
Infected with Trojan:Ramnit.A


gab

Hello,

Giving you as much background as possible. All of the below over the past 7 days or so.

- computer started to behave strangely with homepage on browser being hijacked

- ran AdwCleaner which seemed to clear the website home page hijacking issue

- Trojan:Ramnit alert popping up on Microsoft Essentials but with error message 0x80508023 "The program could not find the malware and other potentially unwanted software on this computer"

- tried to download Malwarebytes but access to the site blocked as well as access to Microsoft website

- Google Chrome not working

- managed to run Malwarebytes via USB key and Chameleon - looked like a lot of malware was cleaned out

- re-ran scans - coming out all clean

- restarted the computer - trojan alert disappeared but Malwarebytes could not be run from desktop and Chrome still not working and access to Microsoft and Malwarebytes site blocked

- ran RogueKiller - which killed a couple of processes

- this unblocked Chrome and allowed access to Malwarebytes both the application from desktop and access to website

- did a restart of the computer

- Trojan.Ramnit.A alert re-appeared and all access to Malwarebytes website and software blocked again

 

- ran DDS from USB key and here are the logs

Thank you in advance for your help :)

attach.txt

dds.txt


If you are definitely infected with W32 Ramnit.A then it is bad news; read the following script, especially the four links at the end.

 

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

 

With this particular infection the safest solution and only sure way to remove it effectively is to Reformat and reinstall the OS.

 

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

 

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a vast variety of malware and are a major source of system infection.

 

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

 

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

 

When should I re-format? How should I reinstall?

 

Where to draw the line? When to recommend a format and reinstall?

 

Backdoors and what they mean to you

 

http://technet.microsoft.com/en-us/library/cc512587.aspx

 

The only way forward with this infection is to re-format your hard drive and re-install your system. If you wish to continue run the following:

 

Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "CroKwyfw"=-
    :Files
    C:\Users\Charlotte\AppData\Local\tlwxmyvg
    :Commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin...

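For a reader who wants to know what the OTM fix script in the post above will actually do before pasting it, here is an added Python parser. It is example code written for this thread, not OTM's own code and not something the poster supplied. It handles only the subset of the OTM script format the post uses (a `:Reg` block with a bracketed key followed by `"name"=-` lines that delete a value, `:Files` paths to be moved, and `:Commands` such as `[EmptyTemp]`), refuses anything else rather than guessing, and turns the script into a plain-English plan. The embedded script text is the one from the post; the `_OTMoveIt\MovedFiles` folder it mentions is the one the post names as the location of the results log.

```python
"""Parse an OTM fix script (the subset used in this thread) into a readable plan.

Added example for this thread; not part of OTM. Only the directives visible in
the post are supported, and unknown lines raise so nothing is silently misread.
"""
import re

# Script text copied from the post above.
SCRIPT = r"""
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CroKwyfw"=-
:Files
C:\Users\Charlotte\AppData\Local\tlwxmyvg
:Commands
[EmptyTemp]
"""

# Registry keys that Windows consults to start programs at logon.
AUTOSTART_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

KEY_RE = re.compile(r"\[(.+)\]")          # [HKEY_...\Run]
DELETE_VALUE_RE = re.compile(r'"(.+)"=-')  # "name"=-  (delete this value)
COMMAND_RE = re.compile(r"\[(\w+)\]")     # [EmptyTemp]


def parse_otm_script(text):
    """Return {'reg_deletes': [(key, value)], 'files': [path], 'commands': [name]}."""
    plan = {"reg_deletes": [], "files": [], "commands": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):               # section header such as :Reg
            section = line[1:].lower()
            current_key = None
            continue
        if section == "reg":
            if m := KEY_RE.fullmatch(line):
                current_key = m.group(1)
            elif (m := DELETE_VALUE_RE.fullmatch(line)) and current_key:
                plan["reg_deletes"].append((current_key, m.group(1)))
            else:
                raise ValueError(f"unsupported :Reg line: {line}")
        elif section == "files":
            plan["files"].append(line)
        elif section == "commands":
            if not (m := COMMAND_RE.fullmatch(line)):
                raise ValueError(f"unsupported :Commands line: {line}")
            plan["commands"].append(m.group(1))
        else:
            raise ValueError(f"line outside a known section: {line}")
    return plan


def describe(plan):
    """Turn a parsed plan into one sentence per action."""
    steps = []
    for key, value in plan["reg_deletes"]:
        note = " (an autostart location)" if key.endswith(AUTOSTART_SUFFIXES) else ""
        steps.append(f"delete registry value '{value}' under {key}{note}")
    for path in plan["files"]:
        steps.append(f"move {path} out of place (OTM keeps moved items under C:\\_OTMoveIt\\MovedFiles)")
    for cmd in plan["commands"]:
        extra = " (empties temporary-file folders)" if cmd.lower() == "emptytemp" else ""
        steps.append(f"run command [{cmd}]{extra}")
    return steps


if __name__ == "__main__":
    for step in describe(parse_otm_script(SCRIPT)):
        print("-", step)
```

Run as-is it prints three lines: the removal of the `CroKwyfw` autostart value, the move of the `tlwxmyvg` folder, and the temp clean-up, which matches what the OTM log later in the thread reports.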

Hello Kevin,

Thank you for your reply. Grateful for your help

Sorry, just to be clear before I start.... Why do all the steps you highlight above if you are saying that the only way out is to reformat? Is there still hope to clean this without reformatting, or are all the steps just in case the computer is not actually infected with Ramnit.A, or is it yet a third option?

Sorry for asking but just wanted to understand what I am trying to do :)

 

Thanks again


Thank you very much Kevin - here is my homework

 

Here is the OTM log

 

========== FILES ==========
C:\Users\Charlotte\AppData\Local\tlwxmyvg folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Charlotte
->Temp folder emptied: 964676939 bytes
->Temporary Internet Files folder emptied: 92886608 bytes
->Java cache emptied: 2826343 bytes
->Google Chrome cache emptied: 8689108 bytes
->Flash cache emptied: 9646 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 955921850 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 6695732 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 761 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 78039 bytes
RecycleBin emptied: 3558664943 bytes
 
Total Files Cleaned = 5,332.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 10142013_125659
 
Files moved on Reboot...
C:\Users\Charlotte\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 moved successfully.
C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 moved successfully.
C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 moved successfully.
C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 moved successfully.
C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Cache\index moved successfully.
 
Registry entries deleted on Reboot...
 
 
 
 
-----------------------------------------------------------------------------------------------------
FRST log
------------------------------------------------------------------------------------------------------------
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by Charlotte (administrator) on CHARLOTTELENOVO on 14-10-2013 13:10:19
Running from C:\Users\Charlotte\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\windows\system32\nvvsvc.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331_STI.EXE
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Dropbox, Inc.) C:\Users\Charlotte\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtLED\RtLEDService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtLED\RtLED.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
() C:\Users\Charlotte\Desktop\RogueKiller.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================

 

Addition.txt


Apologies, here it is:

 

 

---------------------------------------------------------------------

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-10-2013
Ran by Charlotte at 2013-10-14 13:11:05
Running from C:\Users\Charlotte\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Microsoft Security Essentials (Enabled - Up to date) {3F839487-C7A2-C958-E30C-E2825BA31FB5}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {84E27563-E198-C6D6-D9BC-D9F020245508}
 
==================== Installed Programs ======================
 
 Update for Microsoft Office 2007 (KB2508958) (x32)
Adobe AIR (x32 Version: 3.1.0.4880)
Adobe Reader X (10.1.8) (x32 Version: 10.1.8)
Algobox (x32)
Atheros Client Installation Program (x32 Version: 7.0)
D3DX10 (x32 Version: 15.4.2368.0902)
Dropbox (HKCU Version: 2.0.26)
Energy Management (x32 Version: 6.0.2.1)
Facebook Video Calling 1.2.0.287 (x32 Version: 1.2.287)
Files Opened (x32 Version: 1.0)
Fitbit Connect (x32 Version: 1.0.0.2578)
GeoGebra 4 (HKCU)
Google Chrome (x32 Version: 30.0.1599.69)
Google Update Helper (x32 Version: 1.3.21.153)
HP Officejet 6500 E710n-z Basic Device Software (Version: 22.50.231.0)
HP Officejet 6500 E710n-z Help (x32 Version: 140.0.2.2)
HP Officejet 6500 E710n-z Product Improvement Study (Version: 22.50.231.0)
HP Update (x32 Version: 5.002.006.003)
I.R.I.S. OCR (x32 Version: 12.3.4.0)
Intel® Control Center (x32 Version: 1.2.1.1007)
Intel® Management Engine Components (x32 Version: 7.0.0.1144)
Intel® Processor Graphics (x32 Version: 9.17.10.2867)
Intel® Rapid Storage Technology (x32 Version: 10.1.5.1001)
Java 7 Update 40 (x32 Version: 7.0.400)
Java Auto Updater (x32 Version: 2.1.9.8)
Junk Mail filter update (x32 Version: 15.4.3502.0922)
KNOWHOW APP CENTRE (x32 Version: 25501)
Lenovo Bluetooth with Enhanced Data Rate Software (Version: 6.3.0.8000)
Lenovo EasyCamera (x32 Version: 13.10.1201.1)
Lenovo EE Boot Optimizer (Version: 0.0.1.5)
Lenovo Games Console (x32 Version: 1.2.6.436)
Lenovo OneKey Recovery (Version: 7.0.1628)
Lenovo OneKey Recovery (x32 Version: 7.0.1628)
Lenovo PowerDVD 10 (x32 Version: 10.0.2811.52)
Lenovo YouCam (x32 Version: 3.1.3603)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Marketsplash Shortcuts (x32 Version: 1.0.1.7)
Mesh Runtime (x32 Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2007 Service Pack 3 (SP3) (x32)
Microsoft Office 2010 (x32 Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (x32 Version: 14.0.5130.5003)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Standard 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Security Essentials (Version: 4.2.223.1)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (x32 Version: 10.0.30319)
MSVCRT (x32 Version: 15.4.2862.0708)
MSVCRT_amd64 (x32 Version: 15.4.2862.0708)
NVIDIA Control Panel 306.97 (Version: 306.97)
NVIDIA Graphics Driver 306.97 (Version: 306.97)
NVIDIA Install Application (Version: 2.1002.85.551)
NVIDIA Optimus 1.10.8 (Version: 1.10.8)
NVIDIA PhysX (x32 Version: 9.12.0604)
NVIDIA PhysX System Software 9.12.0604 (Version: 9.12.0604)
NVIDIA Update 1.10.8 (Version: 1.10.8)
NVIDIA Update Components (Version: 1.10.8)
Onekey Theater (x32 Version: 2.0.2.7)
ooVoo (x32 Version: 2.2.4.25)
Picasa 3 (x32 Version: 3.8)
Power2Go (x32 Version: 5.6.0.7303)
Realtek Ethernet Controller Driver For Windows 7 (x32 Version: 7.21.531.2010)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6267)
Realtek USB 2.0 Reader Driver (x32 Version: 6.1.7600.10008)
RtLED (Version: 1.0.3)
savennshaire  (x32 Version: )
Shared C Run-time for x64 (Version: 10.0.0)
SRS Premium Sound Control Panel (Version: 1.10.18.0)
Synaptics Pointing Device Driver (Version: 15.2.7.0)
Update for 2007 Microsoft Office System (KB967642) (x32)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (x32 Version: 3)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (x32)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (x32)
Update for Microsoft Office Excel 2007 Help (KB963678) (x32)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (x32)
Update for Microsoft Office Outlook 2007 Help (KB963677) (x32)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2827325) 32-Bit Edition (x32)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (x32)
Update for Microsoft Office Script Editor Help (KB963671) (x32)
Update for Microsoft Office Word 2007 Help (KB963665) (x32)
UserGuide (x32 Version: 1.0.0.6)
VeriFace (x32 Version: 4.0.0.1206)
Windows Driver Package - Lenovo (ACPIVPC) System  (12/02/2010 6.1.0.1) (Version: 12/02/2010 6.1.0.1)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (x32 Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Mail (x32 Version: 15.4.3502.0922)
Windows Live Mesh (x32 Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (x32 Version: 15.4.5722.2)
Windows Live Messenger (x32 Version: 15.4.3538.0513)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922)
Windows Live Photo Common (x32 Version: 15.4.3502.0922)
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922)
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (x32 Version: 15.4.3502.0922)
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922)
Windows Live UX Platform (x32 Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109)
Windows Live Writer (x32 Version: 15.4.3502.0922)
Windows Live Writer Resources (x32 Version: 15.4.3502.0922)
WinZip 17.5 (Version: 17.5.10480)
 
==================== Restore Points  =========================
 
22-09-2013 10:37:18 Windows Update
25-09-2013 18:25:20 Windows Update
29-09-2013 10:00:50 Windows Update
02-10-2013 18:23:03 Windows Update
06-10-2013 08:52:04 Windows Update
06-10-2013 19:55:28 Removed Java 6 Update 37
06-10-2013 19:57:10 Installed Java 7 Update 40
12-10-2013 17:13:09 Windows Update
13-10-2013 14:39:18 Windows Update
 
==================== Hosts content: ==========================
 
2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {2380A193-F611-454B-AA4D-AECCE83CD6F0} - System32\Tasks\{2093BC98-F915-4AE4-BA06-040A471CC9B7} => Chrome.exe 
Task: {343DE399-AAF2-4A19-B2CA-A2DA07B5155B} - System32\Tasks\{9E1CEB81-A11E-4B57-9611-4609F0E13948} => C:\Program Files (x86)\McAfee Security Scan\2.0.181\McUICnt.exe
Task: {349EA501-27F2-4636-BAF1-7BB32354933E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-10-07] (Google Inc.)
Task: {47EFAB08-1550-4BD6-9E56-3242BE12B489} - System32\Tasks\HPCustParticipation HP Officejet 6500 E710n-z => C:\Program Files\HP\HP Officejet 6500 E710n-z\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {569646FF-C79D-4A45-A6DF-0638EEF2F374} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-736948839-1154005400-1853624935-1001UA => C:\Users\Charlotte\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-04-26] (Facebook Inc.)
Task: {61291323-1E68-4FC1-B186-E327571C1790} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-736948839-1154005400-1853624935-1001Core => C:\Users\Charlotte\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-04-26] (Facebook Inc.)
Task: {61739A59-42D2-401E-9F00-DC97B10755F0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-10-07] (Google Inc.)
Task: {69B437BF-E039-48CA-A417-CE97A3A7ED58} - System32\Tasks\MirageAgent => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [2010-12-05] (CyberLink)
Task: {F293947A-6BC9-4D29-9331-09616E11154B} - System32\Tasks\{A75EFDAE-70C7-4AF7-98DC-DBAB72930696} => C:\Program Files (x86)\McAfee Security Scan\2.0.181\McUICnt.exe
Task: {F58ACD34-4676-4758-8BA9-DEF3CF8837DA} - System32\Tasks\Desk 365 RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe
Task: C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-736948839-1154005400-1853624935-1001Core.job => C:\Users\Charlotte\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-736948839-1154005400-1853624935-1001UA.job => C:\Users\Charlotte\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2010-11-11 11:42 - 2010-11-11 11:42 - 00202144 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect64.dll
2010-11-11 11:44 - 2010-11-11 11:44 - 00156576 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll64.dll
2011-10-05 09:46 - 2011-10-05 09:46 - 01502720 _____ () C:\windows\system32\IcnOvrly.dll
2011-10-05 09:46 - 2011-10-05 09:46 - 00622592 _____ () C:\windows\system32\SimpleExt.dll
2008-12-20 04:20 - 2011-10-05 10:06 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2008-12-20 04:20 - 2011-10-05 10:06 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2011-04-14 04:01 - 2011-03-25 10:28 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2011-02-15 13:26 - 2011-02-15 13:26 - 00205088 _____ () C:\Program Files\Lenovo\Bluetooth Software\btkeyind.dll
2010-11-11 11:38 - 2010-11-11 11:38 - 00161696 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect32.dll
2010-11-11 11:39 - 2010-11-11 11:39 - 00133024 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll32.dll
2011-10-05 09:46 - 2011-10-05 09:46 - 00013664 _____ () C:\Program Files (x86)\Lenovo\VeriFace\ChooseLang.dll
2013-03-13 21:48 - 2013-03-13 21:48 - 24978944 _____ () C:\Users\Charlotte\AppData\Roaming\Dropbox\bin\libcef.dll
2013-10-07 00:53 - 2013-10-03 07:02 - 00698832 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\libglesv2.dll
2013-10-07 00:53 - 2013-10-03 07:02 - 00099792 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\libegl.dll
2013-10-07 00:53 - 2013-10-03 07:03 - 04055504 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\pdf.dll
2013-10-07 00:53 - 2013-10-03 07:03 - 00415184 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\ppGoogleNaClPluginChrome.dll
2013-10-07 00:53 - 2013-10-03 07:02 - 01604560 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/14/2013 01:01:04 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/14/2013 10:37:03 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/14/2013 08:54:21 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.
 
Error: (10/13/2013 05:53:07 PM) (Source: Application Error) (User: )
Description: Faulting application name: twmiybhg.exe, version: 0.0.0.0, time stamp: 0xf36bac23
Faulting module name: kernel32.dll, version: 6.1.7601.18229, time stamp: 0x51fb1115
Exception code: 0xc0000005
Fault offset: 0x000148b6
Faulting process id: 0xb44
Faulting application start time: 0xtwmiybhg.exe0
Faulting application path: twmiybhg.exe1
Faulting module path: twmiybhg.exe2
Report Id: twmiybhg.exe3
 
Error: (10/13/2013 05:51:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/13/2013 04:39:27 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/13/2013 04:01:17 PM) (Source: Application Error) (User: )
Description: Faulting application name: twmiybhg.exe, version: 0.0.0.0, time stamp: 0xf36bac23
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0003e3b6
Faulting process id: 0x80
Faulting application start time: 0xtwmiybhg.exe0
Faulting application path: twmiybhg.exe1
Faulting module path: twmiybhg.exe2
Report Id: twmiybhg.exe3
 
Error: (10/13/2013 03:58:05 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/13/2013 02:38:35 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.
 
Error: (10/07/2013 05:17:21 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (10/14/2013 01:01:45 PM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069
 
Error: (10/14/2013 01:01:45 PM) (Source: Service Control Manager) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: 
%%1330
 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
 
Error: (10/14/2013 01:00:39 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (10/14/2013 00:56:59 PM) (Source: Service Control Manager) (User: )
Description: The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/14/2013 10:38:05 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069
 
Error: (10/14/2013 10:38:05 AM) (Source: Service Control Manager) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: 
%%1330
 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
 
Error: (10/14/2013 10:36:57 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (10/14/2013 10:35:33 AM) (Source: BugCheck) (User: )
Description: 0x00000034 (0x0000000000000107, 0xffffffffc0000420, 0x0000000000000000, 0x0000000000000000)C:\windows\MEMORY.DMP101413-19125-01
 
Error: (10/14/2013 10:35:24 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 10:33:46 on ‎14/‎10/‎2013 was unexpected.
 
Error: (10/13/2013 05:52:44 PM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2012-11-28 21:24:28.722
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\SET8B20.tmp because the set of per-page image hashes could not be found on the system.
 
  Date: 2012-11-28 21:24:28.715
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\SET8B20.tmp because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 26%
Total physical RAM: 8106.17 MB
Available physical RAM: 5986.33 MB
Total Pagefile: 16210.52 MB
Available Pagefile: 13945.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:654.69 GB) (Free:587.12 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:27.27 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 607FD847)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=655 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15 GB) - (Type=12)
 
==================== End Of Log ============================
Apologies and thank you for your patience - had to run it again - here it is:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by Charlotte (administrator) on CHARLOTTELENOVO on 14-10-2013 20:19:39
Running from C:\Users\Charlotte\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\windows\system32\nvvsvc.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331_STI.EXE
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Dropbox, Inc.) C:\Users\Charlotte\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtLED\RtLEDService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtLED\RtLED.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\windows\system32\igfxsrvc.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11697768 2010-12-14] (Realtek Semiconductor)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [Lenovo EE Boot Optimizer] - C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-10-05] (Lenovo)
HKLM\...\Run: [OnekeyStudio] - C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [789920 2011-10-05] (Lenovo)
HKLM\...\Run: [updatePRCShortCut] - C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM\...\Run: [Energy Management] - C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2011-10-05] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] - C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-10-05] (Lenovo(beijing) Limited)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [Facebook Update] - C:\Users\Charlotte\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2013-04-26] (Facebook Inc.)
HKCU\...\Run: [Fitbit Connect] - C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [3093024 2013-02-25] (Fitbit, Inc.)
HKCU\...\Run: [CroKwyfw] - C:\Users\Charlotte\AppData\Local\tlwxmyvg\crokwyfw.exe [228864 2013-10-05] ()
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKLM-x32\...\Run: [331BigDog] - C:\Program Files (x86)\USB Camera\VM331_STI.EXE [536576 2010-01-15] (Vimicro)
HKLM-x32\...\Run: [YouCam Mirage] - C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-05] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] - C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [224352 2010-12-05] (CyberLink Corp.)
HKLM-x32\...\Run: [VeriFaceManager] - C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-10-05] (Lenovo)
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe [87336 2010-02-03] (CyberLink Corp.)
HKLM-x32\...\Run: [updateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [updatePRCShortCut] - C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [Fitbit Connect] - C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [3093024 2013-02-25] (Fitbit, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\UpdatusUser\...\Run: [FactoryTest] - C:\Windows\Test.bat
HKU\UpdatusUser\...\Run: [Power2GoExpress] - NA
AppInit_DLLs:   C:\windows\system32\nvinitx.dll [247144 2012-10-02] (NVIDIA Corporation)
AppInit_DLLs-x32: c:\windows\syswow64\nvinit.dll, c:\windows\syswow64\nvinit.dll [202600 2012-10-02] (NVIDIA Corporation)
Startup: C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crokwyfw.exe ()
Startup: C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Charlotte\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: savennshaire  - {1FF687FB-5D1C-6F12-03B9-65B4F7CC592A} - C:\ProgramData\savennshaire\51ffa22076538.dll No File
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU -  No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.40.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.40.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Charlotte\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Extension: putlockerdownloader - C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\profiles\extensions\putlockerdownloader@putlockerdownloader.com.xpi
FF Extension: No Name - C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\profiles\extensions\search.sqlite
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
 
Chrome: 
=======
CHR Extension: (Google Docs) - C:\Users\CHARLO~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\CHARLO~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\CHARLO~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\CHARLO~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\CHARLO~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\Users\CHARLO~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
 
==================== Services (Whitelisted) =================
 
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [956192 2011-02-15] (Broadcom Corporation.)
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [1239584 2013-02-25] (Fitbit, Inc.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
R2 RtLedService; C:\Program Files\Realtek\RtLED\RtLEDService.exe [311296 2010-09-30] (Realtek Semiconductor Corp.)
 
==================== Drivers (Whitelisted) ====================
 
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [228224 2010-10-21] (Vimicro Corporation)
R3 vmuvcflt; C:\Windows\System32\Drivers\vmuvcflt.sys [8320 2010-08-16] (Vimicro Corporation)
U2 CLKMSVC10_3A60B698; 
U2 CLKMSVC10_C3B3B687; 
U2 DriverService; 
U2 IAStorDataMgrSvc; 
U2 idealife Update Service; 
U3 IGRS; 
U2 IviRegMgr; 
U2 Oasis2Service; 
U2 PCCarerServic; 
U2 ReadyComm.DirectRouter; 
U2 RichVideo; 
U2 SoftwareService; 
U2 Stereo Service; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-14 13:11 - 2013-10-14 13:11 - 00020702 _____ C:\Users\Charlotte\Desktop\Addition.txt
2013-10-14 13:10 - 2013-10-14 13:10 - 00000000 ____D C:\FRST
2013-10-14 13:09 - 2013-10-14 13:09 - 01954124 _____ (Farbar) C:\Users\Charlotte\Desktop\FRST64.exe
2013-10-14 13:05 - 2013-10-13 14:09 - 00951296 _____ C:\Users\Charlotte\Desktop\RogueKiller.exe
2013-10-14 13:00 - 2013-10-14 13:00 - 00000000 ____D C:\Users\Charlotte\AppData\Local\tlwxmyvg
2013-10-14 12:56 - 2013-10-14 12:56 - 00000000 ____D C:\_OTM
2013-10-14 12:55 - 2013-10-14 12:55 - 00522240 _____ (OldTimer Tools) C:\Users\Charlotte\Desktop\OTM.exe
2013-10-14 12:54 - 2013-10-14 12:54 - 00002855 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10142013_125415.txt
2013-10-14 12:17 - 2013-10-14 12:17 - 00002773 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_121722.txt
2013-10-14 12:05 - 2013-10-14 12:05 - 00002740 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_120517.txt
2013-10-14 11:58 - 2013-10-14 11:58 - 00002704 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_115836.txt
2013-10-14 11:45 - 2013-10-14 11:45 - 00002670 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_114549.txt
2013-10-14 10:35 - 2013-10-14 10:35 - 937100066 _____ C:\windows\MEMORY.DMP
2013-10-14 10:35 - 2013-10-14 10:35 - 00286144 _____ C:\windows\Minidump\101413-19125-01.dmp
2013-10-14 10:35 - 2013-10-14 10:35 - 00000000 ____D C:\windows\Minidump
2013-10-14 09:14 - 2013-10-14 09:14 - 00002685 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10142013_091435.txt
2013-10-14 09:12 - 2013-10-14 09:12 - 00002601 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_091258.txt
2013-10-13 17:59 - 2013-10-13 17:59 - 00020215 _____ C:\Users\Charlotte\Desktop\dds.txt
2013-10-13 17:59 - 2013-10-13 17:59 - 00012329 _____ C:\Users\Charlotte\Desktop\attach.txt
2013-10-13 17:48 - 2013-10-13 17:48 - 00002615 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10132013_174840.txt
2013-10-13 17:43 - 2013-10-13 17:43 - 00002534 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_174303.txt
2013-10-13 16:17 - 2013-10-13 16:17 - 00002224 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_161757.txt
2013-10-13 16:15 - 2013-10-13 16:15 - 00002512 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10132013_161539.txt
2013-10-13 16:13 - 2013-10-13 16:13 - 00002431 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_161336.txt
2013-10-13 15:58 - 2013-10-13 15:58 - 00000000 ____D C:\ProgramData\Energy Management
2013-10-13 15:50 - 2013-09-23 00:28 - 01767936 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2013-10-13 15:50 - 2013-09-23 00:28 - 01141248 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 14335488 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 13761024 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 02876928 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 02048512 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00391168 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00039424 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2013-10-13 15:50 - 2013-09-23 00:27 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2013-10-13 15:50 - 2013-09-22 23:55 - 02241024 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-10-13 15:50 - 2013-09-22 23:55 - 01365504 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-10-13 15:50 - 2013-09-22 23:55 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2013-10-13 15:50 - 2013-09-22 23:54 - 19252224 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 15404544 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 03959296 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 02647552 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00053248 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-10-13 15:50 - 2013-09-22 23:54 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2013-10-13 15:50 - 2013-09-21 04:38 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-10-13 15:50 - 2013-09-21 04:30 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2013-10-13 15:50 - 2013-09-21 03:48 - 00089600 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2013-10-13 15:50 - 2013-09-21 03:39 - 00071680 _____ (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-13 14:22 - 2013-10-13 14:22 - 00002248 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_142221.txt
2013-10-13 14:20 - 2013-10-13 14:20 - 00003132 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10132013_142026.txt
2013-10-13 14:18 - 2013-10-13 14:18 - 00002945 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_141831.txt
2013-10-13 14:13 - 2013-10-14 12:54 - 00000000 ____D C:\Users\Charlotte\Desktop\RK_Quarantine
2013-10-13 13:25 - 2013-07-04 13:50 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\comctl32.dll
2013-10-13 13:25 - 2013-07-04 12:50 - 00530432 _____ (Microsoft Corporation) C:\windows\SysWOW64\comctl32.dll
2013-10-13 13:25 - 2013-06-06 06:50 - 00041472 _____ (Microsoft Corporation) C:\windows\system32\lpk.dll
2013-10-13 13:25 - 2013-06-06 06:49 - 00100864 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll
2013-10-13 13:25 - 2013-06-06 06:49 - 00014336 _____ (Microsoft Corporation) C:\windows\system32\dciman32.dll
2013-10-13 13:25 - 2013-06-06 06:47 - 00046080 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2013-10-13 13:25 - 2013-06-06 05:57 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\lpk.dll
2013-10-13 13:25 - 2013-06-06 05:51 - 00070656 _____ (Microsoft Corporation) C:\windows\SysWOW64\fontsub.dll
2013-10-13 13:25 - 2013-06-06 05:50 - 00010240 _____ (Microsoft Corporation) C:\windows\SysWOW64\dciman32.dll
2013-10-13 13:25 - 2013-06-06 04:30 - 00368128 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2013-10-13 13:25 - 2013-06-06 04:01 - 00295424 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2013-10-13 13:25 - 2013-06-06 04:01 - 00034304 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2013-10-13 13:23 - 2013-07-12 11:41 - 00185344 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbvideo.sys
2013-10-13 13:23 - 2013-07-12 11:41 - 00100864 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbcir.sys
2013-10-13 13:23 - 2013-07-03 05:40 - 00042496 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbscan.sys
2013-10-13 13:23 - 2013-06-25 23:55 - 00785624 _____ (Microsoft Corporation) C:\windows\system32\Drivers\Wdf01000.sys
2013-10-13 13:22 - 2013-09-14 02:10 - 00497152 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2013-10-13 13:22 - 2013-09-08 03:30 - 01903552 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2013-10-13 13:22 - 2013-09-08 03:27 - 00327168 _____ (Microsoft Corporation) C:\windows\system32\mswsock.dll
2013-10-13 13:22 - 2013-09-08 03:03 - 00231424 _____ (Microsoft Corporation) C:\windows\SysWOW64\mswsock.dll
2013-10-13 13:22 - 2013-08-29 03:17 - 05549504 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2013-10-13 13:22 - 2013-08-29 03:16 - 01732032 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2013-10-13 13:22 - 2013-08-29 03:16 - 00859648 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll
2013-10-13 13:22 - 2013-08-29 03:16 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2013-10-13 13:22 - 2013-08-29 03:13 - 00878080 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2013-10-13 13:22 - 2013-08-29 02:51 - 03969472 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2013-10-13 13:22 - 2013-08-29 02:51 - 03914176 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2013-10-13 13:22 - 2013-08-29 02:50 - 01292192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2013-10-13 13:22 - 2013-08-29 02:50 - 00619520 _____ (Microsoft Corporation) C:\windows\SysWOW64\tdh.dll
2013-10-13 13:22 - 2013-08-29 02:50 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2013-10-13 13:22 - 2013-08-29 02:48 - 00640512 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2013-10-13 13:22 - 2013-08-29 01:49 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2013-10-13 13:22 - 2013-08-29 01:49 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2013-10-13 13:22 - 2013-08-29 01:49 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2013-10-13 13:22 - 2013-08-29 01:49 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2013-10-13 13:22 - 2013-08-28 02:21 - 03155968 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2013-10-13 13:22 - 2013-08-28 02:12 - 00461312 _____ (Microsoft Corporation) C:\windows\system32\scavengeui.dll
2013-10-13 13:22 - 2013-08-01 13:09 - 00983488 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2013-10-13 13:22 - 2013-07-20 11:33 - 00124112 _____ (Microsoft Corporation) C:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-13 13:22 - 2013-07-20 11:33 - 00102608 _____ (Microsoft Corporation) C:\windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-13 13:22 - 2013-07-04 13:57 - 00259584 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll
2013-10-13 13:22 - 2013-07-04 13:50 - 00102400 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll
2013-10-13 13:22 - 2013-07-04 12:57 - 00205824 _____ (Microsoft Corporation) C:\windows\SysWOW64\WebClnt.dll
2013-10-13 13:22 - 2013-07-04 12:51 - 00081920 _____ (Microsoft Corporation) C:\windows\SysWOW64\davclnt.dll
2013-10-13 13:22 - 2013-07-04 11:11 - 00140800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2013-10-13 13:22 - 2013-07-03 05:05 - 00076800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidclass.sys
2013-10-13 13:22 - 2013-07-03 05:05 - 00032896 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidparse.sys
2013-10-13 13:11 - 2013-10-13 14:13 - 00002040 _____ C:\Users\Charlotte\Desktop\Rkill.txt
2013-10-13 13:11 - 2013-10-13 13:11 - 00000000 ____D C:\Users\Charlotte\Desktop\rkill
2013-10-07 22:14 - 2013-10-07 22:14 - 00000000 ____D C:\windows\Microsoft Antimalware
2013-10-07 00:53 - 2013-10-07 00:53 - 00002255 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-07 00:52 - 2013-10-14 19:57 - 00000904 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-07 00:52 - 2013-10-14 12:59 - 00000900 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-07 00:52 - 2013-10-07 00:52 - 00003900 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-07 00:52 - 2013-10-07 00:52 - 00003648 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-07 00:51 - 2013-10-07 00:51 - 00000000 ____D C:\Users\Charlotte\AppData\Local\Deployment
2013-10-07 00:51 - 2013-10-07 00:51 - 00000000 ____D C:\Users\Charlotte\AppData\Local\Apps\2.0
2013-10-07 00:27 - 2013-10-07 00:41 - 00000000 ____D C:\AdwCleaner
2013-10-06 23:46 - 2013-10-06 23:46 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-06 23:46 - 2013-10-06 23:46 - 00000000 ____D C:\Users\Charlotte\AppData\Roaming\Malwarebytes
2013-10-06 23:46 - 2013-10-06 23:46 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-06 23:46 - 2013-10-06 23:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-06 23:46 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2013-10-06 20:58 - 2013-10-06 20:58 - 00000000 ____D C:\ProgramData\Oracle
2013-10-06 20:58 - 2013-10-06 20:57 - 00264616 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2013-10-06 20:57 - 2013-10-06 20:57 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2013-10-06 20:57 - 2013-10-06 20:57 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2013-10-06 20:57 - 2013-10-06 20:57 - 00096168 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2013-10-06 20:57 - 2013-10-06 20:57 - 00000000 ____D C:\Program Files (x86)\Java
2013-10-06 20:55 - 2013-10-06 20:55 - 00000000 ____D C:\ProgramData\McAfee
2013-10-06 10:39 - 2013-10-06 10:39 - 00003006 _____ C:\windows\System32\Tasks\{2093BC98-F915-4AE4-BA06-040A471CC9B7}
2013-10-06 09:34 - 2013-10-14 13:05 - 00000000 _____ C:\Users\Charlotte\AppData\Local\bmnyeuxg.log
2013-10-05 12:44 - 2013-10-14 10:36 - 00822356 _____ C:\Users\Charlotte\AppData\Local\rgsevmpk.log
2013-10-05 12:44 - 2013-10-14 10:36 - 00003407 _____ C:\Users\Charlotte\AppData\Local\pnchjnih.log
2013-10-05 12:44 - 2013-10-14 10:36 - 00003288 _____ C:\Users\Charlotte\AppData\Local\vultbvmi.log
2013-10-05 12:43 - 2013-10-14 13:00 - 00047436 _____ C:\Users\Charlotte\AppData\Local\flxjjfkh.log
2013-10-05 12:43 - 2013-10-14 10:36 - 00005370 _____ C:\Users\Charlotte\AppData\Local\ievbrqql.log
2013-10-05 12:43 - 2013-10-12 16:55 - 00000004 _____ C:\Users\Charlotte\AppData\Local\onvwxpte.log
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\yxefexgn.log
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\fdppcbsf.log
2013-10-05 12:42 - 2013-10-14 13:05 - 00000028 _____ C:\Users\Charlotte\AppData\Local\dxbgpxat.log
2013-10-05 12:42 - 2013-10-12 16:55 - 00220864 _____ C:\Users\Charlotte\AppData\Local\eoitluhq.log
2013-10-05 12:42 - 2013-10-05 12:42 - 00000064 _____ C:\ProgramData\qyjbnmeu.log
2013-09-28 12:56 - 2013-09-28 12:56 - 00000000 ____D C:\Users\Charlotte\Documents\TES2
2013-09-28 12:46 - 2013-09-28 12:55 - 00020561 _____ C:\Users\Charlotte\Downloads\Lacroissance (1).odt
2013-09-26 21:41 - 2013-09-26 21:41 - 00021164 _____ C:\Users\Charlotte\Downloads\Lacroissance.odt
2013-09-23 17:20 - 2013-09-23 17:20 - 00086528 _____ C:\Users\Charlotte\Downloads\Croiss.endogène.ppt
2013-09-23 17:18 - 2013-09-23 17:18 - 02716160 _____ C:\Users\Charlotte\Downloads\1(SourcesCroissance).ppt
2013-09-23 17:17 - 2013-09-23 17:18 - 02407750 _____ C:\Users\Charlotte\Downloads\Source de la C.documents cours 2013.pptx
2013-09-23 16:55 - 2013-10-05 16:32 - 00012472 _____ C:\Users\Charlotte\Downloads\Copie de prog annuelle term.xlsx
2013-09-16 17:29 - 2013-09-16 17:29 - 00218419 _____ C:\Users\Charlotte\Downloads\etude-fonction-avec-exp-cor.odt
 
==================== One Month Modified Files and Folders =======
 
2013-10-14 19:57 - 2013-10-07 00:52 - 00000904 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-14 19:21 - 2011-10-05 09:17 - 01347640 _____ C:\windows\WindowsUpdate.log
2013-10-14 19:20 - 2013-04-26 20:39 - 00000944 _____ C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-736948839-1154005400-1853624935-1001UA.job
2013-10-14 19:20 - 2011-10-05 09:46 - 02316722 _____ C:\FaceProv.log
2013-10-14 19:20 - 2011-10-05 09:46 - 00000000 ____D C:\ProgramData\VeriFace
2013-10-14 13:11 - 2013-10-14 13:11 - 00020702 _____ C:\Users\Charlotte\Desktop\Addition.txt
2013-10-14 13:10 - 2013-10-14 13:10 - 00000000 ____D C:\FRST
2013-10-14 13:09 - 2013-10-14 13:09 - 01954124 _____ (Farbar) C:\Users\Charlotte\Desktop\FRST64.exe
2013-10-14 13:08 - 2009-07-14 06:13 - 00726444 _____ C:\windows\system32\PerfStringBackup.INI
2013-10-14 13:06 - 2009-07-14 05:45 - 00021280 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-14 13:06 - 2009-07-14 05:45 - 00021280 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-14 13:05 - 2013-10-06 09:34 - 00000000 _____ C:\Users\Charlotte\AppData\Local\bmnyeuxg.log
2013-10-14 13:05 - 2013-10-05 12:42 - 00000028 _____ C:\Users\Charlotte\AppData\Local\dxbgpxat.log
2013-10-14 13:02 - 2013-08-10 14:05 - 00000000 ____D C:\Users\Charlotte\AppData\Roaming\Dropbox
2013-10-14 13:00 - 2013-10-14 13:00 - 00000000 ____D C:\Users\Charlotte\AppData\Local\tlwxmyvg
2013-10-14 13:00 - 2013-10-05 12:43 - 00047436 _____ C:\Users\Charlotte\AppData\Local\flxjjfkh.log
2013-10-14 13:00 - 2013-08-10 14:07 - 00000000 ___RD C:\Users\Charlotte\Dropbox
2013-10-14 13:00 - 2011-10-05 09:50 - 00507553 _____ C:\windows\system32\fastboot.set
2013-10-14 12:59 - 2013-10-07 00:52 - 00000900 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-14 12:59 - 2009-07-14 06:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-10-14 12:59 - 2009-07-14 05:51 - 00096028 _____ C:\windows\setupact.log
2013-10-14 12:56 - 2013-10-14 12:56 - 00000000 ____D C:\_OTM
2013-10-14 12:55 - 2013-10-14 12:55 - 00522240 _____ (OldTimer Tools) C:\Users\Charlotte\Desktop\OTM.exe
2013-10-14 12:54 - 2013-10-14 12:54 - 00002855 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10142013_125415.txt
2013-10-14 12:54 - 2013-10-13 14:13 - 00000000 ____D C:\Users\Charlotte\Desktop\RK_Quarantine
2013-10-14 12:17 - 2013-10-14 12:17 - 00002773 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_121722.txt
2013-10-14 12:05 - 2013-10-14 12:05 - 00002740 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_120517.txt
2013-10-14 11:58 - 2013-10-14 11:58 - 00002704 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_115836.txt
2013-10-14 11:45 - 2013-10-14 11:45 - 00002670 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_114549.txt
2013-10-14 10:36 - 2013-10-05 12:44 - 00822356 _____ C:\Users\Charlotte\AppData\Local\rgsevmpk.log
2013-10-14 10:36 - 2013-10-05 12:44 - 00003407 _____ C:\Users\Charlotte\AppData\Local\pnchjnih.log
2013-10-14 10:36 - 2013-10-05 12:44 - 00003288 _____ C:\Users\Charlotte\AppData\Local\vultbvmi.log
2013-10-14 10:36 - 2013-10-05 12:43 - 00005370 _____ C:\Users\Charlotte\AppData\Local\ievbrqql.log
2013-10-14 10:35 - 2013-10-14 10:35 - 937100066 _____ C:\windows\MEMORY.DMP
2013-10-14 10:35 - 2013-10-14 10:35 - 00286144 _____ C:\windows\Minidump\101413-19125-01.dmp
2013-10-14 10:35 - 2013-10-14 10:35 - 00000000 ____D C:\windows\Minidump
2013-10-14 09:14 - 2013-10-14 09:14 - 00002685 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10142013_091435.txt
2013-10-14 09:12 - 2013-10-14 09:12 - 00002601 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10142013_091258.txt
2013-10-14 09:06 - 2013-04-26 20:39 - 00000922 _____ C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-736948839-1154005400-1853624935-1001Core.job
2013-10-13 19:14 - 2009-07-14 04:20 - 00000000 ____D C:\windows\rescache
2013-10-13 17:59 - 2013-10-13 17:59 - 00020215 _____ C:\Users\Charlotte\Desktop\dds.txt
2013-10-13 17:59 - 2013-10-13 17:59 - 00012329 _____ C:\Users\Charlotte\Desktop\attach.txt
2013-10-13 17:48 - 2013-10-13 17:48 - 00002615 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10132013_174840.txt
2013-10-13 17:43 - 2013-10-13 17:43 - 00002534 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_174303.txt
2013-10-13 16:17 - 2013-10-13 16:17 - 00002224 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_161757.txt
2013-10-13 16:15 - 2013-10-13 16:15 - 00002512 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10132013_161539.txt
2013-10-13 16:13 - 2013-10-13 16:13 - 00002431 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_161336.txt
2013-10-13 15:58 - 2013-10-13 15:58 - 00000000 ____D C:\ProgramData\Energy Management
2013-10-13 15:57 - 2009-07-14 05:45 - 00319592 _____ C:\windows\system32\FNTCACHE.DAT
2013-10-13 15:52 - 2011-12-16 19:27 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-13 15:49 - 2013-03-19 18:54 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-13 15:49 - 2013-03-19 18:54 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-13 15:44 - 2013-07-23 08:46 - 00000000 ____D C:\windows\system32\MRT
2013-10-13 15:43 - 2012-12-03 11:10 - 80541720 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2013-10-13 15:36 - 2012-11-18 14:33 - 00001202 _____ C:\Users\Charlotte\Desktop\Google Chrome.lnk
2013-10-13 14:22 - 2013-10-13 14:22 - 00002248 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_142221.txt
2013-10-13 14:20 - 2013-10-13 14:20 - 00003132 _____ C:\Users\Charlotte\Desktop\RKreport[0]_D_10132013_142026.txt
2013-10-13 14:18 - 2013-10-13 14:18 - 00002945 _____ C:\Users\Charlotte\Desktop\RKreport[0]_S_10132013_141831.txt
2013-10-13 14:13 - 2013-10-13 13:11 - 00002040 _____ C:\Users\Charlotte\Desktop\Rkill.txt
2013-10-13 14:09 - 2013-10-14 13:05 - 00951296 _____ C:\Users\Charlotte\Desktop\RogueKiller.exe
2013-10-13 13:11 - 2013-10-13 13:11 - 00000000 ____D C:\Users\Charlotte\Desktop\rkill
2013-10-12 16:55 - 2013-10-05 12:43 - 00000004 _____ C:\Users\Charlotte\AppData\Local\onvwxpte.log
2013-10-12 16:55 - 2013-10-05 12:42 - 00220864 _____ C:\Users\Charlotte\AppData\Local\eoitluhq.log
2013-10-07 22:14 - 2013-10-07 22:14 - 00000000 ____D C:\windows\Microsoft Antimalware
2013-10-07 17:15 - 2010-11-21 04:47 - 00069942 _____ C:\windows\PFRO.log
2013-10-07 16:03 - 2013-08-02 15:34 - 00000000 ____D C:\ProgramData\InstallMate
2013-10-07 00:53 - 2013-10-07 00:53 - 00002255 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-07 00:52 - 2013-10-07 00:52 - 00003900 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-07 00:52 - 2013-10-07 00:52 - 00003648 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-07 00:52 - 2011-10-05 10:04 - 00000000 ____D C:\Program Files (x86)\Google
2013-10-07 00:51 - 2013-10-07 00:51 - 00000000 ____D C:\Users\Charlotte\AppData\Local\Deployment
2013-10-07 00:51 - 2013-10-07 00:51 - 00000000 ____D C:\Users\Charlotte\AppData\Local\Apps\2.0
2013-10-07 00:41 - 2013-10-07 00:27 - 00000000 ____D C:\AdwCleaner
2013-10-07 00:33 - 2009-07-14 04:20 - 00000000 ____D C:\windows\system32\NDF
2013-10-07 00:28 - 2011-12-10 22:42 - 00000997 _____ C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-10-07 00:28 - 2011-12-10 16:49 - 00000000 ____D C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GeoGebra 4
2013-10-06 23:46 - 2013-10-06 23:46 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-06 23:46 - 2013-10-06 23:46 - 00000000 ____D C:\Users\Charlotte\AppData\Roaming\Malwarebytes
2013-10-06 23:46 - 2013-10-06 23:46 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-06 23:46 - 2013-10-06 23:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-06 23:36 - 2013-08-05 14:01 - 00000000 ____D C:\Program Files (x86)\SaveShare
2013-10-06 23:36 - 2011-10-05 10:05 - 00000000 ____D C:\Program Files\Google
2013-10-06 21:06 - 2011-12-10 22:44 - 00000000 ____D C:\Users\Charlotte\AppData\Local\Google
2013-10-06 21:06 - 2011-10-05 10:05 - 00000000 ____D C:\ProgramData\Google
2013-10-06 20:58 - 2013-10-06 20:58 - 00000000 ____D C:\ProgramData\Oracle
2013-10-06 20:57 - 2013-10-06 20:58 - 00264616 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2013-10-06 20:57 - 2013-10-06 20:57 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2013-10-06 20:57 - 2013-10-06 20:57 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2013-10-06 20:57 - 2013-10-06 20:57 - 00096168 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2013-10-06 20:57 - 2013-10-06 20:57 - 00000000 ____D C:\Program Files (x86)\Java
2013-10-06 20:57 - 2012-12-03 10:10 - 00868264 _____ (Oracle Corporation) C:\windows\SysWOW64\npdeployJava1.dll
2013-10-06 20:57 - 2011-12-10 16:47 - 00790440 _____ (Oracle Corporation) C:\windows\SysWOW64\deployJava1.dll
2013-10-06 20:55 - 2013-10-06 20:55 - 00000000 ____D C:\ProgramData\McAfee
2013-10-06 10:39 - 2013-10-06 10:39 - 00003006 _____ C:\windows\System32\Tasks\{2093BC98-F915-4AE4-BA06-040A471CC9B7}
2013-10-05 16:32 - 2013-09-23 16:55 - 00012472 _____ C:\Users\Charlotte\Downloads\Copie de prog annuelle term.xlsx
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\yxefexgn.log
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\fdppcbsf.log
2013-10-05 12:42 - 2013-10-05 12:42 - 00000064 _____ C:\ProgramData\qyjbnmeu.log
2013-10-05 12:42 - 2011-12-10 22:42 - 00000000 ___RD C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-28 12:56 - 2013-09-28 12:56 - 00000000 ____D C:\Users\Charlotte\Documents\TES2
2013-09-28 12:55 - 2013-09-28 12:46 - 00020561 _____ C:\Users\Charlotte\Downloads\Lacroissance (1).odt
2013-09-26 21:41 - 2013-09-26 21:41 - 00021164 _____ C:\Users\Charlotte\Downloads\Lacroissance.odt
2013-09-23 17:20 - 2013-09-23 17:20 - 00086528 _____ C:\Users\Charlotte\Downloads\Croiss.endogène.ppt
2013-09-23 17:18 - 2013-09-23 17:18 - 02716160 _____ C:\Users\Charlotte\Downloads\1(SourcesCroissance).ppt
2013-09-23 17:18 - 2013-09-23 17:17 - 02407750 _____ C:\Users\Charlotte\Downloads\Source de la C.documents cours 2013.pptx
2013-09-23 00:28 - 2013-10-13 15:50 - 01767936 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2013-09-23 00:28 - 2013-10-13 15:50 - 01141248 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 14335488 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 13761024 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 02876928 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 02048512 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00391168 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00039424 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2013-09-23 00:27 - 2013-10-13 15:50 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2013-09-22 23:55 - 2013-10-13 15:50 - 02241024 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-09-22 23:55 - 2013-10-13 15:50 - 01365504 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-09-22 23:55 - 2013-10-13 15:50 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2013-09-22 23:54 - 2013-10-13 15:50 - 19252224 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 15404544 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 03959296 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 02647552 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00053248 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-09-22 23:54 - 2013-10-13 15:50 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2013-09-21 04:38 - 2013-10-13 15:50 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-09-21 04:30 - 2013-10-13 15:50 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2013-09-21 03:48 - 2013-10-13 15:50 - 00089600 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2013-09-21 03:39 - 2013-10-13 15:50 - 00071680 _____ (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-16 17:29 - 2013-09-16 17:29 - 00218419 _____ C:\Users\Charlotte\Downloads\etude-fonction-avec-exp-cor.odt
2013-09-15 13:25 - 2011-12-10 22:42 - 00000000 ___RD C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-14 02:10 - 2013-10-13 13:22 - 00497152 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
 
Some content of TEMP:
====================
C:\Users\Charlotte\AppData\Local\Temp\twmiybhg.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-10-13 14:38
 
==================== End Of Log ============================
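The listing above is the raw material a helper works from when writing a fixlist: the dropped files all have the same shape (an eight-letter lowercase name, no publisher field, sitting in AppData\Local, ProgramData or Temp), and most were created within the same two minutes on 2013-10-05. The script below is an added example, not part of this thread and not FRST's own code. It parses lines in the FRST "One Month Created/Modified Files and Folders" format, applies that heuristic, groups the hits by creation time so a burst of files created in the same minute stands out, and prints them as bare paths in the form fixlist.txt accepts. The embedded sample lines are constructed from the log above; the directory list and the name pattern are assumptions made for the example, not rules FRST applies, and every candidate still needs a human decision before it goes into a fixlist.

```python
"""Triage helper for FRST "One Month Created/Modified Files and Folders" listings.

Added example; not part of the forum thread and not FRST's own code. The name
pattern, the directory list and the embedded sample lines are assumptions made
for this example and are not rules FRST itself applies.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# A file/folder line: "<ts1> - <ts2> - <size> <attrs> [(company)] <path>"
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*?)\s*$"
)
# Section headers decide which timestamp is printed first (see parse_frst_lines).
SECTION_RE = re.compile(r"^=+ One Month (?P<kind>Created|Modified) Files and Folders")
# Bare paths, as printed under "Some content of TEMP:".
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# Eight lowercase letters and nothing else: the shape of every dropped name in the log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
# Parent directories a standard user can write to; signed vendor files rarely live here.
USER_WRITABLE = (r"\appdata\local", r"\appdata\local\temp", r"\appdata\roaming", r"\programdata")

# Constructed sample in the shape of the log above (a subset of its lines).
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\fdppcbsf.log
2013-10-05 12:42 - 2013-10-14 13:05 - 00000028 _____ C:\Users\Charlotte\AppData\Local\dxbgpxat.log
2013-10-05 12:42 - 2013-10-05 12:42 - 00000064 _____ C:\ProgramData\qyjbnmeu.log
2013-10-14 13:00 - 2013-10-14 13:00 - 00000000 ____D C:\Users\Charlotte\AppData\Local\tlwxmyvg
2013-10-14 13:09 - 2013-10-14 13:09 - 01954124 _____ (Farbar) C:\Users\Charlotte\Desktop\FRST64.exe
2013-09-26 21:41 - 2013-09-26 21:41 - 00021164 _____ C:\Users\Charlotte\Downloads\Lacroissance.odt

==================== One Month Modified Files and Folders =======
2013-10-14 13:05 - 2013-10-05 12:42 - 00000028 _____ C:\Users\Charlotte\AppData\Local\dxbgpxat.log
2013-10-13 15:44 - 2013-07-23 08:46 - 00000000 ____D C:\windows\system32\MRT

Some content of TEMP:
====================
C:\Users\Charlotte\AppData\Local\Temp\twmiybhg.exe
"""


def parse_frst_lines(text):
    """Yield one dict per file/folder line; unrelated lines are skipped."""
    section = "created"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("kind").lower()
            continue
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            ts1, ts2 = d.pop("ts1"), d.pop("ts2")
            # FRST prints the section's sort key first: creation time in the
            # Created section, modification time in the Modified section.
            created, modified = (ts1, ts2) if section == "created" else (ts2, ts1)
            d.update(created=created, modified=modified,
                     size=int(d["size"]), is_dir="D" in d["attrs"])
            yield d
        elif BARE_PATH_RE.match(line):
            # TEMP entries carry no timestamps or attributes.
            yield {"created": None, "modified": None, "size": None, "attrs": "",
                   "company": None, "path": line, "is_dir": False}


def looks_dropped(entry):
    """Random-looking name, no publisher, in a user-writable directory."""
    p = PureWindowsPath(entry["path"])
    parent = str(p.parent).lower()
    return (
        any(parent.endswith(suffix) for suffix in USER_WRITABLE)
        and entry["company"] is None
        and RANDOM_NAME_RE.match(p.stem) is not None
    )


def find_candidates(text):
    """Suspicious entries, de-duplicated by path: the Created and Modified sections
    repeat the same file, and FRST reports a second removal attempt as
    'File/Directory not found'."""
    seen = {}
    for e in parse_frst_lines(text):
        if looks_dropped(e):
            seen.setdefault(e["path"].lower(), e)
    return list(seen.values())


def cluster_by_creation(entries):
    """Group candidate paths by creation minute; TEMP entries fall under 'unknown'."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["created"] or "unknown"].append(e["path"])
    return dict(groups)


def to_fixlist(entries):
    """Render candidates as bare paths, the form FRST accepts in fixlist.txt."""
    return "\n".join(e["path"] for e in entries)


if __name__ == "__main__":
    cands = find_candidates(SAMPLE_LOG)
    for when, paths in sorted(cluster_by_creation(cands).items()):
        print(when, *paths, sep="\n  ")
    print("\n--- fixlist candidates ---")
    print(to_fixlist(cands))
```

The section tracking matters: the same file appears in both sections with its two timestamps swapped, so a naive parser would cluster the Modified copy under the wrong minute. The de-duplication by path avoids listing a file twice, which is exactly what produced the two "File/Directory not found" lines in the Fixlog later in this thread.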
Download the attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Next,

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the file to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update.

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan".

Image5.png

10. If an infection is found select the "Cleanup" button to remove threats. Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click the "Cleanup" button once more and repeat the process.

12. If no threats were found you will see the following image. Select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Press "Y" on your keyboard, then tap Enter.

16. The fix will be applied; press any key to exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log (date and time of scan will also be shown)

Thanks,

Kevin...

fixlist.txt

Thanks Kevin, here we go:

---------------------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by Charlotte at 2013-10-15 00:53:01 Run:1
Running from C:\Users\Charlotte\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKCU\...\Run: [CroKwyfw] - C:\Users\Charlotte\AppData\Local\tlwxmyvg\crokwyfw.exe [228864 2013-10-05] ()
C:\Users\Charlotte\AppData\Local\tlwxmyvg
U2 CLKMSVC10_3A60B698;
U2 CLKMSVC10_C3B3B687;
U2 DriverService;
U2 IAStorDataMgrSvc;
U2 idealife Update Service;
U3 IGRS;
U2 IviRegMgr;
U2 Oasis2Service;
U2 PCCarerServic;
U2 ReadyComm.DirectRouter;
U2 RichVideo;
U2 SoftwareService;
U2 Stereo Service;
2013-10-06 09:34 - 2013-10-14 13:05 - 00000000 _____ C:\Users\Charlotte\AppData\Local\bmnyeuxg.log
2013-10-05 12:44 - 2013-10-14 10:36 - 00822356 _____ C:\Users\Charlotte\AppData\Local\rgsevmpk.log
2013-10-05 12:44 - 2013-10-14 10:36 - 00003407 _____ C:\Users\Charlotte\AppData\Local\pnchjnih.log
2013-10-05 12:44 - 2013-10-14 10:36 - 00003288 _____ C:\Users\Charlotte\AppData\Local\vultbvmi.log
2013-10-05 12:43 - 2013-10-14 13:00 - 00047436 _____ C:\Users\Charlotte\AppData\Local\flxjjfkh.log
2013-10-05 12:43 - 2013-10-14 10:36 - 00005370 _____ C:\Users\Charlotte\AppData\Local\ievbrqql.log
2013-10-05 12:43 - 2013-10-12 16:55 - 00000004 _____ C:\Users\Charlotte\AppData\Local\onvwxpte.log
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\yxefexgn.log
2013-10-05 12:43 - 2013-10-05 12:43 - 00000000 _____ C:\Users\Charlotte\AppData\Local\fdppcbsf.log
2013-10-05 12:42 - 2013-10-14 13:05 - 00000028 _____ C:\Users\Charlotte\AppData\Local\dxbgpxat.log
2013-10-05 12:42 - 2013-10-12 16:55 - 00220864 _____ C:\Users\Charlotte\AppData\Local\eoitluhq.log
2013-10-05 12:42 - 2013-10-05 12:42 - 00000064 _____ C:\ProgramData\qyjbnmeu.log
2013-10-12 16:55 - 2013-10-05 12:43 - 00000004 _____ C:\Users\Charlotte\AppData\Local\onvwxpte.log
2013-10-12 16:55 - 2013-10-05 12:42 - 00220864 _____ C:\Users\Charlotte\AppData\Local\eoitluhq.log
C:\Users\Charlotte\AppData\Local\Temp\twmiybhg.exe
End

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\CroKwyfw => Value deleted successfully.
C:\Users\Charlotte\AppData\Local\tlwxmyvg => Moved successfully.
CLKMSVC10_3A60B698 => Service deleted successfully.
CLKMSVC10_C3B3B687 => Service deleted successfully.
DriverService => Service deleted successfully.
IAStorDataMgrSvc => Service deleted successfully.
idealife Update Service => Service deleted successfully.
IGRS => Service deleted successfully.
IviRegMgr => Service deleted successfully.
Oasis2Service => Service deleted successfully.
PCCarerServic => Service deleted successfully.
ReadyComm.DirectRouter => Service deleted successfully.
RichVideo => Service deleted successfully.
SoftwareService => Service deleted successfully.
Stereo Service => Service deleted successfully.
C:\Users\Charlotte\AppData\Local\bmnyeuxg.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\rgsevmpk.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\pnchjnih.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\vultbvmi.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\flxjjfkh.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\ievbrqql.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\onvwxpte.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\yxefexgn.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\fdppcbsf.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\dxbgpxat.log => Moved successfully.
C:\Users\Charlotte\AppData\Local\eoitluhq.log => Moved successfully.
C:\ProgramData\qyjbnmeu.log => Moved successfully.
"C:\Users\Charlotte\AppData\Local\onvwxpte.log" => File/Directory not found.
"C:\Users\Charlotte\AppData\Local\eoitluhq.log" => File/Directory not found.
C:\Users\Charlotte\AppData\Local\Temp\twmiybhg.exe => Moved successfully.

==== End of Fixlog ====

--------------------------------

The mbar run came up clean the first time; no items cleaned or fixed, etc.

mbar log

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.14.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Charlotte :: CHARLOTTELENOVO [administrator]

15/10/2013 00:59:17
mbar-log-2013-10-15 (00-59-17).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 246259
Time elapsed: 28 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

--------------------------------------- system log
--------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16721

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 8499937280, free: 6007271424

Downloaded database version: v2013.10.14.13
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     10/15/2013 00:59:11
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\nvpciflt.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\DRIVERS\LhdX64.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\fbfmon.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\BPntDrv.sys
\SystemRoot\system32\drivers\BOOTVID.dll
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\AcpiVpc.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\clwvd.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\btwampfl.sys
\SystemRoot\System32\Drivers\BTHUSB.sys
\SystemRoot\System32\Drivers\bthport.sys
\SystemRoot\System32\Drivers\RtsUVStor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\vm331avs.sys
\SystemRoot\System32\Drivers\STREAM.SYS
\SystemRoot\System32\Drivers\vmuvcflt.sys
\SystemRoot\system32\DRIVERS\rfcomm.sys
\SystemRoot\system32\drivers\BthEnum.sys
\SystemRoot\system32\DRIVERS\bthpan.sys
\SystemRoot\system32\DRIVERS\bthmodem.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\drivers\btwavdt.sys
\SystemRoot\system32\drivers\btwaudio.sys
\SystemRoot\system32\DRIVERS\btwl2cap.sys
\SystemRoot\system32\DRIVERS\btwrchid.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\drivers\luafv.sys
\??\C:\windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WSDPrint.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\iertutil.dll
\Windows\System32\setupapi.dll
\Windows\System32\wininet.dll
\Windows\System32\imm32.dll
\Windows\System32\msctf.dll
\Windows\System32\gdi32.dll
\Windows\System32\urlmon.dll
\Windows\System32\oleaut32.dll
\Windows\System32\usp10.dll
\Windows\System32\clbcatq.dll
\Windows\System32\imagehlp.dll
\Windows\System32\shlwapi.dll
\Windows\System32\msvcrt.dll
\Windows\System32\advapi32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\sechost.dll
\Windows\System32\ole32.dll
\Windows\System32\difxapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\psapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\kernel32.dll
\Windows\System32\lpk.dll
\Windows\System32\Wldap32.dll
\Windows\System32\user32.dll
\Windows\System32\nsi.dll
\Windows\System32\shell32.dll
\Windows\System32\devobj.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\wintrust.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80096b1060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xfffffa8007b5e050

Lower Device Driver Name: \Driver\iaStor\

<<<2>>>

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80096b1060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80096b1b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80096b2040, DeviceName: Unknown, DriverName: \Driver\LHDmgr\

DevicePointer: 0xfffffa80096b1060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8007b5e050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\

------------ End ----------

Alternate DeviceName: Unknown, DriverName: \Driver\LHDmgr\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

<<<2>>>

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 607FD847

 

Partition information:

 

    Partition 0 type is Primary (0x7)

    Partition is ACTIVE.

    Partition starts at LBA: 2048  Numsec = 409600

    Partition file system is NTFS

    Partition is bootable

 

    Partition 1 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 411648  Numsec = 1372989440

 

    Partition 2 type is Extended with LBA (0xf)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 1373401088  Numsec = 60821504

 

    Partition 3 type is Other (0x12)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 1434222592  Numsec = 30926576

 

Disk Size: 750156374016 bytes

Sector size: 512 bytes

 

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1465129168-1465149168)...

Done!

Scan finished

=======================================

 

 

Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...

Removal finished

 

 

-----------------------------------------------

 

 

Will now try a system shutdown and restart to see if the issues have disappeared - will let you know in a few minutes


 

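The block above is MBAR's read-out of sector 0 of drive 0: the 55AA signature, the disk signature, the four partition-table slots (type, active flag, start LBA, sector count) and then a scan of the sectors that belong to no partition, which is where MBR bootkits park their payload. As an added example, not Malwarebytes' code, the Python below parses a raw 512-byte MBR into those same fields, computes the unpartitioned gaps, and runs the structural sanity checks a tampered table tends to fail (more or fewer than one active partition, overlapping entries, an entry running past the end of the disk). The sample sector is constructed here from the values printed in the log; the layout it parses is the standard MBR format.

```python
"""Parse and sanity-check a raw MBR sector (added example, not MBAR's code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
DISK_SIZE = 750156374016                  # bytes, from the MBAR log above
TOTAL_SECTORS = DISK_SIZE // SECTOR_SIZE  # 1465149168


@dataclass
class Partition:
    index: int
    type_id: int
    active: bool
    start_lba: int
    numsec: int

    @property
    def end_lba(self) -> int:             # first sector after the partition
        return self.start_lba + self.numsec


def parse_mbr(sector: bytes) -> Tuple[int, List[Partition]]:
    """Return (disk signature, partitions). Each 16-byte slot at 446+16*i is:
    status | CHS start (3) | type | CHS end (3) | LBA start (u32) | sectors (u32)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != 0xAA55:                     # dumped byte-wise this reads "55AA"
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    (disk_sig,) = struct.unpack_from("<I", sector, 440)
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:                    # type 0 marks an empty slot
            parts.append(Partition(i, ptype, status == 0x80, start, count))
    return disk_sig, parts


def unpartitioned_ranges(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Half-open [start, end) sector ranges owned by no partition, excluding
    sector 0 (the MBR itself). These gaps are what the scanner walks last."""
    gaps, cursor = [], 1
    for s, e in sorted((p.start_lba, p.end_lba) for p in parts):
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def sanity_issues(parts: List[Partition], total_sectors: int) -> List[str]:
    """Structural checks on the table; a rewritten MBR often fails one of them."""
    issues = []
    active = sum(p.active for p in parts)
    if active != 1:
        issues.append(f"{active} active partitions (expected 1)")
    for p in parts:
        if p.end_lba > total_sectors:
            issues.append(f"partition {p.index} extends past end of disk")
    spans = sorted((p.start_lba, p.end_lba, p.index) for p in parts)
    for (s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f"partitions {i1} and {i2} overlap at LBA {s2}")
    return issues


def build_mbr(disk_sig: int, entries) -> bytes:
    """Assemble a 512-byte MBR (boot code zeroed) from (active, type, start, count)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, 440, disk_sig)
    for i, (active, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i,
                         0x80 if active else 0x00, ptype, start, count)
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)


# Constructed from the partition table MBAR printed above (disk signature 607FD847).
SAMPLE_MBR = build_mbr(0x607FD847, [
    (True,  0x07, 2048,       409600),
    (False, 0x07, 411648,     1372989440),
    (False, 0x0F, 1373401088, 60821504),
    (False, 0x12, 1434222592, 30926576),
])


def describe(sector: bytes, total_sectors: int = TOTAL_SECTORS) -> Dict[str, object]:
    disk_sig, parts = parse_mbr(sector)
    return {
        "disk_signature": f"{disk_sig:08X}",
        "partitions": parts,
        "unpartitioned": unpartitioned_ranges(parts, total_sectors),
        "issues": sanity_issues(parts, total_sectors),
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE_MBR).items():
        print(key, value)
```

On the sample the only gap is sectors 1-2047 (the space before the first partition, the same range the log shows being scanned), and no issues are reported. Flipping the active flag on a second slot, or pointing a slot past sector 1465149168, is enough to make `sanity_issues` speak up, which is the kind of tamper a bootkit-aware scanner is looking for.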

Thanks for the update, best way forward is to run an offline tool... Create and run Kaspersky Rescue CD....

 

Kaspersky Rescue CD

STEP A:

 

Download and create a bootable Kaspersky Rescue Disk CD

 

1. Download the Kaspersky Rescue Disk ISO image from below.

 

 KASPERSKY RESCUE DISK DOWNLOAD LINK (This link will open a new page from where you can download Kaspersky Rescue Disk ISO)

 

2. Download ImgBurn, software that will help us create this bootable disk. (If you already have the necessary software, use that.)

 

 IMGBURN DOWNLOAD LINK (This link will open a new page from where you can download ImgBurn)

3. You can now insert your blank DVD/CD in your burner.

 

4. Install ImgBurn by following the prompts and then start this program.

 

5. Click on the Write image file to disc button.

 

6. Under 'Source' click on the Browse for file button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file (kav_rescue_10.iso).

 

7. Click on the big Write button.

 

8. The disc creation process will now start and it will take around 5-10 minutes to complete.

 

 

STEP B:

 

Configure the computer to boot from CD-ROM

 

On some machines,if you restart the computer and repeatedly tap the F11 key it should bring up the Boot Menu, from there you can select to boot from the CD.

IF this doesn't happen then you'll need to configure your computer to boot from a CD as you'll see below.

1. Use the Delete or F2 key to load the BIOS menu. Information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot:

 

2. In your PC BIOS settings select the Boot menu and set CD/DVD-ROM as a primary boot device.

 

3. Insert your Kaspersky Rescue Disk and restart your computer.

 

STEP C:

 

Boot your computer from Kaspersky Rescue Disk

 

1. Your computer will now boot from the Kaspersky Rescue Disk, and you'll be asked to press any key to proceed with this process.

2. In the start up wizard window that will open, select your language using the cursor moving keys. Press the ENTER key on the keyboard.

3. On the next screen, select Kaspersky Rescue Disk. Graphic Mode then press ENTER.

4. The End User License Agreement of Kaspersky Rescue Disk will be displayed on the screen. Read carefully the agreement then press the C button on your keyboard.

 

5. Once the actions described above have been performed, the Kaspersky operating system will start.

 

STEP D:

 

Launch Kaspersky WindowsUnlocker to remove the malicious registry changes

 

This ransomware trojan has modified your Windows system registry so that when you're trying to boot your computer it will instead launch its lock screen. To remove these malicious registry changes we need to use the Kaspersky WindowsUnlocker from Kaspersky Rescue Disk.

 

1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky WindowsUnlocker.

IF you can't find the WindowsUnlocker button, you can select Terminal and in the command prompt type windowsunlocker and then press Enter on the keyboard.

 

2. A white colored console window will appear and will automatically start loading the registry files for scanning and disinfection. The whole process will take only a couple of seconds and after this process you should be able to boot your computer in normal mode.

STEP E:

 

Scan your system with Kaspersky Rescue Disk

 

1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky Rescue Disk then click on My Update Center and press Start update.

2. When the update process has completed, the light at the top of the window will turn green, and the databases release date will be updated.

3. Click on the Objects Scan tab, then click Start Objects Scan to begin the scan.

4. If any malicious items are found, the default settings are to prompt you for action with a red popup window on the bottom right. Delete is the recommended action in most cases, but we strongly recommend that you try first to disinfect, and if it doesn't work choose to quarantine the infected files just to be on the safe side.

5. When all detected items have been processed and removed, the light in the window will turn green and the scan will show as completed.

6. When done you can close the Kaspersky Rescue Disk window and use the Start Menu to Restart the computer.

 

7. When booted back into Windows navigate to Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run named "ScanObject". Copy/paste that file into your reply.


Thank you Kevin,

 

Done all of the above and pleased to tell you that it appears that Kaspersky cleaned a few things and after restart I was able to launch Chrome and Malwarebytes - so some good progress

 

Here is the Scan Object

 

Objects Scan: completed <1 minute ago   (events: 78, objects: 618122, time: 01:35:13)
10/15/13 3:52 PM Task completed
10/15/13 3:52 PM Deleted: Trojan.Win32.Nimnul.bkl C:/_OTM/MovedFiles/10142013_125659/C_Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 3:52 PM Detected: Trojan.Win32.Nimnul.bkl C:/_OTM/MovedFiles/10142013_125659/C_Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 3:52 PM Deleted: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcr100.dll
10/15/13 3:52 PM Detected: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcr100.dll
10/15/13 3:52 PM Deleted: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcp100.dll
10/15/13 3:52 PM Detected: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcp100.dll
10/15/13 3:52 PM Deleted: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 3:51 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 3:51 PM Deleted: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 3:51 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 3:51 PM Deleted: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 3:50 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 3:50 PM Deleted: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll
10/15/13 3:50 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll
10/15/13 3:50 PM Deleted: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll
10/15/13 3:50 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll
10/15/13 3:50 PM Deleted: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/twmiybhg.exe
10/15/13 3:50 PM Detected: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/twmiybhg.exe
10/15/13 3:50 PM Deleted: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/tlwxmyvg/crokwyfw.exe
10/15/13 3:50 PM Detected: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/tlwxmyvg/crokwyfw.exe
10/15/13 3:50 PM Deleted: Trojan.Win32.Staser.fv C:/AdwCleaner/Quarantine/C/ProgramData/eSafe/eGdpSvc.exe.vir
10/15/13 3:34 PM Detected: Trojan.Win32.Staser.fv C:/AdwCleaner/Quarantine/C/ProgramData/eSafe/eGdpSvc.exe.vir
10/15/13 3:34 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 3:34 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 3:28 PM Untreated: Trojan.Win32.Nimnul.bkl C:/_OTM/MovedFiles/10142013_125659/C_Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe Postponed
10/15/13 3:28 PM Detected: Trojan.Win32.Nimnul.bkl C:/_OTM/MovedFiles/10142013_125659/C_Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 3:10 PM Untreated: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcr100.dll Postponed
10/15/13 3:10 PM Detected: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcr100.dll
10/15/13 3:10 PM Untreated: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcp100.dll Postponed
10/15/13 3:10 PM Detected: not-a-virus:AdWare.Win32.D365.a C:/Windows/SysWOW64/msvcp100.dll
10/15/13 3:00 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 3:00 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 2:54 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe Postponed
10/15/13 2:54 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 2:54 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe Postponed
10/15/13 2:54 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 2:49 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 2:49 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 2:48 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 2:48 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 2:47 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe Postponed
10/15/13 2:47 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 2:47 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe Postponed
10/15/13 2:47 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 2:47 PM Untreated: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll Postponed
10/15/13 2:47 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll
10/15/13 2:47 PM Untreated: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll Postponed
10/15/13 2:47 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll
10/15/13 2:38 PM Untreated: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/tlwxmyvg/crokwyfw.exe Postponed
10/15/13 2:38 PM Detected: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/tlwxmyvg/crokwyfw.exe
10/15/13 2:38 PM Untreated: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/twmiybhg.exe Postponed
10/15/13 2:38 PM Detected: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/twmiybhg.exe
10/15/13 2:37 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 2:37 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 2:31 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe Postponed
10/15/13 2:31 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 2:31 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe Postponed
10/15/13 2:31 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 2:26 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 2:26 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 2:26 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe Postponed
10/15/13 2:26 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/crokwyfw.exe
10/15/13 2:25 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe Postponed
10/15/13 2:25 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/tlwxmyvg/crokwyfw.exe
10/15/13 2:25 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe Postponed
10/15/13 2:25 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 2:25 PM Untreated: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll Postponed
10/15/13 2:25 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll
10/15/13 2:25 PM Untreated: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll Postponed
10/15/13 2:25 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll
10/15/13 2:23 PM Untreated: Trojan.Win32.Staser.fv C:/AdwCleaner/Quarantine/C/ProgramData/eSafe/eGdpSvc.exe.vir Postponed
10/15/13 2:23 PM Detected: Trojan.Win32.Staser.fv C:/AdwCleaner/Quarantine/C/ProgramData/eSafe/eGdpSvc.exe.vir
10/15/13 2:20 PM Untreated: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll Postponed
10/15/13 2:20 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{4382C9B5-0B04-4E6A-AC81-43269861EB43}/Custom.dll
10/15/13 2:20 PM Untreated: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll Postponed
10/15/13 2:20 PM Detected: not-a-virus:AdWare.Win32.Agent.aeph C:/ProgramData/InstallMate/{375320D7-5392-4103-A3E8-1BB0ECB00221}/Custom.dll
10/15/13 2:17 PM Task started
 
 
 
Following this and as it was working, I ran a quick scan on Malwarebytes - it discovered other things - will look for that log now
 
 
 
 
 
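The scan log above records the same Ramnit dropper (Trojan.Win32.Nimnul is Kaspersky's name for the Ramnit family) several times per file, first as Detected, then as Untreated/Postponed while the scan was still running, and finally as Deleted, and it mixes live copies (the per-user Startup folder, AppData\Local\Temp) with stale copies sitting in the quarantine folders of FRST, AdwCleaner and OTM. Working out the final outcome per file by eye is error-prone. The Python below, added here as an example and not part of Kaspersky Rescue Disk or of the post, replays the log in chronological order (KRD lists newest events first), keeps the strongest outcome per path, lists anything not ultimately Deleted, and separates live hits from quarantine hits, flagging autostart entries because those run again at the next logon, which is exactly the relapse-after-reboot pattern described at the top of the thread. The sample input is a subset of the lines posted above plus one constructed "Postponed" entry (`constructed_sample.exe`, not on the page) so the follow-up list is exercised.

```python
"""Replay a Kaspersky Rescue Disk "Objects Scan" log and report where each
detection ended up (added example, not part of KRD or of the post above).
Line format taken from the log posted above; KRD writes newest events first."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{1,2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Untreated|Deleted): (?P<verdict>\S+) (?P<path>.+?)"
    r"(?: Postponed)?$"
)
# Hits under another tool's quarantine are stale copies, not a live infection.
QUARANTINE_PREFIXES = ("C:/FRST/Quarantine/", "C:/AdwCleaner/Quarantine/", "C:/_OTM/MovedFiles/")
# Anything in the per-user Startup folder is launched at every logon.
AUTOSTART_MARKER = "/Start Menu/Programs/Startup/"
RANK = {"Detected": 0, "Untreated": 1, "Deleted": 2}   # never downgrade an outcome

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    """(timestamp, action, verdict, path) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                          # "Task started"/"Task completed"/blank
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%y %I:%M %p")
        events.append((ts, m["action"], m["verdict"], m["path"]))
    events.reverse()                       # the file is newest-first
    return events


def final_status(events: List[Event]) -> Dict[str, dict]:
    """Strongest outcome seen for each path (Deleted > Untreated > Detected)."""
    status: Dict[str, dict] = {}
    for ts, action, verdict, path in events:
        prev = status.get(path)
        if prev and RANK[prev["action"]] > RANK[action]:
            continue                       # e.g. the Detected line paired with a Deleted
        status[path] = {"verdict": verdict, "action": action, "when": ts}
    return status


def not_removed(status: Dict[str, dict]) -> List[str]:
    """Paths whose last recorded outcome is not Deleted: these need a follow-up."""
    return sorted(p for p, s in status.items() if s["action"] != "Deleted")


def triage(status: Dict[str, dict]) -> Dict[str, List[str]]:
    """Split hits into live locations vs other tools' quarantine, flag autostarts."""
    live = sorted(p for p in status if not p.startswith(QUARANTINE_PREFIXES))
    return {
        "live": live,
        "quarantined": sorted(p for p in status if p.startswith(QUARANTINE_PREFIXES)),
        "autostart": [p for p in live if AUTOSTART_MARKER in p],
    }


STARTUP_COPY = ("C:/Users/Charlotte/AppData/Roaming/Microsoft/Windows/"
                "Start Menu/Programs/Startup/crokwyfw.exe")
# Subset of the log lines posted above, plus one constructed "Postponed" entry
# (constructed_sample.exe is not on the original page) to exercise not_removed().
SAMPLE_LOG = f"""\
10/15/13 3:52 PM Task completed
10/15/13 3:52 PM Untreated: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/constructed_sample.exe Postponed
10/15/13 3:52 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/constructed_sample.exe
10/15/13 3:52 PM Deleted: Trojan.Win32.Nimnul.bkl {STARTUP_COPY}
10/15/13 3:51 PM Detected: Trojan.Win32.Nimnul.bkl {STARTUP_COPY}
10/15/13 3:51 PM Deleted: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 3:50 PM Detected: Trojan.Win32.Nimnul.bkl C:/Users/Charlotte/AppData/Local/Temp/twmiybhg.exe
10/15/13 3:50 PM Deleted: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/twmiybhg.exe
10/15/13 3:50 PM Detected: Trojan.Win32.Nimnul.bkl C:/FRST/Quarantine/twmiybhg.exe
10/15/13 3:34 PM Untreated: Trojan.Win32.Nimnul.bkl {STARTUP_COPY} Postponed
10/15/13 3:34 PM Detected: Trojan.Win32.Nimnul.bkl {STARTUP_COPY}
10/15/13 2:17 PM Task started
"""


def report(text: str = SAMPLE_LOG) -> dict:
    status = final_status(parse_events(text))
    return {"status": status, "not_removed": not_removed(status), **triage(status)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Replaying bottom-up matters: the Untreated/Postponed lines at 2:17-3:34 are not failures, they are the scan deferring action until the end, and only the 3:50-3:52 Deleted lines tell you the file is gone. Anything left in `not_removed`, or anything in `autostart`, is what to check after the reboot.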

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those two logs, also tell me if there are any remaining issues or concerns...

 

Kevin


Here is the security check 

 

 

Results of screen317's Security Check version 0.99.74 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 40 
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
 Google Chrome 30.0.1599.101 
 Google Chrome 30.0.1599.69 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

 

 

 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

and the ESET scan which uncovered a few items still:

 

C:\AdwCleaner\Quarantine\C\ProgramData\BetterSoft\OptimizerPro\OptimizerPro.exe.vir Win32/GenUpdater application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\eSafe\temp_000.exe.vir a variant of Win32/ELEX.O application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\eSafe\_eUpdate_13.3.2.2700.exe.vir a variant of Win32/ELEX.O application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\eSafe\_eUpdate_2.exe.vir a variant of Win32/ELEX.O application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkgnlkeipedppaechmallifepjfjdkbe\1\51fbc388f2b1f6.40344346.js.vir Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Charlotte\AppData\Roaming\eIntaller\05DA13AF73E84ee4A1F8807ADB1DEF1E\eXQ.exe.vir a variant of Win32/ELEX.D application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\CHARLO~1\AppData\Local\Temp\eIntaller\F86EB4ACA9FD40af802F48A63F1206C8\eXQ.exe.vir a variant of Win32/ELEX.D application cleaned by deleting - quarantined
C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl\1.4_0\GoogleChromeRemotePlugin.dll Win32/Toolbar.Linkury.D application cleaned by deleting - quarantined
C:\Users\Charlotte\AppData\Local\Temp\smartbar\Installer.msi multiple threats deleted - quarantined
C:\Users\Charlotte\Downloads\WinZip175.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
C:\Windows\Installer\529b3.msi multiple threats deleted - quarantined

 

 

---------------------------------------------------------------

 

 

otherwise computer seems healthier - Thanks Kevin


Well ESET has removed the entries, so nothing to worry about. OK do the following:

 

We need to remove FRST; first it is very important to deal with its Quarantine folder using FRST itself.

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Delete FRST.exe from your Desktop, navigate to and delete its folder C:\FRST

 

Next,

 

Remove ESET online scanner  (Only If installed):

 


Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner, only re-boot if prompted.

 

Next,

 

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then Click the big CleanUp button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

 

Any tools/logs remaining on the Desktop or downloads folder can be deleted.

 

Next,

 

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

 

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

 

Untick the option for any security scanner or toolbar if offered.

 

Download and install.

 

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Next,

 

Download and install CCleaner from here:

 

http://www.piriform.com/ccleaner/builds    Ensure to select Slim version. (No Toolbar)

 

 Then select the items you wish to clean up.

 

In the Windows Tab:

 


    Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
    Clean all the entries in the "Windows Explorer" section.
    Clean all entries in the "System" section.
    Clean all entries in the "Advanced" section.
    Clean any others that you choose.
    Make sure "Wipe free space" is unticked, this will dramatically increase scan time if selected.

 

 

In the Applications Tab


     Clean all except cookies in the Firefox/Mozilla section if you use it.
     Clean all in the Opera section if you use it.
     Clean Sun Java in the Internet Section.
     Clean any others that you choose.    

 

4. Click the "Run Cleaner" button.

5. A pop up box will appear advising this process will permanently delete files from your system.

6. Click "OK" and it will scan and clean your system.

7. Click "exit" when done.

 

CCleaner is an excellent utility and well worth keeping; in the bottom left hand corner of the main interface is a link "Online Help", use that link to get the full instructions for this very handy application.

 

Finally,

 

Create a new restore point:

 

   1. Right-click on Computer and go to Properties.

   2. Next click on the System Protection link.

   3. The System Properties dialog screen opens up and you will want to click on Create.

   4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.

   5. You should see the message "The restore point was created successfully".

 

To remove all but the most recent restore point do the following:

 

   1.      Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.

   2.      If prompted, select the drive that you want to clean up, and then click OK.

   3.      In the Disk Cleanup for (usually C:\) dialog box, click Clean up system files. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

   4.      If prompted, select the drive that you want to clean up, and then click OK.

   5.      Click the More Options tab, under System Restore and Shadow Copies, click Clean up.

   6.      In the Disk Cleanup dialog box, click Delete.

   7.      Click Delete Files, and then click OK. Re-Boot your PC.

 

Let me know if those steps complete Ok, also if any remaining issues or concerns..

 

Kevin

 

 

fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013

Ran by Charlotte at 2013-10-17 16:09:33 Run:2

Running from C:\Users\Charlotte\Desktop\Virus fighting kit

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

Start

DeleteQuarantine:

End

 

*****************

 

C:\FRST\Quarantine => Removed successfully.

 

==== End of Fixlog ====
