 2016-05-20 17:27 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2016-06-15 08:22 - 2016-05-20 17:27 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2016-06-15 08:22 - 2016-05-20 17:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2016-06-15 08:22 - 2016-05-20 17:10 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2016-06-15 08:22 - 2016-05-20 17:09 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2016-06-15 08:22 - 2016-05-20 17:09 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec

2016-06-15 08:22 - 2016-05-20 17:09 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2016-06-15 08:22 - 2016-05-20 17:08 - 02895360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2016-06-15 08:22 - 2016-05-20 17:08 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll

2016-06-15 08:22 - 2016-05-20 17:02 - 06051328 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2016-06-15 08:22 - 2016-05-20 17:00 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2016-06-15 08:22 - 2016-05-20 16:59 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2016-06-15 08:22 - 2016-05-20 16:57 - 00497664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2016-06-15 08:22 - 2016-05-20 16:57 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2016-06-15 08:22 - 2016-05-20 16:57 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll

2016-06-15 08:22 - 2016-05-20 16:56 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2016-06-15 08:22 - 2016-05-20 16:56 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec

2016-06-15 08:22 - 2016-05-20 16:55 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll

2016-06-15 08:22 - 2016-05-20 16:54 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2016-06-15 08:22 - 2016-05-20 16:54 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2016-06-15 08:22 - 2016-05-20 16:54 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2016-06-15 08:22 - 2016-05-20 16:54 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2016-06-15 08:22 - 2016-05-20 16:50 - 02287104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2016-06-15 08:22 - 2016-05-20 16:49 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2016-06-15 08:22 - 2016-05-20 16:48 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2016-06-15 08:22 - 2016-05-20 16:45 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2016-06-15 08:22 - 2016-05-20 16:45 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2016-06-15 08:22 - 2016-05-20 16:44 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2016-06-15 08:22 - 2016-05-20 16:44 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2016-06-15 08:22 - 2016-05-20 16:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll

2016-06-15 08:22 - 2016-05-20 16:41 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2016-06-15 08:22 - 2016-05-20 16:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2016-06-15 08:22 - 2016-05-20 16:33 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2016-06-15 08:22 - 2016-05-20 16:32 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll

2016-06-15 08:22 - 2016-05-20 16:29 - 13815808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2016-06-15 08:22 - 2016-05-20 16:28 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2016-06-15 08:22 - 2016-05-20 16:27 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2016-06-15 08:22 - 2016-05-20 16:27 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll

2016-06-15 08:22 - 2016-05-20 16:26 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll

2016-06-15 08:22 - 2016-05-20 16:25 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2016-06-15 08:22 - 2016-05-20 16:23 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2016-06-15 08:22 - 2016-05-20 16:23 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2016-06-15 08:22 - 2016-05-20 16:22 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll

2016-06-15 08:22 - 2016-05-20 16:21 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2016-06-15 08:22 - 2016-05-20 16:19 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll

2016-06-15 08:22 - 2016-05-20 16:14 - 04610048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2016-06-15 08:22 - 2016-05-20 16:12 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll

2016-06-15 08:22 - 2016-05-20 16:11 - 15420928 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2016-06-15 08:22 - 2016-05-20 16:11 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll

2016-06-15 08:22 - 2016-05-20 16:09 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2016-06-15 08:22 - 2016-05-20 16:09 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2016-06-15 08:22 - 2016-05-20 16:08 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2016-06-15 08:22 - 2016-05-20 16:08 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2016-06-15 08:22 - 2016-05-20 16:07 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2016-06-15 08:22 - 2016-05-20 16:07 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2016-06-15 08:22 - 2016-05-20 16:06 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2016-06-15 08:22 - 2016-05-20 15:46 - 02597888 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2016-06-15 08:22 - 2016-05-20 15:42 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2016-06-15 08:22 - 2016-05-20 15:38 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2016-06-15 08:22 - 2016-05-20 15:38 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2016-06-15 08:22 - 2016-05-20 15:34 - 01544192 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2016-06-15 08:22 - 2016-05-20 15:23 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2016-06-15 08:20 - 2016-06-06 11:58 - 00041704 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe

2016-06-15 08:20 - 2016-06-06 11:50 - 01204224 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2016-06-15 08:20 - 2016-06-03 08:05 - 01413120 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll

2016-06-15 08:20 - 2016-05-27 08:06 - 00569856 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll

2016-06-15 08:20 - 2016-05-27 08:06 - 00544256 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll

2016-06-15 08:20 - 2016-05-27 08:06 - 00276480 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll

2016-06-15 08:20 - 2016-05-27 08:06 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll

2016-06-15 08:20 - 2016-05-22 08:06 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll

2016-06-15 08:20 - 2016-05-18 11:10 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll

2016-06-15 08:20 - 2016-05-18 11:09 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll

2016-06-15 08:20 - 2016-05-13 17:15 - 00382184 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll

2016-06-15 08:20 - 2016-05-13 17:09 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll

2016-06-15 08:20 - 2016-05-13 17:09 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll

2016-06-15 08:20 - 2016-05-13 17:09 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll

2016-06-15 08:20 - 2016-05-13 17:09 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll

2016-06-15 08:20 - 2016-05-13 16:54 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2016-06-15 08:20 - 2016-05-13 16:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll

2016-06-15 08:20 - 2016-05-13 16:49 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll

2016-06-15 08:20 - 2016-05-13 16:49 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll

2016-06-15 08:20 - 2016-05-13 16:27 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2016-06-15 08:20 - 2016-05-12 12:20 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys

2016-06-15 08:20 - 2016-05-12 12:20 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys

2016-06-15 08:20 - 2016-05-12 12:15 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll

2016-06-15 08:20 - 2016-05-12 12:15 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll

2016-06-15 08:20 - 2016-05-12 12:15 - 00105472 _____ (Microsoft Corporation) C:\Windows\system32\winipsec.dll

2016-06-15 08:20 - 2016-05-12 12:15 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll

2016-06-15 08:20 - 2016-05-12 12:15 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll

2016-06-15 08:20 - 2016-05-12 12:15 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00794624 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00502272 _____ (Microsoft Corporation) C:\Windows\system32\IPSECSVC.DLL

2016-06-15 08:20 - 2016-05-12 12:14 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00373760 _____ (Microsoft Corporation) C:\Windows\system32\polstore.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00096256 _____ (Microsoft Corporation) C:\Windows\system32\gpapi.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00075776 _____ (Microsoft Corporation) C:\Windows\system32\FwRemoteSvr.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll

2016-06-15 08:20 - 2016-05-12 12:14 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\polstore.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00079360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00070144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winipsec.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FwRemoteSvr.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll

2016-06-15 08:20 - 2016-05-12 10:18 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

2016-06-15 08:20 - 2016-05-12 10:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe

2016-06-15 08:20 - 2016-05-12 10:03 - 03217408 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2016-06-15 08:20 - 2016-05-12 09:58 - 00464896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys

2016-06-15 08:20 - 2016-05-12 09:58 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys

2016-06-15 08:20 - 2016-05-12 09:58 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys

2016-06-15 08:20 - 2016-05-12 09:58 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys

2016-06-15 08:20 - 2016-05-12 09:58 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys

2016-06-15 08:20 - 2016-05-12 09:58 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys

2016-06-15 08:20 - 2016-05-12 09:57 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe

2016-06-15 08:20 - 2016-05-12 09:56 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe

2016-06-15 08:20 - 2016-05-12 09:51 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll

2016-06-15 08:20 - 2016-05-12 08:05 - 00459640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys

2016-06-15 08:20 - 2016-05-12 08:05 - 00297984 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll

2016-06-15 08:20 - 2016-05-12 08:04 - 00249352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll

2016-06-15 08:20 - 2016-05-11 12:02 - 00483840 _____ (Microsoft Corporation) C:\Windows\system32\StructuredQuery.dll

2016-06-15 08:20 - 2016-05-11 12:02 - 00444928 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll

2016-06-15 08:20 - 2016-05-11 12:02 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll

2016-06-15 08:20 - 2016-05-11 12:02 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\ws2_32.dll

2016-06-15 08:20 - 2016-05-11 10:19 - 00363520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\StructuredQuery.dll

2016-06-15 08:20 - 2016-05-11 10:19 - 00351744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll

2016-06-15 08:20 - 2016-05-11 10:19 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll

2016-06-15 08:20 - 2016-05-11 10:19 - 00206336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ws2_32.dll

2016-06-15 08:20 - 2016-05-11 10:11 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\netbtugc.exe

2016-06-15 08:20 - 2016-05-11 10:01 - 00026624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netbtugc.exe

2016-06-15 08:20 - 2016-05-11 09:58 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbt.sys

2016-06-15 08:20 - 2016-04-09 01:58 - 14186496 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll

2016-06-15 08:20 - 2016-04-09 01:57 - 01867776 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll

2016-06-15 08:20 - 2016-04-09 01:54 - 12881408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2016-06-15 08:20 - 2016-04-09 01:54 - 01499648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll

2016-06-15 08:20 - 2016-04-09 00:53 - 03231232 _____ (Microsoft Corporation) C:\Windows\explorer.exe

2016-06-15 08:20 - 2016-04-09 00:44 - 02973184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe

2016-06-15 08:20 - 2016-03-09 14:00 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\webio.dll

2016-06-15 08:20 - 2016-03-09 13:40 - 00316416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webio.dll

2016-06-15 08:19 - 2016-04-14 11:46 - 00114408 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe

2016-06-15 08:19 - 2016-04-14 11:42 - 03243520 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll

2016-06-15 08:19 - 2016-04-14 11:42 - 01941504 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll

2016-06-15 08:19 - 2016-04-14 11:42 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll

2016-06-15 08:19 - 2016-04-14 11:42 - 00070144 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll

2016-06-15 08:19 - 2016-04-14 11:42 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\msimsg.dll

2016-06-15 08:19 - 2016-04-14 10:33 - 02365440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

2016-06-15 08:19 - 2016-04-14 10:33 - 01806848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2016-06-15 08:19 - 2016-04-14 10:33 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll

2016-06-15 08:19 - 2016-04-14 10:33 - 00025088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msimsg.dll

2016-06-15 08:19 - 2016-04-14 10:19 - 00128000 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe

2016-06-15 08:19 - 2016-04-14 10:11 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe

2016-06-13 20:47 - 2016-06-13 20:47 - 01610816 _____ (Malwarebytes) C:\Users\user\Desktop\JRT.exe

2016-06-13 20:28 - 2016-06-13 20:28 - 00000000 ____D C:\Program Files (x86)\ESET

2016-06-13 20:17 - 2016-06-13 20:17 - 02870984 _____ (ESET) C:\Users\user\Desktop\esetsmartinstaller_enu.exe

2016-06-13 20:08 - 2016-06-13 20:08 - 03677248 _____ C:\Users\user\Desktop\AdwCleaner.exe

2016-06-13 19:17 - 2016-06-13 19:17 - 00000000 ____D C:\Users\user\Documents\ProcAlyzer Dumps

2016-06-13 18:46 - 2016-06-18 15:58 - 00031292 _____ C:\Users\user\Desktop\MTB.txt

2016-06-13 18:41 - 2016-06-13 18:41 - 00891392 _____ (Farbar) C:\Users\user\Desktop\MiniToolBox.exe

2016-06-13 17:01 - 2016-06-13 17:01 - 00000000 ____D C:\Users\user\AppData\Local\Privatefirewall

2016-06-13 16:03 - 2013-09-29 21:24 - 00133152 _____ (Privacyware/PWI, Inc.) C:\Windows\system32\Drivers\pwipf6.sys

2016-06-13 16:02 - 2016-06-13 16:02 - 00000146 _____ C:\Windows\ODBC.INI

2016-06-13 16:02 - 2016-06-13 16:02 - 00000000 ____D C:\ProgramData\Privacyware

2016-06-13 16:02 - 2016-06-13 16:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privatefirewall 7.0

2016-06-13 16:02 - 2016-06-13 16:02 - 00000000 ____D C:\Program Files (x86)\Privacyware

2016-06-13 15:52 - 2016-06-13 15:52 - 00000000 ____D C:\Users\user\AppData\LocalLow\Avira

2016-06-13 15:31 - 2016-06-18 15:55 - 00000000 ____D C:\AdwCleaner

2016-06-13 15:09 - 2016-06-13 15:09 - 00000000 ____D C:\Program Files\Common Files\AV

2016-06-13 15:08 - 2016-06-13 15:13 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2

2016-06-13 15:05 - 2016-06-18 16:26 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy

2016-06-13 15:05 - 2016-06-13 15:05 - 00001337 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk

2016-06-13 15:05 - 2016-06-13 15:05 - 00001325 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2016-06-13 15:05 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe

2016-06-13 15:04 - 2016-06-13 15:13 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy

2016-06-13 14:25 - 2016-06-22 10:36 - 00001016 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira Phantom VPN.lnk

2016-06-13 14:25 - 2016-06-22 10:36 - 00001004 _____ C:\Users\Public\Desktop\Avira Phantom VPN.lnk

2016-06-13 14:25 - 2016-06-13 14:25 - 00000000 ____D C:\Users\user\AppData\Roaming\Avira

2016-06-13 14:24 - 2016-06-13 14:24 - 00003432 _____ C:\Windows\System32\Tasks\Avira Browser Safety Updater Task

2016-06-13 14:23 - 2016-06-13 14:23 - 00000000 ____D C:\Users\user\AppData\Roaming\Mozilla

2016-06-13 14:21 - 2016-04-04 17:07 - 00154816 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys

2016-06-13 14:21 - 2016-04-04 17:07 - 00141920 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys

2016-06-13 14:21 - 2016-04-04 17:07 - 00079696 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys

2016-06-13 14:21 - 2016-04-04 17:07 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys

2016-06-13 14:02 - 2016-06-13 14:25 - 00000000 ____D C:\ProgramData\Avira

2016-06-13 14:02 - 2016-06-13 14:25 - 00000000 ____D C:\Program Files (x86)\Avira

2016-06-13 14:02 - 2016-06-13 14:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira

2016-06-13 14:02 - 2016-06-13 14:02 - 00001170 _____ C:\Users\Public\Desktop\Avira Launcher.lnk

2016-06-13 14:02 - 2016-06-13 14:02 - 00000000 ____D C:\ProgramData\Package Cache

2016-06-04 14:39 - 2016-06-04 14:40 - 06893008 _____ (Piriform Ltd) C:\Users\user\Downloads\ccsetup518.exe

2016-06-03 14:22 - 2016-06-03 14:22 - 00000000 ____D C:\Users\user\AppData\Local\Microsoft Help

2016-05-29 12:38 - 2016-05-29 12:38 - 00002216 _____ C:\Users\Public\Desktop\HP DeskJet 2130 series.lnk

2016-05-29 12:38 - 2016-05-29 12:38 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard

2016-05-29 12:37 - 2016-05-29 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP

2016-05-29 12:36 - 2016-05-29 12:37 - 00000000 ____D C:\ProgramData\HP

2016-05-29 12:36 - 2016-05-29 12:36 - 00000057 _____ C:\ProgramData\Ament.ini

2016-05-29 12:36 - 2016-05-29 12:36 - 00000000 ____D C:\Program Files\HP

2016-05-29 12:36 - 2016-05-29 12:36 - 00000000 ____D C:\Program Files (x86)\HP

2016-05-29 12:14 - 2016-05-29 12:38 - 00000000 ____D C:\Users\user\AppData\Local\HP

2016-05-26 08:07 - 2016-05-26 08:08 - 00000000 ____D C:\Users\user\Downloads\Attachments_2016526

 

==================== One Month Modified files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2016-06-24 13:53 - 2009-07-13 23:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2016-06-24 13:53 - 2009-07-13 23:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2016-06-24 13:45 - 2016-02-24 21:15 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2016-06-24 13:44 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2016-06-24 13:28 - 2016-04-19 21:34 - 00000000 ____D C:\Users\user\Documents\Microsoft Excel

2016-06-24 13:27 - 2016-02-24 21:15 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2016-06-24 07:22 - 2016-04-30 07:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2016-06-24 07:22 - 2016-04-30 07:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2016-06-24 01:22 - 2016-04-30 07:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2016-06-23 21:06 - 2016-03-13 17:35 - 00000000 ____D C:\Users\user\AppData\Roaming\SoftGrid Client

2016-06-23 20:21 - 2016-04-30 16:23 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps

2016-06-23 13:41 - 2016-05-12 17:01 - 00000000 ____D C:\Users\user\Downloads\Attachments_2016512

2016-06-21 16:24 - 2009-07-14 00:13 - 00782164 _____ C:\Windows\system32\PerfStringBackup.INI

2016-06-21 16:24 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf

2016-06-21 08:10 - 2016-04-19 21:34 - 00000000 ____D C:\Users\user\Documents\Microsoft Word

2016-06-18 16:36 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files

2016-06-18 16:02 - 2016-05-09 18:57 - 00000000 ____D C:\Users\user\AppData\Local\ElevatedDiagnostics

2016-06-18 06:35 - 2016-02-24 21:04 - 00000000 ____D C:\Users\user\AppData\Local\Adobe

2016-06-16 18:11 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache

2016-06-15 21:22 - 2009-07-13 23:45 - 00275800 _____ C:\Windows\system32\FNTCACHE.DAT

2016-06-15 21:19 - 2016-04-30 06:55 - 00000000 ____D C:\Windows\system32\appraiser

2016-06-13 19:31 - 2010-11-20 22:27 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

2016-06-13 18:14 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Libraries

2016-06-13 18:10 - 2009-07-14 00:08 - 00032540 _____ C:\Windows\Tasks\SCHEDLGU.TXT

2016-06-04 14:41 - 2016-04-19 20:58 - 00000826 _____ C:\Users\Public\Desktop\CCleaner.lnk

2016-06-02 10:32 - 2015-11-20 18:26 - 00061560 _____ C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

2016-05-25 21:32 - 2016-04-30 06:54 - 00000000 ___SD C:\Windows\SysWOW64\GWX

2016-05-25 21:32 - 2016-04-30 06:54 - 00000000 ___SD C:\Windows\system32\GWX

 

==================== Files in the root of some directories =======

 

2016-06-18 16:29 - 2016-06-18 16:29 - 0000036 _____ () C:\Users\user\AppData\Local\housecall.guid.cache

2016-05-29 12:36 - 2016-05-29 12:36 - 0000057 _____ () C:\ProgramData\Ament.ini

2015-11-20 20:06 - 2015-11-20 20:08 - 0002454 _____ () C:\ProgramData\clear.fiSDK20.log

2015-11-20 20:07 - 2015-11-20 20:07 - 0000032 _____ () C:\ProgramData\PS.log

 

Some files in TEMP:

====================

C:\Users\user\AppData\Local\Temp\avgnt.exe

 

 

==================== Bamital & volsnap =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-06-17 03:02

==================== End of FRST.txt ============================

I was unable to attach the Addition.txt file, so I ended up posting it below:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01

Ran by user (2016-06-24 14:25:55)

Running from C:\Users\user\Desktop

Windows 7 Home Premium Service Pack 1 (X64) (2015-11-20 23:25:55)

Boot Mode: Normal

==========================================================

 

 

==================== Accounts: =============================

 

Administrator (S-1-5-21-537413098-2744756720-3065880487-500 - Administrator - Disabled)

Guest (S-1-5-21-537413098-2744756720-3065880487-501 - Limited - Disabled)

user (S-1-5-21-537413098-2744756720-3065880487-1000 - Administrator - Enabled) => C:\Users\user

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}

AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

FW: Privatefirewall (Enabled) {16337F50-A853-219F-6DEC-E7BDA0A7E8E7}

 

==================== Installed Programs ======================

 

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Acer Backup Manager (HKLM-x32\...\InstallShield_{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}) (Version: 3.0.0.100 - NTI Corporation)

Acer Crystal Eye Webcam (HKLM-x32\...\InstallShield_{A0382E3C-7384-429A-9BFA-AF5888E5A193}) (Version: 1.5.2108.00 - CyberLink Corp.)

Acer Crystal Eye Webcam (x32 Version: 1.5.2108.00 - CyberLink Corp.) Hidden

Acer ePower Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 6.00.3010 - Acer Incorporated)

Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 5.00.3508 - Acer Incorporated)

Acer Instant Update Service (HKLM\...\{682EC6E8-A300-45FD-8F09-0F3A6EA334D6}) (Version: 1.00.3004 - Acer Incorporated)

Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.04.3506 - Acer Incorporated)

Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.0913.2011 - Acer Incorporated)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 18.0.0.144 - Adobe Systems Incorporated)

Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)

Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)

Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.126 - Atheros)

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.0.8.8 - Atheros Communications Inc.)

Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.17.273 - Avira Operations GmbH & Co. KG)

Avira Browser Safety (HKLM-x32\...\{9E10EA90-5E97-43B7-A246-FC7B4F5E9493}) (Version: 1.4.5.509 - Avira Operations GmbH & Co KG)

Avira Launcher (HKLM-x32\...\{761cd2c4-5249-4346-8318-a499d06d2681}) (Version: 1.1.63.21885 - Avira Operations GmbH & Co. KG)

Avira Launcher (x32 Version: 1.1.63.21885 - Avira Operations GmbH & Co. KG) Hidden

Avira Phantom VPN (HKLM-x32\...\Avira Phantom VPN) (Version: 1.2.0.20046 - Avira Operations GmbH & Co. KG)

Backup Manager V3 (x32 Version: 3.0.0.100 - NTI Corporation) Hidden

CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)

clear.fi Media (HKLM-x32\...\{E9AF1707-3F3A-49E2-8345-4F2D629D0876}) (Version: 2.00.3004 - Acer Incorporated)

clear.fi Photo (HKLM-x32\...\{B5AD89F2-03D3-4206-8487-018298007DD0}) (Version: 2.00.3004 - Acer Incorporated)

clear.fi SDK - MVP 2 (x32 Version: 2.0.1505 - CyberLink Corp.) Hidden

clear.fi SDK- Movie 2 (x32 Version: 2.0.1502 - CyberLink Corp.) Hidden

CyberLink MediaEspresso (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.1720_38230 - CyberLink Corp.)

D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden

Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.7000.7 - Dolby Laboratories Inc)

ETDWare PS/2-X64 10.6.9.9_WHQL (HKLM\...\Elantech) (Version: 10.6.9.9 - ELAN Microelectronic Corp.)

Evernote v. 4.5.2 (HKLM-x32\...\{F77EF646-19EB-11E1-9A9E-984BE15F174E}) (Version: 4.5.2.5866 - Evernote Corp.)

Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)

Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7619.1252 - Google Inc.)

Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden

Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden

HP DeskJet 2130 series Basic Device Software (HKLM\...\{54A80AED-ADB5-4D32-83F2-A9A5DF4ED2C1}) (Version: 35.0.61.54677 - Hewlett-Packard Co.)

HP DeskJet 2130 series Help (HKLM-x32\...\{1CDFD3C9-BDF8-4DDC-BDA2-EBC53F938B5F}) (Version: 35.0.0 - Hewlett Packard)

Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3501 - Acer Incorporated)

Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)

Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation)

Intel® OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)

Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2653 - Intel Corporation)

Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)

Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)

Intel® Trusted Connect Service Client (HKLM\...\{6199B534-A1B6-46ED-873B-97B0ECF8F81E}) (Version: 1.23.216.0 - Intel Corporation)

JetClean (HKLM-x32\...\BlueSprig_JetClean_is1) (Version: 1.5.0 - BlueSprig)

Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Launch Manager (HKLM-x32\...\LManager) (Version: 5.1.15 - Acer Inc.)

Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)

Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)

Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)

Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.5139.5005 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)

MyWinLocker (Version: 4.0.14.27 - Egis Technology Inc.) Hidden

MyWinLocker 4 (x32 Version: 4.0.14.27 - Egis Technology Inc.) Hidden

MyWinLocker Suite (HKLM-x32\...\InstallShield_{17DF9714-60C9-43C9-A9C2-32BCAED44CBE}) (Version: 4.0.14.19 - Egis Technology Inc.)

MyWinLocker Suite (x32 Version: 4.0.14.19 - Egis Technology Inc.) Hidden

newsXpresso (HKLM-x32\...\InstallShield_{613C0AC5-3A67-4B94-8B13-9176AD83F5BF}) (Version: 1.0.0.40 - esobi Inc.)

newsXpresso (x32 Version: 1.0.0.40 - esobi Inc.) Hidden

NTI Media Maker 9 (HKLM-x32\...\InstallShield_{D3D5C4E8-040F-4C6F-8105-41D43CF94F44}) (Version: 9.0.2.9006 - NTI Corporation)

NTI Media Maker 9 (x32 Version: 9.0.2.9006 - NTI Corporation) Hidden

Privatefirewall 7.0 (HKLM-x32\...\{E8EA933E-03A2-4E62-9F52-812C72BE2A6B}) (Version: 7.0.30.3 - PWI, Inc.)

Qualcomm Atheros Direct Connect (x32 Version: 3.1 - Qualcomm Atheros) Hidden

Qualcomm Atheros WiFi Driver Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 3.1 - Qualcomm Atheros)

Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6570 - Realtek Semiconductor Corp.)

Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.85 - Realtek Semiconductor Corp.)

RoboForm 7-9-18-5 (All Users) (HKLM-x32\...\AI RoboForm) (Version: 7-9-18-5 - Siber Systems)

Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)

Shredder (Version: 2.0.8.9 - Egis Technology Inc.) Hidden

Shredder (x32 Version: 2.0.8.9 - Egis Technology Inc.) Hidden

Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)

Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)

Trader Workstation (HKU\S-1-5-21-537413098-2744756720-3065880487-1000\...\5889-6375-8446-2021) (Version: applicant (957.1b) 20160608 16:51:49 - Interactive Brokers LLC)

Welcome Center (HKLM-x32\...\Acer Welcome Center) (Version: 1.02.3507 - Acer Incorporated)

Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)

 

==================== Custom CLSID (Whitelisted): ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

 

==================== Scheduled Tasks (Whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

Task: {20E50CB3-4F7B-4AE4-A9FB-6BC31BA1DAFB} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-06-01] (Piriform Ltd)

Task: {29D222E2-9C6A-4E3E-9453-FEE1E8B2B9BD} - System32\Tasks\PMMUpdate => C:\Program Files\EgisTec IPS\PMMUpdate.exe [2011-03-28] (Egis Technology Inc.)

Task: {3C16E596-A254-4045-825D-9B3E582C47AE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-24] (Google Inc.)

Task: {41B7FBA1-25EC-4480-9822-410DB88C5995} - System32\Tasks\JetCleanLoginCheckUpdate => C:\Program Files (x86)\BlueSprig\JetClean\AutoUpdate.exe [2013-05-14] (BlueSprig)

Task: {4D9294EA-959B-4F5A-B020-C10E61FF36E4} - System32\Tasks\Run RoboForm TaskBar Icon => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2016-04-21] (Siber Systems)

Task: {4DDC8BBE-5DCF-4BF4-AC65-237F92F446B7} - System32\Tasks\Avira Browser Safety Updater Task => C:\Program Files (x86)\Avira\Browser Safety\AviraBrowserSafetyUpdater.exe [2015-03-11] (Avira Operations GmbH & Co. KG)

Task: {6C3F849C-4619-41DB-B656-2EB404F9DD3F} - System32\Tasks\DeviceDetector => C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe [2011-05-20] (CyberLink)

Task: {9C11E7FC-2DBF-46FA-B09D-550632505302} - System32\Tasks\Recovery Management\Burn Notification => C:\Program Files\Acer\Acer eRecovery Management\NotificationCenter\Notification.exe [2012-03-15] (Acer)

Task: {A24B9320-26B1-49E0-BAC5-EDAEAE159BE2} - System32\Tasks\UALU notificatin => C:\Program Files\Acer\Acer Updater\UALU.exe [2012-02-06] (Acer Incorporated)

Task: {CF72CA93-3735-4DBC-B3AA-0DACEF565DC9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-24] (Google Inc.)

Task: {D6EB2246-E0B3-490A-A069-5CC17C235303} - System32\Tasks\EgisUpdate => C:\Program Files\EgisTec IPS\EgisUpdate.exe [2011-03-28] (Egis Technology Inc.)

Task: {F0303A10-696E-46BE-B520-8CEF4715DD2C} - System32\Tasks\Open URL by RoboForm => Rundll32.exe url.dll,FileProtocolHandler "hxxp://www.roboform.com/test-pass.html?aaa=KICMMMNJMMOMLMKJMMJMCNLJNMLJLMCNLMOMLJMJCNOJNMPMNMCNIMNMGMIMLJOMJMKJKMPMIMJMJNJICMIMCNGMCNOMHMFMGMCNPMCNHMOMOMNMFMJMCNOMCNIMJMPMOMCNNMJNPICMPMFMEKMICNJJCKFMOMGMIMJNHICMEKMICNJJCKJNBJCMKIMIKJNIJNKJCMJNNICMJNDJCMKJBJJNMJCMNMFMIMIM (the data entry has 39 more characters).

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

 

==================== Shortcuts =============================

 

(The entries could be listed to be restored or removed.)

 

==================== Loaded Modules (Whitelisted) ==============

 

2012-05-02 01:06 - 2012-02-13 20:53 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll

2012-04-06 22:29 - 2012-04-06 22:29 - 00040552 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe

2012-04-06 22:29 - 2012-04-06 22:29 - 00022120 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe

2010-02-28 02:33 - 2010-02-28 02:33 - 00077664 _____ () C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe

2012-01-05 16:22 - 2012-01-05 16:22 - 00465344 _____ () C:\Program Files (x86)\NTI\Acer Backup Manager\sqlite3.dll

2012-01-05 16:22 - 2012-01-05 16:22 - 01081368 _____ () C:\Program Files (x86)\NTI\Acer Backup Manager\ACE.dll

2012-01-05 16:22 - 2012-01-05 16:22 - 00125464 _____ () C:\Program Files (x86)\NTI\Acer Backup Manager\MailConverter32.dll

2016-06-13 15:05 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy\snlThirdParty150.bpl

2016-06-13 15:05 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy\DEC150.bpl

2016-06-13 15:05 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy\snlFileFormats150.bpl

2016-06-13 15:05 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy\sqlite3.dll

2016-06-13 15:05 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy\av\BDSmartDB.dll

2016-05-11 11:02 - 2016-05-11 11:02 - 00172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\5a8eeeddc97028a9f94d0518c22f4c2c\IsdiInterop.ni.dll

2012-05-02 00:25 - 2011-11-29 22:00 - 00059392 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

2015-11-20 19:47 - 2011-12-15 21:39 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll

 

==================== Alternate Data Streams (Whitelisted) =========

 

(If an entry is included in the fixlist, only the ADS will be removed.)

 

 

==================== Safe Mode (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

 

==================== Association (Whitelisted) ===============

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

 

 

==================== Internet Explorer trusted/restricted ===============

 

(If an entry is included in the fixlist, it will be removed from the registry.)

 

 

==================== Hosts content: ===============================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

 

 

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

 

HKU\S-1-5-21-537413098-2744756720-3065880487-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

DNS Servers: 192.168.1.1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

Windows Firewall is disabled.

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

(Currently there is no automatic fix for this section.)

 

 

==================== FirewallRules (Whitelisted) ===============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

FirewallRules: [{0E6A23AB-811D-440C-91F5-94BDBBE718E0}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

FirewallRules: [{A10B1C4C-EF9C-4FF8-B8AE-57A113BA02CC}] => (Allow) LPort=2869

FirewallRules: [{027BFC2E-3C34-4488-89DE-6983DDA934DC}] => (Allow) LPort=1900

FirewallRules: [{CDA0455B-06E4-4F25-957C-8749EB36044E}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

FirewallRules: [{3552ADE4-807E-4E3D-ABB3-5E36274C9020}] => (Allow) C:\Program Files (x86)\Acer\WDAgent\DCDhcpService.exe

FirewallRules: [{D9C0FE07-1EAA-4E29-9C23-E2BE8A5E8E99}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Media\DMCDaemon.exe

FirewallRules: [{C9189CAD-6D43-4169-9D31-100FAABBF409}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Media\DMCDaemon.exe

FirewallRules: [{3AB6C8DE-8012-4642-8317-7DAFD10F0677}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Media\WindowsUpnpMV.exe

FirewallRules: [{39AD6161-E825-4084-9BBE-98D7EF6F9BD2}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Media\WindowsUpnpMV.exe

FirewallRules: [{34DBF7D9-2BA9-40C6-A121-52D7868B7B7D}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Photo\DMCDaemon.exe

FirewallRules: [{44531AE2-9EDA-42C5-BC00-E1D9DB080D13}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Photo\DMCDaemon.exe

FirewallRules: [{B464FE06-E705-4291-A7DC-08BBD8A6BB9E}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Photo\WindowsUpnp.exe

FirewallRules: [{3017EF9B-1C87-40A4-9E18-2F0EB708E717}] => (Allow) C:\Program Files (x86)\Acer\clear.fi Photo\WindowsUpnp.exe

FirewallRules: [{1F846A1B-8F8B-4871-B916-91FFC6A28C4B}] => (Allow) C:\Program Files (x86)\Acer\clear.fi SDK20\Movie\PlayMovie.exe

FirewallRules: [{8A1C480F-C4D8-49F2-9EC5-9DE1DB9ABC68}] => (Allow) C:\Program Files (x86)\Acer\clear.fi SDK20\MVP\VideoPlayer.exe

FirewallRules: [{7854E23B-830A-4A23-A962-9CD940C52CF7}] => (Allow) C:\Program Files (x86)\Acer\clear.fi SDK20\MVP\MusicPlayer.exe

FirewallRules: [{9AB6FA2E-A3B4-456C-91D2-7864147E1AF5}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe

FirewallRules: [{5288F859-5AC0-4F03-9AC1-784AFF9899FF}] => (Allow) C:\Program Files\HP\HP DeskJet 2130 series\Bin\USBSetup.exe

FirewallRules: [{CDAEEE62-3DFF-4C27-93E2-9E59AB3E2BB8}] => (Allow) C:\Program Files\HP\HP DeskJet 2130 series\Bin\HPNetworkCommunicatorCom.exe

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

 

==================== Restore Points =========================

 

13-06-2016 16:02:15 Installed Privatefirewall 7.0

14-06-2016 07:57:39 Windows Update

15-06-2016 18:50:38 Windows Update

21-06-2016 07:27:27 Windows Update

24-06-2016 01:20:43 Windows Update

24-06-2016 13:39:33 Restore Point Created by FRST

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (06/24/2016 01:45:40 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (06/24/2016 01:39:32 PM) (Source: VSS) (EventID: 8194) (User: )

Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.

.

This is often caused by incorrect security settings in either the writer or requestor process.

 

 

Operation:

   Gathering Writer Data

 

Context:

   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

   Writer Name: System Writer

   Writer Instance ID: {9ed59d7c-6672-4498-b265-fdbc111bc691}

 

Error: (06/24/2016 07:23:50 AM) (Source: PerfNet) (EventID: 2005) (User: )

Description:

 

Error: (06/24/2016 07:23:49 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (06/24/2016 12:27:37 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (06/23/2016 08:21:43 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18347, time stamp: 0x573f74b6

Faulting module name: MSHTML.dll, version: 11.0.9600.18349, time stamp: 0x5740931d

Exception code: 0xc0000005

Fault offset: 0x004f36a5

Faulting process id: 0x1204

Faulting application start time: 0xIEXPLORE.EXE0

Faulting application path: IEXPLORE.EXE1

Faulting module path: IEXPLORE.EXE2

Report Id: IEXPLORE.EXE3

 

Error: (06/23/2016 08:13:22 AM) (Source: PerfNet) (EventID: 2005) (User: )

Description:

 

Error: (06/23/2016 08:13:20 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (06/22/2016 11:31:45 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (06/22/2016 10:33:54 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

 

System errors:

=============

Error: (06/24/2016 01:45:25 PM) (Source: Service Control Manager) (EventID: 7003) (User: )

Description: The McAfee Personal Firewall Service service depends the following service: MfeFire. This service might not be installed.

 

Error: (06/24/2016 01:45:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The McAfee SiteAdvisor Service service failed to start due to the following error:

%%2 = The system cannot find the file specified.

 

 

Error: (06/24/2016 01:44:18 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)

Description: WLAN Extensibility Module has stopped unexpectedly.

 

Module Path: C:\Program Files (x86)\Acer\WDAgent\AthIhvWlanExt.dll

 

Error: (06/24/2016 01:44:18 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)

Description: WLAN Extensibility Module has stopped unexpectedly.

 

Module Path: C:\Program Files (x86)\Acer\WDAgent\AthIhvWlanExt.dll

 

Error: (06/24/2016 01:44:10 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)

Description: WLAN Extensibility Module has stopped unexpectedly.

 

Module Path: C:\Program Files (x86)\Acer\WDAgent\AthIhvWlanExt.dll

 

Error: (06/24/2016 01:44:05 PM) (Source: DCOM) (EventID: 10010) (User: )

Description: {3EB3C877-1F16-487C-9050-104DBCD66683}

 

Error: (06/24/2016 01:40:31 PM) (Source: Service Control Manager) (EventID: 7032) (User: )

Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:

%%1056 = An instance of the service is already running.

 

 

Error: (06/24/2016 01:40:30 PM) (Source: DCOM) (EventID: 10010) (User: )

Description: {9E175B6D-F52A-11D8-B9A5-505054503030}

 

Error: (06/24/2016 01:40:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Spybot-S&D 2 Security Center Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

 

Error: (06/24/2016 01:40:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

 

 

==================== Memory info ===========================

 

Processor: Intel® Pentium® CPU B950 @ 2.10GHz

Percentage of memory in use: 52%

Total physical RAM: 3932.36 MB

Available physical RAM: 1849.23 MB

Total Virtual: 7862.9 MB

Available Virtual: 4977.14 MB

 

==================== Drives ================================

 

Drive c: (Acer) (Fixed) (Total:449.66 GB) (Free:397.39 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 01E40565)

Partition 1: (Not Active) - (Size=16 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=449.7 GB) - (Type=07 NTFS)

 

==================== End of Addition.txt =



#7 trumpt

trumpt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 PM

Posted 24 June 2016 - 04:43 PM

Here is the Farbar Service Scanner log that was requested in step 5. The Rkill tool is running much faster (9 seconds) compared to nearly 2 minutes the first time I ran it. I'm seeing fewer freeze-ups and less glitchiness with the software I'm running (I'm not having to use safe mode any more), so we are doing some good, which is much appreciated. Let me know what else you may need. Thanks, Marvin

 

 

Farbar Service Scanner Version: 27-01-2016

Ran by user (administrator) on 24-06-2016 at 15:25:51

Running from "C:\Users\user\Desktop"

Microsoft Windows 7 Home Premium  Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

 

Internet Services:

============

 

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error. Google IP is unreachable

Attempt to access Google.com returned error: Google.com is unreachable

Attempt to access Yahoo.com returned error: Yahoo.com is unreachable

 

 

Windows Firewall:

=============

 

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

 

 

System Restore:

============

 

System Restore Policy:

========================

 

 

Action Center:

============

 

 

Windows Update:

============

 

Windows Autoupdate Disabled Policy:

============================

 

 

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

 

 

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

 

 

Other Services:

==============

 

 

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\SDRSVC.dll => File is digitally signed

C:\Windows\System32\vssvc.exe => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Windows\System32\ipnathlp.dll => File is digitally signed

C:\Windows\System32\iphlpsvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

 

 

**** End of log ****
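
The FSS log above, together with the FRST Addition.txt earlier in the thread, packs the settings an analyst checks first into a handful of distinctive lines: the firewall policy value, the Windows Defender policy value, a service start type that differs from its default, Safe Mode service entries, the hosts file size, the DNS servers and the File Check verdicts. The following is an added example, not part of the thread and not code from the Farbar tools: a small Python triage script that pulls those lines out of either log and flags the ones worth a look. The sample text embedded in it is constructed from lines quoted in this thread plus one made-up unsigned-file line; the 824-byte hosts baseline and the FSS wording used for an unverifiable signature are assumptions.

```python
"""Triage checks over FRST (Addition.txt) and Farbar Service Scanner output.

Added example; not part of the thread and not code from the Farbar tools.
SAMPLE_LOG is constructed from lines quoted in the thread, plus one made-up
File Check line so the unsigned-file check has something to report.
"""
import ipaddress
import re
from typing import Dict, List

# Assumption used as a baseline: the stock Windows 7 hosts file is 824 bytes.
WIN7_DEFAULT_HOSTS_SIZE = 824

FRST_FILE_LINE = re.compile(  # "<created> - <modified> - <size> <attrs> <path>"
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - (\d{8}) \S+ (.+)$")
START_TYPE = re.compile(       # FSS service-configuration sentence
    r"start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
REG_DWORD = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')        # FSS policy dump lines
FILE_CHECK = re.compile(r"^([A-Za-z]:\\\S.*?) => (.+)$")  # FSS "File Check" lines
SAFEBOOT = re.compile(                                    # FRST Safe Mode entries
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(\w+)\\(\S+) =>")
DNS_LINE = re.compile(r"^DNS Servers: (.+)$")

# Constructed sample: lines quoted in the thread, plus a made-up last line.
SAMPLE_LOG = r'''
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
The start type of WinDefend service is set to Demand. The default start type is Auto.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\dnsapi.dll => ATTENTION! Unable to verify digital signature (constructed line)
'''


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the settings an analyst would want to look at, grouped by area."""
    f: Dict[str, List[str]] = {k: [] for k in
        ("firewall", "defender", "services", "uac", "hosts", "dns", "safeboot", "unsigned")}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Windows Firewall is disabled.":
            f["firewall"].append("FRST: Windows Firewall reported disabled")
            continue
        m = REG_DWORD.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name == "EnableFirewall" and value == 0:
                f["firewall"].append("FSS: EnableFirewall=0 in StandardProfile policy")
            elif name == "DisableAntiSpyware" and value == 1:
                f["defender"].append("FSS: DisableAntiSpyware=1 (Windows Defender disabled by policy)")
            continue
        m = START_TYPE.search(line)
        if m:
            if m.group(2) != m.group(3):   # start type differs from the service default
                f["services"].append(f"{m.group(1)}: start type {m.group(2)} (default {m.group(3)})")
            continue
        m = SAFEBOOT.match(line)
        if m:                              # services registered to run in Safe Mode
            f["safeboot"].append(f"{m.group(1)}\\{m.group(2)}")
            continue
        m = re.search(r"\(EnableLUA: (\d)\)", line)
        if m:
            if m.group(1) != "1":
                f["uac"].append("UAC disabled (EnableLUA=0)")
            continue
        m = DNS_LINE.match(line)
        if m:                              # resolvers outside private ranges deserve a look
            for server in re.split(r"[,\s]+", m.group(1).strip()):
                try:
                    if not ipaddress.ip_address(server).is_private:
                        f["dns"].append(server)
                except ValueError:
                    pass
            continue
        m = FRST_FILE_LINE.match(line)
        if m:
            if m.group(2).lower().endswith(r"\drivers\etc\hosts"):
                size = int(m.group(1))
                if size != WIN7_DEFAULT_HOSTS_SIZE:
                    f["hosts"].append(f"hosts is {size} bytes, expected {WIN7_DEFAULT_HOSTS_SIZE}")
            continue
        m = FILE_CHECK.match(line)
        if m and m.group(2) != "File is digitally signed":
            f["unsigned"].append(f"{m.group(1)}: {m.group(2)}")
    return f


if __name__ == "__main__":
    for area, items in triage(SAMPLE_LOG).items():
        print(f"{area:9s} {'OK' if not items else ''}")
        for item in items:
            print(f"          {item}")
```

Run it as `python frst_triage.py` to see the findings from the embedded sample; to use it on a real log, replace SAMPLE_LOG with the contents of the FRST.txt, Addition.txt or FSS.txt file (all plain text). On the lines quoted from this thread it reports the firewall policy value of 0, the Defender policy value of 1, the WinDefend start type and the McAfee Safe Mode entry, and nothing for hosts, UAC or DNS.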



#8 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:28 PM

Posted 25 June 2016 - 10:17 AM

Marvin:

 

Thank you for the logs.  I am really glad that you got FRST logs in Normal Boot Mode.  Now I will be able to really have a good look for any traces of malware.

 

It could take a day or two for me to get back to you, as I do have to consult with a Malware Response Instructor before posting, so I thank you in advance for your patience.  Be assured that your logs are being worked on.

 

Have a great weekend.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:28 PM

Posted 26 June 2016 - 12:06 PM

Marvin:

Thank you for your posts and logs. That is great news that you could get a set of "Normal Mode" FRST logs. :thumbup2:

Thank you for informing me that you had run ComboFix. That is a very powerful anti-malware utility that can seriously damage your computer, if it is not run under the supervision of a person trained in its use. It is a "nuclear" type anti-malware weapon. For more information, you can refer to this post by one of Bleeping Computer's foremost experts, Quietman7.

The good news is that I am not seeing signs of any active malware on your computer in your most recent, and complete, FRST logs run in "Normal Mode". :thumbup2: Your Farbar Service Scan was normal too.

 


:step1: You have two anti-spyware apps active simultaneously: Avira Antivirus and Spybot Search and Destroy.

 

AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

 

It is recommended that you only have one anti-virus and one anti-spyware program installed in your computer because multiple anti-virus and anti-spyware applications can interfere with each other, slow down the computer, and cause computer issues. See this post here from Quietman7, part of which I have quoted below for your information.
 

As a general rule, using more than one anti-malware program like Malwarebytes Anti-Malware, SuperAntispyware, Emsisoft Emergency Kit, Windows Defender in Windows 7 and earlier, Zemana AntiMalware, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and the others as stand-alone on demand scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. Using different signature databases will aid in detection and removal of more threats when scanning your system for malware.

Security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavioral Analysis, Sandboxing and Signature file detection which can account for discrepancies in scanning outcomes. Depending on how often the anti-virus or anti-malware database is updated can also account for differences in threat detections. Further, each vendor has its own definition (naming standards) of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

If using multiple anti-malware real-time resident shields together at the same time, there can be conflicts as a result of the overlap in protection. These conflicts are typical when similar applications try to compete for resources and exclusive rights to perform an action. They may identify the activity of each other as suspicious and produce alerts. Further, your anti-virus may detect suspicious activity while anti-malware programs are scanning (reading) files, especially if it uses a heuristic scanning engine, regardless if they are running in real-time or on demand. The anti-virus may even detect as threats, any malware removed by these programs and placed into quarantined areas. This can lead to a repetitive cycle of endless alerts or false alarms that continually warn a threat has been found if the contents of the quarantine folder are not removed before beginning a new security scan. Generally these conflicts are more of an annoyance rather than the significant conflicts which occur when running two anti-virus programs in real time.

 

I would recommend that you uninstall Spybot, or disable the real-time protection anti-spyware module of Avira Anti-Virus. Conflicts between the two products might explain some of the issues that you are experiencing.
 

 

:step2: You also have a PC optimizer installed on your computer.

 

JetClean (HKLM-x32\...\BlueSprig_JetClean_is1) (Version: 1.5.0 - BlueSprig)

 

Bleeping Computer does recommend the use of PC Optimizers and Registry Cleaners. Please see this excellent post on the subject by Quietman7.

 

I would recommend that you uninstall this program. Using such programs can cause computer issues, and I speak from personal experience. You are well advised to stay away from PC Optimizers and Registry Cleaners. They are all "snake oil" as well as being dangerous to the health and performance of your computer.
 

 

:step3: You have a remnant of McAfee left in your computer, which is creating constant errors because it can't find the files that it is looking for. This too can cause strange issues and degrade system performance.

 

I recommend that you download the McAfee Consumer Product Removal tool and run it. Please go to this link, download the tool, and run it according to the instructions provided. Please reboot your computer after you run the MCPR tool.

 


:step4: After completing the above instructions, please let me know how your computer is running now. Are you still having problems with launching downloaded programs? If so, which ones? Did you try re-downloading those programs to determine if the original download(s) might have been corrupted?

If there are any issues, please describe them in as much detail as possible and I will see what I can do to assist you further. The good news, as I have said, is that there does not appear to be any malware on your computer right now, so if there are still issues, we will have to look into other possible causes.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#10 trumpt

trumpt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 PM

Posted 26 June 2016 - 02:40 PM

Phil,             

 

Thanks for your last post. I’m glad to hear you didn’t find any malware on the logs, but unfortunately we still have problems. I didn’t say anything on Saturday after you made your post as I didn’t want to spoil your weekend.

 

After the progress we made earlier on Friday, I lost probably 40-50% of the gains by Friday night as things started getting a little glitchy again. It isn’t so much that the software apps are not working as it is that my surfing is slowing down and my keystrokes don’t seem to be as responsive in real time. Right now, I am unable to use the ‘0’ (zero) and ‘-‘ (hyphen) keys. I can still get around and navigate ok in normal mode.

 

I am attaching a printscreen file showing the processes and elevated Memory and CPU numbers I’m seeing for 3 iexplore.exe files and 1 svchost.exe file in Task Manager. Also, a printscreen of my CCleaner tool that I just ran that shows 4580 temporary files and a total of 352 MB for all files that could be removed. I can run CCleaner again tomorrow, and it will show similar numbers after I’ve done the cleaning and deleting.

 

I guess that is the reason why I’m running double sets of anti-virus software and utility cleaning programs in the hopes that something will catch the malware that’s present. Whatever has infected my laptop has proven to be really stealthy.

 

I’ll go ahead and run the McAfee software removal tool.

 

I appreciate everything you've done so far. Let me know your thoughts and the best way to proceed forward.

 

Thanks,

Marvin




#11 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:28 PM

Posted 28 June 2016 - 03:03 PM

Marvin:

Thank you for your post. Please accept my apologies for the delay in responding. Sometimes, "real life" gets in the way, and I have been kind of "jammed" for the last couple of days.

As I understand your post, and I might have misinterpreted it, you do not wish to uninstall/disable one of your anti-spyware applications, and you don't want to part with your JetClean PC Optimizer. As I explained in my previous post, running multiple, real-time, similar security applications can seriously degrade computer performance, actually lessen a computer's security, and cause all sorts of unusual, and unwanted, symptoms. Add to that mix a PC Optimizer, and computer issues are inevitable, sooner or later.

I would like to eliminate those items as being the possible cause of your computer issues. This is your computer, so it is your decision. At a minimum, I ask that you disable Spybot (AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}) and not use that, or any registry cleaner/PC optimizer programs, while we are working together to resolve your computer issues.
 

Whatever has infected my laptop has proven to be really stealthy.


Neither I, nor the Malware Response Instructor assigned to supervise me while I am dealing with your topic, can detect any active malware in either set of your FRST logs.

Based on the two screen shots you provided, it appears the issues are more related to Internet Explorer than anything else: high CPU usage as well as a proliferation of IE temp files.  So please disable Spybot, then please delete the IE temp files so that you start with none. You can find instructions here as to how to delete the IE temp files. Then please check CPU/temp files after launching IE, without ANY add-ons/extensions running/active. You can find instructions here on disabling all IE add-ons and extensions.

It is possible that there may be one or more IE browser add-on(s) that are causing the problems. Please let me know what you find.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#12 trumpt

trumpt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:28 PM

Posted 29 June 2016 - 04:22 PM

Phil,

 

Thanks for your reply, and no worries about the response times. At times, I get very busy myself.

 

No, it is not that I’d rather not uninstall or disable the Spybot or registry cleaner programs. It’s just that I downloaded these software programs after I got infected and I know this isn’t where the problems are coming from. And part of it may be my concern that this malware is proving to be extremely tough and I may end up losing my laptop as a result.

 

Here are the steps that I have taken since yesterday:

 

  • I completely uninstalled the Spybot, CCleaner and JetBoost software late yesterday afternoon and also deleted all of the IE temporary files. I also disabled the IE add-ons and extensions per the instructions using Option 1 by unchecking the “Enable third party browser extensions” box, and selecting “Apply” and “OK”. I also reviewed and removed several individual software add-ons and accelerators. Then I restarted the laptop.
  • Upon restarting the laptop, I checked the CPU and Memory numbers in Task Manager for the iexplore.exe and svchost.exe files, and the numbers were unchanged (still elevated and similar to the numbers seen previously when the IE add-ons and extensions were being allowed). In addition, this morning there were 6851 new IE temporary files found on my system.
  • However, there was something of interest to note, as this morning the “Enable third party browser extensions” box was checked again when I looked at the settings in IE. And I haven’t been in these settings since yesterday afternoon when I turned this function off.
  • I unchecked this box again and have been monitoring this to see if this happens again. I also looked at Option 3 this morning, checking the IE add-ons option in the registry using RegEdit, and it was already set to “no”. I was unable to review Option 2 Group Policy (I couldn’t get the Group Policy Editor to work) as I have the Windows 7 Home Premium software version.

 

With your observation that the problems may instead be related to IE, I think we may be on the right track now. Although I’m wondering if the problems may lie in something changing my Group Policy System Administrator settings, instead of there being problems with the IE add-ons and extensions settings. Recently, I remember (not sure how, what or where) coming across a message saying this particular program has been blocked by Group Policy (it might have been Windows Defender).

 

I remember checking the Group Policy settings and permissions, and finding that I did not have permission to make any changes to the settings. If my thinking is correct (and I admit I’m not too knowledgeable in this area), this line of thinking also supports my initial claim of having lost control of my System files.

 

I’ve had problems in the past with trying to set Yahoo as my Home Page, as I got continued competition with Microsoft/Bing wanting to take over in being the Home Page when I first open IE. Doesn’t seem to be a problem now.

 

I hope what I’ve mentioned here ties together consistently and hopefully makes sense, as I struggle trying to wrap my mind around what’s actually going on with my laptop.

 

I also appreciate your continued patience and also the input from your instructor. Let me know your thoughts and how you’d like to proceed.

 

Best wishes,

Marvin
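
A setting that is back on after a reboot, as described in the post above, is easiest to pin down by snapshotting the registry key before and after the reboot rather than re-checking the dialog. The following is an added example, not from the thread: two snapshots taken with the built-in `reg export` command are parsed and diffed in Python, and a list of values that should stay at a known-good setting is checked against the later snapshot. It assumes that the per-user switch behind IE's "Enable third-party browser extensions" box is the "Enable Browser Extensions" value under HKCU\Software\Microsoft\Internet Explorer\Main; the two snapshots embedded in the script are constructed, not taken from the poster's machine.

```python
"""Diff two 'reg export' snapshots of Internet Explorer settings to catch a value
that was changed back (for example, browser extensions re-enabled after a reboot).

Added example; not from the thread. Assumptions: the snapshots come from the
built-in command
    reg export "HKCU\Software\Microsoft\Internet Explorer\Main" before.reg /y
and the "Enable Browser Extensions" value under that key is the per-user setting
behind IE's "Enable third-party browser extensions" checkbox. BEFORE_REG and
AFTER_REG are constructed snapshots, not data from the poster's machine.
"""
import sys
from typing import Dict, List, Tuple

RegSnapshot = Dict[Tuple[str, str], str]  # (key path, value name) -> value text

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
# Values to hold at a known-good setting; the poster set this one to "no".
WATCHED = {(IE_MAIN, "Enable Browser Extensions"): "no"}

# Constructed snapshot "before the reboot".
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="no"
"Start Page"="https://www.yahoo.com/"
"NoProtectedModeBanner"=dword:00000001
'''

# Constructed snapshot "after the reboot": one value flipped, one value added.
AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"
"Start Page"="https://www.yahoo.com/"
"NoProtectedModeBanner"=dword:00000001
"Search Page"="http://example.com/search"
'''


def parse_reg(text: str) -> RegSnapshot:
    """Parse text in the 'Windows Registry Editor Version 5.00' export format."""
    snap: RegSnapshot = {}
    key = None
    pending = ""                        # long hex(...) values continue with a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            # REG_SZ values are quoted, with backslash and quote escaped
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        snap[(key, name)] = value       # dword:/hex: values are kept as written
    return snap


def diff_snapshots(before: RegSnapshot, after: RegSnapshot) -> Dict[str, List[tuple]]:
    """Report values that were modified, added or removed between two snapshots."""
    out: Dict[str, List[tuple]] = {"modified": [], "added": [], "removed": []}
    for k in sorted(set(before) | set(after)):
        if k in before and k in after:
            if before[k] != after[k]:
                out["modified"].append((k[0], k[1], before[k], after[k]))
        elif k in after:
            out["added"].append((k[0], k[1], after[k]))
        else:
            out["removed"].append((k[0], k[1], before[k]))
    return out


def check_expected(snap: RegSnapshot, watched: Dict[Tuple[str, str], str]) -> List[tuple]:
    """Return (key, name, expected, actual) for every watched value that drifted."""
    return [(k, n, want, snap.get((k, n)))
            for (k, n), want in watched.items() if snap.get((k, n)) != want]


if __name__ == "__main__":
    if len(sys.argv) == 3:              # real use: reg export writes UTF-16 text files
        before = parse_reg(open(sys.argv[1], encoding="utf-16").read())
        after = parse_reg(open(sys.argv[2], encoding="utf-16").read())
    else:                               # demo on the constructed snapshots
        before, after = parse_reg(BEFORE_REG), parse_reg(AFTER_REG)
    for kind, items in diff_snapshots(before, after).items():
        for item in items:
            print(kind, *item)
    for key, name, want, got in check_expected(after, WATCHED):
        print(f"DRIFT {key}\\{name}: expected {want!r}, found {got!r}")
```

Take the first snapshot with `reg export "HKCU\Software\Microsoft\Internet Explorer\Main" before.reg /y`, reboot, export again to after.reg, and run `python ie_reg_diff.py before.reg after.reg` (reg export writes UTF-16 text, which is why the script opens the files with encoding="utf-16"). A value that shows as modified with no user action in between was written by some process on the machine, and that is the thing to hunt for next; the same two-snapshot approach works for any key, such as the Browser Helper Objects list.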



#13 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:28 PM

Posted 01 July 2016 - 08:56 AM

Marvin:

Thank you for your post. Your latest information might be very helpful.

Thank you for uninstalling Spybot and JetClean. It was not necessary to remove CCleaner. That is a very good program for cleaning out temp files. Bleeping Computer however recommends against using the registry cleaning component of CCleaner, even though it is better than most, in that it does make a backup before it "cleans" the registry.
 

With your observation that the problems may instead be related to IE, I think we may be on the right track now. Although I’m wondering if the problems may lie in something changing my Group Policy System Administrator settings, instead of there being problems with the IE add-ons and extensions settings. Recently, I remember (not sure how, what or where) coming across a message saying this particular program has been blocked by Group Policy (it might have been Windows Defender).

I remember checking the Group Policy settings and permissions, and finding that I did not have permission to make any changes to the settings. If my thinking is correct (and I admit I’m not too knowledgeable in this area), this line of thinking also supports my initial claim of having lost control of my System files.


The Group Policy restriction that you saw might have been Avira disabling Windows Defender. A lot of anti-virus programs disable Windows Defender to avoid conflicts between them and Windows Defender.

What I find interesting is that Windows 7 Home Premium does not permit user access to gpedit.exe (Group Policy Editor). That is only available in Windows 7 Pro, and higher. Now there are utilities to hack Windows 7 Home Premium to add gpedit.exe capability, but from what I understand, this violates the Windows EULA and can also lead to serious computer issues. Please see this link.

I am not sure how much surfing that you do. IE temp files can quickly proliferate if you are doing any amount of serious surfing. In fact, I have CCleaner Pro set to automatically clean my browsers on exit, and you can do that in IE11 too, without CCleaner. Just select "Tools", "Internet Options", "Browsing History", and check the box "Delete browsing history on exit."

I also found this thread.

The first post sounds like what you are describing and the user resolved his problem by running the Microsoft Safety Scanner, linked to in the second post in that thread.

As I said, I can't see any active malware on your computer, but FRST is like any tool: it is not always perfect. Let's run some standard scans to see if anything turns up. If nothing is detected by ESET and MBAM, then please run the Microsoft Safety Scanner and see what it finds. It might detect something, which it considers malware, and it might resolve your problem. You have nothing to lose by trying. If any of the scans find something, then we will be in touch with the developer of FRST because he is extremely conscientious about keeping FRST updated and accurate.



Step 1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK
  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply

Don't forget to re-enable your antivirus when finished!



Step 2: Malwarebytes Anti-Malware Free and Malwarebytes Chameleon Including External Drive

----------

  • Download Malwarebytes Anti-Malware Free and save it to your Desktop.
  • Double click the desktop icon, click Run, then Yes.
  • Click OK for English, then click Next.
  • Select I accept the agreement, then continue to click Next, then finally click Install.
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium, if you do not want the free trial of the paid version, then click Finish.
  • On the Dashboard, select Settings.
  • Click on Detection and Protection.
  • Ensure that Scan for rootkits is checked. If not, check it.
  • If you are notified the Database is out of date, click Update Now.
  • Attach any external drives you want to scan, if not already attached.
  • Click the Scan button near the top.
  • Select Custom Scan, then click Configure Scan.
  • Place a check mark in any additional drives you would like to scan.
  • Click Scan now.

----------
Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
Click Start (Start, Search, All files and folders for Windows XP), then type mbam.
Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan.

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com

----------

  • When completed, click the down arrow on Export Log and select Text file (*.txt).
  • Save the file to your desktop as MBAM.txt.
  • Click Apply Actions, then restart your computer, if requested.
  • Please copy and paste the contents of MBAM.txt into your next reply.



Step 3: Optionally, please run the Microsoft Safety Scanner, that I linked to, above.



Step 4: You said that you were seeing large files in the Task Manager:

"Windows Task Manager, I'm getting large file sizes for some of the iexplore.exe and svchost.exe files."

Please attach some screenshots showing what you are seeing. It would also help if you could expand the Task Manager Processes window, so that I can see all available information on the processes, particularly the iexplore.exe and svchost.exe processes. You should upload those screenshots to Dropbox, Sendspace, or whatever cloud storage that you are accustomed to using and just post the links. The upload limit here is very small (250 KB total), and you have probably used most of your allowed upload space by uploading your previous two screenshots.

 



Step 5: Please copy and paste the following logs into your next reply, if anything is detected:

  • ESET Online Scan log;
  • MBAM log; and,
  • Microsoft Safety Scanner log.

 



Hopefully something might be detected to enable us to resolve your issues or the screenshots might hold a clue.  The Instructor and I are determined to resolve your issues - that's what we are here for.  Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
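The steps above have the poster gather the Task Manager evidence by hand and reason about a Group Policy restriction. As an added example, not code from this thread or from any tool it names, the PowerShell below does that triage on Windows 7 SP1 with the stock PowerShell 2.0 cmdlets: it lists every iexplore.exe and svchost.exe with memory, CPU time and image path, maps each svchost.exe PID to the services it hosts (the information tasklist /svc prints), and reads the registry values that produce "blocked by Group Policy" messages. The process names follow the thread; the registry paths are the standard Windows policy locations. One caveat worth knowing: these are registry-backed policy values and they take effect on Home Premium too, even though gpedit.msc, the editor, is not shipped with that edition.

```powershell
# Added example for this BleepingComputer thread; not Phil's or Marvin's code
# and not part of FRST, ESET, MBAM or JRT. Windows 7 SP1 / PowerShell 2.0,
# built-in cmdlets only. Run from an elevated prompt so WMI can report the
# image path of SYSTEM-owned svchost.exe instances.

# --- 1. Footprint of the processes named in the thread --------------------
$procs = Get-WmiObject -Class Win32_Process `
    -Filter "Name='iexplore.exe' OR Name='svchost.exe'"

Write-Host "== 1. iexplore.exe / svchost.exe footprint =="
$procs |
    Sort-Object WorkingSetSize -Descending |
    Select-Object Name, ProcessId,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSetSize / 1MB, 1) } },
        # User+Kernel time are in 100 ns units; 1e7 of them make one second
        @{ Name = 'CPUSeconds';   Expression = { [math]::Round(($_.UserModeTime + $_.KernelModeTime) / 1e7, 1) } },
        ExecutablePath |
    Format-Table -AutoSize | Out-Host

# A genuine svchost.exe lives in System32 (SysWOW64 for 32-bit services).
# Anything else using that name deserves a hash lookup before it is trusted.
$legitHosts = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")
foreach ($p in $procs) {
    if ($p.Name -eq 'svchost.exe' -and $p.ExecutablePath -and ($legitHosts -notcontains $p.ExecutablePath)) {
        Write-Warning ("svchost.exe PID {0} runs from {1}" -f $p.ProcessId, $p.ExecutablePath)
    }
}

# --- 2. Which services live in which svchost.exe ---------------------------
Write-Host "`n== 2. Services per svchost.exe PID =="
$svcByPid = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
    Group-Object -Property ProcessId
foreach ($g in ($svcByPid | Sort-Object { [int]$_.Name })) {
    Write-Host ("{0,6}  {1}" -f $g.Name, (($g.Group | ForEach-Object { $_.Name }) -join ', '))
}

# An svchost.exe that hosts no registered service is unusual. A service that
# is still starting can cause a one-off hit, so re-run before acting on it.
$hostingPids = @($svcByPid | ForEach-Object { [int]$_.Name })
foreach ($p in $procs) {
    if ($p.Name -eq 'svchost.exe' -and $hostingPids -notcontains [int]$p.ProcessId) {
        Write-Warning ("svchost.exe PID {0} hosts no registered service" -f $p.ProcessId)
    }
}

# --- 3. Registry values behind "blocked by Group Policy" -------------------
Write-Host "`n== 3. Policy values (apply on Home editions; gpedit.msc is only the editor) =="
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';
       Name = 'DisableAntiSpyware';
       Note = '1 = Windows Defender turned off by policy (third-party AV installers also set this)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers';
       Name = 'DefaultLevel';
       Note = 'Software Restriction Policy default: 0 = Disallowed, 262144 (0x40000) = Unrestricted' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'DisallowRun';
       Note = '1 = executables listed under the DisallowRun subkey may not be started' }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) {
        Write-Host ("{0}\{1} = {2}   ({3})" -f $c.Path, $c.Name, $item.($c.Name), $c.Note)
    } else {
        Write-Host ("{0}\{1} : not set" -f $c.Path, $c.Name)
    }
}

# Names blocked through DisallowRun, if that subkey exists
$dr = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $dr) {
    $drProps = Get-ItemProperty -Path $dr
    foreach ($n in (Get-Item $dr).GetValueNames()) {
        Write-Host ("  DisallowRun\{0} = {1}" -f $n, $drProps.$n)
    }
}
```

Read section 1 and 2 together: a large svchost.exe is normal when it hosts a group such as netsvcs, so the question is not its size but whether its path is the expected one and whether it hosts services at all. Section 3 reporting DisableAntiSpyware = 1 with a third-party antivirus installed is the situation Phil describes, not by itself a sign of compromise.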


#14 trumpt (Topic Starter)

Posted 02 July 2016 - 06:42 PM

Phil,

 

Thanks for your latest reply. Sorry for not replying sooner, but I’ve been severely ‘hooked up’ yesterday and today.

 

Latest update: I went ahead and re-installed CCleaner as I tend to favor this program as well. I’ve noticed CCleaner will delete well over 99% of my temp files, but it won’t delete all of them. I get about 8 to 10 temp files remaining that can’t be deleted, either manually or even by using a tough file shredder software program. More on this later on in my post, plus a small unexpected surprise.

 

Regarding Group Policy and Windows Defender, I should have mentioned before that there were several other programs (including Windows Defender) in a Group Policy program listing where I was prevented from accessing or changing the permission settings in these programs. I just don’t remember how I got to where these programs were listed.

 

You mentioned the downside in hacking Windows 7 with gpedit (Group Policy Editor). I was aware that this option was available, and I may consider this step later on if we’re unable to successfully get control of the laptop.

 

The link you sent about the user having an excessive number of temp files and high CPU numbers for the iexplore.exe and svchost.exe files was eerily similar to what I’m going through. I tried to download the Microsoft Safety Scanner, and it took me five tries before I finally got it downloaded. This was the first time I’ve had problems with something preventing me from downloading files since I first posted on this forum. Unfortunately, I ran both the ‘quick’ and ‘full’ scans and came up with nothing. However, going back to the other gentleman’s post and our similar problems, I am almost certain that I’ve come across the Win32 Trojan Downloader virus before on my laptop. It’s got me wondering now perhaps we’re dealing with a variant of the same virus, and I’m going to research this possibility further.

 

I ran the ESET scanner, and it only came up with a false positive on the CCleaner software I’m running, as follows:

 

C:\Users\user\Downloads\ccsetup516.exe         Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
C:\Users\user\Downloads\ccsetup518.exe         Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted

 

The Malwarebytes Anti-Malware software also didn’t find anything in its scan.

 

Going back to the temp files I mentioned earlier that I couldn’t delete, I ran the Junkware Removal Tool to show proof of what I was saying, as I know the JRT software will delete the undeletable temp files I’m getting. As a bonus, it caught the SearchScopes adware program that was messing with my home page settings (Yahoo vs. Microsoft/Bing) a while back, along with my default search engine settings. The JRT log contents are shown below. In an earlier run, JRT also deleted a Windows wininit.ini file that I had.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Home Premium x64
Ran by user (Administrator) on Fri 07/01/2016 at 10:48:01.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 8

Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QW8SSC1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODYEAAY (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2GL3Y1C (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R1F3DPG3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QW8SSC1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODYEAAY (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2GL3Y1C (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R1F3DPG3 (Temporary Internet Files Folder)

Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} (Registry Key)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 07/01/2016 at 10:50:01.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

In summary, it looks to me like there may be some growing support for considering a variant of Win32 Trojan Downloader, plus we know the SearchScopes adware is probably still present on my laptop.

 

I’m not set up for cloud storage and will try to get you the 2 printscreen files tomorrow showing the high CPU numbers for the iexplore.exe and svchost.exe files, as well as the remaining processes shown in Task Manager.

 

Have a good weekend,

Marvin
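The JRT log above removed two Internet Explorer SearchScopes keys. A key's GUID says little on its own: {0633EE93-D776-472f-A0FF-E1416B8B2E3A} is the identifier Internet Explorer uses for its built-in Bing provider, so what distinguishes a hijacked provider from a legitimate one is the URL the key points at, not its name. As an added example, not Marvin's code and not part of JRT, the PowerShell below lists each provider under HKCU and HKLM with its display name, the host its URL resolves to, and a flag when that host is outside an allow-list or when the key is the current DefaultScope. The allow-list of hosts is an assumption for illustration; add any provider you installed deliberately. It runs on Windows 7 with PowerShell 2.0 and needs no elevation for the HKCU half.

```powershell
# Added example for this BleepingComputer thread; not Marvin's code and not
# part of JRT or FRST. Audits IE search providers instead of deleting them
# blind. Windows 7 / PowerShell 2.0, built-in cmdlets only.

# Assumed allow-list for illustration: hosts a search provider is expected to use.
$knownHosts = @('www.bing.com', 'www.google.com')

# HKCU holds the user's providers (the hive JRT cleaned); HKLM holds machine defaults.
$roots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { Write-Host "$root : absent"; continue }

    # DefaultScope names the GUID IE uses when the user types in the search box.
    $default = (Get-ItemProperty -Path $root -Name DefaultScope -ErrorAction SilentlyContinue).DefaultScope
    Write-Host "`n$root"
    Write-Host "  DefaultScope = $default"
    Write-Host ("  {0,-40} {1,-28} {2,-22} {3}" -f 'Key', 'DisplayName', 'Host', 'Flags')

    Get-ChildItem -Path $root | ForEach-Object {
        $scope = Get-ItemProperty -Path $_.PSPath
        $url   = $scope.URL
        $hostName = $null
        if ($url) {
            # URL values contain the {searchTerms} placeholder; System.Uri copes,
            # but a deliberately malformed value would not, so guard the cast.
            try { $hostName = ([System.Uri]$url).Host } catch { $hostName = '<unparseable>' }
        }

        $flags = @()
        if (-not $url)                                { $flags += 'NO-URL' }
        elseif ($knownHosts -notcontains $hostName)   { $flags += 'UNKNOWN-HOST' }
        if ($_.PSChildName -eq $default)              { $flags += 'DEFAULT' }

        # The built-in Bing provider shows a resource string such as
        # "@ieframe.dll,-12512" as its DisplayName; that is normal.
        Write-Host ("  {0,-40} {1,-28} {2,-22} {3}" -f $_.PSChildName, $scope.DisplayName, $hostName, ($flags -join ' '))
    }
}
```

A provider flagged UNKNOWN-HOST and DEFAULT together is the pattern behind a changed default search engine: the hijacker adds its own GUID under SearchScopes and points DefaultScope at it. Removing the provider key without resetting DefaultScope leaves IE referring to a key that no longer exists, so check both values after any cleanup.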



#15 trumpt (Topic Starter)

Posted 03 July 2016 - 11:58 AM

Here are the links to the two screenshots showing the high CPU usage for my processes in Task Manager:

 

https://drive.google.com/file/d/0B_7bSMZf7Fk6TGlXQTNic2ljbmM/view

 

https://drive.google.com/file/d/0B_7bSMZf7Fk6SFZhVjR3TWtFeG8/view





