FrankJaeger Posted April 3, 2014 ID:812587 Share Posted April 3, 2014 Greetings, My MBAM flagged user32.dll as a threat but I didn't want to delete it since it seems like an integral system file Cheers, Frank Logs: DDS (Ver_2012-11-20.01) - NTFS_AMD64Internet Explorer: BrowserJavaVersion: 10.51.2Run by Win at 2:10:13 on 2014-04-03Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.16268.11911 [GMT 1:00].AV: Kaspersky Anti-Virus *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}SP: Kaspersky Anti-Virus *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\system32\atiesrxx.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\atieclxx.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exeC:\Program Files\ASRock\XFast LAN\spd.exeC:\Program Files\Intel\iCLS Client\HeciServer.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Windows\SysWOW64\PnkBstrA.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exeC:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exeC:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exeC:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exeC:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exeC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\taskhost.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\System32\igfxpers.exeC:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeC:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Windows\System32\StikyNot.exeC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exeC:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exeC:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeC:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exeC:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exeC:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Program Files (x86)\Windows Live\Contacts\wlcomm.exeC:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exeC:\Program Files\CPUID\HWMonitor\HWMonitor.exeC:\Program Files (x86)\Windows Live\Mail\wlmail.exeC:\Users\Win\AppData\Roaming\uTorrent\uTorrent.exeC:\Program Files (x86)\Internet Explorer\IELowutil.exeC:\Program Files (x86)\Mozilla Firefox\firefox.exeC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exeC:\Windows\system32\notepad.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\System32\mobsync.exeC:\Windows\SysWOW64\DllHost.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\System32\cscript.exe.============== Pseudo HJT Report ===============.mWinlogon: Userinit = userinit.exe,BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dllBHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dllBHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dllBHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllBHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\OnlineBanking\online_banking_bho.dllBHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dllBHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\UrlAdvisor\klwtbbho.dlluRun: [ASRockXTU] <no file>mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exemRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunmRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe"mRun: [AdobeCEPServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" -launchedbyloginmRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"mRun: [ContentTransferWMDetector.exe] C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exedRunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601mPolicies-Explorer: NoActiveDesktop = dword:1mPolicies-Explorer: NoActiveDesktopChanges = dword:1mPolicies-System: ConsentPromptBehaviorAdmin = dword:5mPolicies-System: ConsentPromptBehaviorUser = dword:3mPolicies-System: EnableUIADesktopToggle = dword:0IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dllIE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\UrlAdvisor\klwtbbho.dllTCP: NameServer = 194.168.4.100 194.168.8.100TCP: Interfaces\{EEC8F26E-177A-47FC-A71A-1AC89A558E61} : DHCPNameServer = 194.168.4.100 194.168.8.100TCP: Interfaces\{EEC8F26E-177A-47FC-A71A-1AC89A558E61}\244575966496 : DHCPNameServer = 192.168.22.22 192.168.22.23TCP: Interfaces\{EEC8F26E-177A-47FC-A71A-1AC89A558E61}\244575966496D277964786D264F4E4 : DHCPNameServer = 192.168.22.22 192.168.22.23TCP: Interfaces\{EEC8F26E-177A-47FC-A71A-1AC89A558E61}\4514C4B44514C4B4D2231324133303 : DHCPNameServer = 192.168.1.1 192.168.1.1TCP: Interfaces\{EEC8F26E-177A-47FC-A71A-1AC89A558E61}\6796277696E6D65646961633235363236373 : DHCPNameServer = 194.168.4.100 194.168.8.100AppInit_DLLs= C:\Windows\SysWOW64\appinit_dll.dllSSODL: WebCheck - <orphaned>x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dllx64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dllx64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllx64-BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\OnlineBanking\online_banking_bho.dllx64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\UrlAdvisor\klwtbbho.dllx64-Run: [igfxTray] C:\Windows\System32\igfxtray.exex64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exex64-Run: [Persistence] C:\Windows\System32\igfxpers.exex64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetchx64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -sx64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dllx64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\UrlAdvisor\klwtbbho.dllx64-Notify: igfxcui - igfxdev.dllx64-SSODL: WebCheck - <orphaned>Hosts: 127.0.0.1 validation.sls.microsoft.com.================= FIREFOX ===================.FF - ProfilePath - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dllFF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dllFF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dllFF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dllFF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dllFF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dllFF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dllFF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dllFF - plugin: C:\Users\Win\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dllFF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll.============= SERVICES / DRIVERS ===============.R0 asahci64;asahci64;C:\Windows\System32\drivers\asahci64.sys [2011-9-21 49760]R0 AsrRamDisk;AsrRamDisk;C:\Windows\System32\drivers\AsrRamDisk.sys [2013-6-10 31016]R0 fltsrv;Acronis Storage Filter Management;C:\Windows\System32\drivers\fltsrv.sys [2014-1-25 116000]R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-6-10 16152]R0 tib;Acronis TIB Manager;C:\Windows\System32\drivers\tib.sys [2014-1-25 1120032]R0 tib_mounter;Acronis TIB Mounter;C:\Windows\System32\drivers\tib_mounter.sys [2014-1-25 183224]R0 vididr;Acronis Virtual Disk;C:\Windows\System32\drivers\vididr.sys [2014-1-25 161568]R0 vidsflt;Acronis Disk Storage Filter;C:\Windows\System32\drivers\vidsflt.sys [2014-1-25 117024]R1 AsrAppCharger;AsrAppCharger;C:\Windows\System32\drivers\AsrAppCharger.sys [2013-6-10 17192]R1 FNETURPX;FNETURPX;C:\Windows\System32\drivers\FNETURPX.SYS [2013-6-10 15936]R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2012-8-2 29792]R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2013-1-14 54368]R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2012-8-13 178448]R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-3-29 241152]R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-6-10 13592]R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2013-2-13 731648]R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2013-6-10 131544]R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-6-10 169432]R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-8-11 418376]R3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2014-1-25 367200]R3 athur;Wireless Network Adapter Service;C:\Windows\System32\drivers\athurx.sys [2013-6-12 1918976]R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-2-14 96768]R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2013-6-10 59392]R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2013-6-10 84608]R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-6-10 331264]R3 ISCT;Intel® Smart Connect Technology Device Driver;C:\Windows\System32\drivers\ISCTD64.sys [2013-1-19 46568]R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-6-10 356120]R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-6-10 787736]R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-5-9 425000]R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\Windows\System32\drivers\klkbdflt.sys [2013-1-14 29280]R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2013-1-14 29280]R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-8-11 25928]R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2013-9-16 32344]R3 VirtuWDDM;VirtuWDDM;C:\Windows\System32\drivers\VirtuWDDM.sys [2014-2-5 75592]R4 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2014-1-25 3873784]R4 syncagentsrv;Acronis Sync Agent Service;C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [2013-8-21 9735112]S2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe [2013-1-14 356128]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-8-11 701512]S3 FNETTBOH_305;FNETTBOH_305;C:\Windows\System32\drivers\FNETTBOH_305.SYS [2013-6-12 32320]S3 ikbevent;Intel Upper keyboard Class Filter Driver;C:\Windows\System32\drivers\ikbevent.sys [2012-2-9 25536]S3 imsevent;Intel Upper Mouse Class Filter Driver;C:\Windows\System32\drivers\imsevent.sys [2012-2-9 25536]S3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2013-2-13 820184]S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-10-14 121416]S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-6-22 19456]S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2014-3-14 31800]S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-2-13 56832]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-6-10 1255736].=============== Created Last 30 ================.2014-03-31 21:58:06 -------- d-----w- C:\Program Files (x86)\Elaborate Bytes2014-03-17 20:27:21 -------- d-----w- C:\Program Files (x86)\Common Files\Sony Shared2014-03-14 13:40:35 -------- d-----w- C:\Users\Win\AppData\Local\VS Revo Group2014-03-14 13:40:31 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys2014-03-14 13:40:31 -------- d-----w- C:\ProgramData\VS Revo Group2014-03-14 13:40:30 -------- d-----w- C:\Program Files\VS Revo Group2014-03-12 18:33:18 484864 ----a-w- C:\Windows\System32\wer.dll2014-03-12 18:33:18 381440 ----a-w- C:\Windows\SysWow64\wer.dll2014-03-12 18:33:17 624128 ----a-w- C:\Windows\System32\qedit.dll2014-03-12 18:33:17 509440 ----a-w- C:\Windows\SysWow64\qedit.dll2014-03-12 18:33:17 3156480 ----a-w- C:\Windows\System32\win32k.sys2014-03-12 18:33:17 228864 ----a-w- C:\Windows\System32\wwansvc.dll2014-03-12 18:32:54 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll2014-03-12 18:32:54 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll.==================== Find3M ====================.2014-03-18 21:23:00 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2014-03-18 21:23:00 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe2014-02-18 22:47:41 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll2014-02-01 09:19:49 2241536 ----a-w- C:\Windows\System32\wininet.dll2014-02-01 09:18:25 3960320 ----a-w- C:\Windows\System32\jscript9.dll2014-02-01 09:18:21 67072 ----a-w- C:\Windows\System32\iesetup.dll2014-02-01 09:18:21 136704 ----a-w- C:\Windows\System32\iesysprep.dll2014-02-01 07:58:31 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll2014-02-01 07:57:20 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll2014-02-01 07:57:16 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll2014-02-01 07:57:16 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll2014-02-01 07:40:43 2706432 ----a-w- C:\Windows\System32\mshtml.tlb2014-02-01 07:34:53 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb2014-01-25 22:21:44 367200 ----a-w- C:\Windows\System32\drivers\afcdp.sys2014-01-25 22:21:42 1464096 ----a-w- C:\Windows\System32\drivers\tdrpman.sys2014-01-25 22:21:41 183224 ----a-w- C:\Windows\System32\drivers\tib_mounter.sys2014-01-25 22:21:41 1120032 ----a-w- C:\Windows\System32\drivers\tib.sys2014-01-25 22:21:38 161568 ----a-w- C:\Windows\System32\drivers\vididr.sys2014-01-25 22:21:36 269600 ----a-w- C:\Windows\System32\drivers\snapman.sys2014-01-25 22:21:36 117024 ----a-w- C:\Windows\System32\drivers\vidsflt.sys2014-01-25 22:21:35 116000 ----a-w- C:\Windows\System32\drivers\fltsrv.sys2014-01-09 02:22:42 5694464 ----a-w- C:\Windows\SysWow64\mstscax.dll2014-01-03 22:44:58 6574592 ----a-w- C:\Windows\System32\mstscax.dll.============= FINISH: 2:10:28.72 =============== .UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows 7 UltimateBoot Device: \Device\HarddiskVolume1Install Date: 10/06/2013 13:42:57System Uptime: 02/04/2014 06:29:12 (20 hours ago).Motherboard: ASRock | | Z77 Extreme6Processor: Intel® Core i5-3570K CPU @ 3.40GHz | CPUSocket | 3401/100mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 931 GiB total, 156.204 GiB free.D: is CDROM ().==== Disabled Device Manager Items =============.Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}Description: A0NYK206 IDE ControllerDevice ID: ACPI\PNPA000\4&5D18F2DF&0Manufacturer: (Standard mass storage controllers)Name: A0NYK206 IDE ControllerPNP Device ID: ACPI\PNPA000\4&5D18F2DF&0Service: anewdz9q.==== System Restore Points ===================.RP164: 31/03/2014 22:58:13 - Device Driver Package Install: Elaborate Bytes AG Storage controllersRP166: 31/03/2014 23:00:45 - Revo Uninstaller Pro's restore point - Fraps (remove only)RP168: 02/04/2014 17:28:10 - Revo Uninstaller Pro's restore point -.==== Installed Programs ======================.7-Zip 9.20 (x64 edition)Acrobat.comAcronis True Image 2014Adobe AIRAdobe Flash Player 12 PluginAdobe Photoshop CS6Adobe Premiere Pro CCAdobe Reader XI (11.0.06)Adobe Update Management ToolAge of Empires II: HD EditionAge of Empires® III: Complete CollectionAMD Accelerated Video TranscodingAMD APP SDK RuntimeAMD Catalyst Install ManagerAMD Drag and Drop TranscodingAMD Media Foundation DecodersAsmedia ASM106x SATA Host Controller DriverASRock App Charger v1.0.6ASRock eXtreme Tuner v0.1.183ASRock InstantBoot v1.29ASRock Restart to UEFI v1.0.1ASRock XFast RAM v2.0.9µTorrentAudacity 2.0.5Broadcom NetLink ControllerCatalyst Control CenterCatalyst Control Center - BrandingCatalyst Control Center Graphics Previews CommonCatalyst Control Center InstallProxyCatalyst Control Center Localization Allccc-utility64CCC Help Chinese StandardCCC Help Chinese TraditionalCCC Help CzechCCC Help DanishCCC Help DutchCCC Help EnglishCCC Help FinnishCCC Help FrenchCCC Help GermanCCC Help GreekCCC Help HungarianCCC Help ItalianCCC Help JapaneseCCC Help KoreanCCC Help NorwegianCCC Help PolishCCC Help PortugueseCCC Help RussianCCC Help SpanishCCC Help SwedishCCC Help ThaiCCC Help TurkishCCleanerCloneCDContent TransferCPUID HWMonitor 1.24D3DX10DefragglerEmpire EarthEtron USB3.0 Host ControllerFLAC 1.2.1b (remove only)foobar2000 v1.3.1GameRangerGeeks3D.com FurMark 1.9.2HandBrake 0.9.9.1ImgBurnIntel® Control CenterIntel® Manageability Engine Firmware Recovery AgentIntel® Management Engine ComponentsIntel® OpenCL CPU RuntimeIntel® Processor GraphicsIntel® Rapid Storage TechnologyIntel® USB 3.0 eXtensible Host Controller DriverIntel® Trusted Connect Service ClientJava 7 Update 51Java Auto UpdaterJunk Mail filter updateKaspersky Anti-Virus 2013LAME v3.99.3 (for Windows)Live 8.2.2Malwarebytes Anti-Malware version 1.75.0.1300Microsoft .NET Framework 1.1Microsoft .NET Framework 4.5.1Microsoft Age of Empires IIMicrosoft Age of Empires II: The Conquerors ExpansionMicrosoft Application Error ReportingMicrosoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)Microsoft Office 2007 Service Pack 3 (SP3)Microsoft Office Access MUI (English) 2007Microsoft Office Access Setup Metadata MUI (English) 2007Microsoft Office Enterprise 2007Microsoft Office Excel MUI (English) 2007Microsoft Office Groove MUI (English) 2007Microsoft Office Groove Setup Metadata MUI (English) 2007Microsoft Office InfoPath MUI (English) 2007Microsoft Office Office 64-bit Components 2007Microsoft Office OneNote MUI (English) 2007Microsoft Office Outlook MUI (English) 2007Microsoft Office PowerPoint MUI (English) 2007Microsoft Office Proof (English) 2007Microsoft Office Proof (French) 2007Microsoft Office Proof (Spanish) 2007Microsoft Office Proofing (English) 2007Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)Microsoft Office Publisher MUI (English) 2007Microsoft Office Shared 64-bit MUI (English) 2007Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007Microsoft Office Shared MUI (English) 2007Microsoft Office Shared Setup Metadata MUI (English) 2007Microsoft Office Word MUI (English) 2007Microsoft SilverlightMicrosoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2005 Redistributable (x64)Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610Microsoft Visual J# .NET Redistributable Package 1.1Microsoft_VC80_CRT_x86Microsoft_VC90_CRT_x86Monkey's AudioMotioninJoy Gamepad tool 0.7.1001Mozilla Firefox 28.0 (x86 en-US)Mozilla Maintenance ServiceMp3tag v2.57MpcStar 5.4MSVCRTMSVCRT_amd64MSVCRT110MSVCRT110_amd64NeoEE_Open TestOCCT 4.4.0OriginPDF Settings CS6PFPortChecker 1.0.39Photo CommonPunkBuster ServicesRealtek High Definition Audio DriverRevo Uninstaller Pro 3.0.8Rising Storm BetaRising Storm/Red Orchestra 2 MultiplayerRosetta Stone Version 3Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596666) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596785) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2596856) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2598041) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2760415) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2760585) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2760591) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2817641) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2827326) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2837615) 32-Bit EditionSecurity Update for Microsoft Office 2007 suites (KB2850022) 32-Bit EditionSecurity Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit EditionSecurity Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit EditionSecurity Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit EditionSecurity Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit EditionSecurity Update for Microsoft Office Word 2007 (KB2837617) 32-Bit EditionSpotifySteamTeamSpeak 3 ClientThe Elder Scrolls Online BetaTigerGame Superjoy Box SeriesTotal War: ROME IITP-LINK TL-WN821N_WN822N DriverTwin USB Vibration GamepadUnity Web PlayerUpdate for 2007 Microsoft Office System (KB967642)Update for Microsoft Office 2007 Help for Common Features (KB963673)Update for Microsoft Office 2007 suites (KB2596651) 32-Bit EditionUpdate for Microsoft Office 2007 suites (KB2767916) 32-Bit EditionUpdate for Microsoft Office Access 2007 Help (KB963663)Update for Microsoft Office Excel 2007 Help (KB963678)Update for Microsoft Office Infopath 2007 Help (KB963662)Update for Microsoft Office OneNote 2007 Help (KB963670)Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit EditionUpdate for Microsoft Office Outlook 2007 Help (KB963677)Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2850085) 32-Bit EditionUpdate for Microsoft Office Powerpoint 2007 Help (KB963669)Update for Microsoft Office Publisher 2007 Help (KB963667)Update for Microsoft Office Script Editor Help (KB963671)Update for Microsoft Office Word 2007 Help (KB963665)UserTesting.com Recorder PluginVIRTU MVP 2.1.114VirtualCloneDriveVisual Studio 2010 x64 RedistributablesWindows Live Communications PlatformWindows Live EssentialsWindows Live ID Sign-in AssistantWindows Live InstallerWindows Live MailWindows Live MIME IFilterWindows Live Photo CommonWindows Live PIMT PlatformWindows Live SOXEWindows Live SOXE DefinitionsWindows Live UX PlatformWindows Live UX Platform Language PackWindows Live WriterWindows Live Writer ResourcesWinPcap 4.1.3XFast LAN v6.61XFastUSB.==== Event Viewer Messages From Past Week ========.02/04/2014 12:21:24, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached whilewaiting for a transaction response from the afcdpsrv service.01/04/2014 23:06:10, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failedto start. Module Path: C:\Windows\system32\athExt.dll Error Code: 12601/04/2014 13:14:13, Error: Service Control Manager [7043] - The Acronis Sync Agent Service service did notshut down properly after receiving a preshutdown control..==== End Of File =========================== Link to post Share on other sites More sharing options...
MrCharlie Posted April 3, 2014 ID:812596 Share Posted April 3, 2014 Welcome to the forum. Please run a Quick Scan with Malwarebytes like this: Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal. Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report. Make sure that everything is checked, and click Remove Selected. If you're using Malwarebytes 2.0, please run a Threat Scan Then....... Please download and run RogueKiller 32 bit to your desktop. RogueKiller<---use this one for 64 bit systems Which system am I using? Quit all running programs. For Windows XP, double-click to start. For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run. Click Scan to scan the system. When the scan completes > Close out the program > Don't Fix anything! Don't run any other options, they're not all bad!!!!!!! Post back the report which should be located on your desktop. (please don't put logs in code or quotes and use the default font) MrC Note: Please read all of my instructions completely including these. Make sure system restore is turned on and running. Create a new restore point Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive <+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you. <+>The removal of malware isn't instantaneous, please be patient. <+>When we are done, I'll give to instructions on how to cleanup all the tools and logs <+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. ------->Your topic will be closed if you haven't replied within 3 days!<-------- (If I don't respond within 24 hours, please send me a PM) Link to post Share on other sites More sharing options...
FrankJaeger Posted April 3, 2014 Author ID:812773 Share Posted April 3, 2014 Thanks for all your kind guidance. When I ran a quick scan It revealed no virus, should I run a full scan instead? Link to post Share on other sites More sharing options...
FrankJaeger Posted April 3, 2014 Author ID:812777 Share Posted April 3, 2014 And is deleted user32.dll a safe option? Even via MBAM? Link to post Share on other sites More sharing options...
MrCharlie Posted April 3, 2014 ID:812810 Share Posted April 3, 2014 Thanks for all your kind guidance. When I ran a quick scan It revealed no virus, should I run a full scan instead? No, can you post one of the logs from MB showing were it's flagging user32.dll And is deleted user32.dll a safe option? Even via MBAM? It depends on where it's located, please run RogueKiller. MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 3, 2014 Author ID:812814 Share Posted April 3, 2014 No, can you post one of the logs from MB showing were it's flagging user32.dll It depends on where it's located, please run RogueKiller.MrC Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2014.03.31.06Windows 7 Service Pack 1 x64 NTFSInternet Explorer 10.0.9200.16798Win :: JDTJTRALGW [administrator]Protection: Disabled02/04/2014 21:31:39MBAM-log-2014-04-02 (22-31-15).txtScan type: Full scan (C:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 495420Time elapsed: 59 minute(s), 26 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 1C:\Windows\System32\Microsoft\Dll\user32.dll (Trojan.FakeMS.PGen) -> No action taken.(end) I'll run rouge killer now Link to post Share on other sites More sharing options...
FrankJaeger Posted April 3, 2014 Author ID:812819 Share Posted April 3, 2014 RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Softwaremail : http://www.adlice.com/contact/Feedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.comOperating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : Win [Admin rights]Mode : Scan -- Date : 04/03/2014 13:24:21| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 8 ¤¤¤[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Browser Addons : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts127.0.0.1 validation.sls.microsoft.com127.0.0.1 serial.alcohol-soft.com127.0.0.1 www.alcohol-soft.com127.0.0.1 images.alcohol-soft.com127.0.0.1 trial.alcohol-soft.com127.0.0.1 alcohol-soft.com127.0.0.1 activation.acronis.com¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10EZEX-00RKKA0 ATA Device +++++--- User ---[MBR] eba20bc4d564437cd03bb5f2b56b3776[bSP] eb2e8076916d27ee3b936b36be8a24dd : Windows 7/8 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MBUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_04032014_132421.txt >>RKreport[0]_S_04032014_132014.txt Link to post Share on other sites More sharing options...
MrCharlie Posted April 3, 2014 ID:812822 Share Posted April 3, 2014 Why are these in your host file:127.0.0.1 validation.sls.microsoft.com127.0.0.1 serial.alcohol-soft.com127.0.0.1 www.alcohol-soft.com127.0.0.1 images.alcohol-soft.com127.0.0.1 trial.alcohol-soft.com127.0.0.1 alcohol-soft.com127.0.0.1 activation.acronis.com MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 3, 2014 Author ID:812834 Share Posted April 3, 2014 Why are these in your host file: MrC I don't know. They look like old softwares. I had Alcohol 120% for a while. Should they not be in my host file? Link to post Share on other sites More sharing options...
MrCharlie Posted April 3, 2014 ID:812839 Share Posted April 3, 2014 They are used to crack Alcohol, aka: Piracy Here's the forum policy on it: https://forums.malwarebytes.org/index.php?showtopic=97700 ----------------------------------------------- Please go to the link below, download and run Fixit: http://support.microsoft.com/kb/972034 <---reset host file fixit Rescan with RogueKiller and post the new log, MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 3, 2014 Author ID:812843 Share Posted April 3, 2014 Oh dear, I must say this is a shared PC atm and was belonging to another someone else. Here is my new roguekiller log RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Softwaremail : http://www.adlice.com/contact/Feedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.comOperating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : Win [Admin rights]Mode : Scan -- Date : 04/03/2014 14:25:29| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 8 ¤¤¤[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Browser Addons : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts ¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10EZEX-00RKKA0 ATA Device +++++--- User ---[MBR] eba20bc4d564437cd03bb5f2b56b3776[bSP] eb2e8076916d27ee3b936b36be8a24dd : Windows 7/8 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MBUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_04032014_132421.txt >>RKreport[0]_S_04032014_132014.txt Link to post Share on other sites More sharing options...
MrCharlie Posted April 3, 2014 ID:812861 Share Posted April 3, 2014 You can have MB delete this one if found: Files Detected: 1 C:\Windows\System32\Microsoft\Dll\user32.dll (Trojan.FakeMS.PGen) -> No action taken. ------------------------------------------------------- Use your CCleaner to clean out temp files Next....... Start with this: (make sure you have created a new system restore point) Please download AdwCleaner from HERE or HERE to your desktop.Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As AdministratorClick on the Scan button.AdwCleaner will begin...be patient as the scan may take some time to complete.When it's done you'll see: Pending: Please uncheck elements you don't want removed.Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.Look over the log especially under Files/Folders for any program you want to save.If there's a program you may want to save, just uncheck it from AdwCleaner.If you're not sure, post the log for review. (all items found are adware/spyware/foistware)If you're ready to clean it all up.....click the Clean button.After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.Copy and paste the contents of that logfile in your next reply.A copy of that logfile will also be saved in the C:\AdwCleaner folder.Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\QuarantineTo restore an item that has been deleted:Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.Then...... Please run a Quick Scan with Malwarebytes like this: Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal. Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report. Make sure that everything is checked, and click Remove Selected. If you're using Malwarebytes 2.0, please run a Threat Scan Last........ Please download Farbar Recovery Scan Tool (FRST) and save it to a folder. (use correct version for your system.....Which system am I using?) FRST <----for 32 bit systems FRST64 <----for 64 bit systemsDouble-click to run it. When the tool opens click Yes to disclaimer.Press Scan button. (make sure the Addition box is checked)It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.If the logs are large, you can attach them: To attach a log: Bottom right corner of this page. New window that comes up. MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 4, 2014 Author ID:813224 Share Posted April 4, 2014 # AdwCleaner v3.023 - Report created 04/04/2014 at 12:23:12# Updated 01/04/2014 by Xplode# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)# Username : Win - JDTJTRALGW# Running from : C:\Users\Win\Desktop\adwcleaner.exe# Option : Scan***** [ Services ] ********** [ Files / Folders ] *****File Found : C:\Users\Win\AppData\Local\Temp\Uninstall.exeFolder Found C:\ProgramData\boost_interprocessFolder Found C:\ProgramData\DeviceVMFolder Found C:\Users\Win\AppData\Local\CrashRptFolder Found C:\Users\Win\AppData\Roaming\DeviceVM***** [ Shortcuts ] ********** [ Registry ] *****Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}***** [ Browsers ] *****-\\ Internet Explorer v0.0.0.0-\\ Mozilla Firefox v28.0 (en-US)[ File : C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\prefs.js ]*************************AdwCleaner[R0].txt - [1287 octets] - [04/04/2014 12:23:12]########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1347 octets] ########## Ad log. Are these files safe to delete? They seem important but If they are in fact adware I will delete them Link to post Share on other sites More sharing options...
MrCharlie Posted April 4, 2014 ID:813274 Share Posted April 4, 2014 Yes you can delete them...MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 4, 2014 Author ID:813279 Share Posted April 4, 2014 You can have MB delete this one if found:Files Detected: 1C:\Windows\System32\Microsoft\Dll\user32.dll (Trojan.FakeMS.PGen) -> No action taken.-------------------------------------------------------Use your CCleaner to clean out temp filesNext.......Start with this: (make sure you have created a new system restore point)Please download AdwCleaner from HERE or HERE to your desktop.Double click on AdwCleaner.exe to run the tool.Vista/Windows 7/8 users right-click and select Run As AdministratorClick on the Scan button.AdwCleaner will begin...be patient as the scan may take some time to complete.When it's done you'll see: Pending: Please uncheck elements you don't want removed.Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.Look over the log especially under Files/Folders for any program you want to save.If there's a program you may want to save, just uncheck it from AdwCleaner.If you're not sure, post the log for review. (all items found are adware/spyware/foistware)If you're ready to clean it all up.....click the Clean button.After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.Copy and paste the contents of that logfile in your next reply.A copy of that logfile will also be saved in the C:\AdwCleaner folder.Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\QuarantineTo restore an item that has been deleted:Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.Then......Please run a Quick Scan with Malwarebytes like this:Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.Make sure that everything is checked, and click Remove Selected.If you're using Malwarebytes 2.0, please run a Threat ScanLast........Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.(use correct version for your system.....Which system am I using?)FRST <----for 32 bit systemsFRST64 <----for 64 bit systemsDouble-click to run it. When the tool opens click Yes to disclaimer.Press Scan button. (make sure the Addition box is checked)It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.If the logs are large, you can attach them:To attach a log:Bottom right corner of this page.New window that comes up.MrC # AdwCleaner v3.023 - Report created 04/04/2014 at 14:01:57# Updated 01/04/2014 by Xplode# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)# Username : Win - JDTJTRALGW# Running from : C:\Users\Win\Desktop\adwcleaner.exe# Option : Clean***** [ Services ] ********** [ Files / Folders ] *****Folder Deleted : C:\ProgramData\boost_interprocessFolder Deleted : C:\ProgramData\DeviceVMFolder Deleted : C:\Users\Win\AppData\Local\CrashRptFolder Deleted : C:\Users\Win\AppData\Roaming\DeviceVMFile Deleted : C:\Users\Win\AppData\Local\Temp\Uninstall.exe***** [ Shortcuts ] ********** [ Registry ] *****Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}***** [ Browsers ] *****-\\ Internet Explorer v0.0.0.0-\\ Mozilla Firefox v28.0 (en-US)[ File : C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\prefs.js ]*************************AdwCleaner[R0].txt - [1435 octets] - [04/04/2014 12:23:12]AdwCleaner[s0].txt - [1376 octets] - [04/04/2014 14:01:57]########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1436 octets] ########## ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014Ran by Win (administrator) on JDTJTRALGW on 04-04-2014 14:11:45Running from C:\Users\Win\IleumWindows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)Internet Explorer Version 10Boot Mode: NormalThe only official download link for FRST:Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/Download link from any site other than Bleeping Computer is unpermitted or outdated.See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/==================== Processes (Whitelisted) =================(AMD) C:\Windows\system32\atiesrxx.exe(AMD) C:\Windows\system32\atieclxx.exe(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe() C:\Windows\SysWOW64\PnkBstrA.exe(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe(Intel Corporation) C:\Windows\System32\igfxpers.exe(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe(Microsoft Corporation) C:\Windows\System32\StikyNot.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe(Sony Corporation) C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe==================== Registry (Whitelisted) ==================HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\System32\LogiLDA.dll [1832760 2012-09-20] (Logitech, Inc.)HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13513288 2013-03-29] (Realtek Semiconductor)HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472992 2013-03-21] (Adobe Systems Incorporated)HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [518424 2013-07-18] (Acronis)HKLM-x32\...\Run: [iAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-26] (Intel Corporation)HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-28] (Advanced Micro Devices, Inc.)HKLM-x32\...\Run: [AVP] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe [356128 2013-10-10] (Kaspersky Lab ZAO)HKLM-x32\...\Run: [AdobeCEPServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe [1039248 2013-03-13] (Adobe Systems Incorporated)HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)HKLM-x32\...\Run: [ContentTransferWMDetector.exe] - C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe [583016 2009-11-19] (Sony Corporation)Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)HKU\.DEFAULT\...\RunOnce: [sPReview] - C:\Windows\System32\SPReview\SPReview.exe [301568 2013-06-11] (Microsoft Corporation)HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\Run: [ASRockXTU] - [X]HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\Run: [zASRockInstantBoot] - [X]HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\Run: [AdobeBridge] - [X]HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\Run: [ASRockRuefi] - [X]HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\Policies\system: [DisableLockWorkstation] 0HKU\S-1-5-21-2087283677-3193892326-494846436-1000\...\MountPoints2: {17a2e9d3-d1b3-11e2-ae8d-806e6f6e6963} - D:\ASRSetup.exeAppInit_DLLs: C:\Windows\system32\appinit_dll.dll => C:\Windows\system32\appinit_dll.dll [464200 2012-06-17] (Lucidlogix Inc.)AppInit_DLLs-x32: C:\Windows\SysWOW64\appinit_dll.dll => C:\Windows\SysWOW64\appinit_dll.dll [419144 2012-06-17] (Lucidlogix Inc.)==================== Internet (Whitelisted) ====================HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.search.yahoo.com?type=714647&fr=spigot-yhp-ieHKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehpHKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x95C2AADC8E67CE01HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GBSearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRKSearchScopes: HKCU - {CF0B2B5D-7A14-447e-80B2-267D11F956D5} URL = http://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=5480255188&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=en&q={searchTerms}SearchScopes: HKCU - {FC93E44B-4D0D-4337-8189-959D44DADCC7} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}BHO: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)BHO: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)BHO: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x64\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)BHO-x32: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)BHO-x32: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)BHO-x32: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)BHO-x32: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No FileHosts: There are more than one entry in Hosts. See Hosts section of Addition.txtTcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100FireFox:========FF ProfilePath: C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.defaultFF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()FF Plugin: @microsoft.com/GENUINE - disabled No FileFF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.29 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)FF Plugin-x32: @microsoft.com/GENUINE - disabled No FileFF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll No FileFF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Win\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)FF SearchPlugin: C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\searchplugins\youtube-video-search.xmlFF Extension: Roomy Bookmarks Toolbar - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\ALone-live@ya.ru [2014-03-19]FF Extension: British English Dictionary (Updated) - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\en-gb@flyingtophat.co.uk [2013-11-25]FF Extension: anonymoX - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\client@anonymox.net.xpi [2014-01-24]FF Extension: QuickMark - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\jid0-QT2VXewB9xzbRlyapSJjA4ebwoU@jetpack.xpi [2014-03-19]FF Extension: YouTube Center - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\jid1-cwbvBTE216jjpg@jetpack.xpi [2014-03-19]FF Extension: English (GB) Language Pack - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\langpack-en-GB@firefox.mozilla.org.xpi [2013-11-25]FF Extension: No Name - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\noverflow@sdrocking.com.xpi [2013-07-15]FF Extension: OmniSidebar - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\osb@quicksaver.xpi [2014-03-19]FF Extension: Multi Dictionary Lookup - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\tfdlookup@nohup.in.xpi [2014-01-31]FF Extension: All-in-One Sidebar - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi [2014-03-19]FF Extension: Quick Translator - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\{5C655500-E712-41e7-9349-CE462F844B19}.xpi [2014-01-31]FF Extension: YouTube High Definition - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi [2014-02-08]FF Extension: Adblock Plus - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-06-12]FF HKLM-x32\...\Firefox\Extensions: [url_advisor@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\url_advisor@kaspersky.comFF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\url_advisor@kaspersky.com [2013-08-11]FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\virtual_keyboard@kaspersky.comFF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\virtual_keyboard@kaspersky.com [2013-08-11]FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\content_blocker@kaspersky.comFF Extension: Content Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\content_blocker@kaspersky.com [2013-08-11]==================== Services (Whitelisted) =================R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe [356128 2013-10-10] (Kaspersky Lab ZAO)S4 cFosSpeedS; C:\Program Files\ASRock\XFast LAN\spd.exe [395136 2011-10-19] (cFos Software GmbH)S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-05-15] (Intel Corporation)R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-05-15] (Intel Corporation)R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-11-28] ()S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-03-01] (Riverbed Technology, Inc.)==================== Drivers (Whitelisted) ====================R0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49760 2011-09-21] (Asmedia Technology)R0 AsrRamDisk; C:\Windows\System32\DRIVERS\AsrRamDisk.sys [31016 2012-01-13] (ASRock Inc.)R3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [40648 2007-02-16] (SlySoft, Inc.)R3 ElbyCDFL; C:\Windows\SysWOW64\Drivers\ElbyCDFL.sys [40648 2007-02-16] (SlySoft, Inc.)S3 FNETTBOH_305; C:\Windows\System32\drivers\FNETTBOH_305.SYS [32320 2013-09-25] (FNet Co., Ltd.)R1 FNETURPX; C:\Windows\System32\drivers\FNETURPX.SYS [15936 2013-06-10] (FNet Co., Ltd.)S3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()S3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [46568 2013-01-19] ()R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [458336 2013-12-11] (Kaspersky Lab ZAO)U5 klflt; C:\Windows\System32\Drivers\klflt.sys [90208 2013-08-11] (Kaspersky Lab ZAO)R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [626272 2013-10-10] (Kaspersky Lab ZAO)R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [29792 2013-12-11] (Kaspersky Lab ZAO)R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [29280 2013-10-10] (Kaspersky Lab ZAO)R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [29280 2013-10-10] (Kaspersky Lab ZAO)R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54368 2013-08-11] (Kaspersky Lab ZAO)R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [178448 2013-08-11] (Kaspersky Lab ZAO)R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)S3 s125bus; C:\Windows\System32\DRIVERS\s125bus.sys [108296 2007-04-24] (MCCI Corporation)S3 s125mdfl; C:\Windows\System32\DRIVERS\s125mdfl.sys [19720 2007-04-24] (MCCI Corporation)S3 s125mdm; C:\Windows\System32\DRIVERS\s125mdm.sys [144648 2007-04-24] (MCCI Corporation)R0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2013-09-25] ()R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2014-01-25] (Acronis International GmbH)R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [183224 2014-01-25] (Acronis)R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [117024 2014-01-25] (Acronis International GmbH)U3 atxxmha0; No ImagePathS3 cpuz136; \??\C:\Users\Win\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]S3 tsusbhub; system32\drivers\tsusbhub.sys [X]S3 VGPU; System32\drivers\rdvgkmd.sys [X]==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2014-04-04 14:11 - 2014-04-04 14:11 - 00000000 ____D () C:\FRST2014-04-04 12:23 - 2014-04-04 14:01 - 00000000 ____D () C:\AdwCleaner2014-04-04 02:31 - 2014-04-04 02:31 - 01426178 _____ () C:\Users\Win\Desktop\adwcleaner.exe2014-04-03 13:24 - 2014-04-03 13:24 - 00002269 _____ () C:\Users\Win\Desktop\RKreport[0]_S_04032014_132421.txt2014-04-03 13:20 - 2014-04-03 13:20 - 00002236 _____ () C:\Users\Win\Desktop\RKreport[0]_S_04032014_132014.txt2014-04-03 13:17 - 2014-04-03 13:24 - 00000000 ____D () C:\Users\Win\Desktop\RK_Quarantine2014-04-03 11:35 - 2014-04-03 11:35 - 04527616 _____ () C:\Users\Win\Desktop\RogueKillerX64.exe2014-04-03 02:10 - 2014-04-03 02:10 - 00019532 _____ () C:\Users\Win\Desktop\dds.txt2014-04-03 02:10 - 2014-04-03 02:10 - 00009924 _____ () C:\Users\Win\Desktop\attach.txt2014-04-03 02:07 - 2014-04-03 02:07 - 00688992 ____R (Swearware) C:\Users\Win\Desktop\dds.scr2014-03-31 22:58 - 2014-03-31 22:58 - 00001250 _____ () C:\Users\Public\Desktop\Virtual CloneDrive.lnk2014-03-31 22:58 - 2014-03-31 22:58 - 00000000 ____D () C:\Program Files (x86)\Elaborate Bytes2014-03-29 15:06 - 2014-03-29 15:06 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox2014-03-17 21:27 - 2014-03-17 21:27 - 00001035 _____ () C:\Users\Public\Desktop\Content Transfer.lnk2014-03-17 21:27 - 2014-03-17 21:27 - 00000000 ____D () C:\Users\Win\AppData\Roaming\Sony Corporation2014-03-14 14:40 - 2014-03-14 14:40 - 00001077 _____ () C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk2014-03-14 14:40 - 2014-03-14 14:40 - 00000000 ____D () C:\Users\Win\AppData\Local\VS Revo Group2014-03-14 14:40 - 2014-03-14 14:40 - 00000000 ____D () C:\ProgramData\VS Revo Group2014-03-14 14:40 - 2014-03-14 14:40 - 00000000 ____D () C:\Program Files\VS Revo Group2014-03-14 14:40 - 2009-12-30 11:21 - 00031800 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys2014-03-14 02:24 - 2014-03-14 02:24 - 00003502 _____ () C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-JDTJTRALGW-Win2014-03-12 19:33 - 2014-02-07 02:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys2014-03-12 19:33 - 2014-02-04 03:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll2014-03-12 19:33 - 2014-02-04 03:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll2014-03-12 19:33 - 2014-01-29 03:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll2014-03-12 19:33 - 2014-01-29 03:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll2014-03-12 19:33 - 2014-01-28 03:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll2014-03-12 19:32 - 2014-02-04 03:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll2014-03-12 19:32 - 2014-02-04 03:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll==================== One Month Modified Files and Folders =======2014-04-04 14:11 - 2014-04-04 14:11 - 00000000 ____D () C:\FRST2014-04-04 14:11 - 2013-06-12 20:28 - 00000000 ___RD () C:\Users\Win\Ileum2014-04-04 14:10 - 2009-07-14 05:45 - 00014544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02014-04-04 14:10 - 2009-07-14 05:45 - 00014544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02014-04-04 14:09 - 2009-07-14 06:13 - 00795794 _____ () C:\Windows\system32\PerfStringBackup.INI2014-04-04 14:07 - 2013-06-10 13:40 - 01908844 _____ () C:\Windows\WindowsUpdate.log2014-04-04 14:05 - 2013-11-20 20:30 - 00000000 ____D () C:\Users\Win\AppData\Roaming\foobar20002014-04-04 14:04 - 2013-08-11 22:38 - 00000000 ____D () C:\ProgramData\Kaspersky Lab2014-04-04 14:03 - 2013-06-10 14:48 - 00000828 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job2014-04-04 14:03 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT2014-04-04 14:03 - 2009-07-14 05:51 - 00095586 _____ () C:\Windows\setupact.log2014-04-04 14:01 - 2014-04-04 12:23 - 00000000 ____D () C:\AdwCleaner2014-04-04 12:16 - 2013-06-10 14:57 - 00633052 _____ () C:\Windows\PFRO.log2014-04-04 05:56 - 2013-06-17 23:43 - 00000000 ____D () C:\Users\Win\AppData\Roaming\uTorrent2014-04-04 05:37 - 2013-11-29 02:10 - 00000000 ____D () C:\Users\Win\AppData\Roaming\TS3Client2014-04-04 05:33 - 2013-06-23 15:00 - 00000000 ____D () C:\Program Files (x86)\CCleaner2014-04-04 03:13 - 2013-09-04 02:23 - 00000000 ____D () C:\Program Files (x86)\Steam2014-04-04 02:34 - 2013-06-12 18:33 - 00000000 ____D () C:\Users\Win\AppData\Local\Adobe2014-04-04 02:31 - 2014-04-04 02:31 - 01426178 _____ () C:\Users\Win\Desktop\adwcleaner.exe2014-04-04 02:22 - 2013-08-14 12:54 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{3F87E8E1-200E-407F-A5D7-29B290E3424A}2014-04-04 02:13 - 2013-06-10 14:48 - 00000830 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job2014-04-03 13:24 - 2014-04-03 13:24 - 00002269 _____ () C:\Users\Win\Desktop\RKreport[0]_S_04032014_132421.txt2014-04-03 13:24 - 2014-04-03 13:17 - 00000000 ____D () C:\Users\Win\Desktop\RK_Quarantine2014-04-03 13:20 - 2014-04-03 13:20 - 00002236 _____ () C:\Users\Win\Desktop\RKreport[0]_S_04032014_132014.txt2014-04-03 11:35 - 2014-04-03 11:35 - 04527616 _____ () C:\Users\Win\Desktop\RogueKillerX64.exe2014-04-03 02:10 - 2014-04-03 02:10 - 00019532 _____ () C:\Users\Win\Desktop\dds.txt2014-04-03 02:10 - 2014-04-03 02:10 - 00009924 _____ () C:\Users\Win\Desktop\attach.txt2014-04-03 02:07 - 2014-04-03 02:07 - 00688992 ____R (Swearware) C:\Users\Win\Desktop\dds.scr2014-04-02 17:23 - 2013-06-10 15:04 - 00000000 ____D () C:\Users\Win\AppData\Local\CrashDumps2014-03-31 22:58 - 2014-03-31 22:58 - 00001250 _____ () C:\Users\Public\Desktop\Virtual CloneDrive.lnk2014-03-31 22:58 - 2014-03-31 22:58 - 00000000 ____D () C:\Program Files (x86)\Elaborate Bytes2014-03-30 21:11 - 2013-06-12 18:05 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service2014-03-29 15:06 - 2014-03-29 15:06 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox2014-03-27 23:51 - 2013-06-10 13:42 - 00000000 ____D () C:\Users\Win2014-03-26 23:29 - 2014-02-13 13:54 - 00000000 ____D () C:\Users\Win\Documents\UserTesting2014-03-26 23:29 - 2014-02-13 13:53 - 00000000 ____D () C:\Users\Win\AppData\Local\UserTestingPlugin2014-03-23 22:55 - 2009-07-14 06:08 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT2014-03-18 22:23 - 2013-06-12 18:33 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2014-03-18 22:23 - 2013-06-12 18:33 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl2014-03-18 11:36 - 2014-01-25 23:57 - 00000000 ____D () C:\Users\Win\AppData\Roaming\tigerplayer2014-03-17 21:27 - 2014-03-17 21:27 - 00001035 _____ () C:\Users\Public\Desktop\Content Transfer.lnk2014-03-17 21:27 - 2014-03-17 21:27 - 00000000 ____D () C:\Users\Win\AppData\Roaming\Sony Corporation2014-03-17 21:27 - 2014-02-20 19:21 - 00000000 ____D () C:\ProgramData\Sony Corporation2014-03-17 21:27 - 2014-02-20 19:21 - 00000000 ____D () C:\Program Files (x86)\Sony2014-03-17 21:26 - 2014-02-20 19:22 - 00000000 ____D () C:\Users\Win\AppData\Local\Downloaded Installations2014-03-14 14:40 - 2014-03-14 14:40 - 00001077 _____ () C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk2014-03-14 14:40 - 2014-03-14 14:40 - 00000000 ____D () C:\Users\Win\AppData\Local\VS Revo Group2014-03-14 14:40 - 2014-03-14 14:40 - 00000000 ____D () C:\ProgramData\VS Revo Group2014-03-14 14:40 - 2014-03-14 14:40 - 00000000 ____D () C:\Program Files\VS Revo Group2014-03-14 03:00 - 2013-06-10 14:59 - 00000000 ____D () C:\ProgramData\Adobe2014-03-14 02:24 - 2014-03-14 02:24 - 00003502 _____ () C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-JDTJTRALGW-Win2014-03-12 19:44 - 2009-07-14 05:45 - 05065240 _____ () C:\Windows\system32\FNTCACHE.DAT2014-03-12 19:43 - 2013-07-20 23:52 - 00000000 ____D () C:\Program Files\Microsoft Silverlight2014-03-12 19:43 - 2013-07-20 23:52 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight2014-03-12 19:38 - 2013-08-14 12:53 - 00000000 ____D () C:\Windows\system32\MRT2014-03-12 19:35 - 2013-06-22 23:30 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe2014-03-12 19:20 - 2013-09-18 17:40 - 00000000 ____D () C:\Users\Win\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games2014-03-07 02:32 - 2013-11-20 20:30 - 00001031 _____ () C:\Users\Public\Desktop\foobar2000.lnk2014-03-07 02:32 - 2013-11-20 20:30 - 00000000 ____D () C:\Program Files (x86)\foobar2000Some content of TEMP:====================C:\Users\Win\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exeC:\Users\Win\AppData\Local\Temp\Lucidlogix VIRTU MVP_2.1.114.22585 Setup_64Bit.exeC:\Users\Win\AppData\Local\Temp\ntdll_dump.dllC:\Users\Win\AppData\Local\Temp\powarc1300b2.exeC:\Users\Win\AppData\Local\Temp\Quarantine.exeC:\Users\Win\AppData\Local\Temp\sfamcc00001.dllC:\Users\Win\AppData\Local\Temp\sfamcc00002.dllC:\Users\Win\AppData\Local\Temp\sfareca00001.dllC:\Users\Win\AppData\Local\Temp\sfextra.dllC:\Users\Win\AppData\Local\Temp\som_fs.exeC:\Users\Win\AppData\Local\Temp\som_mp4_encoder_2.exeC:\Users\Win\AppData\Local\Temp\vlc-2.0.8-win32.exeC:\Users\Win\AppData\Local\Temp\vlc-2.1.2-win32.exeC:\Users\Win\AppData\Local\Temp\{380C5AAD-B874-4DC8-B9E4-9DA7FC637C34}.exeC:\Users\Win\AppData\Local\Temp\{43EE48BB-3BA1-483E-804C-4E47752894AF}.exeC:\Users\Win\AppData\Local\Temp\{8AF35F8A-AF6E-494B-91D5-0C26E1D5A57F}.exeC:\Users\Win\AppData\Local\Temp\{8D1EC27A-13BF-4BDB-B19B-B7A0E9E496C0}.exeC:\Users\Win\AppData\Local\Temp\{98DA6B24-F985-487C-996B-B358F30F40A4}.exeC:\Users\Win\AppData\Local\Temp\{DE54D523-02B3-47B9-A23E-DB23012100D3}.exe==================== Bamital & volsnap Check =================C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\rpcss.dll => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legitLastRegBack: 2014-03-31 04:02==================== End Of Log ============================ Addition.txt Link to post Share on other sites More sharing options...
MrCharlie Posted April 4, 2014 ID:813305 Share Posted April 4, 2014 Use your CCleaner to clean out temp file, but first...download the latest version from the link below. You can install it right over the top of the version you have now:http://www.piriform.com/ccleaner/downloadNow run CCleaner and clean out the temp files.-------------------------------From the scan, your host file shows this, did you add them back: 2009-07-14 03:34 - 2014-01-25 23:22 - 00001064 ____A C:\Windows\system32\Drivers\etc\hosts127.0.0.1 validation.sls.microsoft.com127.0.0.1 serial.alcohol-soft.com127.0.0.1 www.alcohol-soft.com127.0.0.1 images.alcohol-soft.com127.0.0.1 trial.alcohol-soft.com127.0.0.1 alcohol-soft.com127.0.0.1 activation.acronis.com ------------------------------Download the attached fixlist.txt to the same folder as FRST.Run FRST.exe and click Fix only once and waitThe tool will create a log (Fixlog.txt) in the folder, please post it to your reply.MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 4, 2014 Author ID:813310 Share Posted April 4, 2014 Use your CCleaner to clean out temp file, but first...download the latest version from the link below. You can install it right over the top of the version you have now:http://uk.search.yah...r=spigot-yhp-ieSearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://uk.search.yah...&type=714647&p={searchTerms}Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No FileFF Plugin: @microsoft.com/GENUINE - disabled No FileFF Plugin-x32: @microsoft.com/GENUINE - disabled No FileFF Extension: QuickMark - C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\jid0-QT2VXewB9xzbRlyapSJjA4ebwoU@jetpack.xpi [2014-03-19]U3 atxxmha0; No ImagePathS3 cpuz136; \??\C:\Users\Win\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]C:\Users\Win\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exeC:\Users\Win\AppData\Local\Temp\Lucidlogix VIRTU MVP_2.1.114.22585 Setup_64Bit.exeC:\Users\Win\AppData\Local\Temp\ntdll_dump.dllC:\Users\Win\AppData\Local\Temp\powarc1300b2.exeC:\Users\Win\AppData\Local\Temp\Quarantine.exeC:\Users\Win\AppData\Local\Temp\sfamcc00001.dllC:\Users\Win\AppData\Local\Temp\sfamcc00002.dllC:\Users\Win\AppData\Local\Temp\sfareca00001.dllC:\Users\Win\AppData\Local\Temp\sfextra.dllC:\Users\Win\AppData\Local\Temp\som_fs.exeC:\Users\Win\AppData\Local\Temp\som_mp4_encoder_2.exeC:\Users\Win\AppData\Local\Temp\vlc-2.0.8-win32.exeC:\Users\Win\AppData\Local\Temp\vlc-2.1.2-win32.exeC:\Users\Win\AppData\Local\Temp\{380C5AAD-B874-4DC8-B9E4-9DA7FC637C34}.exeC:\Users\Win\AppData\Local\Temp\{43EE48BB-3BA1-483E-804C-4E47752894AF}.exeC:\Users\Win\AppData\Local\Temp\{8AF35F8A-AF6E-494B-91D5-0C26E1D5A57F}.exeC:\Users\Win\AppData\Local\Temp\{8D1EC27A-13BF-4BDB-B19B-B7A0E9E496C0}.exeC:\Users\Win\AppData\Local\Temp\{98DA6B24-F985-487C-996B-B358F30F40A4}.exeC:\Users\Win\AppData\Local\Temp\{DE54D523-02B3-47B9-A23E-DB23012100D3}.exeAlternateDataStreams: C:\ProgramData\Temp:A59C99D4Task: {24008E60-A5E0-4F05-842F-5FE4A4766943} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline No Task FileTask: {2A26D66D-1010-4A8E-BA6F-4CFEDF9BAF23} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask No Task File*****************HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SPReview => Value deleted successfully.HKU\S-1-5-21-2087283677-3193892326-494846436-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ASRockXTU => Value deleted successfully.HKU\S-1-5-21-2087283677-3193892326-494846436-1000\Software\Microsoft\Windows\CurrentVersion\Run\\zASRockInstantBoot => Value deleted successfully.HKU\S-1-5-21-2087283677-3193892326-494846436-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => Value deleted successfully.HKU\S-1-5-21-2087283677-3193892326-494846436-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ASRockRuefi => Value deleted successfully.HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FC93E44B-4D0D-4337-8189-959D44DADCC7} => Key deleted successfully.HKCR\CLSID\{FC93E44B-4D0D-4337-8189-959D44DADCC7} => Key not found.HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.HKLM\Software\MozillaPlugins\FF Plugin: @microsoft.com/GENUINE - disabled No File => Key not found."FF Plugin: @microsoft.com/GENUINE - disabled No File" => not found.HKLM\Software\Wow6432Node\MozillaPlugins\FF Plugin-x32: @microsoft.com/GENUINE - disabled No File => Key not found.FF Plugin-x32: @microsoft.com/GENUINE - disabled No File not found.C:\Users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\Extensions\jid0-QT2VXewB9xzbRlyapSJjA4ebwoU@jetpack.xpi => Moved successfully.atxxmha0 => Service deleted successfully.cpuz136 => Service stopped successfully.cpuz136 => Service deleted successfully.C:\Users\Win\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\Lucidlogix VIRTU MVP_2.1.114.22585 Setup_64Bit.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.C:\Users\Win\AppData\Local\Temp\powarc1300b2.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\Quarantine.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\sfamcc00001.dll => Moved successfully.C:\Users\Win\AppData\Local\Temp\sfamcc00002.dll => Moved successfully.C:\Users\Win\AppData\Local\Temp\sfareca00001.dll => Moved successfully.C:\Users\Win\AppData\Local\Temp\sfextra.dll => Moved successfully.C:\Users\Win\AppData\Local\Temp\som_fs.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\som_mp4_encoder_2.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\vlc-2.0.8-win32.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\vlc-2.1.2-win32.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\{380C5AAD-B874-4DC8-B9E4-9DA7FC637C34}.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\{43EE48BB-3BA1-483E-804C-4E47752894AF}.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\{8AF35F8A-AF6E-494B-91D5-0C26E1D5A57F}.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\{8D1EC27A-13BF-4BDB-B19B-B7A0E9E496C0}.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\{98DA6B24-F985-487C-996B-B358F30F40A4}.exe => Moved successfully.C:\Users\Win\AppData\Local\Temp\{DE54D523-02B3-47B9-A23E-DB23012100D3}.exe => Moved successfully.C:\ProgramData\Temp => ":A59C99D4" ADS removed successfully.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{24008E60-A5E0-4F05-842F-5FE4A4766943} => Key deleted successfully.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{24008E60-A5E0-4F05-842F-5FE4A4766943} => Key deleted successfully.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline => Key deleted successfully.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A26D66D-1010-4A8E-BA6F-4CFEDF9BAF23} => Key deleted successfully.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A26D66D-1010-4A8E-BA6F-4CFEDF9BAF23} => Key deleted successfully.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask => Key deleted successfully.==== End of Fixlog ==== Here you go I was positive I deleted them. I've run fixit again to be sure. Link to post Share on other sites More sharing options...
MrCharlie Posted April 4, 2014 ID:813314 Share Posted April 4, 2014 Run RogueKiller again and post the log, MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 4, 2014 Author ID:813316 Share Posted April 4, 2014 Run RogueKiller again and post the log, MrC RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Softwaremail : http://www.adlice.com/contact/Feedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.comOperating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : Win [Admin rights]Mode : Scan -- Date : 04/04/2014 15:36:23| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 8 ¤¤¤[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Browser Addons : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10EZEX-00RKKA0 ATA Device +++++--- User ---[MBR] eba20bc4d564437cd03bb5f2b56b3776[bSP] eb2e8076916d27ee3b936b36be8a24dd : Windows 7/8 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MBUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_04042014_153623.txt >>RKreport[0]_S_04032014_132014.txt;RKreport[0]_S_04032014_132421.txt Link to post Share on other sites More sharing options...
MrCharlie Posted April 4, 2014 ID:813376 Share Posted April 4, 2014 Next: Please read the directions carefully so you don't end up deleting something that is good!! If in doubt about an entry....please ask or choose Skip!!!! Don't Delete anything unless instructed to! If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue If a suspicious object is detected, the default action will be Skip, click on Continue Please note that TDSSKiller can be run in safe mode if needed. Please download the latest version of TDSSKiller from HERE and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked) Put a checkmark beside loaded modules. A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK. Click the Start Scan button. The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue. Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If in doubt about an entry....please ask or choose SkipIf malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out: If in doubt about an entry....please ask or choose Skip Don't Delete anything unless instructed to! If a suspicious object is detected, the default action will be Skip, click on Continue If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip. If malicious objects are found, they will show in the Scan results and offer three (3) options. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed. ~~~~~~~~~~~~~~~~~~~~ You can attach the logs if they're too long: Bottom right corner of this page. New window that comes up. Then........... Please download and run ComboFix. The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop. Please visit this webpage for download links, and instructions for running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download Please make sure you click download buttons that look similar to this, not "sponsored ad links": Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Information on disabling your malware programs can be found Here. Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed. Please include the C:\ComboFix.txt in your next reply for further review. ---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed. MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 4, 2014 Author ID:813551 Share Posted April 4, 2014 Next:Please read the directions carefully so you don't end up deleting something that is good!!If in doubt about an entry....please ask or choose Skip!!!!Don't Delete anything unless instructed to!If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please chooseSkip and click on ContinueIf a suspicious object is detected, the default action will be Skip, click on ContinuePlease note that TDSSKiller can be run in safe mode if needed.Please download the latest version of TDSSKiller from HERE and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)Put a checkmark beside loaded modules.A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK.Click the Start Scan button.The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue.Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.If in doubt about an entry....please ask or choose SkipIf malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out:If in doubt about an entry....please ask or choose SkipDon't Delete anything unless instructed to!If a suspicious object is detected, the default action will be Skip, click on ContinueIf you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please chooseSkip and click on ContinueAny entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.If malicious objects are found, they will show in the Scan results and offer three (3) options.Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.~~~~~~~~~~~~~~~~~~~~You can attach the logs if they're too long:Bottom right corner of this page.New window that comes up.Then...........Please download and run ComboFix.The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingcomputer.com/combofix/how-to-use-combofixhttp://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct downloadPlease make sure you click download buttons that look similar to this, not "sponsored ad links":Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found Here.Make sure you run ComboFix from your desktop.Give it at least 30-45 minutes to finish if needed.Please include the C:\ComboFix.txt in your next reply for further review.---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.MrC Thanks for the help, this is wonderful I've attached my KSST log for your review Unsigned fileService: Intel ® capability licensing service interfaceService start: Auto (0x2)Files: Program File/Intel/iCLS Cleint/HeciServer.exeLocked fileService: sptdService Type: Kernal Driver (0x1)Service Start: Boot (0x0)File: Windows System 32/drivers/sptd.sys These files flagged us as suspicious in KSST and I was unsure so I posted them here. An adobe switchboard.exe also flagged up. I clicked skip ThanksTDSSKiller.3.0.0.28_04.04.2014_23.58.24_log.txt Link to post Share on other sites More sharing options...
FrankJaeger Posted April 4, 2014 Author ID:813560 Share Posted April 4, 2014 ComboFix 14-04-03.01 - Win 05/04/2014 0:20.1.4 - x64Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.16268.14276 [GMT 1:00]Running from: c:\users\Win\Desktop\ComboFix.exeAV: Kaspersky Anti-Virus *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}SP: Kaspersky Anti-Virus *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\users\Win\AppData\Roaming\Originc:\users\Win\AppData\Roaming\Origin\local.xmlc:\users\Win\AppData\Roaming\Origin\local_051627926fef6a7f4307b541bf94d733.xml..((((((((((((((((((((((((( Files Created from 2014-03-04 to 2014-04-04 )))))))))))))))))))))))))))))))..2014-04-04 23:26 . 2014-04-04 23:26 -------- d-----w- c:\users\Default\AppData\Local\temp2014-04-04 17:36 . 2014-04-04 17:36 -------- d-----w- c:\programdata\boost_interprocess2014-04-04 13:11 . 2014-04-04 14:25 -------- d-----w- C:\FRST2014-04-04 11:23 . 2014-04-04 13:01 -------- d-----w- C:\AdwCleaner2014-03-31 21:58 . 2014-03-31 21:58 -------- d-----w- c:\program files (x86)\Elaborate Bytes2014-03-17 20:27 . 2014-03-17 20:27 -------- d-----w- c:\users\Win\AppData\Roaming\Sony Corporation2014-03-17 20:27 . 2014-03-17 20:27 -------- d-----w- c:\program files (x86)\Common Files\Sony Shared2014-03-14 13:40 . 2014-03-14 13:40 -------- d-----w- c:\users\Win\AppData\Local\VS Revo Group2014-03-14 13:40 . 2014-03-14 13:40 -------- d-----w- c:\programdata\VS Revo Group2014-03-14 13:40 . 2009-12-30 10:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys2014-03-14 13:40 . 2014-03-14 13:40 -------- d-----w- c:\program files\VS Revo Group2014-03-12 18:33 . 2014-01-29 02:32 484864 ----a-w- c:\windows\system32\wer.dll2014-03-12 18:33 . 2014-01-29 02:06 381440 ----a-w- c:\windows\SysWow64\wer.dll2014-03-12 18:33 . 2014-02-07 01:23 3156480 ----a-w- c:\windows\system32\win32k.sys2014-03-12 18:33 . 2014-02-04 02:32 624128 ----a-w- c:\windows\system32\qedit.dll2014-03-12 18:33 . 2014-02-04 02:04 509440 ----a-w- c:\windows\SysWow64\qedit.dll2014-03-12 18:33 . 2014-01-28 02:32 228864 ----a-w- c:\windows\system32\wwansvc.dll2014-03-12 18:32 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll2014-03-12 18:32 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2014-03-18 21:23 . 2013-06-12 17:33 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2014-03-18 21:23 . 2013-06-12 17:33 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe2014-03-12 18:35 . 2013-06-22 22:30 90015360 ----a-w- c:\windows\system32\MRT.exe2014-02-25 01:49 . 2012-07-17 14:37 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll2014-02-18 22:47 . 2014-02-18 22:47 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll2014-02-01 09:20 . 2014-02-13 14:29 51712 ----a-w- c:\windows\system32\ie4uinit.exe2014-02-01 09:19 . 2014-02-13 14:29 2241536 ----a-w- c:\windows\system32\wininet.dll2014-02-01 09:19 . 2014-02-13 14:29 1365504 ----a-w- c:\windows\system32\urlmon.dll2014-02-01 09:18 . 2014-02-13 14:29 197120 ----a-w- c:\windows\system32\msrating.dll2014-02-01 09:18 . 2014-02-13 14:29 19274240 ----a-w- c:\windows\system32\mshtml.dll2014-02-01 09:18 . 2014-02-13 14:29 603136 ----a-w- c:\windows\system32\msfeeds.dll2014-02-01 09:18 . 2014-02-13 14:29 855552 ----a-w- c:\windows\system32\jscript.dll2014-02-01 09:18 . 2014-02-13 14:29 3960320 ----a-w- c:\windows\system32\jscript9.dll2014-02-01 09:18 . 2014-02-13 14:29 53760 ----a-w- c:\windows\system32\jsproxy.dll2014-02-01 09:18 . 2014-02-13 14:29 67072 ----a-w- c:\windows\system32\iesetup.dll2014-02-01 09:18 . 2014-02-13 14:29 526336 ----a-w- c:\windows\system32\ieui.dll2014-02-01 09:18 . 2014-02-13 14:29 136704 ----a-w- c:\windows\system32\iesysprep.dll2014-02-01 09:18 . 2014-02-13 14:29 2648576 ----a-w- c:\windows\system32\iertutil.dll2014-02-01 09:18 . 2014-02-13 14:29 39936 ----a-w- c:\windows\system32\iernonce.dll2014-02-01 09:18 . 2014-02-13 14:29 15403520 ----a-w- c:\windows\system32\ieframe.dll2014-02-01 07:58 . 2014-02-13 14:29 1767936 ----a-w- c:\windows\SysWow64\wininet.dll2014-02-01 07:57 . 2014-02-13 14:29 2877952 ----a-w- c:\windows\SysWow64\jscript9.dll2014-02-01 07:57 . 2014-02-13 14:29 61440 ----a-w- c:\windows\SysWow64\iesetup.dll2014-02-01 07:57 . 2014-02-13 14:29 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll2014-02-01 07:40 . 2014-02-13 14:29 2706432 ----a-w- c:\windows\system32\mshtml.tlb2014-02-01 07:34 . 2014-02-13 14:29 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb2014-01-25 22:21 . 2014-01-25 22:21 367200 ----a-w- c:\windows\system32\drivers\afcdp.sys2014-01-25 22:21 . 2014-01-25 22:21 1464096 ----a-w- c:\windows\system32\drivers\tdrpman.sys2014-01-25 22:21 . 2014-01-25 22:21 183224 ----a-w- c:\windows\system32\drivers\tib_mounter.sys2014-01-25 22:21 . 2014-01-25 22:21 1120032 ----a-w- c:\windows\system32\drivers\tib.sys2014-01-25 22:21 . 2014-01-25 22:21 161568 ----a-w- c:\windows\system32\drivers\vididr.sys2014-01-25 22:21 . 2014-01-25 22:21 269600 ----a-w- c:\windows\system32\drivers\snapman.sys2014-01-25 22:21 . 2014-01-25 22:21 117024 ----a-w- c:\windows\system32\drivers\vidsflt.sys2014-01-25 22:21 . 2014-01-25 22:21 116000 ----a-w- c:\windows\system32\drivers\fltsrv.sys2014-01-09 02:22 . 2014-02-27 18:33 5694464 ----a-w- c:\windows\SysWow64\mstscax.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-11-29 284440]"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-26 291608]"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-03-28 642656]"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2013-10-10 356128]"AdobeCEPServiceManager"="c:\program files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" [2013-03-13 1039248]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]"ContentTransferWMDetector.exe"="c:\program files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0)"EnableLinkedConnections"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=1 (0x1)"AppInit_DLLs"=c:\windows\SysWOW64\appinit_dll.dll.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]"DisableMonitoring"=dword:00000001.R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]R3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]R3 cpuz136;cpuz136;c:\users\Win\AppData\Local\Temp\cpuz136_x64.sys;c:\users\Win\AppData\Local\Temp\cpuz136_x64.sys [x]R3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS;c:\windows\SYSNATIVE\drivers\FNETTBOH_305.SYS [x]R3 ikbevent;Intel Upper keyboard Class Filter Driver;c:\windows\system32\DRIVERS\ikbevent.sys;c:\windows\SYSNATIVE\DRIVERS\ikbevent.sys [x]R3 imsevent;Intel Upper Mouse Class Filter Driver;c:\windows\system32\DRIVERS\imsevent.sys;c:\windows\SYSNATIVE\DRIVERS\imsevent.sys [x]R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]R4 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]R4 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys;c:\windows\SYSNATIVE\DRIVERS\asahci64.sys [x]S0 AsrRamDisk;AsrRamDisk;c:\windows\system32\DRIVERS\AsrRamDisk.sys;c:\windows\SYSNATIVE\DRIVERS\AsrRamDisk.sys [x]S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys;c:\windows\SYSNATIVE\Drivers\sptd.sys [x]S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys;c:\windows\SYSNATIVE\DRIVERS\vidsflt.sys [x]S1 AsrAppCharger;AsrAppCharger;c:\windows\system32\DRIVERS\AsrAppCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AsrAppCharger.sys [x]S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS;c:\windows\SYSNATIVE\drivers\FNETURPX.SYS [x]S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x]S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]S3 athur;Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athurx.sys;c:\windows\SYSNATIVE\DRIVERS\athurx.sys [x]S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys [x]S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys [x]S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]S3 ISCT;Intel® Smart Connect Technology Device Driver;c:\windows\system32\DRIVERS\ISCTD64.sys;c:\windows\SYSNATIVE\DRIVERS\ISCTD64.sys [x]S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys [x]S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys [x]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]S3 VirtuWDDM;VirtuWDDM;c:\windows\system32\DRIVERS\VirtuWDDM.sys;c:\windows\SYSNATIVE\DRIVERS\VirtuWDDM.sys [x]..--- Other Services/Drivers In Memory ---.*NewlyCreated* - 67170306*Deregistered* - 67170306.Contents of the 'Scheduled Tasks' folder.2014-04-04 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 12:41].2014-04-04 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 12:41]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]2013-08-07 16:58 2820056 ----a-w- c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]2013-08-07 16:58 2820056 ----a-w- c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]2013-08-07 16:58 2820056 ----a-w- c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2013-03-29 13513288]"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-03-21 472992]"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-07-18 518424].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"AppInit_DLLs"=c:\windows\System32\appinit_dll.dll.------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmIE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000TCP: DhcpNameServer = 194.168.4.100 194.168.8.100FF - ProfilePath - c:\users\Win\AppData\Roaming\Mozilla\Firefox\Profiles\3hl3da3n.default\.- - - - ORPHANS REMOVED - - - -.Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exeSafeBoot-67170306.sys...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\S-1-5-21-2087283677-3193892326-494846436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]@Denied: (2) (LocalSystem)"Progid"="WindowsLiveMail.Email.1".[HKEY_USERS\S-1-5-21-2087283677-3193892326-494846436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]@Denied: (2) (LocalSystem)"Progid"="WindowsLiveMail.VCard.1".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2014-04-05 00:27:36ComboFix-quarantined-files.txt 2014-04-04 23:27.Pre-Run: 168,242,470,912 bytes freePost-Run: 173,554,434,048 bytes free.- - End Of File - - 9C1FA1BEB6B0A410A8E8CA1621F5EC39A36C5E4F47E84449FF07ED3517B43A31 COMBOFIX Log Link to post Share on other sites More sharing options...
MrCharlie Posted April 4, 2014 ID:813564 Share Posted April 4, 2014 Looks Good....... Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal. Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report. Make sure that everything is checked, and click Remove Selected. Please let me know how computer is running now, MrC Link to post Share on other sites More sharing options...
FrankJaeger Posted April 6, 2014 Author ID:814557 Share Posted April 6, 2014 Looks Good.......Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.Make sure that everything is checked, and click Remove Selected.Please let me know how computer is running now, MrC Thank you ever so much for your help. It's very rare to be granted such methodical guidance, and with such clarity. The scan returned 0 threats and I think I'm malware free : ) My PC is running a little slower than usual, but I think this is attributed to another issue. Do you reccomend any programs that I can get to keep my PC well maintained and protected? I have CCleaner already. Furthermore, should I keep any of the programs you gave me? Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2014.04.06.10Windows 7 Service Pack 1 x64 NTFSInternet Explorer 10.0.9200.16798Win :: JDTJTRALGW [administrator]Protection: Disabled06/04/2014 22:07:05mbam-log-2014-04-06 (22-07-05).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 235141Time elapsed: 2 minute(s), 38 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
MrCharlie Posted April 6, 2014 ID:814568 Share Posted April 6, 2014 I'll go over everything in my next post. Lets check your computers security before you go and we have a little cleanup to do also: Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.If you get Unsupported operating system. Aborting now, just reboot and try again.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
Recommended Posts