
What does this mean in Qoobox?, note 2017 entries.


This topic is locked. 7 replies to this topic.

#1 sdowney717 (Members, 7 posts)

Posted 12 January 2017 - 07:06 AM

2016-11-24 12:15:37 . 2017-01-11 14:38:39              232 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2015-02-26 03:32:58 . 2015-02-26 03:32:58                0 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2015-02-26 03:31:52 . 2015-02-26 03:31:52              377 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2015-02-26 03:27:24 . 2017-01-11 14:01:02            3,821 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2015-02-26 03:20:46 . 2017-01-11 12:40:39              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-11-21 03:23:55 . 2010-11-21 03:23:55           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\userinit.exe.vir
 

 

Are they viruses?

Do they regenerate themselves?

I noticed the symptoms came back 2 days after running ComboFix.

My guess is if I run ComboFix every few days, it would keep finding these because some hidden file on the PC is reinfesting the PC again and again.
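What the listing in this post is actually showing, as an added example that is not part of the thread: C:\Qoobox is ComboFix's own working directory. It holds files ComboFix moved out of the way (renamed with a .vir suffix, under a C\... tree that mirrors the original path), copies of registry keys it changed (Registry_backups), a copy of the MBR, and catchme.log from its rootkit scan. The script below parses the six lines above, embedded as constructed sample input, and reads the two timestamps as creation time followed by last-write time, the order ComboFix prints them in (an assumption about the listing's column order). Every 2017 date belongs to a backup or log whose last-write time was refreshed on 2017-01-11, consistent with a ComboFix run on that day; the only entry that was ever a quarantined file is the .vir, untouched since 2010.

```python
import re
from datetime import datetime

# Constructed sample input: the six Qoobox lines from the post above, verbatim.
QOOBOX_LISTING = r"""
2016-11-24 12:15:37 . 2017-01-11 14:38:39              232 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2015-02-26 03:32:58 . 2015-02-26 03:32:58                0 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2015-02-26 03:31:52 . 2015-02-26 03:31:52              377 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2015-02-26 03:27:24 . 2017-01-11 14:01:02            3,821 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2015-02-26 03:20:46 . 2017-01-11 12:40:39              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-11-21 03:23:55 . 2010-11-21 03:23:55           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\userinit.exe.vir
"""

# Column order assumed: creation time, ".", last-write time, size, attributes, path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
TS = "%Y-%m-%d %H:%M:%S"
QUARANTINE = "C:\\Qoobox\\Quarantine\\"


def classify(path):
    """What kind of artefact a Qoobox entry is, judged by where ComboFix put it."""
    low = path.lower()
    if low.endswith(".vir"):
        return "quarantined file"      # original moved here and renamed with .vir
    if "\\registry_backups\\" in low:
        return "registry backup"       # copy of a key ComboFix changed, kept for restore
    if low.endswith(".mbr"):
        return "MBR backup"
    if low.endswith(".log"):
        return "tool log"
    return "other"


def parse_listing(text):
    """Turn the listing into dicts; 'rewritten' marks entries a later run touched."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m["created"], TS)
        modified = datetime.strptime(m["modified"], TS)
        entries.append({
            "path": m["path"],
            "kind": classify(m["path"]),
            "size": int(m["size"].replace(",", "")),
            "created": created,
            "modified": modified,
            # Last-write later than creation: an existing backup/log was rewritten
            # in place by a later ComboFix run. The entry itself is not new.
            "rewritten": modified > created,
        })
    return entries


def original_location(path):
    """Map a .vir entry back to the path it was quarantined from."""
    if not path.lower().startswith(QUARANTINE.lower()) or not path.lower().endswith(".vir"):
        return None
    rel = path[len(QUARANTINE):-len(".vir")]      # e.g. C\Windows\SysWOW64\userinit.exe
    drive, _, rest = rel.partition("\\")
    return f"{drive}:\\{rest}"


def summarize(entries):
    rewritten = [e for e in entries if e["rewritten"]]
    return {
        "total": len(entries),
        "quarantined_files": sum(e["kind"] == "quarantined file" for e in entries),
        "rewritten": len(rewritten),
        "last_rewrite": max((e["modified"] for e in rewritten), default=None),
    }


if __name__ == "__main__":
    entries = parse_listing(QOOBOX_LISTING)
    for e in entries:
        state = ("rewritten " + e["modified"].strftime("%Y-%m-%d")) if e["rewritten"] else "untouched since creation"
        print(f"{e['kind']:<17} {e['size']:>7} B  {state:<24} {e['path']}")
        if e["kind"] == "quarantined file":
            print(f"{'':<17} originally at {original_location(e['path'])}")
    print(summarize(entries))
```

The GUID in the first line, {472083B0-C522-11CF-8763-00608CC02F24}, is the same one the FRST log later in this thread reports under ShellIconOverlayIdentifiers as two entries (00avast and 00avg) with No File, so the registry backup and the orphaned overlay entries are the same item seen from two tools.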

 

 




#2 nasdaq (Malware Response Team, 40,229 posts, Montreal, QC. Canada)

Posted 13 January 2017 - 02:12 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

The files that ComboFix quarantines are saved in the Quarantine folder.

You can delete the files in the Quarantine folder and flush the Recycle Bin.

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs for my review.

Let me know what problem persists with this computer.

#3 sdowney717 (Topic Starter, Members, 7 posts)

Posted 14 January 2017 - 05:36 PM

thanks nasdaq

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-01-2017
Ran by lr (administrator) on LR-PC (14-01-2017 17:20:02)
Running from C:\Users\lr\Downloads
Loaded Profiles: lr (Available Profiles: lr)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(Microsoft Corporation) C:\Windows\vVX6000.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.Systray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe
(ExDeus) C:\Program Files (x86)\WMC Recording Storage Pooler\WMCRecordingStoragePooler.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\Windows\ehome\ehrecvr.exe
(Microsoft Corporation) C:\Windows\ehome\mcGlidHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [VX6000] => C:\Windows\vVX6000.exe [764784 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585744 2015-01-16] (NVIDIA Corporation)
HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239672 2017-01-09] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-11-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [917576 2016-12-13] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira System Speedup User Starter] => C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe [26832 2016-12-13] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira System Speedup Tray] => C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.Systray.exe [159568 2016-12-13] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe [9523496 2017-01-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2180680 2017-01-11] ()
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27219928 2016-11-15] (Skype Technologies S.A.)
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\...\Run: [GoogleChromeAutoLaunch_6D68B2A0DEAB486F8A6016D1605B06C2] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [935768 2016-12-08] (Google Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\Users\lr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zSpeedup.lnk [2017-01-11]
ShortcutTarget: zSpeedup.lnk -> C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe (Avira Operations GmbH & Co. KG)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{144F109A-FB76-4878-8A17-E026DA8A1641}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=hp
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3122017174-3441429465-50051793-1001 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3122017174-3441429465-50051793-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.3.6.255\AVG Web TuneUp.dll [2017-01-11] (AVG)
BHO-x32: AviraBrowserSafety.BrowserSafety -> {c3c77255-42c0-499f-b664-6e981a0b1647} -> C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1395859104622
Handler-x32: abs - {E00957BD-D0E1-4eb9-A025-7743FDC8B27B} - C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-09-23] (Skype Technologies)
 
FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.6\\npsitesafety.dll [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-03] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-03] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2013-12-08] (VideoLAN)
FF Plugin HKU\S-1-5-21-3122017174-3441429465-50051793-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\lr\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3122017174-3441429465-50051793-1001: @talk.google.com/O1DPlugin -> C:\Users\lr\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3122017174-3441429465-50051793-1001: @tools.google.com/Google Update;version=3 -> C:\Users\lr\AppData\Local\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin HKU\S-1-5-21-3122017174-3441429465-50051793-1001: @tools.google.com/Google Update;version=9 -> C:\Users\lr\AppData\Local\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\lr\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\lr\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> mysearch.avg.com/?rvt=1
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3319738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP4031462D-D01C-4A40-92A8-55B916167BAA&SSPV=","hxxp://www.google.com/","hxxp://search.conduit.com/?ctid=CT3319738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP4031462D-D01C-4A40-92A8-55B916167BAA&SSPV=","hxxp://getchrome.eu/home/","hxxp://search.yahoo.com/?type=888596&fr=spigot-yhp-ch"
CHR Session Restore: Default -> is enabled.
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
CHR Profile: C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default [2017-01-14]
CHR Extension: (Entanglement Web App) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2013-10-18]
CHR Extension: (Bejeweled) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm [2013-08-24]
CHR Extension: (Angry Birds) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2014-12-14]
CHR Extension: (Google Docs) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-19]
CHR Extension: (Google Drive) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-03]
CHR Extension: (TV) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\beobeededemalmllhkmnkinmfembdimh [2013-08-24]
CHR Extension: (YouTube) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Advanced Font Settings) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\caclkomlalccbpcdllchkeecicepbmbm [2016-07-13]
CHR Extension: (AVG Secure Search) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn [2017-01-11]
CHR Extension: (Google Search) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-03]
CHR Extension: (Netflix) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\deceagebecbceejblnlcjooeohmmeldh [2015-04-04]
CHR Extension: (Tampermonkey) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-12-23]
CHR Extension: (ARC Welder) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\emfinbmielocnlhgmfkkmkngdoccbadn [2016-11-19]
CHR Extension: (YoWindow Free Weather) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\fanogbnclpilemkifpjeglokomebpnef [2016-12-18]
CHR Extension: (Avira Browser Safety) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-09-27]
CHR Extension: (Chrome Remote Desktop) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2016-07-02]
CHR Extension: (Google Docs Offline) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-27]
CHR Extension: (AdBlock) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-12-28]
CHR Extension: (Mailto:) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\gppbppehiogfokmpligejhaepeopajdf [2015-08-25]
CHR Extension: (NPR: News, Music and Books) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcamfjcklnmlbokoackecfjidfjafgog [2013-08-24]
CHR Extension: (AllCast Receiver) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjbljnpdahefgnopeohlaeohgkiidnoe [2017-01-06]
CHR Extension: (Font Rendering Enhancer) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmbmmdjlcdediglgfcdkhinjdelkiock [2016-07-13]
CHR Extension: (Crackle) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibfamoapbmmmlknoopmmfofgladlinic [2015-09-12]
CHR Extension: (goo.gl URL Shortener) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\iblijlcdoidgdpfknkckljiocdbnlagk [2015-05-24]
CHR Extension: (Kindle Cloud Reader) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2014-07-26]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2016-12-18]
CHR Extension: (Type Sample) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\jobccjjaffckfoggljonehppmldgmkmh [2016-09-14]
CHR Extension: (Smooth Fonts) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\jomdmdadhphmnkfocajhglgmhfmeajef [2016-07-13]
CHR Extension: (Google Voice (by Google)) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo [2013-12-04]
CHR Extension: (Google Hangouts) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2016-12-23]
CHR Extension: (Artillery Tower Protector) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldgcejmkikbadghamaadggncnbfekdik [2013-08-24]
CHR Extension: (Dragons of Atlantis) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\manlnjcghdempjdpndlcmaaobbighhcf [2013-08-24]
CHR Extension: (Poppit!) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-07-26]
CHR Extension: (Chrono Download Manager) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mciiogijehkdemklbdcbfkefimifhecn [2015-12-30]
CHR Extension: (App Runtime for Chrome (Beta)) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfaihdlpglflfgpfjcifdjdjcckigekc [2016-11-19]
CHR Extension: (deblurr) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjloeooooapfjiifokponbnboglcgdim [2016-07-13]
CHR Extension: (CanIStream.It) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\nefjaladmbgpekhpikihnnchgbdfojpk [2013-08-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Docs PDF/PowerPoint Viewer (by Google)) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnbmlagghjjcbdhgmkedmbmedengocbn [2013-08-24]
CHR Extension: (Weather Aware) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofiahdodpoomdjoegkmibpmgejobfpcn [2013-08-24]
CHR Extension: (Bastion) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\oohphhdkahjlioohbalmicpokoefkgid [2013-08-24]
CHR Extension: (Bubble Santa) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbokbbbgkgifjmmbokbdiimcffphbgha [2013-08-24]
CHR Extension: (Weather Underground) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjejbgheonogbpfkkjigbmahaljipoej [2015-05-24]
CHR Extension: (Gmail) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-04]
CHR Extension: (Chrome Media Router) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-18]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [chfdnecihphmhljaaejmgoiahnihplgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1089592 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [476736 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [476736 2016-12-13] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1490296 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [260080 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [6183576 2017-01-11] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1255272 2017-01-09] (AVG Technologies CZ, s.r.o.)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [350528 2016-11-24] (Avira Operations GmbH & Co. KG)
S2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [263704 2016-11-16] (Avira Operations GmbH & Co. KG)
R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe [76392 2016-10-16] (Google Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2015-01-16] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706128 2015-01-16] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833360 2015-01-16] (NVIDIA Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-10-16] (Realtek Semiconductor)
R2 SpeedupService; C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe [35416 2016-12-13] (Avira Operations GmbH & Co. KG)
R2 vToolbarUpdater40.3.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe [1349704 2017-01-11] (AVG Secure Search)
S3 w7Svc; C:\Program Files (x86)\webcam 7\wService.exe [5262656 2013-12-18] (Moonware Studios)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WMCRecordingStoragePooler; C:\Program Files (x86)\WMC Recording Storage Pooler\WMCRecordingStoragePooler.exe [54784 2010-08-14] (ExDeus) [File not signed]
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [980552 2017-01-11] ()
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AVer88xHD; C:\Windows\System32\drivers\AVer88xHD64.sys [508672 2009-06-25] (AVerMedia TECHNOLOGIES, Inc.)
S3 avgbdisk; C:\Windows\system32\drivers\avgbdiska.sys [165624 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgbidsdriver; C:\Windows\system32\drivers\avgbidsdrivera.sys [311592 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgbidsh; C:\Windows\system32\drivers\avgbidsha.sys [192096 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgblog; C:\Windows\system32\drivers\avgbloga.sys [336920 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgbuniv; C:\Windows\system32\drivers\avgbuniva.sys [50848 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\system32\drivers\avgHwid.sys [39288 2017-01-11] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\system32\drivers\avgMonFlt.sys [127072 2017-01-11] (AVG Technologies CZ, s.r.o.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [176464 2016-12-13] (Avira Operations GmbH & Co. KG)
S3 avgRdr; C:\Windows\system32\drivers\avgRdr2.sys [101624 2017-01-11] (AVG Technologies CZ, s.r.o.)
R0 avgRvrt; C:\Windows\system32\drivers\avgRvrt.sys [75664 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgSnx; C:\Windows\system32\drivers\avgSnx.sys [992488 2017-01-11] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\system32\drivers\avgSP.sys [555152 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgStm; C:\Windows\system32\drivers\avgStm.sys [163512 2017-01-11] (AVG Technologies CZ, s.r.o.)
S3 avgVmm; C:\Windows\system32\drivers\avgVmm.sys [311472 2017-01-11] (AVG Technologies CZ, s.r.o.)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [148032 2016-12-13] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-07-18] (Avira Operations GmbH & Co. KG)
R3 AVMNgBasM780; C:\Windows\System32\DRIVERS\AVerBas.sys [72448 2009-06-11] (AVerMedia TECHNOLOGIES, Inc.)
R3 AVMNgCapM780; C:\Windows\System32\DRIVERS\AVerCap.sys [442368 2009-06-11] (AVerMedia TECHNOLOGIES, Inc.)
R3 AVMNgTunM780; C:\Windows\System32\DRIVERS\AVerTun.sys [240768 2009-06-11] (AVerMedia TECHNOLOGIES, Inc.)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-07-18] (Avira Operations GmbH & Co. KG)
R3 Bda8600; C:\Windows\System32\Drivers\Dtf8600b.sys [120704 2007-05-21] (VBox Communications Ltd.)
R3 BdaVb35xx; C:\Windows\System32\Drivers\Vb35xxB.sys [172672 2007-05-21] (VBox Communications Ltd.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-01-16] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S3 VX6000; C:\Windows\System32\DRIVERS\VX6000Xp.sys [2143600 2010-05-20] (Microsoft Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-14 17:20 - 2017-01-14 17:21 - 00027936 _____ C:\Users\lr\Downloads\FRST.txt
2017-01-14 17:18 - 2017-01-14 17:20 - 00000000 ____D C:\FRST
2017-01-14 17:18 - 2017-01-14 17:18 - 02419200 _____ (Farbar) C:\Users\lr\Downloads\FRST64.exe
2017-01-11 10:51 - 2017-01-11 10:52 - 03449440 _____ (AVG Technologies CZ, s.r.o.) C:\Users\lr\Downloads\AVG_Protection_Free_1606 (1).exe
2017-01-11 10:09 - 2017-01-11 10:10 - 00000000 ____D C:\Users\lr\AppData\Local\AVG Web TuneUp
2017-01-11 10:09 - 2017-01-11 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-01-11 10:08 - 2017-01-11 10:10 - 00000000 ____D C:\ProgramData\AVG Web TuneUp
2017-01-11 10:08 - 2017-01-11 10:08 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2017-01-11 10:08 - 2017-01-11 10:08 - 00000000 ____D C:\Program Files (x86)\AVG Web TuneUp
2017-01-11 10:07 - 2017-01-11 10:07 - 00000000 ____D C:\Users\lr\AppData\Roaming\AVG
2017-01-11 10:06 - 2017-01-11 10:06 - 00992488 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSnx.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00555152 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSP.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00397800 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-01-11 10:06 - 2017-01-11 10:06 - 00311472 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgVmm.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00163512 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgStm.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00127072 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgMonFlt.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00101624 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRdr2.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00075664 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRvrt.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00039288 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgHwid.sys
2017-01-11 10:06 - 2017-01-11 10:06 - 00003920 _____ C:\Windows\System32\Tasks\Antivirus Emergency Update
2017-01-11 10:06 - 2017-01-11 10:05 - 00336920 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbloga.sys
2017-01-11 10:06 - 2017-01-11 10:05 - 00311592 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsdrivera.sys
2017-01-11 10:06 - 2017-01-11 10:05 - 00192096 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsha.sys
2017-01-11 10:06 - 2017-01-11 10:05 - 00165624 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbdiska.sys
2017-01-11 10:06 - 2017-01-11 10:05 - 00050848 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbuniva.sys
2017-01-11 10:04 - 2017-01-11 10:04 - 00000984 _____ C:\Users\Public\Desktop\AVG.lnk
2017-01-11 10:04 - 2017-01-11 10:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2017-01-11 10:01 - 2017-01-14 13:59 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2017-01-11 10:01 - 2017-01-11 10:04 - 00000000 ____D C:\Program Files (x86)\AVG
2017-01-11 10:00 - 2017-01-11 14:39 - 00000000 ____D C:\ProgramData\Avg
2017-01-11 10:00 - 2017-01-11 10:04 - 00000000 ____D C:\Users\lr\AppData\Local\AvgSetupLog
2017-01-11 10:00 - 2017-01-11 10:00 - 03449440 _____ (AVG Technologies CZ, s.r.o.) C:\Users\lr\Downloads\AVG_Protection_Free_1606.exe
2017-01-11 10:00 - 2017-01-11 10:00 - 00000000 ____D C:\Users\lr\AppData\Local\Avg
2017-01-11 09:41 - 2017-01-11 09:41 - 00016122 _____ C:\ComboFix.txt
2017-01-11 07:32 - 2017-01-11 07:32 - 05659315 ____R (Swearware) C:\Users\lr\Downloads\ComboFix.exe
2017-01-11 07:30 - 2017-01-11 07:30 - 00002843 _____ C:\malbytess1.txt
2016-12-15 14:18 - 2017-01-14 12:10 - 00000000 ____D C:\Users\Public\Speedup Sessions
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-14 17:18 - 2013-12-31 13:38 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-14 17:10 - 2013-12-04 06:22 - 00000000 ____D C:\Users\lr\AppData\Roaming\Skype
2017-01-14 10:58 - 2010-11-21 02:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2017-01-11 19:29 - 2016-08-05 17:01 - 00041184 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-11 19:29 - 2016-08-05 17:01 - 00041184 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-11 12:15 - 2009-07-14 00:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-11 12:15 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2017-01-11 12:08 - 2015-02-25 23:19 - 00000000 ____D C:\ProgramData\NVIDIA
2017-01-11 12:08 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-11 09:43 - 2015-02-25 22:19 - 00000000 ____D C:\Qoobox
2017-01-11 09:43 - 2013-07-22 11:29 - 00000000 ____D C:\Users\lr\AppData\Local\Apps\2.0
2017-01-11 09:13 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2017-01-11 06:36 - 2015-02-25 22:36 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-10 05:19 - 2013-12-31 13:38 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-01-10 05:19 - 2013-12-31 13:38 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-01-10 05:19 - 2013-12-31 13:38 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-01-10 05:19 - 2013-12-31 13:38 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-01-10 05:19 - 2013-12-31 13:38 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-06 10:57 - 2016-11-19 18:21 - 00000000 ____D C:\Users\lr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2016-12-27 03:59 - 2014-01-09 15:19 - 00000000 ____D C:\Users\lr\AppData\Local\CrashDumps
2016-12-19 20:01 - 2014-01-02 11:48 - 00026624 _____ C:\Users\lr\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-12-16 17:16 - 2013-07-22 11:29 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-12-16 17:16 - 2013-07-22 11:29 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-12-16 17:16 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Tasks
2016-12-16 15:00 - 2013-12-04 06:23 - 00003498 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3122017174-3441429465-50051793-1001UA
2016-12-16 15:00 - 2013-12-04 06:23 - 00003226 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3122017174-3441429465-50051793-1001Core
2016-12-15 14:19 - 2013-07-22 11:25 - 00000000 ___RD C:\Users\lr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2016-12-15 14:18 - 2016-12-02 19:23 - 00001215 _____ C:\Users\Public\Desktop\Avira System Speedup.lnk
2016-12-15 14:18 - 2016-08-14 14:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-12-15 14:18 - 2016-08-14 14:03 - 00000000 ____D C:\Program Files (x86)\Avira
2016-12-15 14:18 - 2009-07-13 22:20 - 00000000 ___RD C:\Users\Public
 
==================== Files in the root of some directories =======
 
2015-02-19 13:29 - 2015-02-19 13:29 - 0000049 _____ () C:\Users\lr\AppData\Roaming\mbam.context.scan
2014-01-02 11:48 - 2016-12-19 20:01 - 0026624 _____ () C:\Users\lr\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-12-31 12:56 - 2013-12-31 12:56 - 0004095 _____ () C:\Users\lr\AppData\Local\mceamazoncookies.dat
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-13 22:34
 
==================== End of FRST.txt ============================
 
 




#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,229 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:57 AM

Posted 15 January 2017 - 10:25 AM

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
SearchMe Toolbar v8.6 (HKLM-x32\...\{8ECCCAF4-1DEE-4445-B072-598991CD941C}) (Version: 8.6 - Spigot, Inc.) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=hp
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3122017174-3441429465-50051793-1001 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3122017174-3441429465-50051793-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.6\\npsitesafety.dll [No File]
CHR HomePage: Default -> mysearch.avg.com/?rvt=1
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3319738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP4031462D-D01C-4A40-92A8-55B916167BAA&SSPV=","hxxp://www.google.com/","hxxp://search.conduit.com/?ctid=CT3319738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP4031462D-D01C-4A40-92A8-55B916167BAA&SSPV=","hxxp://getchrome.eu/home/","hxxp://search.yahoo.com/?type=888596&fr=spigot-yhp-ch"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
CHR Extension: (AVG Secure Search) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn [2017-01-11]
CHR Extension: (Avira Browser Safety) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-09-27]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2016-12-18]
CHR Extension: (Poppit!) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-07-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Chrome Media Router) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-18]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [chfdnecihphmhljaaejmgoiahnihplgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
R2 vToolbarUpdater40.3.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe [1349704 2017-01-11] (AVG Secure Search)
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
===

P.S.
If ComboFix is still present on your computer I suggest you remove it as suggested on this page.

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.


When all is well you can remove the tool by following the Uninstall instructions on the same page.

If not present please delete all the Folders that were created by running the tool.

Another method is to reinstall the program and, after a restart of the computer, remove it using the /Uninstall switch.

#5 sdowney717

sdowney717
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 15 January 2017 - 12:03 PM

I had also run JRT, which I did before your post, but its log has vanished.
Found it.
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-01-2017
Ran by lr (15-01-2017 11:46:29) Run:1
Running from C:\Users\lr\Downloads
Loaded Profiles: lr (Available Profiles: lr)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=hp
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3122017174-3441429465-50051793-1001 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3122017174-3441429465-50051793-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={AEFE2B6A-EC77-429E-94B4-36FC1B5AD75D}&mid=d6e84b98254247d3a9dcd16d67c79253-c5d332c2e33978c966b1bb2ee8ca178bfa9a1bb8&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-01-11 15:08:33&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.6\\npsitesafety.dll [No File]
CHR HomePage: Default -> mysearch.avg.com/?rvt=1
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3319738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP4031462D-D01C-4A40-92A8-55B916167BAA&SSPV=","hxxp://www.google.com/","hxxp://search.conduit.com/?ctid=CT3319738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP4031462D-D01C-4A40-92A8-55B916167BAA&SSPV=","hxxp://getchrome.eu/home/","hxxp://search.yahoo.com/?type=888596&fr=spigot-yhp-ch"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
CHR Extension: (AVG Secure Search) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn [2017-01-11]
CHR Extension: (Avira Browser Safety) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-09-27]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2016-12-18]
CHR Extension: (Poppit!) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-07-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Chrome Media Router) - C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-18]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [chfdnecihphmhljaaejmgoiahnihplgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
R2 vToolbarUpdater40.3.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe [1349704 2017-01-11] (AVG Secure Search)
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\lr\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin => key removed successfully
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\pdf.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => not found.
C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn => moved successfully
C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => moved successfully
C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp => moved successfully
C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi => moved successfully
C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001\SOFTWARE\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp => key removed successfully
vToolbarUpdater40.3.6 => service not found.
HKLM\System\CurrentControlSet\Services\ACDaemon => key removed successfully
ACDaemon => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully
VGPU => service removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key removed successfully
HKU\S-1-5-21-3122017174-3441429465-50051793-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E} => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 219348297 B
Java, Flash, Steam htmlcache => 12691 B
Windows/system/drivers => 6037 B
Edge => 0 B
Chrome => 383275872 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 100816 B
systemprofile32 => 65960 B
LocalService => 66228 B
NetworkService => 66228 B
lr => 198225113 B
UpdatusUser => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 772.1 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 11:47:16 ====

Attached Files
  • JRT.txt (6.66KB)

Edited by sdowney717, 15 January 2017 - 12:07 PM.
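An added example (mine, not from FRST or from anyone in this thread): a small Python parser for the Fixlog shape shown above. It separates targets FRST actually removed from ones that were already gone, and re-totals the EmptyTemp byte counts to confirm the 772.1 MB summary line, which only reproduces when 1 MB is taken as 1048576 B. The sample input is a constructed subset of the log above, with the zero-byte entries left out.

```python
import re

# Constructed sample: lines copied from the Fixlog excerpt in the post above
# (zero-byte EmptyTemp entries omitted; they do not change the total).
SAMPLE_FIXLOG = r"""
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
vToolbarUpdater40.3.6 => service not found.
HKLM\System\CurrentControlSet\Services\ACDaemon => key removed successfully
ACDaemon => service removed successfully
=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 219348297 B
Java, Flash, Steam htmlcache => 12691 B
Windows/system/drivers => 6037 B
Chrome => 383275872 B
systemprofile => 100816 B
systemprofile32 => 65960 B
LocalService => 66228 B
NetworkService => 66228 B
lr => 198225113 B
EmptyTemp: => 772.1 MB temporary data Removed.
"""

ACTION_RE = re.compile(r"^(?P<target>.+?) => (?P<kind>key|service) (?P<result>removed successfully|not found)\.?$")
BYTES_RE = re.compile(r"^(?P<item>.+?) => (?P<bytes>\d+) B$")
SUMMARY_RE = re.compile(r"^EmptyTemp: => (?P<mb>\d+(?:\.\d+)?) MB")

def parse_fixlog(text):
    """Return (actions, byte_counts, summary_mb) for a Fixlog excerpt."""
    actions, byte_counts, summary_mb = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary_mb = float(m.group("mb"))
        elif m := BYTES_RE.match(line):
            byte_counts[m.group("item")] = int(m.group("bytes"))
        elif m := ACTION_RE.match(line):
            actions.append((m.group("target"), m.group("kind"), m.group("result")))
    return actions, byte_counts, summary_mb

def targets_with(actions, result):
    """'removed successfully' = was present on the machine; 'not found' = already gone."""
    return [t for t, _, r in actions if r == result]

def check_summary(byte_counts, summary_mb):
    """Re-total the per-category bytes in MiB (1 MB = 1048576 B is what
    reproduces the 772.1 figure) and compare with the summary line."""
    total_mb = round(sum(byte_counts.values()) / 1048576, 1)
    return total_mb, total_mb == summary_mb
```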


#6 nasdaq

  • Malware Response Team
  • 40,229 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 January 2017 - 02:20 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 sdowney717

  • Topic Starter
  • Members
  • 7 posts

Posted 15 January 2017 - 06:06 PM

Thank you for the help. It seems to be running fine.

Was there something found malware-wise?



#8 nasdaq

  • Malware Response Team
  • 40,229 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 January 2017 - 08:24 AM

Mostly PUP (Potentially Unwanted Programs) and links. Nothing to worry about now.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
