
Infected with Trojan...


  • This topic is locked
10 replies to this topic

#1 HijackThat

  • Members
  • 145 posts
  • Gender:Male
  • Location:Seattle, WA

Posted 07 June 2017 - 09:13 AM

Hello,
My computer is infected with the acovcnt backdoor trojan, which has a lot of conflicting information on Google and BleepingComputer. There is a post here on BleepingComputer that advises the infected computer be disconnected from the internet immediately, which I did. I will be happy to provide any logs and symptoms once we start a dialog. Thank you in advance for your time.


#2 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,894 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 07 June 2017 - 11:10 AM

HijackThat:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

 

Please follow the instructions in this post, particularly Step 6, and provide the requested "FRST.txt" and "Addition.txt" logs.

I would ask that you please copy and paste the contents of all requested log files directly into your replies. I know that the instructions do say to attach the "Addition.txt" file, but it is much faster for me to analyze the logs when they are copied and pasted into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.

I will need some time to review your FRST logs. That could take a day or two. In the meantime, until we identify and eliminate any possible backdoor trojan, or determine that one is not present on your computer, I would ask that you do not connect that computer to the Internet, unless you must, for your own protection. You can use another computer to download the FRST program and then transfer it to the possibly infected computer with a USB flash drive.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
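The review Phil describes above begins with reading FRST.txt and Addition.txt for the entries that stand out. As an added example (not part of the thread, and not FRST's own code), the Python script below does that first pass automatically over a few constructed lines written in FRST's log format: it keys on the markers FRST itself emits ("<==== ATTENTION", "[X]" for a registered file missing on disk, "[File not signed]"), on drivers or services whose path sits under a Temp directory, and on recently modified executables in a Windows system directory that carry no company/version field. The sample log, the section names it keys on and the severity wording are assumptions made for the example.

```python
"""Heuristic first pass over a Farbar Recovery Scan Tool (FRST) log.

Added example, not code from the thread or from the FRST project. It walks the
log section by section and flags the entries a malware-response helper looks at
first. It produces a shortlist, not a verdict: unsigned OEM utilities are common
on factory Windows installs, so every hit still needs its hash, signature and
version checked by hand.
"""
import re

# Section banners look like "==================== Drivers (Whitelisted) =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Entries in the "One Month Created/Modified" sections:
#   <modified> - <created> - <size> <attrs> [(<company>)] <path>
FILE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{7,8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")

# Constructed sample in FRST's line format (assumption: a handful of lines, not
# a full log). Names and paths are illustrative.
SAMPLE_LOG = r"""
==================== Drivers (Whitelisted) ======================

R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [144464 2010-09-17] (Trend Micro Inc.)
S3 aswVmm; \??\C:\Users\ASUS\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION

==================== One Month Modified files and folders ========

2017-06-08 01:22 - 2015-01-08 16:59 - 00045056 _____ C:\Windows\system32\acovcnt.exe
2017-05-10 10:40 - 2013-08-26 03:01 - 00803320 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-06-08 01:27 - 2009-07-14 01:13 - 00796882 _____ C:\Windows\system32\PerfStringBackup.INI

==================== Services (Whitelisted) ====================

S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
"""


def triage(log_text):
    """Return a list of {"section", "line", "reasons"} for lines worth a closer look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            name = banner.group(1).strip("= ")
            if name:  # rules made only of "=" are not section banners
                section = name
            continue

        reasons = []
        if "<==== ATTENTION" in line:
            reasons.append("flagged by FRST")
        if "[X]" in line:
            reasons.append("registered file is missing on disk")
        if "[File not signed]" in line or "[not signed]" in line:
            reasons.append("unsigned binary (common for OEM software; verify, do not assume malicious)")
        in_loader_section = section.startswith(("Drivers", "Services", "NetSvcs"))
        if in_loader_section and "\\temp\\" in line.lower():
            reasons.append("driver/service path under a Temp directory")

        entry = FILE_RE.match(line)
        if entry and section.startswith("One Month"):
            path = entry.group("path").lower()
            company = (entry.group("company") or "").strip()
            if path.startswith(SYSTEM_DIRS) and path.endswith(EXEC_EXT) and not company:
                reasons.append("executable in a Windows system directory with no company/version info")

        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against a real FRST.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. On the constructed sample it shortlists three lines (the Temp-resident driver FRST already marked, the system32 executable with no company field, and the unsigned Brother service) and leaves the signed Adobe binary and the .INI file alone; the unsigned-service hit is the kind that usually turns out benign once the vendor file is checked.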


#3 HijackThat
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male
  • Location:Seattle, WA

Posted 08 June 2017 - 07:38 AM

Phil,

 

Thank you for your help!  I will only do as instructed, but I just want to mention that when I first became concerned, I downloaded a few programs (aswMBR, TDSSkiller, and RogueKiller), and ran them, but I stopped there, and came here for help (and I don't believe any of them found or tried to fix anything). 

 

I also wanted to mention the two new symptoms that made me concerned upon turning on my computer: (1) my touchpad scroll feature was and still is missing, and (2) an error message "The exception breakpoint. A breakpoint has been reached...."

 

Logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-06-2017
Ran by ASUS (administrator) on JCTFIH48 (08-06-2017 01:58:23)
Running from F:\File Folder
Loaded Profiles: ASUS (Available Profiles: ASUS)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ASUSTeK Computer Inc.) C:\Windows\System32\FBAgent.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(CyberGhost S.R.L) C:\Program Files\CyberGhost 6\CyberGhost.Service.exe
(ASUS) C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
(ATK) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
() C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
() C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
() C:\Program Files (x86)\ASUS\Wireless Console 3\WimaxConsole.exe
(ASUSTeK) C:\Windows\SysWOW64\ACEngSvr.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
(Alcor Micro Corp.) C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NEC Electronics Corporation) C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(ASUS) C:\Windows\AsScrPro.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(asus) C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [192520 2010-10-12] (Trend Micro Inc.)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-23] (Alcor Micro Corp.)
HKLM\...\Run: [ETDWare] => C:\Program Files\Elantech\ETDCtrl.exe [649608 2010-04-14] (ELAN Microelectronic Corp.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139264 2013-07-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [7350912 2010-02-04] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-01-05] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [hpqSRMon] => C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [106496 2010-01-23] (NEC Electronics Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1246377405-144990350-4159689615-1000\...\Run: [CyberGhost] => C:\Program Files\CyberGhost 6\CyberGhost.exe [1223728 2017-02-06] (CyberGhost S.R.L.)
HKU\S-1-5-21-1246377405-144990350-4159689615-1000\...\MountPoints2: {c34f1be5-9779-11e4-a501-bcaec523f3ae} - F:\LaunchU3.exe -a
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-08-25] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FancyStart daemon.lnk [2010-12-20]
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{60D6618B-153F-4353-8185-908E676E5888}\_DCE9A4DB2A5F2786140FA3.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2013-10-05]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SRS Premium Sound.lnk [2010-12-20]
ShortcutTarget: SRS Premium Sound.lnk -> C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe (Acresso Software Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{1E6323ED-1954-412F-A5A4-FBDB1CEFF48A}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{266D77B7-2C62-4247-A5EA-72DB1989415E}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{6A74AFC5-8664-422A-978A-9311B42B88AE}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{6A74AFC5-8664-422A-978A-9311B42B88AE}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{87EAA230-4BC2-48F5-BEF9-D2732D4C463C}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{F9075C88-54EF-448D-838A-D1629CFBE2D7}: [NameServer] 8.8.8.8,8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-1246377405-144990350-4159689615-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll [2010-09-17] (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe64.dll [2010-09-17] (Trend Micro Inc.)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-09-20] (Hewlett-Packard Co.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg32.dll [2010-09-17] (Trend Micro Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-04-21] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-09-23] (Microsoft Corporation)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll [2010-09-17] (Trend Micro Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-04-21] (Oracle Corporation)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-09-20] (Hewlett-Packard Co.)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe64.dll [2010-09-17] (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll [2010-09-17] (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll [2010-09-17] (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg32.dll [2010-09-17] (Trend Micro Inc.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll [2013-07-24] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2013-07-24] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll [2013-07-24] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2013-07-24] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: mh845en2.default-1420459533500
FF ProfilePath: C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\mh845en2.default-1420459533500 [2017-06-08]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\mh845en2.default-1420459533500 -> Google
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\mh845en2.default-1420459533500 -> Google
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension
FF Extension: (Trend Micro NSC Firefox Extension) - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension [2010-12-20] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: (HP Smart Web Printing) - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-10-05] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKU\S-1-5-21-1246377405-144990350-4159689615-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [2017-05-10] ()
FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [2017-05-10] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll [2014-03-11] (Adobe Systems, Inc.)
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-04-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-04-21] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-09-23] (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll [2013-05-27] (Nitro PDF)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
StartMenuInternet: FIREFOX.EXE - C:\Users\ASUS\AppData\Local\Mozilla Firefox\firefox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
R2 CG6Service; C:\Program Files\CyberGhost 6\CyberGhost.Service.exe [76848 2017-02-06] (CyberGhost S.R.L)
S3 DMAgent; C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [408576 2010-09-01] (Red Bend Ltd.) [File not signed]
S4 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [249344 2009-09-20] (Hewlett-Packard Co.) [File not signed]
S4 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
S4 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
S4 lxec_device; C:\Windows\system32\lxeccoms.exe [1052328 2010-04-14] ( )
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S4 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S3 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-05-27] (Nitro PDF Software)
S4 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S4 TiMiniService; C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [241488 2010-09-17] (Trend Micro Inc.)
R2 WiMAXAppSrv; C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [911872 2010-09-01] (Intel® Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-21] ( )
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1800192 2009-08-20] ()
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90704 2010-09-17] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [144464 2010-09-17] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [67664 2010-09-17] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-09-17] (Trend Micro Inc.)
S3 aswVmm; \??\C:\Users\ASUS\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-06 22:45 - 2017-06-07 00:06 - 00220280 _____ C:\TDSSKiller.3.1.0.15_06.06.2017_22.45.30_log.txt
2017-06-06 22:43 - 2017-06-06 22:45 - 00004612 _____ C:\TDSSKiller.3.1.0.15_06.06.2017_22.43.32_log.txt
2017-06-06 21:59 - 2017-06-06 21:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-06-06 21:58 - 2017-06-06 21:59 - 00000000 ____D C:\Program Files\RogueKiller
2017-06-06 02:25 - 2017-06-06 02:26 - 00000000 ____D C:\Windows\pss

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-08 01:58 - 2014-11-28 18:00 - 00000000 ____D C:\FRST
2017-06-08 01:29 - 2009-07-14 00:45 - 00010240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-08 01:29 - 2009-07-14 00:45 - 00010240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-08 01:27 - 2009-07-14 01:13 - 00796882 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-08 01:27 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2017-06-08 01:22 - 2015-01-08 16:59 - 00045056 _____ C:\Windows\system32\acovcnt.exe
2017-06-08 01:22 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-07 08:43 - 2016-08-05 06:13 - 00000000 ____D C:\Users\ASUS\AppData\Roaming\vlc
2017-06-07 02:25 - 2017-01-04 05:10 - 00000000 ____D C:\Users\ASUS\AppData\Local\mozilla firefox
2017-06-07 01:02 - 2016-08-24 17:02 - 00000000 ____D C:\Users\ASUS\AppData\Local\CyberGhost
2017-06-07 00:31 - 2015-08-06 17:23 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-06 22:20 - 2015-01-02 02:53 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-06-06 22:19 - 2015-01-02 02:53 - 00000000 ____D C:\ProgramData\RogueKiller
2017-06-06 22:17 - 2015-11-13 22:24 - 00000000 ____D C:\Users\ASUS\Downloads\Ant Videos
2017-06-06 08:32 - 2014-02-12 15:49 - 00000000 ____D C:\Users\ASUS\AppData\Roaming\iSpring Solutions
2017-05-30 09:07 - 2014-12-20 14:38 - 00000000 ____D C:\Users\ASUS\AppData\LocalLow\HPAppData
2017-05-21 07:08 - 2015-01-03 07:22 - 00000000 ____D C:\Users\ASUS\AppData\Local\CrashDumps
2017-05-16 05:28 - 2014-09-09 02:31 - 00000000 ____D C:\Users\ASUS\AppData\Local\ElevatedDiagnostics
2017-05-10 10:40 - 2014-12-13 04:19 - 00004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-05-10 10:40 - 2013-08-26 03:01 - 00803320 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-05-10 10:40 - 2013-08-26 03:01 - 00144888 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-05-10 10:40 - 2013-08-26 03:01 - 00000000 ____D C:\Windows\system32\Macromed
2017-05-10 10:40 - 2010-12-20 20:20 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-05-09 11:12 - 2014-11-29 01:52 - 00000000 ____D C:\Users\ASUS\AppData\Roaming\Nitro PDF

==================== Files in the root of some directories =======

2014-02-02 22:08 - 2014-02-02 22:08 - 0000132 _____ () C:\Users\ASUS\AppData\Roaming\Adobe GIF Format CS5 Prefs
2013-12-15 12:37 - 2013-12-15 12:37 - 0000132 _____ () C:\Users\ASUS\AppData\Roaming\Adobe PNG Format CS5 Prefs
2014-08-25 19:39 - 2014-08-25 20:58 - 0017408 _____ () C:\Users\ASUS\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-31 01:54 - 2014-08-31 01:54 - 0004096 ____H () C:\Users\ASUS\AppData\Local\keyfile3.drm
2017-03-07 11:51 - 2017-03-07 11:51 - 0007597 _____ () C:\Users\ASUS\AppData\Local\Resmon.ResmonCfg
2016-11-30 01:18 - 2016-11-30 01:18 - 0044441 _____ () C:\ProgramData\1480483103.bdinstall.bin
2016-11-30 01:27 - 2016-11-30 01:27 - 0026767 _____ () C:\ProgramData\1480483654.bdinstall.bin
2016-11-30 01:41 - 2016-11-30 01:41 - 0028466 _____ () C:\ProgramData\1480484481.bdinstall.bin
2014-12-31 00:43 - 2014-12-31 00:43 - 0000000 _____ () C:\ProgramData\cmn_upld.log
2013-10-05 07:09 - 2013-10-05 07:22 - 0001260 _____ () C:\ProgramData\hpzinstall.log
2014-08-14 00:41 - 2014-12-31 00:42 - 0006828 _____ () C:\ProgramData\lxecJSW.log
2014-12-31 00:43 - 2014-12-31 00:43 - 0000000 _____ () C:\ProgramData\LxWbGwLog.log
2014-12-31 00:43 - 2014-12-31 00:43 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt
2010-12-20 20:14 - 2010-12-20 20:14 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-12-20 20:13 - 2010-12-20 20:14 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-06 23:12

==================== End of FRST.txt ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-06-2017
Ran by ASUS (08-06-2017 01:58:42)
Running from F:\File Folder
Windows 7 Home Premium Service Pack 1 (X64) (2013-08-24 12:22:57)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1246377405-144990350-4159689615-500 - Administrator - Disabled)
ASUS (S-1-5-21-1246377405-144990350-4159689615-1000 - Administrator - Enabled) => C:\Users\ASUS
Fix (S-1-5-21-1246377405-144990350-4159689615-1001 - Administrator - Enabled)
Guest (S-1-5-21-1246377405-144990350-4159689615-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Trend Micro Titanium Internet Security (Disabled - Up to date) {68F968AC-2AA0-091D-848C-803E83E35902}
AS: Trend Micro Titanium Internet Security (Disabled - Up to date) {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

6300 (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
6300_Help (x32 Version: 82.0.242.000 - Hewlett-Packard) Hidden
6300Trb (x32 Version: 82.0.242.000 - Hewlett-Packard) Hidden
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.3.9120 - Adobe Systems Inc.)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.0.0.400 - Adobe Systems Incorporated)
Adobe Flash Player 25 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Photoshop CS5 (HKLM-x32\...\{15FEDA5F-141C-4127-8D7E-B962D1742728}) (Version: 12.0 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.0.150 - Adobe Systems, Inc.)
AIO_CDB_ProductContext (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
AIO_CDB_Software (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
AIO_Scan (x32 Version: 130.0.421.000 - Hewlett-Packard) Hidden
Alcor Micro USB Card Reader (HKLM-x32\...\AmUStor) (Version: 1.8.1217.36096 - Alcor Micro Corp.)
Alcor Micro USB Card Reader (x32 Version: 1.8.1217.36096 - Alcor Micro Corp.) Hidden
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Applian Director (HKLM-x32\...\Applian Director2.2) (Version: 2.2 - Applian Technologies Inc.)
ASUS FancyStart (HKLM-x32\...\{60D6618B-153F-4353-8185-908E676E5888}) (Version: 1.0.5 - ASUSTeK Computer Inc.)
ASUS LifeFrame3 (HKLM-x32\...\{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}) (Version: 3.0.20 - ASUS)
ASUS Live Update (HKLM-x32\...\{E657B243-9AD4-4ECC-BE81-4CCF8D667FD0}) (Version: 2.5.9 - ASUS)
ASUS MultiFrame (HKLM-x32\...\{9D48531D-2135-49FC-BC29-ACCDA5396A76}) (Version: 1.0.0021 - ASUS)
ASUS SmartLogon (HKLM-x32\...\{64452561-169F-4A36-A2FF-B5E118EC65F5}) (Version: 1.0.0008 - ASUS)
ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 1.02.0028 - ASUS)
ASUS U Series Bamboo ScreenSaver (HKLM-x32\...\ASUS U Series Bamboo ScreenSaver) (Version: 1.0.0001 - ASUS)
ASUS Virtual Camera (HKLM-x32\...\{EC8BD21F-0CA0-4BBF-97D9-4A52B30041A1}) (Version: 1.0.20 - asus)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.29 - Atheros Communications Inc.)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0003 - ASUS)
Avidemux 2.6 (32-bit) (HKLM-x32\...\Avidemux 2.6) (Version: 2.6.8.9046 - )
Best Buy pc app (Version: 3.1.1.0 - Best Buy) Hidden
Best Buy pc app (x32 Version: 3.1.1.0 - Best Buy) Hidden
Brother MFL-Pro Suite MFC-J4510DW (HKLM-x32\...\{DD98C438-D769-4677-AA87-3481FA32D20C}) (Version: 2.0.0.0 - Brother Industries, Ltd.)
BufferChm (x32 Version: 130.0.331.000 - Hewlett-Packard) Hidden
BurnAware Free 9.3 (HKLM-x32\...\BurnAware Free_is1) (Version:  - Burnaware)
CCleaner (HKLM\...\CCleaner) (Version: 5.09 - Piriform)
ControlDeck (HKLM-x32\...\{5B65EF64-1DFA-414A-8C94-7BB726158E21}) (Version: 1.0.7 - ASUS)
Copy (x32 Version: 130.0.428.000 - Hewlett-Packard) Hidden
CyberGhost 6 (HKLM\...\CyberGhost 6_is1) (Version:  - CyberGhost S.R.L.)
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.1908 - CyberLink Corp.)
CyberLink Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.3602c - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Defraggler (HKLM\...\Defraggler) (Version: 2.15 - Piriform)
Destinations (x32 Version: 130.0.0.0 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 130.0.465.000 - Hewlett-Packard) Hidden
DocProc (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ETDWare PS/2-x64 7.0.5.11_WHQL (HKLM\...\Elantech) (Version: 7.0.5.11 - ELAN Microelectronics Corp.)
Fast Boot (HKLM\...\{13F4A7F3-EABC-4261-AF6B-1317777F0755}) (Version: 1.0.5 - ASUS)
Fax (x32 Version: 130.0.418.000 - Hewlett-Packard) Hidden
Free QuizMaker 6 (HKLM-x32\...\{829BBFCB-DC13-4C3A-8681-F44E54BBD2F5}) (Version: 6.2.0 - iSpring Solutions Inc.)
GPBaseService2 (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HP Customer Participation Program 13.0 (HKLM\...\HPExtendedCapabilities) (Version: 13.0 - HP)
HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)
HP Photosmart Essential 3.5 (HKLM\...\HP Photosmart Essential) (Version: 3.5 - HP)
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B (HKLM\...\{B61ED343-0B14-4241-999C-490CB1A20DA4}) (Version: 13.0 - HP)
HP Smart Web Printing 4.51 (HKLM\...\HP Smart Web Printing) (Version: 4.51 - HP)
HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (x32 Version: 1.00.0001 - Microsoft) Hidden
HPPhotoGadget (x32 Version: 130.0.282.000 - Hewlett-Packard) Hidden
HPPhotoSmartDiscLabelContent1 (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HPSSupply (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
Intel WiMAX Tutorial (HKLM\...\{4F26C164-9373-4974-8F43-E0F2176AF937}) (Version: 1.5.3.1 - Intel Corporation)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2202 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (HKLM\...\{D16A2127-B927-4379-B153-3DEC091E4EEB}) (Version: 13.02.1000 - Intel Corporation)
Intel® Wireless Display (HKLM\...\{C298FF86-AB23-4B58-AC53-A23383C07B3A}) (Version: 1.2.20.0 - Intel Corporation)
Intel® PROSet/Wireless WiMAX Software (HKLM\...\{6548B189-BEA4-4041-80E0-AEB60548E046}) (Version: 2.03.2000 - Intel Corporation)
Java 8 Update 131 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
MarketResearch (x32 Version: 130.0.374.000 - Hewlett-Packard) Hidden
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 43.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.2 (x86 en-US)) (Version: 43.0.2 - Mozilla)
Mozilla Firefox 47.0.2 (x86 en-US) (HKU\S-1-5-21-1246377405-144990350-4159689615-1000\...\Mozilla Firefox 47.0.2 (x86 en-US)) (Version: 47.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.2 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM-x32\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
NEC Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.19.0 - NEC Electronics Corporation)
NEC Electronics USB 3.0 Host Controller Driver (x32 Version: 1.0.19.0 - NEC Electronics Corporation) Hidden
Network64 (Version: 130.0.572.000 - Hewlett-Packard) Hidden
Network64 (Version: 140.0.221.000 - Hewlett-Packard) Hidden
Nitro Pro 8 (HKLM\...\{ECA5CA8B-CCB0-4611-A9EF-CC796AFE805D}) (Version: 8.5.4.11 - Nitro)
OCR Software by I.R.I.S. 13.0 (HKLM\...\HPOCR) (Version: 13.0 - HP)
PDF Settings CS5 (x32 Version: 10.0 - Adobe Systems Incorporated) Hidden
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Readiris Pro 14 (HKLM-x32\...\{64A9C130-E372-48E9-B31E-E04A42382751}) (Version: 14.00.2573 - I.R.I.S.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6077 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.48 - Piriform)
RogueKiller version 12.11.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.1.0 - Adlice Software)
RuneScape Launcher 1.2.7 (HKLM-x32\...\{FA52A2D0-298E-4D40-8BB7-39928627EA6A}) (Version: 1.2.7 - Jagex Ltd)
Scan (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 13.0 - HP)
Skype™ 6.14 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.)
SmartWebPrinting (x32 Version: 130.0.457.000 - Hewlett-Packard) Hidden
SolutionCenter (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.22 - Piriform)
SRS Premium Sound Control Panel (HKLM\...\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}) (Version: 1.8.50.0 - SRS Labs, Inc.)
Status (x32 Version: 130.0.469.000 - Hewlett-Packard) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TAP-Windows 9.21.2 (HKLM\...\TAP-Windows) (Version: 9.21.2 - )
Toolbox (x32 Version: 130.0.648.000 - Hewlett-Packard) Hidden
TrayApp (x32 Version: 130.0.422.000 - Hewlett-Packard) Hidden
Trend Micro Titanium Internet Security (HKLM\...\{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}) (Version: 3.0 - Trend Micro Inc.)
Trend Micro Titanium Internet Security (Version: 3.00 - Trend Micro Inc.) Hidden
Tweaking.com - Windows Repair (All in One) (HKLM-x32\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.10.2 - Tweaking.com)
UnloadSupport (x32 Version: 11.0.0 - Hewlett-Packard) Hidden
USB2.0 UVC VGA WebCam (HKLM\...\USB2.0 UVC VGA WebCam) (Version: 5.8.54000.206 - Sonix)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
VSDC Free Video Editor version 5.7.5.667 (HKLM-x32\...\VSDC Free Video Editor_is1) (Version: 5.7.5.667 - Flash-Integro LLC)
WebReg (x32 Version: 130.0.132.017 - Hewlett-Packard) Hidden
What's Running 2.2 (HKLM-x32\...\What's Running_is1) (Version: 2.2 - WhatsRunning.net)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.30.2 - ASUS)
WinRAR 5.00 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)
WinUtilities Free Edition 14.51 (HKLM-x32\...\{FC274982-5AAD-4C20-848D-4424A5043010}_is1) (Version: 14.51 - YL Computing, Inc)
Wireless Console 3 (HKLM-x32\...\{20FDF948-C8ED-4543-A539-F7F4AEF5AFA2}) (Version: 3.0.15 - ASUS)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1587CAA4-982B-49DB-B35A-683FB1885AD2} - System32\Tasks\AdobeAAMUpdater-1.0-JCTFIH48-ASUS => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-03-06] (Adobe Systems Incorporated)
Task: {15A6C6A1-E607-4AFC-87CC-C0BC5934804C} - System32\Tasks\ASUS SmartLogon Console Sensor => C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe [2009-07-31] (ASUS)
Task: {34DD3B3B-06C6-4D16-8A02-77BFF9D28560} - System32\Tasks\AdobeAAMUpdater-1.0-ASUS-U43F-ASUS => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-03-06] (Adobe Systems Incorporated)
Task: {3B707620-F68D-4CF6-BB56-2D46A163D36F} - System32\Tasks\ASUSControlDeck => C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe [2010-05-17] (asus)
Task: {40322A8C-732F-4F3E-A3E1-65A99CD8C462} - System32\Tasks\WC3 => C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2010-01-04] ()
Task: {461F384E-9BA2-4C20-97B2-CDE498DDCF35} - System32\Tasks\ACMON => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [2009-07-23] (ATK)
Task: {504B06CB-7BC7-4F79-B706-9C42BDD6758B} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
Task: {55C68868-894B-4642-907D-4A7A8817EECB} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-05-10] (Adobe Systems Incorporated)
Task: {6A6FF672-2B1C-439D-86F4-78109B65D197} - System32\Tasks\{0E727D6B-4E91-4D66-9079-44895BAD1EA4} => pcalua.exe -a "C:\Program Files (x86)\4Media\PDF to PowerPoint Converter\Uninstall.exe"
Task: {830C1839-66E8-4A2C-98D8-BE7DC5276640} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe
Task: {A0B2A09C-0E3F-4426-9E20-9B41A5E08F43} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-08-19] (Piriform Ltd)
Task: {A66196F5-1863-46A5-8AC3-A7AF49DAFFBD} - System32\Tasks\AVAST Software\Avast settings backup
Task: {A8A6603E-972C-40B0-A123-499C8DE52BF8} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe
Task: {B9602042-2690-4AAD-B008-44B7CCA28BFD} - System32\Tasks\ASUS Live Update => C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe [2007-11-30] ()
Task: {C4298E80-8759-484B-B3FC-553E41538241} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {C8DF0BD8-818A-437A-A548-AFFA435D2820} - System32\Tasks\AdobeAAMUpdater-1.0-ASUS-PC-ASUS => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-03-06] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2010-03-05 13:21 - 2010-03-05 13:21 - 01501696 _____ () C:\Program Files\Common Files\Intel\WirelessCommon\Libeay32.dll
2014-08-14 00:36 - 2009-11-04 16:18 - 00189440 _____ () C:\Windows\system32\spool\PRTPROCS\x64\lxecdrpp.dll
2013-11-07 09:14 - 2005-04-22 00:36 - 00143360 ____R () C:\Windows\system32\BrSNMP64.dll
2016-08-24 16:44 - 2017-02-06 09:42 - 00306736 _____ () C:\Program Files\CyberGhost 6\MobileConcepts45.dll
2016-11-08 04:10 - 2017-02-06 09:42 - 00025648 _____ () C:\Program Files\CyberGhost 6\BugSplatDotNet.dll
2016-08-24 16:44 - 2017-02-06 09:42 - 00120368 _____ () C:\Program Files\CyberGhost 6\CyberGhost.RESTCommunicator.dll
2008-10-01 03:02 - 2008-10-01 03:08 - 00011264 _____ () C:\Program Files (x86)\ASUS\Splendid\GLCDdll.dll
2010-12-20 20:33 - 2007-11-30 15:20 - 00051768 _____ () C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
2010-01-04 21:43 - 2010-01-04 21:43 - 01597440 _____ () C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
2009-12-30 21:33 - 2009-12-30 21:33 - 00059904 _____ () C:\Program Files (x86)\ASUS\Wireless Console 3\WimaxConsole.exe
2012-01-11 00:12 - 2012-01-11 00:12 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-11-07 09:13 - 2009-02-27 20:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2009-11-02 18:20 - 2009-11-02 18:20 - 00619816 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
2009-11-02 18:23 - 2009-11-02 18:23 - 00013096 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
2010-02-23 19:14 - 2010-02-23 19:14 - 00071680 _____ () C:\Program Files (x86)\ASUS\ControlDeck\Brightness.dll
2010-02-23 19:11 - 2010-02-23 19:11 - 00076288 _____ () C:\Program Files (x86)\ASUS\ControlDeck\Volume.dll
2010-02-23 19:12 - 2010-02-23 19:12 - 00186880 _____ () C:\Program Files (x86)\ASUS\ControlDeck\Resolution.dll
2010-02-23 19:14 - 2010-02-23 19:14 - 00050688 _____ () C:\Program Files (x86)\ASUS\ControlDeck\P4GControl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences [386]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1246377405-144990350-4159689615-1000\...\adlice.com -> www.adlice.com
IE trusted site: HKU\S-1-5-21-1246377405-144990350-4159689615-1000\...\adlice.com -> hxxp://www.adlice.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2015-01-05 08:29 - 00000019 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1246377405-144990350-4159689615-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS5ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: ASUS Screen Saver Protector => C:\Windows\AsScrPro.exe
MSCONFIG\startupreg: BrStsMon00 => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
MSCONFIG\startupreg: CLMLServer => "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
MSCONFIG\startupreg: IntelWireless => "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
MSCONFIG\startupreg: IntelWirelessWiMAX => "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SwitchBoard => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
MSCONFIG\startupreg: Trend Micro Titanium => C:\Program Files\Trend Micro\Titanium\VizorShortCut.exe -ReFlush "none" "none"
MSCONFIG\startupreg: VizorHtmlDialog.exe => "C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe" "DEF" "EULA" "C:\Program Files\Trend Micro\Titanium\UI\Installer.cmpt\resources\preinstall_01_welcome_trial.html" "DEF" "DEF" "DEF"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{E9673199-A954-477A-8F2B-D8F1B22DE77B}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{E36E8D8E-FE7A-49AD-BBF0-7DF5920FD055}] => (Allow) LPort=2869
FirewallRules: [{F92BEB49-9765-45FA-8BD7-9A6B9B4ED117}] => (Allow) LPort=1900
FirewallRules: [{D46CDB6E-82AE-453B-838E-487A396BD798}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{48377776-B8AA-4420-A156-8E246EAB9EE1}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{76A68868-24BD-4CD7-9D47-12166F35ED8C}] => (Allow) C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
FirewallRules: [{EA738408-6AB0-4486-8CF5-2511A0098582}] => (Allow) C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
FirewallRules: [{D0619DEF-3DC3-4759-8BBE-69B0E216A2C2}] => (Allow) C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
FirewallRules: [{D50F668D-A21B-4E9E-B949-5EA0EAA36E3D}] => (Allow) C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
FirewallRules: [{30429EA4-70F9-45EA-84BE-6AFD450B068D}] => (Allow) C:\Program Files (x86)\Intel Corporation\Intel Wireless Display\WiDiApp.exe
FirewallRules: [{BF1D4818-5E3B-4E8E-B0EE-EBB5D8EB7718}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
FirewallRules: [{EC8EF53A-263B-468E-92AC-AA7FAFFB0820}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
FirewallRules: [{80B4FF7C-7593-4B07-BA03-44CD337D132D}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpofxm08.exe
FirewallRules: [{D90609D7-1741-4F89-BD74-90E839E693D1}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hposfx08.exe
FirewallRules: [{B55B112A-DFD2-4A24-91A4-E34EDE690720}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hposid01.exe
FirewallRules: [{8AF5BDA6-4C9A-4AD0-AE75-66271C989A95}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{9D7A72AB-AB9B-456A-92F1-1FDEA0AD82AD}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcopy2.exe
FirewallRules: [{901B6BAF-8C0D-4CA7-8652-4CD186AF87EB}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{4F888AA7-64AF-42C8-B9D5-1D63D7A37F9B}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpzwiz01.exe
FirewallRules: [{F045B2EE-739D-472D-ABA3-363EF246AC45}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpoews01.exe
FirewallRules: [{61D1AA1A-F0BA-4201-A33F-377149A69C11}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqnrs08.exe
FirewallRules: [{BAEDB324-67C2-4A94-8C3D-E6335B872B80}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{0718973E-F2B7-475E-9E9D-3CAB9303B562}] => (Allow) C:\Program Files (x86)\common files\hp\digital imaging\bin\hpqphotocrm.exe
FirewallRules: [{F1A0C08E-0F9F-4A57-B3A4-D6A2F419CA6E}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqsudi.exe
FirewallRules: [{97DA2D37-7176-466A-A54A-A5A16BF4F703}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqpsapp.exe
FirewallRules: [{9924BED5-AD21-4AAF-A85C-825339A69EC6}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpofxs08.exe
FirewallRules: [{7A4B8D79-E0F4-4E95-A5EB-1B98B3AC54FE}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqfxt08.exe
FirewallRules: [{E00749B3-4EC2-4A11-A18B-C4C96D75E813}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqpse.exe
FirewallRules: [{DC766FB5-FD01-458B-A7C0-65CE0D5C050E}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgplgtupl.exe
FirewallRules: [{70A84063-60DB-45C6-8E82-BF5326505BD9}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
FirewallRules: [{A271AD45-C756-4C42-A3E9-6D158D2F774A}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqusgm.exe
FirewallRules: [{8E5F42D6-3447-4A27-83EE-3B6A78C91062}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqusgh.exe
FirewallRules: [{17BAA73D-E3D4-46E1-8DED-A3A40E47090B}] => (Allow) C:\Program Files (x86)\HP\hp software update\hpwucli.exe
FirewallRules: [{159B33DA-A533-4D98-BEED-0C41457B3886}] => (Allow) C:\Program Files (x86)\HP\digital imaging\smart web printing\smartwebprintexe.exe
FirewallRules: [{8346926A-E7B2-4452-9B36-D6239C0138DE}] => (Allow) C:\Program Files (x86)\Brother\Brmfl12b\FAXRX.exe
FirewallRules: [{34929EDC-7D27-42A2-B96A-A7DE6830400B}] => (Allow) C:\Program Files (x86)\Brother\Brmfl12b\FAXRX.exe
FirewallRules: [{5CF08F0B-E1A0-4A8D-88B0-0D659253E762}] => (Allow) LPort=54925
FirewallRules: [{B2F3F384-DADA-4096-AF9E-3BEE5DF6ABD5}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{EB87F7D6-4DA8-4A23-A1DA-79CA89C30BD4}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{7C41DAE2-B834-4BCE-AE9C-3E1A366EA151}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [{46A7D9E7-D594-467E-AB71-C668C74C45BF}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{65FFB9A1-82DD-49EB-874B-05B354C8B276}] => (Allow) C:\Windows\system32\lxeccoms.exe
FirewallRules: [TCP Query User{136CD062-794E-48E9-B7A7-B255E0570C1F}C:\users\asus\appdata\local\{d469264e-9882-9e28-a2ee-f4ea82c047f3}\syshost.exe] => (Block) C:\users\asus\appdata\local\{d469264e-9882-9e28-a2ee-f4ea82c047f3}\syshost.exe
FirewallRules: [UDP Query User{4C6494AB-6A27-4662-83A6-6E4B0E88D78C}C:\users\asus\appdata\local\{d469264e-9882-9e28-a2ee-f4ea82c047f3}\syshost.exe] => (Block) C:\users\asus\appdata\local\{d469264e-9882-9e28-a2ee-f4ea82c047f3}\syshost.exe
FirewallRules: [{9FB6848C-DC4A-4E48-B0C4-B88C4E9FF556}] => (Allow) C:\Users\ASUS\AppData\Local\Mozilla Firefox\firefox.exe
FirewallRules: [{F340D707-9962-4131-A4F2-F1821BAA67FC}] => (Allow) C:\Users\ASUS\AppData\Local\Mozilla Firefox\firefox.exe
FirewallRules: [{309EE522-9C0A-4A3B-B415-F16D9CE0C98D}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{17E0E4D8-40F0-45C7-A1E1-42A7B731164B}] => (Allow) C:\Program Files (x86)\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{885446A5-E886-4BD4-8815-C864ADB28D84}] => (Allow) C:\Program Files (x86)\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{D6D9C5ED-C579-4421-95C7-A6FE17F1438A}] => (Allow) C:\Program Files (x86)\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{A4511792-4C60-4D70-A5DC-6B57F70C2BFB}] => (Allow) C:\Program Files (x86)\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{B8850539-E698-4858-B62B-24602D1E87A0}] => (Allow) C:\Program Files (x86)\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{99BB4EF0-78AC-46C9-9D6F-98C76C4FB79B}] => (Allow) C:\Program Files (x86)\FlashIntegro\VideoEditor\Updater.exe

==================== Restore Points =========================

Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/08/2017 01:58:45 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (06/08/2017 01:58:45 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server

Error: (06/08/2017 01:27:20 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.


Operation:
   Instantiating VSS server

Error: (06/08/2017 01:27:20 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]


Operation:
   Instantiating VSS server

Error: (06/08/2017 01:22:31 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/08/2017 01:22:31 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/08/2017 01:22:31 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/08/2017 01:22:31 AM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (06/08/2017 01:22:31 AM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/08/2017 01:22:31 AM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)


System errors:
=============
Error: (06/08/2017 01:22:32 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (06/08/2017 01:22:32 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (06/07/2017 08:08:50 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

Error: (06/07/2017 08:08:20 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (06/07/2017 08:08:20 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (06/06/2017 08:51:36 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\Windows\System32\IWMSSvc.dll

Error: (06/06/2017 07:59:04 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\Windows\System32\IWMSSvc.dll

Error: (06/06/2017 07:50:44 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (06/06/2017 07:50:44 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (06/06/2017 01:51:37 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.


==================== Memory info ===========================

Processor: Intel® Core™ i5 CPU M 480 @ 2.67GHz
Percentage of memory in use: 23%
Total physical RAM: 5941.2 MB
Available physical RAM: 4550.33 MB
Total Virtual: 11880.58 MB
Available Virtual: 10339.3 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:149.04 GB) (Free:101.12 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Data) (Fixed) (Total:425.64 GB) (Free:53.22 GB) NTFS
Drive f: (Centon USB) (Removable) (Total:7.43 GB) (Free:6.3 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596.2 GB) (Disk ID: E0C5913D)
Partition 1: (Not Active) - (Size=21.5 GB) - (Type=1C)
Partition 2: (Active) - (Size=149 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=425.6 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 7.4 GB) (Disk ID: 4209CD15)
Partition 1: (Not Active) - (Size=7.4 GB) - (Type=0B)

==================== End of Addition.txt ============================



#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:07:59 PM

Posted 08 June 2017 - 12:38 PM

HijackThat:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get if functioning properly again. That is my only aim.

.

OK, let's get started ...

.

You should check your Windows settings and possible hot key combinations to determine if the touchpad might have been accidentally disabled or turned off.
 

My computer is infected with the acovcnt backdoor trojan

 

On what do you base that statement? You could check out this link, and others, because you do have an ASUS computer. See also this link. I am not seeing any malware in the FRST logs.

That said, FRST is not perfect, but it is very thorough and I would have expected to see evidence in the FRST logs if a backdoor trojan was at work. There are, of course, some very sophisticated infections that hide in unusual places, but I don't want to subject you, and your computer, to an entire gamut of unnecessary scans, so it is important for me to understand what symptoms your computer is exhibiting that lead you to believe that a backdoor trojan is installed on your computer. Please provide as much detail as possible.

As for the "Exception" error message, the logs are showing some possible issues with your Windows installation, but let's focus, for now, on ensuring that there is no malware lurking around your computer.

.

:step1: I note in the FRST logs that your Trend Micro Titanium Internet Security is disabled.

 

AV: Trend Micro Titanium Internet Security (Disabled - Up to date) {68F968AC-2AA0-091D-848C-803E83E35902}
AS: Trend Micro Titanium Internet Security (Disabled - Up to date) {D3988948-0C9A-0693-BE3C-BB4CF86413BF}

 

I am guessing that you disabled it to run FRST. That is not necessary. Please re-enable your Trend Micro Titanium Internet Security. I will let you know if future scans require you to disable your computer protection.

In the meantime, please run a full system scan with your Internet Security package.

.


:step2: I note in the FRST logs that you have the older version of Malwarebytes installed. You should uninstall the older version, after saving your licence information if it is a paid version, and install the new version. Instructions can be found here as to how to uninstall MBAM 2, using the MB-Clean tool.

 

Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)

 

Please run an MBAM scan. Please copy and paste the scan log into your next reply. Please ensure that under "Settings", "Protection", "Scan for rootkits" is enabled before running the scan.

.


:step3: I note in the FRST logs that you have QuickTime installed on your computer.

 

QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)

 

You should uninstall that program, unless you really need it, because it now presents a security vulnerability. See this link for more information.

 

.


:step4: I also note in your FRST logs that you have WinUtilities installed. I would strongly recommend that you remove it. Bleeping Computer warns against the use of system and registry optimizers; see this link and this link for more information. Moreover, when I went to the company's website, I was hit with a fake Microsoft Tech Support scam that froze my web browser.

 

WinUtilities Free Edition 14.51 (HKLM-x32\...\{FC274982-5AAD-4C20-848D-4424A5043010}_is1) (Version: 14.51 - YL Computing, Inc)

 

.

 

:step5: Please run a FRST fix for me. I am going to do some clean-up since Avast is no longer showing as installed on your computer, nor is RealNetworks. The FRST logs show some remnants of those previous installations.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
File: C:\Users\ASUS\AppData\Local\Temp\aswVmm.sys
Task: {504B06CB-7BC7-4F79-B706-9C42BDD6758B} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
Task: {A8A6603E-972C-40B0-A123-499C8DE52BF8} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe
Task: {A8A6603E-972C-40B0-A123-499C8DE52BF8} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe
C:\Program Files (x86)\RealNetworks
Task: {A66196F5-1863-46A5-8AC3-A7AF49DAFFBD} - System32\Tasks\AVAST Software\Avast settings backup
File: C:\Windows\system32\acovcnt.exe
EmptyTemp:
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST/FRST64.exe, and select "Run as Administrator".
  • Press the Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.
  • Then please reboot your computer.

.

:step6: I see that you have ESET Online Scanner installed on your computer. Please run an ESET online scan for me. Please copy and paste any detection logs that are produced. Note: there will be no log created if ESET does not detect any malware.

.


Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#5 HijackThat

HijackThat
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male
  • Location:Seattle, WA
  • Local time:03:59 PM

Posted 09 June 2017 - 04:37 PM

___0___

Regarding acovcnt: (1) I noticed the symptoms I mentioned above, (2) I did a Malwarebytes scan, which is what I normally do, while I simultaneously started sniffing around in places like system32 and saw acovcnt as one of the only recently updated files, (3) so I looked it up and saw the following post on bleepingcomputer, which concluded that the poster should disconnect from the internet and reinstall Windows.  Yikes

 

https://www.bleepingcomputer.com/forums/t/258732/removal-of-backdoorbot-acovcntexe/

 

I looked at the links you provided and am glad to see it is likely not malicious.

 

Regarding hotkeys: during my sniffing around, I also tried to undo any accidental touchpad buttons I may have inadvertently pressed, but couldn’t find anything.

 

 

___1___

I’ve actually never used Trend Micro.  I think it came pre-installed on the computer, and I never set it up.  I just clicked on it to go ahead and enable it, but nothing happens when I try to open it.  When I have had issues in the past, which have been rare, I usually just fall back on Malwarebytes.  I am happy to take recommendations on better security.

 

___2___

(1) MB Clean tool used

(2) Malwarebytes v. 3.1.2.1733 installed

(3) scan results:

 

Malwarebytes

www.malwarebytes.com

 

-Log Details-

Scan Date: 6/9/17

Scan Time: 8:54 AM

Log File: mb scan.txt

Administrator: Yes

 

-Software Information-

Version: 3.1.2.1733

Components Version: 1.0.141

Update Package Version: 1.0.2092

License: Free

 

-System Information-

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: JCTFIH48\ASUS

 

-Scan Summary-

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 336909

Threats Detected: 0

(No malicious items detected)

Threats Quarantined: 0

(No malicious items detected)

Time Elapsed: 6 min, 53 sec

 

-Scan Options-

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

-Scan Details-

Process: 0

(No malicious items detected)

 

Module: 0

(No malicious items detected)

 

Registry Key: 0

(No malicious items detected)

 

Registry Value: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Data Stream: 0

(No malicious items detected)

 

Folder: 0

(No malicious items detected)

 

File: 0

(No malicious items detected)

 

Physical Sector: 0

(No malicious items detected)

 

 

(end)

 

 

___3___

(1) Quicktime uninstalled

 

___4___

(1) WinUtilities uninstalled

 

___5___

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-06-2017

Ran by ASUS (09-06-2017 09:15:03) Run:2

Running from F:\File Folder

Loaded Profiles: ASUS (Available Profiles: ASUS)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

 

CreateRestorePoint:

CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File

FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found

File: C:\Users\ASUS\AppData\Local\Temp\aswVmm.sys

Task: {504B06CB-7BC7-4F79-B706-9C42BDD6758B} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe

Task: {A8A6603E-972C-40B0-A123-499C8DE52BF8} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe

Task: {A8A6603E-972C-40B0-A123-499C8DE52BF8} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe

C:\Program Files (x86)\RealNetworks

Task: {A66196F5-1863-46A5-8AC3-A7AF49DAFFBD} - System32\Tasks\AVAST Software\Avast settings backup

File: C:\Windows\system32\acovcnt.exe

EmptyTemp:

 

*****************

 

Error: (0) Failed to create a restore point.

Processes closed successfully.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully

HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.

HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} => value removed successfully

 

========================= File: C:\Users\ASUS\AppData\Local\Temp\aswVmm.sys ========================

 

"C:\Users\ASUS\AppData\Local\Temp\aswVmm.sys" => not found.

====== End of File: ======

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{504B06CB-7BC7-4F79-B706-9C42BDD6758B} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{504B06CB-7BC7-4F79-B706-9C42BDD6758B} => key removed successfully

C:\Windows\System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1246377405-144990350-4159689615-1000 => moved successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealDownloaderDownloaderScheduledTaskS-1-5-21-1246377405-144990350-4159689615-1000 => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A8A6603E-972C-40B0-A123-499C8DE52BF8} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A8A6603E-972C-40B0-A123-499C8DE52BF8} => key removed successfully

C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => moved successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A8A6603E-972C-40B0-A123-499C8DE52BF8} => key not found.

C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1246377405-144990350-4159689615-1000 => key not found.

"C:\Program Files (x86)\RealNetworks" => not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{A66196F5-1863-46A5-8AC3-A7AF49DAFFBD} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A66196F5-1863-46A5-8AC3-A7AF49DAFFBD} => key removed successfully

C:\Windows\System32\Tasks\AVAST Software\Avast settings backup => moved successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVAST Software\Avast settings backup => key removed successfully

 

========================= File: C:\Windows\system32\acovcnt.exe ========================

 

File not signed

MD5: 6BCAF46E2B7FA9ACE92B4D39F3037C5C

Creation and modification date: 2015-01-08 16:59 - 2017-06-09 09:12

Size: 0045056

Attributes: ----A

Company Name:

Internal Name:

Original Name:

Product:

Description:

File Version:

Product Version:

Copyright:

 

====== End of File: ======

 

 

=========== EmptyTemp: ==========

 

BITS transfer queue => 8388608 B

DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7166031 B

Java, Flash, Steam htmlcache => 544 B

Windows/system/drivers => 0 B

Edge => 0 B

Chrome => 0 B

Firefox => 434041970 B

Opera => 0 B

 

Temp, IE cache, history, cookies, recent:

Users => 0 B

Default => 0 B

Public => 0 B

ProgramData => 0 B

systemprofile => 36325414 B

systemprofile32 => 1110523 B

LocalService => 66228 B

NetworkService => 66228 B

ASUS => 569566 B

 

RecycleBin => 0 B

EmptyTemp: => 465.1 MB temporary data Removed.

 

================================

 

 

The system needed a reboot.

 

==== End of Fixlog 09:15:44 ====

 

 

___6___

(1) connected back to the internet

(2) ran ESET online scanner

(3) no malware found



#6 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:07:59 PM

Posted 10 June 2017 - 11:58 AM

HijackThat:
 
Thank you for the logs and for doing all of those scans.  I checked the MD5 "hash" of the C:\Windows\system32\acovcnt.exe  file at VirusTotal and it came back clean.  You could, if you wanted to be absolutely certain that this file is harmless, upload the actual file to VirusTotal and press the "Scan it!" button.
 
For information on selecting an anti-virus program, I recommend that you consult this post by quietman7, one of Bleeping Computer's foremost computer security experts.
 
Since you are here anyway, let's just run a few more standard scans for PUPs, adware, and such.
 
.
 
 
:step1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.
  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.
 
 
:step2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.


Please provide me with an update as to how your computer is working now.

 

If you are still having problems with the touchpad on your laptop, please provide me with the make and model and I will do some research to see if I can determine a cause for it not working as it should.

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#7 HijackThat

HijackThat
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male
  • Location:Seattle, WA
  • Local time:03:59 PM

Posted 11 June 2017 - 11:31 AM

____1____

# AdwCleaner v6.047 - Logfile created 11/06/2017 at 09:21:34

# Updated on 19/05/2017 by Malwarebytes

# Database : 2017-06-10.1 [Local]

# Operating System : Windows 7 Home Premium Service Pack 1 (X64)

# Username : ASUS - JCTFIH48

# Running from : F:\File Folder\AdwCleaner.exe

# Mode: Clean

# Support : https://www.malwarebytes.com/support

 

 

***** [ Services ] *****

 

 

***** [ Folders ] *****

 

[-] Folder deleted: C:\Users\ASUS\AppData\LocalLow\HPAppData

 

***** [ Files ] *****

 

 

***** [ DLL ] *****

 

 

***** [ WMI ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Scheduled Tasks ] *****

 

 

***** [ Registry ] *****

 

[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar

[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1

[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar

[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1

[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}

[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}

[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}

[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}

[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}

[-] Key deleted: HKU\S-1-5-21-1246377405-144990350-4159689615-1000\Software\Yahoo\Companion

[-] Key deleted: HKU\S-1-5-21-1246377405-144990350-4159689615-1000\Software\Yahoo\YFriendsBar

[-] Key deleted: HKU\S-1-5-21-1246377405-144990350-4159689615-1000\Software\AppDataLow\Software\Yahoo\Companion

[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion

[#] Key deleted on reboot: HKCU\Software\Yahoo\YFriendsBar

[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Yahoo\Companion

[-] Key deleted: HKLM\SOFTWARE\Yahoo\Companion

[#] Key deleted on reboot: [x64] HKCU\Software\Yahoo\Companion

[#] Key deleted on reboot: [x64] HKCU\Software\Yahoo\YFriendsBar

[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\Yahoo\Companion

[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL

 

***** [ Web browsers ] *****

 

 

*************************

 

:: "Tracing" keys deleted

:: Winsock settings cleared

 

*************************

 

C:\AdwCleaner\AdwCleaner[C0].txt - [2432 Bytes] - [11/06/2017 09:21:34]

C:\AdwCleaner\AdwCleaner[S1].txt - [1239 Bytes] - [02/09/2015 19:07:30]

C:\AdwCleaner\AdwCleaner[S2].txt - [2665 Bytes] - [11/06/2017 09:14:54]

 

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2651 Bytes] ##########

 

 

___2___

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes

Version: 8.1.3 (04.10.2017)

Operating System: Windows 7 Home Premium x64

Ran by ASUS (Administrator) on Sun 06/11/2017 at  9:28:46.52

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

File System: 21

 

Successfully deleted: C:\ProgramData\1480483103.bdinstall.bin (File)

Successfully deleted: C:\ProgramData\1480483654.bdinstall.bin (File)

Successfully deleted: C:\ProgramData\1480484481.bdinstall.bin (File) 

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\921NP8PY (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1MPYPO (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6UKYAJ0 (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIV8UXAN (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O80S197S (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PUCDEWL8 (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T3LU6I2B (Temporary Internet Files Folder)

Successfully deleted: C:\Users\ASUS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U2NOA615 (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\921NP8PY (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1MPYPO (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6UKYAJ0 (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIV8UXAN (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O80S197S (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PUCDEWL8 (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T3LU6I2B (Temporary Internet Files Folder)

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U2NOA615 (Temporary Internet Files Folder)

 

 

Registry: 0

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sun 06/11/2017 at  9:30:17.66

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

___3___

I would really appreciate help restoring my touchpad function. The model is U43F Asus; the two functions that seem to have inexplicably disappeared are (1) scroll vertical and horizontal, and (2) the two-finger double tap, which opens a link in a new tab or acts like a middle-click.  After looking around just now, I believe the features I am talking about are part of the ELAN smart-pad program, but no matter what I do I cannot seem to restore my touchpad functions.  I’ve never messed with the touchpad controls on this computer before, so I don’t have much of a baseline to work from.  I also noticed that the little touchpad icon doesn’t seem to be in the lower-right taskbar, which I’m pretty sure it did before.

 

Regarding my computer in general: it never was acting very funny except for the sudden disappearance of the touchpad functions and the appearance of the error message "The exception breakpoint. A breakpoint has been reached...." two times upon restarting the computer.  Ever since, I have restarted multiple times and the error message has not appeared.

 

* I just wanted to note too: I tried to “Browse” for acovcnt to test it with VirusTotal and it does not appear in order to be selected.  It is there in the file, but then not there when I try to locate it through the browse function.  I tried to drag and drop and copy the file pathway into the search box but neither worked.  I am no longer worried about that file, but I thought it was worth mentioning.



#8 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,894 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:07:59 PM

Posted 11 June 2017 - 12:26 PM

HijackThat:
 
Thank you for your logs.  Just some minor junk removed there.
 
The file is on your computer because FRST found it.  Do you have "Show Hidden Files" enabled in Windows Explorer?  You might even have to temporarily turn on "Protected Operating System" files to see it.  I am quite certain that the file is clean though.
 
I have found a couple of references with respect to your touchpad problems.
 
Reference Link 1 (Do not download DriverEasy). It is better to download drivers directly from the manufacturer's website, in this case ASUS. Why driver updaters are undesirable.
Reference Link 2
 
  
You could also do a Google search yourself for: "asus touchpad not working windows 7" with, or without, including the model number of your laptop.
 
Hopefully you can resolve this problem.  It could well be a hardware issue, so check the Device Manager, under Control Panel, for any warning symbols or indications that the device is not working properly.
 
Since we have eliminated malware as an issue, I will do a clean-up.
 
.
 
 
:step1: Download Delfix from here and save it to your desktop.
  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.
When the tool is finished, a log will open in notepad. Please copy and paste the contents of the log into your next reply.
.

 
Thank you, good luck with the touchpad, and have a great day.  Please keep me posted.

Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#9 HijackThat


Posted 13 June 2017 - 04:30 AM

Thank you for your help.

I tried a few of the things that the links you provided suggested with no fix yet.  I'm having a hard time finding the same driver that is currently installed from 2010 (ELAN v.7.0.5.11) so that if I uninstall or rollback I have it as backup to reinstall.  Is there a forum on bleepingcomputer that provides help with this sort of issue?


# DelFix v1.013 - Logfile created 13/06/2017 at 04:49:29
# Updated 17/04/2016 by Xplode
# Username : ASUS - JCTFIH48
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\RegBackup
Deleted : C:\TDSSKiller.3.0.0.42_13.12.2014_02.23.20_log.txt
Deleted : C:\TDSSKiller.3.1.0.15_06.06.2017_22.43.32_log.txt
Deleted : C:\TDSSKiller.3.1.0.15_06.06.2017_22.45.30_log.txt
Deleted : C:\Users\ASUS\Desktop\JRT.txt
Deleted : C:\Users\ASUS\Downloads\AdwCleaner.exe
Deleted : C:\Users\ASUS\Downloads\adwcleaner_4.105.exe
Deleted : C:\Users\ASUS\Downloads\dds.com
Deleted : C:\Users\ASUS\Downloads\esetsmartinstaller_enu(1).exe
Deleted : C:\Users\ASUS\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\ASUS\Downloads\FRST64(1).exe
Deleted : C:\Users\ASUS\Downloads\FRST64.exe
Deleted : C:\Users\ASUS\Downloads\JRT(1).exe
Deleted : C:\Users\ASUS\Downloads\JRT.exe
Deleted : C:\Users\ASUS\Downloads\tdsskiller.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...


New restore point created !

########## - EOF - ##########
 



#10 garioch7


Posted 13 June 2017 - 08:20 AM

HijackThat:
 
Thank you for the Delfix log.  It looks good.
 
You can try posting in either the Windows 7 Forum or, preferably, the Internal Hardware Forum (because the touchpad is integral to the laptop; keyboard questions are normally found in the External Hardware Forum).  The touchpad issue does not really sound like it is a Windows 7 issue, per se.  You should let them know, wherever you post, that you did receive assistance here, in this Forum, so that the experts know that malware has been excluded as a possible cause/factor.


. . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and to avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out-of-date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third-party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out-of-date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; later versions of Windows Defender provide perfectly acceptable protection for free. If for some reason you don't like Windows Defender, there are other free products available as well:

  • Avira (shows nag screen to purchase full product when updating, home use only)
  • Bitdefender Free (home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.


It has been a pleasure assisting you and I hope that you will avoid any further infections in the future. Your most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore. I do system images weekly. With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Unless you have further questions for me, then we can conclude your topic in this Forum.  Good luck finding a solution to your touchpad issues.  I will watch for your topic to find out how it is resolved.

On behalf of the Bleeping Computer community, thank you for choosing BC to assist you with your computer issues, stay safe out there in cyberspace, and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#11 garioch7


Posted 15 June 2017 - 12:55 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Graduate of the Bleeping Computer Malware Removal Study Hall




