
Help with an infection



Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


MrC


Note:
Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>When we are done, I'll give you instructions on how to clean up all the tools and logs.


<+>Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)

BHO: Instair: {0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} - C:\Program Files\Instair\Instair.dll

Quick reply thanks! Here's the log for Roguekiller

RogueKiller V8.7.8 _x64_ [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : simone [Admin rights]
Mode : Scan -- Date : 11/14/2013 11:29:11
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.34 ofep34.sabre.com # Nortel SSL-VPN
127.0.0.23 ofep23.sabre.com # Nortel SSL-VPN
127.0.0.12 ofep12.sabre.com # Nortel SSL-VPN
127.0.0.36 fos.sabre.com # Nortel SSL-VPN
127.0.0.8 ofep08.sabre.com # Nortel SSL-VPN
127.0.0.19 ofep19.sabre.com # Nortel SSL-VPN
127.0.0.21 ofep21.sabre.com # Nortel SSL-VPN
127.0.0.32 ofep32.sabre.com # Nortel SSL-VPN
127.0.0.1 res.sabre.com # Nortel SSL-VPN
127.0.0.44 access.certd.sabre.com # Nortel SSL-VPN
127.0.0.36 frt.sabre.com # Nortel SSL-VPN
127.0.0.10 ofep10.sabre.com # Nortel SSL-VPN
127.0.0.28 ofep28.sabre.com # Nortel SSL-VPN
127.0.0.17 ofep17.sabre.com # Nortel SSL-VPN
127.0.0.30 ofep30.sabre.com # Nortel SSL-VPN
127.0.0.6 ofep06.sabre.com # Nortel SSL-VPN
127.0.0.41 access.tstsa.sabre.com # Nortel SSL-VPN
127.0.0.26 ofep26.sabre.com # Nortel SSL-VPN
127.0.0.1 hsspconfig.sabre.com # Nortel SSL-VPN
127.0.0.15 ofep15.sabre.com # Nortel SSL-VPN
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST500DM002-1BD142 +++++
--- User ---
[MBR] 36e7c34a8f756c827c3d1514d57c4905
[bSP] ddabf53c372c0dd556a76d3ca18ea848 : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 913e86dda2d88b7fae5d7e06113c9e83
[bSP] 9eaa053444c8e0caa8b1de435e0270e6 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 Mo

Finished : << RKreport[0]_S_11142013_112911.txt >>

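Reading the RogueKiller report above as a defender: the two `[HJ POL]` lines say the UAC policy values EnableLUA and ConsentPromptBehaviorAdmin are both 0, which means UAC is switched off and administrators elevate without any prompt, and the HOSTS section maps many names to loopback addresses (their comments attribute them to Nortel SSL-VPN, and the FRST log later in the thread shows a CleanupNortelVPN.bat in the Startup folder, so they are plausibly VPN-client artefacts rather than malware, but they still deserve a look). The following Python script is an added example, not part of this thread and not RogueKiller's own code: it parses a report in this line format, explains what the UAC values mean, and lists hosts entries that point a public-looking name at loopback or 0.0.0.0 so they can be reviewed by hand. The report text embedded in it is constructed in the shape of the one above, not the user's actual report.

```python
"""Parse a RogueKiller-style report: UAC policy findings and hosts-file redirects."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the report above (not the real report).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.34 ofep34.sabre.com # Nortel SSL-VPN
0.0.0.0 updates.vendor.invalid
"""

# "[TAG][TAG] key : value (data) -> STATUS"
REG_LINE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<key>.+?)\s+:\s+(?P<value>\S+)"
    r"\s+\((?P<data>[^)]*)\)\s+->\s+(?P<status>\w+)$"
)
# "ip hostname [# comment]"
HOSTS_LINE = re.compile(r"^(?P<ip>\S+)\s+(?P<host>\S+)(?:\s*#\s*(?P<comment>.*))?$")

# What the two UAC policy values flagged above mean when set to 0 (documented Windows semantics).
UAC_MEANING = {
    ("EnableLUA", "0"): "UAC is disabled entirely",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate without any prompt",
}


@dataclass
class RegistryFinding:
    tags: List[str]
    key: str
    value: str
    data: str
    status: str


@dataclass
class HostsEntry:
    ip: str
    host: str
    comment: Optional[str]


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group non-empty report lines under their '¤¤¤ Title ¤¤¤' headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("¤¤¤") and line.endswith("¤¤¤"):
            current = line.strip("¤ ").split(":")[0].strip()  # "Registry Entries : 3" -> "Registry Entries"
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_registry(lines: List[str]) -> List[RegistryFinding]:
    findings = []
    for line in lines:
        m = REG_LINE.match(line)
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
            findings.append(RegistryFinding(tags, m.group("key"), m.group("value"),
                                            m.group("data"), m.group("status")))
    return findings


def assess_uac(findings: List[RegistryFinding]) -> List[str]:
    """Explain the UAC policy values under the ...\\Policies\\System key, in report order."""
    notes = []
    for f in findings:
        meaning = UAC_MEANING.get((f.value, f.data))
        if meaning and f.key.endswith("System"):
            notes.append(f"{f.value}={f.data}: {meaning}")
    return notes


def parse_hosts(lines: List[str]) -> List[HostsEntry]:
    entries = []
    for line in lines:
        if line.startswith("-->"):  # the "--> path" header line, not an entry
            continue
        m = HOSTS_LINE.match(line)
        if m:
            entries.append(HostsEntry(m.group("ip"), m.group("host"), m.group("comment")))
    return entries


def sinkholed_hosts(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a dotted name (not localhost) to loopback or 0.0.0.0; each needs manual review."""
    flagged = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e.ip)
        except ValueError:
            continue
        if (addr.is_loopback or addr.is_unspecified) and "." in e.host:
            flagged.append(e)
    return flagged


def summarize(report: str) -> Dict[str, object]:
    sections = split_sections(report)
    reg = parse_registry(sections.get("Registry Entries", []))
    hosts = parse_hosts(sections.get("HOSTS File", []))
    return {
        "registry_findings": len(reg),
        "uac_notes": assess_uac(reg),
        "hosts_entries": len(hosts),
        "hosts_to_review": [(e.ip, e.host, e.comment) for e in sinkholed_hosts(hosts)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(key, value)
```

The hosts check deliberately only surfaces entries; whether a loopback redirect is a VPN client's doing or a blocker planted to keep security software from updating is a judgement for the helper, which is why each flagged entry carries its comment.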

See if there's an uninstaller in this folder C:\Program Files\Instair

If so please run it to uninstall Instair

BHO: Instair: {0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} - C:\Program Files\Instair\Instair.dll

 

If not...don't worry about it right now.

---------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC


Couldn't find an uninstaller for instair.
Here's the FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-11-2013
Ran by simone (administrator) on FREEDESK-THINK on 14-11-2013 12:01:45
Running from C:\Users\simone\Desktop\frst
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Amadeus) C:\Program Files (x86)\Automatic Update\AutoUpdate.exe
(Lenovo) C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
(IBM) C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(IBM Corp) C:\Program Files (x86)\IBM\Lotus\Notes\ntmulti.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
() C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(LITEON) C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skdh8821.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(AMADEUS) C:\Program Files (x86)\Automatic Update\AutoUpdateGUI.exe
(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(LITE-ON TECHNOLOGY CORP.) C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
(Lenovo) C:\Program Files (x86)\Lenovo\PowerMgr\PWMDBSVC.EXE
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\PowerMgr\SCHTASK.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\VIP Access Client\VIPUIManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Lenovo) C:\Program Files (x86)\Lenovo\message center plus\mcplaunch.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Sun Microsystems, Inc.) C:\Users\simone\AppData\Local\Sabre Red Workspace\Common\binary\com.sun.java.jre.win32.x86_1.6.0.012\bin\javaw.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12343400 2012-01-10] (Realtek Semiconductor)
HKLM\...\Run: [skd8821] - C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe [384512 2011-03-22] (LITE-ON TECHNOLOGY CORP.)
HKLM\...\Run: [LENOVO.TPKNRRES] - C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe [289648 2012-05-24] (Lenovo Group Limited)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
MountPoints2: {2f6776c4-7fc9-11e2-87be-806e6f6e6963} - Q:\LenovoQDrive.exe
HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Fastboot] - C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe [1091376 2012-01-17] (Lenovo)
HKLM-x32\...\Run: [intel AppUp(SM) center] - C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-12] (Intel Corporation)
HKLM-x32\...\Run: [Lenovo Registration] - C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe [4351712 2011-07-13] (Lenovo, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [brMfcWnd] - C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] - C:\Program Files (x86)\Brother\ControlCenter3\BrCtrCen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Power Manager Startup Utility] - C:\Program Files (x86)\Lenovo\PowerMgr\DPMHost.exe [27464 2013-04-24] ()
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\Default\...\RunOnce: [Lenovo.ShowBand] - C:\Program Files\Lenovo\SimpleTap DeskBand\ShowBand.exe [52584 2013-08-08] (Lenovo)
HKU\Default\...\RunOnce: [] - [x]
HKU\Default\...\RunOnce: [Lenovoautoqdrive] - C:\Program Files (x86)\Common Files\Lenovo\LenovoDrive\LenovoAutoRunReg.exe [159744 2011-12-14] ()
HKU\Default User\...\RunOnce: [Lenovo.ShowBand] - C:\Program Files\Lenovo\SimpleTap DeskBand\ShowBand.exe [52584 2013-08-08] (Lenovo)
HKU\Default User\...\RunOnce: [] - [x]
HKU\Default User\...\RunOnce: [Lenovoautoqdrive] - C:\Program Files (x86)\Common Files\Lenovo\LenovoDrive\LenovoAutoRunReg.exe [159744 2011-12-14] ()
Startup: C:\Users\simone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CleanupNortelVPN.bat ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.bing.com/search?FORM=UP74DF&PC=UP74&dt=082313&q={searchTerms}&src=IE-SearchBox&rlz=1I7LENP_enUS531US531
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Symantec VIP Access Add-On - {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll (Symantec Corporation)
BHO-x32: Instair - {0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} - C:\Program Files\Instair\Instair.dll ()
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Symantec VIP Access Add-On - {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll (Symantec Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: HKLM-x32 {051FE707-9706-11D5-A836-000102A7C938}
DPF: HKLM-x32 {3839EEB1-774E-40AC-BB55-1FFF0F09FFBC} http://extranets.us.amadeus.com/techservices/documents/SoftwareDistribution/Amadeus-CS-MIA/AmadeusRailKeyAgent/v1001/install.cab
DPF: HKLM-x32 {5CCB8990-66EF-4466-B051-CD27FA3821DF} http://content.amadeus.com/Scripts/AmadeusNALibrary/V2.0.0/install.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://sabreholdings.webex.com/client/WBXclient-T28L10NSP12_CP1-16851/training/ieatgpc1.cab
DPF: HKLM-x32 {F96020DD-C373-44A0-82B6-064EF0AEEAE3} http://certificates.amadeusvista.com/sgwadmin/RegSiteTools.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1007
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\simone\AppData\Roaming\Mozilla\Firefox\Profiles\tnib2p0f.default
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\simone\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: Instair - C:\Users\simone\AppData\Roaming\Mozilla\Firefox\Profiles\tnib2p0f.default\Extensions\contact@instair.net
FF HKLM-x32\...\Firefox\Extensions: [VIP2X@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client\
FF Extension: Symantec VIP Access Add-On - C:\Program Files (x86)\Symantec\VIP Access Client\

Chrome:
=======


CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Nitro PDF Plug-In) - C:\Program Files (x86)\Nitro PDF\Professional 7\npnitromozilla.dll No File
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File
CHR Extension: (Google Docs) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Instair) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\caodggjhipefhiblmgbchfkehoofabbh\1.1.1_0
CHR Extension: (Google Search) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Google Wallet) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Gmail) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [caodggjhipefhiblmgbchfkehoofabbh] - C:\Program Files\Instair\Instair.crx

==================== Services (Whitelisted) =================

R2 Amadeus Automatic Update; C:\Program Files (x86)\Automatic Update\AutoUpdate.exe [210344 2010-09-14] (Amadeus)
R2 FastbootService; C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [169776 2012-01-17] (Lenovo)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-15] (Intel Corporation)
R2 Lotus Notes Diagnostics; C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe [3417480 2011-07-11] (IBM)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [30184 2013-08-08] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R3 Power Manager DBC Service; C:\Program Files (x86)\Lenovo\PowerMgr\PWMDBSVC.EXE [63816 2013-04-24] (Lenovo)
S3 PwmEWSvc; C:\Program Files (x86)\Lenovo\PowerMgr\PWMEWSVC.EXE [186696 2013-04-24] (Lenovo Group Limited)
R2 Sks8821; C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe [137216 2010-05-04] ()
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [22376 2013-06-26] ()
R2 VIPAppService; C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [84080 2012-04-19] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

R0 Fastboot; C:\Windows\System32\DRIVERS\Fastboot.sys [70416 2012-01-17] (Windows ® Win 7 DDK provider)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [40248 2011-05-29] (Lenovo Information Product(ShenZhen China) Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-14 12:01 - 2013-11-14 12:01 - 00000000 ____D C:\FRST
2013-11-14 12:00 - 2013-11-14 12:01 - 00000000 ____D C:\Users\simone\Desktop\frst
2013-11-14 11:29 - 2013-11-14 11:29 - 00003262 _____ C:\Users\simone\Desktop\RKreport[0]_S_11142013_112911.txt
2013-11-14 11:27 - 2013-11-14 11:29 - 00000000 ____D C:\Users\simone\Desktop\RK_Quarantine
2013-11-14 11:26 - 2013-11-14 11:26 - 04161024 _____ C:\Users\simone\Desktop\RogueKillerX64.exe
2013-11-14 11:16 - 2013-11-14 11:16 - 00000000 ____D C:\ProgramData\Oracle
2013-11-14 11:15 - 2013-11-14 11:15 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-11-14 11:15 - 2013-11-14 11:15 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-11-14 11:15 - 2013-11-14 11:15 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-11-14 11:15 - 2013-11-14 11:15 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-11-14 11:15 - 2013-11-14 11:15 - 00000000 ____D C:\ProgramData\Sun
2013-11-14 11:15 - 2013-11-14 11:15 - 00000000 ____D C:\Program Files (x86)\Java
2013-11-14 11:07 - 2013-11-14 11:07 - 00000000 ____D C:\ProgramData\McAfee
2013-11-14 11:06 - 2013-11-14 11:06 - 00915368 _____ (Oracle Corporation) C:\Users\simone\Downloads\jxpiinstall.exe
2013-11-14 09:55 - 2013-11-14 09:55 - 00021447 _____ C:\Users\simone\Desktop\dds.txt
2013-11-14 09:55 - 2013-11-14 09:55 - 00011455 _____ C:\Users\simone\Desktop\attach.txt
2013-11-14 09:52 - 2013-11-14 09:52 - 00688992 ____R (Swearware) C:\Users\simone\Desktop\dds.scr
2013-11-14 03:23 - 2013-11-14 11:40 - 00073075 _____ C:\Windows\WindowsUpdate.log
2013-11-14 03:20 - 2013-11-14 03:20 - 00001844 _____ C:\Windows\PFRO.log
2013-11-14 03:03 - 2013-10-12 03:45 - 02241536 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-11-14 03:03 - 2013-10-12 03:45 - 01364992 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-11-14 03:03 - 2013-10-12 03:45 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-11-14 03:03 - 2013-10-12 03:43 - 19269632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 02648576 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-11-14 03:03 - 2013-10-12 03:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-11-14 03:03 - 2013-10-12 02:03 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-11-14 03:03 - 2013-10-12 02:03 - 01138176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 14355968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-11-14 03:03 - 2013-10-12 02:02 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-11-14 03:03 - 2013-10-12 01:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-11-14 03:03 - 2013-10-12 01:08 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-11-14 03:03 - 2013-10-12 00:44 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-11-14 03:03 - 2013-10-12 00:15 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-11-13 08:46 - 2013-10-11 21:30 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2013-11-13 08:46 - 2013-10-11 21:29 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2013-11-13 08:46 - 2013-10-11 21:29 - 00324096 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2013-11-13 08:46 - 2013-10-11 21:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2013-11-13 08:46 - 2013-10-11 21:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2013-11-13 08:46 - 2013-10-05 15:25 - 01474048 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-11-13 08:46 - 2013-10-05 14:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-11-13 08:46 - 2013-10-03 21:28 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\SmartcardCredentialProvider.dll
2013-11-13 08:46 - 2013-10-03 21:25 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\credui.dll
2013-11-13 08:46 - 2013-10-03 21:24 - 01930752 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2013-11-13 08:46 - 2013-10-03 20:58 - 00152576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SmartcardCredentialProvider.dll
2013-11-13 08:46 - 2013-10-03 20:56 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-11-13 08:46 - 2013-10-03 20:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credui.dll
2013-11-13 08:46 - 2013-10-02 21:23 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2013-11-13 08:46 - 2013-10-02 21:00 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2013-11-13 08:46 - 2013-09-27 20:09 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2013-11-13 08:46 - 2013-09-24 21:26 - 00154560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2013-11-13 08:46 - 2013-09-24 21:26 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2013-11-13 08:46 - 2013-09-24 21:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2013-11-13 08:46 - 2013-09-24 21:23 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2013-11-13 08:46 - 2013-09-24 21:23 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2013-11-13 08:46 - 2013-09-24 21:22 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2013-11-13 08:46 - 2013-09-24 21:21 - 01447936 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2013-11-13 08:46 - 2013-09-24 21:21 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2013-11-13 08:46 - 2013-09-24 20:58 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2013-11-13 08:46 - 2013-09-24 20:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2013-11-13 08:46 - 2013-09-24 20:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2013-11-13 08:46 - 2013-09-24 20:56 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-11-13 08:46 - 2013-09-24 20:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2013-11-13 08:46 - 2013-07-04 07:18 - 00458712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2013-11-11 12:52 - 2013-11-14 11:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-11-08 15:26 - 2013-11-14 09:51 - 00000672 _____ C:\Windows\setupact.log
2013-11-08 15:26 - 2013-11-08 15:26 - 00000000 _____ C:\Windows\setuperr.log
2013-11-08 14:27 - 2013-11-08 14:27 - 00003162 _____ C:\Windows\System32\Tasks\JetCleanLoginCheckUpdate
2013-11-08 14:27 - 2013-11-08 14:27 - 00000000 ____D C:\Users\simone\AppData\Roaming\BlueSprig
2013-11-08 14:27 - 2013-11-08 14:27 - 00000000 ____D C:\Program Files\Instair
2013-11-08 14:27 - 2013-11-08 14:27 - 00000000 ____D C:\Program Files (x86)\BlueSprig
2013-11-08 13:44 - 2013-11-08 13:44 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-10-31 08:28 - 2013-10-31 08:28 - 00000000 ____D C:\Users\simone\AppData\Roaming\XulTest
2013-10-31 08:28 - 2013-10-31 08:28 - 00000000 ____D C:\Users\simone\AppData\Local\XulTest
2013-10-29 11:07 - 2013-10-29 11:07 - 00000000 ____D C:\Program Files (x86)\Acro Software
2013-10-29 11:07 - 2013-10-23 14:24 - 00087600 _____ C:\Windows\system32\cpwmon64.dll
2013-10-29 11:01 - 2013-10-29 11:06 - 02003672 _____ (Acro Software Inc.                                          ) C:\Users\simone\Downloads\CuteWriter.exe
2013-10-28 08:33 - 2013-10-28 08:33 - 00001124 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-28 08:33 - 2013-10-28 08:33 - 00000000 ____D C:\Users\simone\AppData\Roaming\Malwarebytes
2013-10-28 08:33 - 2013-10-28 08:33 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-28 08:32 - 2013-10-28 08:33 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-28 08:32 - 2013-04-04 13:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

==================== One Month Modified Files and Folders =======

2013-11-14 12:01 - 2013-11-14 12:01 - 00000000 ____D C:\FRST
2013-11-14 12:01 - 2013-11-14 12:00 - 00000000 ____D C:\Users\simone\Desktop\frst
2013-11-14 11:40 - 2013-11-14 03:23 - 00073075 _____ C:\Windows\WindowsUpdate.log
2013-11-14 11:40 - 2012-11-14 11:26 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-14 11:30 - 2009-07-13 23:45 - 00034432 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-14 11:30 - 2009-07-13 23:45 - 00034432 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-14 11:29 - 2013-11-14 11:29 - 00003262 _____ C:\Users\simone\Desktop\RKreport[0]_S_11142013_112911.txt
2013-11-14 11:29 - 2013-11-14 11:27 - 00000000 ____D C:\Users\simone\Desktop\RK_Quarantine
2013-11-14 11:26 - 2013-11-14 11:26 - 04161024 _____ C:\Users\simone\Desktop\RogueKillerX64.exe
2013-11-14 11:16 - 2013-11-14 11:16 - 00000000 ____D C:\ProgramData\Oracle
2013-11-14 11:15 - 2013-11-14 11:15 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-11-14 11:15 - 2013-11-14 11:15 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-11-14 11:15 - 2013-11-14 11:15 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-11-14 11:15 - 2013-11-14 11:15 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-11-14 11:15 - 2013-11-14 11:15 - 00000000 ____D C:\ProgramData\Sun
2013-11-14 11:15 - 2013-11-14 11:15 - 00000000 ____D C:\Program Files (x86)\Java
2013-11-14 11:07 - 2013-11-14 11:07 - 00000000 ____D C:\ProgramData\McAfee
2013-11-14 11:06 - 2013-11-14 11:06 - 00915368 _____ (Oracle Corporation) C:\Users\simone\Downloads\jxpiinstall.exe
2013-11-14 11:05 - 2013-11-11 12:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-11-14 11:05 - 2013-08-22 02:10 - 00000000 ____D C:\Users\simone\AppData\Local\Mozilla
2013-11-14 11:05 - 2013-04-16 02:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-11-14 11:04 - 2013-09-20 14:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-14 10:05 - 2013-08-22 03:19 - 00007351 _____ C:\Users\simone\sslvpn-client.log
2013-11-14 10:05 - 2013-08-22 03:19 - 00001684 _____ C:\Users\simone\sslvpn-client-out-err.log
2013-11-14 10:05 - 2013-08-22 03:19 - 00000094 _____ C:\Users\simone\sslvpn-config.properties
2013-11-14 10:05 - 2013-08-22 01:44 - 00000000 ___RD C:\Users\simone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-11-14 10:05 - 2013-04-18 02:11 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.bak
2013-11-14 10:05 - 2013-04-18 02:11 - 00000000 _____ C:\Windows\system32\Drivers\etc\lmhosts.bak
2013-11-14 10:05 - 2013-04-18 02:09 - 00000235 _____ C:\Windows\SABRE.INI
2013-11-14 09:56 - 2009-07-14 00:13 - 00730448 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-14 09:55 - 2013-11-14 09:55 - 00021447 _____ C:\Users\simone\Desktop\dds.txt
2013-11-14 09:55 - 2013-11-14 09:55 - 00011455 _____ C:\Users\simone\Desktop\attach.txt
2013-11-14 09:52 - 2013-11-14 09:52 - 00688992 ____R (Swearware) C:\Users\simone\Desktop\dds.scr
2013-11-14 09:51 - 2013-11-08 15:26 - 00000672 _____ C:\Windows\setupact.log
2013-11-14 09:51 - 2012-11-14 11:26 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-14 09:51 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-14 09:45 - 2013-09-09 14:42 - 00003954 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D0673518-588E-4724-8A28-0AD8D5721D34}
2013-11-14 09:45 - 2013-08-22 03:26 - 00000000 ____D C:\Windows\system32\MRT
2013-11-14 08:50 - 2013-08-22 05:27 - 00000000 ____D C:\Program Files (x86)\Automatic Update
2013-11-14 03:20 - 2013-11-14 03:20 - 00001844 _____ C:\Windows\PFRO.log
2013-11-14 03:03 - 2013-04-17 07:18 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-14 03:02 - 2013-08-22 01:43 - 00000000 ____D C:\Users\simone
2013-11-14 03:01 - 2013-04-11 01:35 - 82896128 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-11-13 08:45 - 2013-08-23 11:39 - 00002194 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-11-08 15:26 - 2013-11-08 15:26 - 00000000 _____ C:\Windows\setuperr.log
2013-11-08 14:27 - 2013-11-08 14:27 - 00003162 _____ C:\Windows\System32\Tasks\JetCleanLoginCheckUpdate
2013-11-08 14:27 - 2013-11-08 14:27 - 00000000 ____D C:\Users\simone\AppData\Roaming\BlueSprig
2013-11-08 14:27 - 2013-11-08 14:27 - 00000000 ____D C:\Program Files\Instair
2013-11-08 14:27 - 2013-11-08 14:27 - 00000000 ____D C:\Program Files (x86)\BlueSprig
2013-11-08 13:44 - 2013-11-08 13:44 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-10-31 08:28 - 2013-10-31 08:28 - 00000000 ____D C:\Users\simone\AppData\Roaming\XulTest
2013-10-31 08:28 - 2013-10-31 08:28 - 00000000 ____D C:\Users\simone\AppData\Local\XulTest
2013-10-29 11:07 - 2013-10-29 11:07 - 00000000 ____D C:\Program Files (x86)\Acro Software
2013-10-29 11:06 - 2013-10-29 11:01 - 02003672 _____ (Acro Software Inc.                                          ) C:\Users\simone\Downloads\CuteWriter.exe
2013-10-28 10:47 - 2013-08-23 00:58 - 00000000 ____D C:\flights
2013-10-28 08:54 - 2012-11-14 11:31 - 00000000 ____D C:\ProgramData\Norton
2013-10-28 08:41 - 2013-08-28 23:55 - 00000000 ____D C:\Users\simone\AppData\Roaming\Ewoxgy
2013-10-28 08:33 - 2013-10-28 08:33 - 00001124 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-28 08:33 - 2013-10-28 08:33 - 00000000 ____D C:\Users\simone\AppData\Roaming\Malwarebytes
2013-10-28 08:33 - 2013-10-28 08:33 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-28 08:33 - 2013-10-28 08:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-25 16:13 - 2012-11-14 10:59 - 00000000 ____D C:\mfg
2013-10-24 09:55 - 2013-08-22 01:43 - 00000000 ____D C:\Users\simone\AppData\Roaming\Macromedia
2013-10-23 15:37 - 2013-09-23 09:59 - 00000000 __SHD C:\Users\simone\Documents\cache
2013-10-23 14:24 - 2013-10-29 11:07 - 00087600 _____ C:\Windows\system32\cpwmon64.dll
2013-10-23 14:13 - 2013-09-23 09:59 - 00000000 ____D C:\Users\simone\AppData\Roaming\webex
2013-10-23 08:10 - 2013-08-22 23:06 - 00000000 ____D C:\ldiag
2013-10-22 12:05 - 2013-08-22 05:30 - 00000000 ____D C:\Users\simone\AppData\Roaming\Amadeus
2013-10-21 14:26 - 2013-09-23 15:24 - 00000193 _____ C:\Windows\wordpad.INI
2013-10-16 07:35 - 2012-11-14 11:26 - 00003908 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-16 07:35 - 2012-11-14 11:26 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-15 13:00 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-10-15 10:22 - 2013-08-22 05:02 - 00000000 ____D C:\Users\simone\AppData\Roaming\TeamViewer

Some content of TEMP:
====================
C:\Users\freedesk\AppData\Local\Temp\JNISupport6583525498094114715.dll
C:\Users\freedesk\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\simone\AppData\Local\Temp\JNISupport9211336205669693426.dll
C:\Users\simone\AppData\Local\Temp\ntdll_dump.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-11-04 13:23

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-11-2013
Ran by simone at 2013-11-14 12:02:11
Running from C:\Users\simone\Desktop\frst
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

64 Bit HP BiDi Channel Components Installer (Version: 1.2.0.2)
Adobe AIR (x32 Version: 3.9.0.1030)
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.117)
Adobe Reader X (10.1.8) MUI (x32 Version: 10.1.8)
Amadeus NA Library (x32 Version: 2.0.0)
Amadeus RailKey Agent (x32 Version: 1.0.0.0)
Brother MFL-Pro Suite MFC-8460N (x32 Version: 1.0.0.0)
Burn.Now 4.5 (x32 Version: 4.5.0)
Cisco WebEx Meetings (x32)
Citrix Online Launcher (x32 Version: 1.0.122)
Corel Burn.Now Lenovo Edition (x32 Version: 4.5.0)
Corel DVD MovieFactory 7 (x32 Version: 7.0.0)
Corel DVD MovieFactory Lenovo Edition (x32 Version: 7.0.0)
Create Recovery Media (x32 Version: 1.20.0.00)
CutePDF Writer 3.0 (Version:  3.0)
D3DX10 (x32 Version: 15.4.2368.0902)
Direct DiscRecorder (x32 Version: 1.00.0000)
Evernote v. 4.2.3 (x32 Version: 4.2.3.15)
Google Chrome (x32 Version: 31.0.1650.48)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0)
Google Toolbar for Internet Explorer (x32 Version: 7.5.4601.54)
Google Update Helper (x32 Version: 1.3.21.165)
GoToMeeting 5.4.0.1082 (HKCU Version: 5.4.0.1082)
Intel AppUp(SM) center (x32 Version: 3.6.1.33057.10)
Intel® Control Center (x32 Version: 1.2.1.1007)
Intel® Management Engine Components (x32 Version: 8.0.0.1351)
Intel® OpenCL CPU Runtime (x32)
Intel® Processor Graphics (x32 Version: 9.17.10.2932)
Intel® Rapid Storage Technology (x32 Version: 11.1.0.1006)
Intel® Trusted Connect Service Client (Version: 1.23.216.0)
Java 7 Update 45 (x32 Version: 7.0.450)
Java Auto Updater (x32 Version: 2.1.9.8)
JetClean (x32 Version: 1.5.0)
Junk Mail filter update (x32 Version: 15.4.3502.0922)
Lenovo Patch Utility 64 bit (Version: 1.3.0.9)
Lenovo Patch Utility 64 bit (Version: 1.4.0.4)
Lenovo Registration (x32 Version: 1.0.4)
Lenovo SimpleTap (Version: 3.2.0004.00)
Lenovo Slim USB Keyboard (Version: 1.10)
Lenovo Solution Center (Version: 2.2.002.00)
Lenovo System Update (x32 Version: 5.02.0018)
Lenovo User Guide (x32 Version: 1.0.0008.00)
Lenovo Welcome (x32 Version: 3.1.0020.00)
Lotus Notes 8.5.2 (Basic) (x32 Version: 8.52.10222)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Mesh Runtime (x32 Version: 15.4.5722.2)
Message Center Plus (Version: 3.1.0004.00)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office (x32 Version: 14.0.6120.5004)
Microsoft Office 2007 Service Pack 3 (SP3) (x32)
Microsoft Office Access MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (x32 Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32)
Microsoft Office Publisher MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (x32 Version: 10.0.30319)
Mozilla Firefox 25.0 (x86 en-US) (x32 Version: 25.0)
Mozilla Maintenance Service (x32 Version: 25.0)
MSVCRT (x32 Version: 15.4.2862.0708)
MSVCRT_amd64 (x32 Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0)
MySabreScripts 1.0 (x32)
Nalpeiron License Management (x32 Version: 6.3.9.1)
Power Manager (x32 Version: 3.01.0006)
RapidBoot HDD Accelerator (x32 Version: 1.00.0802)
Realtek Ethernet Controller All-In-One Windows Driver (x32 Version: 1.12.0016)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6543)
Sabre VPN (HKCU)
SugarSync Manager (x32 Version: 1.9.61.90905)
TeamViewer 8 (x32 Version: 8.0.20202)
ThinkVantage Communications Utility (Version: 3.0.30.0)
Update for 2007 Microsoft Office System (KB967642) (x32)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (x32 Version: 3)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (x32)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (x32)
Update for Microsoft Office Access 2007 Help (KB963663) (x32)
Update for Microsoft Office Excel 2007 Help (KB963678) (x32)
Update for Microsoft Office Infopath 2007 Help (KB963662) (x32)
Update for Microsoft Office OneNote 2007 Help (KB963670) (x32)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (x32)
Update for Microsoft Office Outlook 2007 Help (KB963677) (x32)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2825642) 32-Bit Edition (x32)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (x32)
Update for Microsoft Office Publisher 2007 Help (KB963667) (x32)
Update for Microsoft Office Script Editor Help (KB963671) (x32)
Update for Microsoft Office Word 2007 Help (KB963665) (x32)
View Management Utility (Version: 3.0.12.0329)
View Management Utility (x32 Version: 3.0.12.0329)
VIP Access (x32 Version: 2.0.5.13)
VPNPatch_
Windows Driver Package - Intel Corporation (igfx) Display  (03/19/2012 8.15.10.2696) (Version: 03/19/2012 8.15.10.2696)
Windows Driver Package - Intel hdc  (09/10/2010 9.2.0.1011) (Version: 09/10/2010 9.2.0.1011)
Windows Driver Package - Intel System  (08/26/2011 9.3.0.1011) (Version: 08/26/2011 9.3.0.1011)
Windows Driver Package - Intel System  (09/10/2010 9.2.0.1011) (Version: 09/10/2010 9.2.0.1011)
Windows Driver Package - Intel System  (11/20/2010 9.2.0.1016) (Version: 11/20/2010 9.2.0.1016)
Windows Driver Package - Intel USB  (12/21/2010 9.2.0.1021) (Version: 12/21/2010 9.2.0.1021)
Windows Driver Package - Realtek (RTL8167) Net  (11/23/2011 7.050.1123.2011) (Version: 11/23/2011 7.050.1123.2011)
Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (01/03/2012 6.0.1.6543) (Version: 01/03/2012 6.0.1.6543)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (x32 Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Mail (x32 Version: 15.4.3502.0922)
Windows Live Mesh (x32 Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (x32 Version: 15.4.5722.2)
Windows Live Messenger (x32 Version: 15.4.3538.0513)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922)
Windows Live Photo Common (x32 Version: 15.4.3502.0922)
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922)
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (x32 Version: 15.4.3502.0922)
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922)
Windows Live UX Platform (x32 Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109)
Windows Live Writer (x32 Version: 15.4.3502.0922)
Windows Live Writer Resources (x32 Version: 15.4.3502.0922)

==================== Restore Points  =========================

28-10-2013 18:40:37 Scheduled Checkpoint
30-10-2013 12:39:26 Windows Update
05-11-2013 13:40:48 Windows Update
08-11-2013 19:04:21 Malwarebytes Anti-Rootkit Restore Point
12-11-2013 09:33:07 Windows Update
14-11-2013 08:00:23 Windows Update
14-11-2013 16:14:57 Installed Java 7 Update 45

==================== Hosts content: ==========================

2009-07-13 21:34 - 2013-11-14 10:05 - 00003085 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.34 ofep34.sabre.com # Nortel SSL-VPN
127.0.0.23 ofep23.sabre.com # Nortel SSL-VPN
127.0.0.12 ofep12.sabre.com # Nortel SSL-VPN
127.0.0.36 fos.sabre.com # Nortel SSL-VPN
127.0.0.8 ofep08.sabre.com # Nortel SSL-VPN
127.0.0.19 ofep19.sabre.com # Nortel SSL-VPN
127.0.0.21 ofep21.sabre.com # Nortel SSL-VPN
127.0.0.32 ofep32.sabre.com # Nortel SSL-VPN
127.0.0.1 res.sabre.com # Nortel SSL-VPN
127.0.0.44 access.certd.sabre.com # Nortel SSL-VPN
127.0.0.36 frt.sabre.com # Nortel SSL-VPN
127.0.0.10 ofep10.sabre.com # Nortel SSL-VPN
127.0.0.28 ofep28.sabre.com # Nortel SSL-VPN
127.0.0.17 ofep17.sabre.com # Nortel SSL-VPN
127.0.0.30 ofep30.sabre.com # Nortel SSL-VPN
127.0.0.6 ofep06.sabre.com # Nortel SSL-VPN
127.0.0.41 access.tstsa.sabre.com # Nortel SSL-VPN
127.0.0.26 ofep26.sabre.com # Nortel SSL-VPN
127.0.0.1 hsspconfig.sabre.com # Nortel SSL-VPN
127.0.0.15 ofep15.sabre.com # Nortel SSL-VPN
127.0.0.4 ofep04.sabre.com # Nortel SSL-VPN
127.0.0.35 ofep35.sabre.com # Nortel SSL-VPN
127.0.0.24 ofep24.sabre.com # Nortel SSL-VPN
127.0.0.37 lb1.sabre.com # Nortel SSL-VPN
127.0.0.13 ofep13.sabre.com # Nortel SSL-VPN
127.0.0.39 tsts.sabre.com # Nortel SSL-VPN
127.0.0.1 access.sabre.com # Nortel SSL-VPN
127.0.0.39 access.tsts.sabre.com # Nortel SSL-VPN
127.0.0.33 ofep33.sabre.com # Nortel SSL-VPN

There are 19 more lines.

==================== Scheduled Tasks (whitelisted) =============

Task: {0CE011D6-96F1-4868-BB9D-A3FFA70DF2E2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-14] (Google Inc.)
Task: {10E48C83-881E-432E-A513-062DC0DC3DBD} - System32\Tasks\TVT\TVSUUpdateTask => C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe [2013-06-26] ()
Task: {19CA79E3-5B47-441B-A541-7E84E69684BF} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCService.exe [2013-08-08] (Lenovo)
Task: {284DC7C4-69DB-4034-91AB-6F44CBA73B89} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2013-08-08] ()
Task: {30E40443-4D73-4A5F-A5FF-EBCE5A48F1A0} - System32\Tasks\PMTask => C:\Program Files (x86)\Lenovo\PowerMgr\PWMIDTSV.exe [2013-04-24] (Lenovo Group Limited)
Task: {35C4E030-C222-443C-913A-6193AB878DCC} - System32\Tasks\Lenovo\SimpleTap\Start SimpleTap for freedesk-THINK.simone => C:\Program Files\Lenovo\SimpleTap\SimpleTap.exe [2012-05-15] (Lenovo)
Task: {45678B38-8255-4D4A-8DB3-05C71A1FE28D} - System32\Tasks\Microsoft\Windows\PLA\LSC Memory => C:\Windows\System32\pla.dll [2010-11-20] (Microsoft Corporation)
Task: {6E037E1F-B42F-4F53-8533-A8B76DA5AEF1} - System32\Tasks\JetCleanLoginCheckUpdate => C:\Program Files (x86)\BlueSprig\JetClean\AutoUpdate.exe [2013-05-14] (BlueSprig)
Task: {7B29C05F-392D-4AE5-9838-8C33FF2B1983} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-14] (Google Inc.)
Task: {91F52D62-30B2-488F-A904-1F12367E80BD} - System32\Tasks\MCP => C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe [2012-05-15] (Lenovo)
Task: {B7974F13-7661-42E1-8666-AB07234288FE} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2013-08-08] (Lenovo)
Task: {C1649A3E-2EDF-41DF-B411-8A5C9FC80653} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-09] (Adobe Systems Incorporated)
Task: {F3CC05E8-6A85-48EF-826F-FEAB1756BE50} - System32\Tasks\Lenovo\Message Center Plus Launcher => C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe [2012-05-15] (Lenovo)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-11-14 11:01 - 2012-03-19 02:09 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-09-18 07:08 - 2013-04-24 08:23 - 00035656 _____ () C:\Program Files (x86)\Lenovo\PowerMgr\US\PWMRT64V.DLL
2012-11-14 11:24 - 2012-01-17 01:29 - 00030512 _____ () C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBServiceps.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00891392 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtNetwork4.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 02281984 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtCore4.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00322048 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\log4cplus.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00339456 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtXml4.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00400384 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\sqlite3.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00016896 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\featureController.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00062976 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\osEvents.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00195584 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\libgsoap.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00062464 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\zlib1.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00446976 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\deviceProfile.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00019456 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\eventsSender.dll
2012-11-14 11:27 - 2012-07-12 07:59 - 00062976 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\serviceManagerStarter.dll
2013-08-23 02:44 - 2009-02-27 18:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2013-09-17 09:46 - 2013-09-17 09:46 - 00172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\67f2d87ba056e1075fce76a8c50bb57e\IsdiInterop.ni.dll
2012-11-14 11:14 - 2012-02-01 19:25 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2012-11-14 11:13 - 2011-12-15 21:39 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2013-08-22 03:19 - 2013-08-22 03:19 - 00053248 _____ () C:\Users\simone\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1587a8fe-4b0a3a72-n\TrayMon.dll
2013-11-14 10:05 - 2013-11-14 10:05 - 00057344 _____ () C:\Users\simone\AppData\Local\Temp\JNISupport9211336205669693426.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Windows:nlsPreferences

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (11/14/2013 09:51:31 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/14/2013 03:22:07 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/14/2013 03:00:34 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Exception code: 0xc0000005
Fault offset: 0x0000cef6
Faulting process id: 0x9f14
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (11/12/2013 10:40:25 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Exception code: 0xc0000005
Fault offset: 0x0000cef6
Faulting process id: 0x1f54
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (11/11/2013 09:13:05 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Exception code: 0xc0000005
Fault offset: 0x000049ea
Faulting process id: 0xd38
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (11/08/2013 02:06:17 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/08/2013 01:43:18 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/08/2013 01:29:41 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/06/2013 09:48:37 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x5228e13b
Exception code: 0xc0000005
Fault offset: 0x0000cef6
Faulting process id: 0x948
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (11/05/2013 08:49:51 AM) (Source: Application Hang) (User: )
Description: The program NLNOTES.EXE version 8.5.23.11191 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 10d8

Start Time: 01ceda2c4b152d75

Termination Time: 16

Application Path: C:\Program Files (x86)\IBM\Lotus\Notes\NLNOTES.EXE

Report Id: 1e384695-4621-11e3-9539-d43d7e5f8ef5

System errors:
=============
Error: (11/14/2013 09:51:30 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/14/2013 09:51:07 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain TEXNT2000 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.


ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (11/14/2013 08:30:46 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain TEXNT2000 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (11/14/2013 03:21:28 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/14/2013 03:20:48 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain TEXNT2000 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (11/14/2013 03:19:08 AM) (Source: DCOM) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (11/14/2013 03:00:11 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Power Manager DBC Service service.

Error: (11/14/2013 03:00:12 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain TEXNT2000 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (11/13/2013 00:32:57 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain TEXNT2000 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (11/13/2013 10:30:31 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 38%
Total physical RAM: 3917.78 MB
Available physical RAM: 2407.8 MB
Total Pagefile: 7833.74 MB
Available Pagefile: 6180.29 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive c: (Windows7_OS) (Fixed) (Total:445.06 GB) (Free:401.48 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive q: (Lenovo_Recovery) (Fixed) (Total:19.53 GB) (Free:9.66 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 7CD025F7)
Partition 1: (Active) - (Size=1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=445 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=20 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Let's clean out any adware/spyware now: (this will require a reboot, so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":


  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


Here's the log after cleaning with adwcleaner

 

# AdwCleaner v3.012 - Report created 14/11/2013 at 12:58:33
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : simone - FREEDESK-THINK
# Running from : C:\Users\simone\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Partner

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736

-\\ Mozilla Firefox v25.0 (en-US)

[ File : C:\Users\freedesk\AppData\Roaming\Mozilla\Firefox\Profiles\s04ybm38.default\prefs.js ]

[ File : C:\Users\simone\AppData\Roaming\Mozilla\Firefox\Profiles\tnib2p0f.default\prefs.js ]

-\\ Google Chrome v31.0.1650.48

[ File : C:\Users\freedesk\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1423 octets] - [14/11/2013 12:53:57]
AdwCleaner[s0].txt - [1356 octets] - [14/11/2013 12:58:33]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1416 octets] ##########

 

Malwarebytes log

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.14.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
simone :: FREEDESK-THINK [administrator]

Protection: Enabled

11/14/2013 1:02:13 PM
mbam-log-2013-11-14 (13-02-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232359
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} (Adware.ISeekDeals) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} (Adware.ISeekDeals) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Sorry I forgot to post the log.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-11-2013
Ran by simone at 2013-11-14 12:26:59 Run:1
Running from C:\Users\simone\Desktop\frst
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
BHO-x32: Instair - {0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} - C:\Program Files\Instair\Instair.dll ()
HKU\Default\...\RunOnce: [] - [x]
HKU\Default User\...\RunOnce: [] - [x]
FF Extension: Instair - C:\Users\simone\AppData\Roaming\Mozilla\Firefox\Profiles\tnib2p0f.default\Extensions\contact@instair.net
CHR HKLM-x32\...\Chrome\Extension: [caodggjhipefhiblmgbchfkehoofabbh] - C:\Program Files\Instair\Instair.crx
CHR Extension: (Instair) - C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\caodggjhipefhiblmgbchfkehoofabbh\1.1.1_0
C:\Program Files\Instair

*****************

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0D778FDC-FAD7-4B1D-AB88-7A76A562D65C} => Key deleted successfully.
HKU\Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => Value deleted successfully.
HKU\Default User\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => Value not found.
C:\Users\simone\AppData\Roaming\Mozilla\Firefox\Profiles\tnib2p0f.default\Extensions\contact@instair.net => Moved successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\caodggjhipefhiblmgbchfkehoofabbh => Key deleted successfully.
C:\Program Files\Instair\Instair.crx => Moved successfully.
C:\Users\simone\AppData\Local\Google\Chrome\User Data\Default\Extensions\caodggjhipefhiblmgbchfkehoofabbh => Moved successfully.
C:\Program Files\Instair => Moved successfully.

==== End of Fixlog ====

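As an added example that is not part of the original thread (and not code from FRST, AdwCleaner or Malwarebytes): a read-only PowerShell audit of the three persistence points the Fixlog above shows Instair using (an IE Browser Helper Object, a Chrome extension pushed through the registry, and an extension dropped into the Firefox profile). The function name is made up here; the registry paths are the ones in the Fixlog plus their 64-bit counterparts, and the two flagged identifiers are taken from the Fixlog.

```powershell
# Added example, not from the thread: list browser add-on persistence locations
# and flag the identifiers seen in this thread's Fixlog. Read-only; run in an
# elevated PowerShell on the machine being checked.
$KnownBadIds = @(
    '{0D778FDC-FAD7-4B1D-AB88-7A76A562D65C}',   # Instair BHO CLSID (from the Fixlog)
    'caodggjhipefhiblmgbchfkehoofabbh'           # Instair Chrome extension id (from the Fixlog)
)

function Get-BrowserAddOnPersistence {   # hypothetical name, defined here
    $findings = @()

    # 1. Internet Explorer Browser Helper Objects. Each subkey is a CLSID; the DLL
    #    IE loads is the default value of that CLSID's InprocServer32 key. Both the
    #    native and the Wow6432Node (32-bit) views are checked.
    $bhoViews = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
    )
    foreach ($view in $bhoViews) {
        if (-not (Test-Path $view.Bho)) { continue }
        foreach ($key in Get-ChildItem $view.Bho) {
            $clsid = $key.PSChildName
            $name  = (Get-ItemProperty "$($view.Clsid)\$clsid" -ErrorAction SilentlyContinue).'(default)'
            $dll   = (Get-ItemProperty "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            # An unsigned DLL, or one outside Program Files, is worth a closer look.
            $sig   = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'file missing' }
            $findings += [pscustomobject]@{ Kind = 'IE BHO'; Id = $clsid; Name = $name; Path = $dll; Signature = $sig }
        }
    }

    # 2. Chrome extensions installed through the registry: one subkey per
    #    extension id, holding either a local .crx path plus version or an update_url.
    foreach ($root in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                      'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            $source = if ($p.path) { $p.path } else { $p.update_url }
            $findings += [pscustomobject]@{ Kind = 'Chrome ext (registry)'; Id = $key.PSChildName
                                            Name = $null; Path = $source; Signature = 'n/a' }
        }
    }

    # 3. Firefox extensions present in any user's profile directory.
    $ffGlob = Join-Path $env:SystemDrive 'Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions\*'
    foreach ($item in Get-ChildItem $ffGlob -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Kind = 'Firefox ext'; Id = $item.Name; Name = $null
                                        Path = $item.FullName; Signature = 'n/a' }
    }

    # Mark anything matching the identifiers from this thread.
    foreach ($f in $findings) {
        $f | Add-Member -NotePropertyName KnownBad -NotePropertyValue ($KnownBadIds -contains $f.Id)
    }
    return $findings
}

Get-BrowserAddOnPersistence | Sort-Object KnownBad -Descending | Format-Table -AutoSize
```

Run it before and after a cleanup: on the machine in this thread it would have listed the Instair CLSID with its DLL path and the Chrome key pointing at Instair.crx, and an empty result afterwards confirms the Fixlog's deletions took effect.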

OK, I want to run some additional scans because of your ISP saying that my IP is sending out malicious emails:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.


  • Put a checkmark beside loaded modules.


  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.


  • Click the Start Scan button.


  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.


    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.


    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC


OK...Clean, Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":


Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Looks Good, that's all the scans for malware I want to run.

If everything is OK......

Let's check your computer's security before you go; we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Logs for Security Check.

 

Results of screen317's Security Check version 0.99.77 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 45 
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
 Mozilla Firefox (25.0)
 Google Chrome 30.0.1599.101 
 Google Chrome 31.0.1650.48 
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adobe Reader 10.1.8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner > just run the program and click Uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
