infectthis Posted June 2, 2014 ID:837087 Share Posted June 2, 2014 I accidentally clicked on a text box that appeared on a shady site and realized what I did immediately after. Also noticed severe google redirect immediately after as a result. Ran malwarebytes quick scan (no issues), then full scan (threats detected) and thought the issue was over. However, over the next few days I noticed a few links off google were redirecting, it seemed to be the 1st and some random number link after the first link would redirect to sites relating to whatever I searched on google, obviously not the actual URL. Here is FRST logs: I would draw your attention first to registry as there is an issue there. I will also note I ran TDSSKiller and found nothing as does Malwarebytes currently Thank you!infectthis FRST.txtAddition.txt Link to post Share on other sites More sharing options...
infectthis Posted June 5, 2014 Author ID:838262 Share Posted June 5, 2014 Hi, I just realized I had missed the instructions to uninstall BitTorrent and etc. That has been done and here is another scan of FRST logs attaches with BitTorrent gone. Also to note it that my machine is slowing down substantially and firefox is worse than IE for redirects. I have to manually refresh the page to get it to load the correct URL, FWIW. TDSSKiller also is now detecting multiple threats. Thanks in advance!FRST.txtAddition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted June 5, 2014 ID:838269 Share Posted June 5, 2014 Hello and P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy. Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Run FRST and press the Fix button just once and wait.The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Download AdwCleaner by Xplode onto your Desktop. Double click on Adwcleaner.exe to run the tool. Click on Scan Once the scan is done, click on the Clean button. You will get a prompt asking to close all programs. Click OK. Click OK again to reboot your computer. A text file will open after the restart. Please post the content of that logfile in your reply. You can also find the logfile at C:\AdwCleaner[sn].txt. Next, Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message. Next, Malwarebytes ver: 1.75 "Quick scan" Run Malwarebytes, Open: Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal. Please Update and run a Quick scan Make sure that everything is checked, and click Remove Selected on any found items. Post the produced log.. Next, Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/ Quit all running programs.For Windows XP, double-click to start.For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.Read and accept the EULA (End User Licene Agreement)Click Scan to scan the system.When the scan completes Close the program > Don't Fix anything!Post back the report which should be located on your desktop. Let me see those logs, also give an update on any remaining issues or concerns... Kevin fixlist.txt Link to post Share on other sites More sharing options...
infectthis Posted June 6, 2014 Author ID:838320 Share Posted June 6, 2014 Hi Kevin, here are the logs. And it seems the redirect issue is fixed and my machine is running faster. I'll add that windows defender did find a worm after running all of the above that was quarantined. Please let me know if there's more to follow.Fixlog.txtAdwCleanerS0.txtJRT.txtmbam-log-2014-06-05 (16-45-57).txtRKreport_SCN_06052014_165826.log Link to post Share on other sites More sharing options...
kevinf80 Posted June 6, 2014 ID:838441 Share Posted June 6, 2014 We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete: Run Eset Online Scanner **Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET. Turn off the real time scanner of any existing antivirus program while performing the online scan click on the Run ESET Online Scanner button Tick the box next to YES, I accept the Terms of Use.Click Start When asked, allow the add/on to be installedClick Start Make sure that the option "Remove found threats" is UNticked Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.Click Scan wait for the virus definitions to be downloaded Wait for the scan to finish When the scan is complete If no threats were found put a checkmark in "Uninstall application on close" close program report to me that nothing was found If threats were found click on "list of threats found" click on "export to text file" and save it as ESET SCAN and save to the desktop Click on back put a checkmark in "Uninstall application on close" click on finish close program Copy and paste the report in next reply. Thanks, Kevin Link to post Share on other sites More sharing options...
infectthis Posted June 6, 2014 Author ID:838621 Share Posted June 6, 2014 Here is the ESETSCAN file as txt. For some reason I cannot copy paste the file contents directly into this reply. ESETSCAN.txt Link to post Share on other sites More sharing options...
infectthis Posted June 6, 2014 Author ID:838632 Share Posted June 6, 2014 I'll note that I just got a redirect from google. Particularly nasty infection. Link to post Share on other sites More sharing options...
kevinf80 Posted June 6, 2014 ID:838656 Share Posted June 6, 2014 Download TDSSKiller and save it to your Desktop. Make sure TDSSKiller.exe is on the Desktop itself, not within a folder on the desktop. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.If Malicious objects are found, do NOT select Delete or Cure. Change the action to Skip, When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here. Link to post Share on other sites More sharing options...
infectthis Posted June 7, 2014 Author ID:838748 Share Posted June 7, 2014 The contents of TDSSKiller, the scan came up with nothing obvious.TDSSKiller.txt Link to post Share on other sites More sharing options...
infectthis Posted June 7, 2014 Author ID:838751 Share Posted June 7, 2014 I did note there were a few of these however off the TDSS report. 19:19:21.0054 0x0ca4 [ 686045905787B68D829CE647A6DFAD2B, 09B925A3E02B3BA45D5D408B59A279D3255AC854B3B696E243DCD14EF18CEC92 ] Blackberry Device Manager C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe19:19:21.0070 0x0ca4 Blackberry Device Manager - detected UnsignedFile.Multi.Generic ( 1 ) 19:19:24.0135 0x0ca4 [ BB1FC298BE53AAB1E110F6E786BD8AC5, C2DA2C3CE96D5F8B50013063B5EF7BED7478636896C709A7AF34855B2E69B9F1 ] HP Support Assistant Service C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe19:19:24.0151 0x0ca4 HP Support Assistant Service - detected UnsignedFile.Multi.Generic ( 1 )19:19:24.0151 0x0ca4 Detect skipped due to KSN trusted 19:19:32.0466 0x0ca4 [ 97F839E8AEC48EE271509BF4BC764C24, 7B9B791E987ADC8991C128CD52CB253F295E41DF502BF8933DF388994E84560D ] STacSV C:\Program Files\IDT\WDM\STacSV64.exe19:19:32.0482 0x0ca4 STacSV - detected UnsignedFile.Multi.Generic ( 1 )19:19:32.0482 0x0ca4 Detect skipped due to KSN trusted 19:19:35.0763 0x0ca4 [ 330FE83760F95FC8BEA17F1BADE7AC6E, CB1AD4258E25B1942204DB0D6099AB1396819C09B876AE0C0A76161CBC5E5C89 ] wampstackApache C:\BitNami\WAMPST~1.16-\apache2\bin\httpd.exe19:19:35.0763 0x0ca4 wampstackApache - detected UnsignedFile.Multi.Generic ( 1 )19:19:35.0763 0x0ca4 Detect skipped due to KSN trusted19:19:35.0763 0x0ca4 wampstackApache - ok 19:19:38.0654 0x0ca4 [ 49BD5663071AA799AC0B1E6B48EB9257, 39364B7E08C87545B4E48264509D73800FE5B0A76E34E0B169DA489895820B22 ] C:\Program Files\IDT\WDM\beats64.exe19:19:38.0670 0x0ca4 BeatsOSDApp - detected UnsignedFile.Multi.Generic ( 1 )19:19:38.0670 0x0ca4 Detect skipped due to KSN trusted19:19:38.0670 0x0ca4 BeatsOSDApp - ok19:19:38.0717 0x0ca4 [ 94BFCE236D6340011721470E394056E3, 42A7808F6C53C268354E9E47F0689FE2B4717F61E97CBAA0ABF33E0275B908EF ] C:\Program Files\IDT\WDM\sttray64.exe19:19:38.0748 0x0ca4 SysTrayApp - detected UnsignedFile.Multi.Generic ( 1 )19:19:38.0748 0x0ca4 Detect skipped due to KSN trusted19:19:38.0748 0x0ca4 SysTrayApp - ok Link to post Share on other sites More sharing options...
kevinf80 Posted June 7, 2014 ID:838807 Share Posted June 7, 2014 TDSSKiller log is clean, unsigned files although suspicious does not always mean malicious. I see nothing obviously wrong with that log. Is the redirect happening in a specific Browser or more that one Browser, if so let me know which one(s) Kevin Link to post Share on other sites More sharing options...
infectthis Posted June 7, 2014 Author ID:838941 Share Posted June 7, 2014 Redirect happens on both IE and FF, I don't use others. It occurs every once in awhile, could it be a site based issue (not my machine) although I've never heard of that? My machine is running significantly better from when I started this thread, would you deem this over? And if so, uninstall the tools or flat out delete/remove them? Thank you for everything! Link to post Share on other sites More sharing options...
kevinf80 Posted June 7, 2014 ID:838979 Share Posted June 7, 2014 We can easily remove the tools when we are certain the system is clean, run the following scan please: Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save the zip file to your Desktop. Double click zip file and extract to your Desktop: you will now have 3 versions of the tool on the Desktop: http://i121.photobucket.com/albums/o239/kevinf80/Zoek%20Scanner/Capture.png[/img] Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/] Double click on each in turn until one version of Zoek will run (accept UAC) The following window will open: Copy and paste the following script from the code box and paste into the field. standardsearch;autoclean;emptyclsid;emptyalltemp;FFdefaults;iedefaults; Select the "Run Script" tab. The following window will open: Please be patient and do not use the PC when the scan is in progress. When complete you maybe asked to re-boot your PC, if so please do Post the produced log in your next reply, also let me know if the redirects cease after that scan.... Kevin Link to post Share on other sites More sharing options...
infectthis Posted June 8, 2014 Author ID:839024 Share Posted June 8, 2014 Here is the zoek log and I will notify immediately if I encounter a redirect: Zoek.exe v5.0.0.0 Updated 02-June-2014Tool run by Admin on 2014-06-07 at 17:43:52.46.Microsoft Windows 8.1 6.3.9600 x64Running in: Normal Mode Internet Access DetectedLaunched: C:\Users\Admin\Desktop\zoek\zoek.com [scan all users] [script inserted]==== System Restore Info ======================2014-06-07 5:45:36 PM Zoek.exe System Restore Point Created Succesfully.==== Deleting CLSID Registry Keys ========================== Deleting CLSID Registry Values ========================== Running Processes ======================C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exeC:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAService.exeC:\BitNami\WAMPST~1.16-\apache2\bin\httpd.exeC:\BitNami\wampstack-5.4.16-0\mysql\bin\mysqld.exeC:\BitNami\WAMPST~1.16-\apache2\bin\httpd.exeC:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exeC:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAMain.exeC:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\SysWOW64\cmd.exe==== Deleting Services ========================== FireFox Fix ======================Deleted from C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vgw6qd4m.default\prefs.js:user_pref("browser.startup.homepage", "www.google.com");Added to C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vgw6qd4m.default\prefs.js:user_pref("browser.startup.homepage", "http://www.google.com");user_pref("browser.search.defaulturl", "http://www.google.com/search?btnG=Google+Search&q=");user_pref("browser.newtab.url", "http://www.google.com/");user_pref("browser.search.defaultengine", "Google");user_pref("browser.search.defaultenginename", "Google");user_pref("browser.search.selectedEngine", "Google");user_pref("browser.search.order.1", "Google");user_pref("keyword.URL", "http://www.google.com/search?btnG=Google+Search&q=");user_pref("browser.search.suggest.enabled", true);user_pref("browser.search.useDBForOrder", true);ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vgw6qd4m.defaultuser.js not found---- FireFox user.js and prefs.js backups ----prefs__0554_.backup==== Deleting Files \ Folders ======================C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deletedC:\PROGRA~2\Wondershare deletedC:\PROGRA~3\SoundResearch deletedC:\Users\Admin\AppData\Local\CRE deletedC:\Users\Admin\AppData\Local\Wondershare deletedC:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyFree Codec deletedC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare deletedC:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vgw6qd4m.default\CT3225826 deleted==== System Specs ======================Windows: Windows Version 6.2 (Build 9200)Memory (RAM): 5528 MBCPU Info: AMD A6-5400K APU with Radeon HD GraphicsCPU Speed: 3677.5 MHzSound Card: Speakers / Headphones (IDT High |Digital Output (S/PDIF) (IDT Hi |Display Adapters: AMD Radeon HD 7540D | AMD Radeon HD 7540D | AMD Radeon HD 7540D | AMD Radeon HD 7540DMonitors: 1x; HP 2011x LED Backlit LCD Monitor |Screen Resolution: 1600 X 900 - 32 bitNetwork: Network PresentNetwork Adapters: Microsoft Wi-Fi Direct Virtual Adapter | Qualcomm Atheros AR8161 PCI-E Gigabit Ethernet Controller (NDIS 6.30) | Ralink RT5390R 802.11bgn Wi-Fi AdapterCD / DVD Drives: 1x (F: | ) F: hp DVD A DH16ACSHRPorts: COM3 | COM4 LPT Port NOT Present.Mouse: 3 Button Wheel Mouse PresentHard Disks: C: 910.3GB | D: 19.4GBHard Disks - Free: C: 820.7GB | D: 2.4GBManufacturer *: AMIBIOS Info: AT/AT COMPATIBLE | | HPQOEM - 1072009Time Zone: Pacific Standard TimeMotherboard *: MSI 2AE0Country: CanadaLanguage: ENC==== System Specs (Software) ======================Anti-Virus: Panda Cloud Antivirus On-access scanning disabled (Outdated)Anti-Virus: Windows Defender On-access scanning disabled (Outdated)Anti-Spyware: Windows Defender disabled (Outdated)Anti-Spyware: Panda Cloud Antivirus disabled (Outdated)Firewall: Cloud Antivirus Firewall disabledInternet Explorer Version: 11.0.9600.17107Mozilla Firefox version: 29.0.1 (x86 en-US)Google Chrome version: 35.0.1916.114Adobe Reader version: 11.0.07.79Sun Java version: 1.7.0_55 (32-bit)Flash Player version: 13.0.0.214==== Files Recently Created / Modified ============================ C:\WINDOWS ========== C:\Users\Admin\AppData\Local\Temp ====2014-06-07 20:03:56 5634C601025C31032A0AF1590B4C0CA6 43008 ----a-w- C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpyzsjsa.dll2014-06-05 23:27:51 2E0323A94915FAAB10A25F3BABF82584 157696 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\erunt\ERUNT.EXE====== Java Cache =====2014-06-02 17:38:41 AD81EA67917FF10A41F74D95F24CD810 527 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\7fd3b8cf-eb349aba1342b280f6b850c1fc0552e15437aab97071249d0d8dbd074339ccf9-6.0.lap2014-06-05 10:45:15 51D8791678132258921AD23583594318 2339109 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\286dc293-3d1c05282014-05-23 05:36:48 99C772151944605A717EF0481343F454 37 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\415dbd96-557cb7c865bb1753c4bedad5ddf7e1fbe9d61c5631f806c5ce11873850c4e7e0-6.0.lap2014-05-27 00:52:34 A850FB3EEFB29ECC891ECDDCEDAC2648 37 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\7bd4539f-d1ca8583acb58847cfd6aa68e5fa0c1cbe08eccf2562ced7597941155aafd509-6.0.lap2014-06-06 04:25:57 41A296ED12C3ADBBD1121CCFB51A979A 2340152 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\57b393a2-141e1dab2014-06-05 10:45:01 2755337A78E7AD49E11552A80DBD8311 43538466 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\552f80e3-39754a9e2014-06-02 17:38:42 50D166C0E1012B2C231E4C1B07A4DA13 1051670 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\307437a5-4b44dfba2014-06-05 10:44:37 31AACD539CEF400DA196FB261EAD4253 1135106 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\ac1a7ea-6c61779c2014-06-05 10:44:36 24E8FADDDE028A13CB19DF394427404D 2726 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\3c04e76b-69de4bc22014-06-05 10:44:36 67274383AFCA3D9CD5467A019E38E0B4 531 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\3c04e76b-7c00bf8b5a44f172380d92410244ce54154062faf63377295f935751674059cd-6.0.lap2014-05-09 18:55:17 C4FF7B3BEE56782F569DAC01CE551679 37 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\530ad972-0899d2a3ccc49c544e7d32f3878e3dec4ccfa40514532af3b9ecdea5694c46c7-6.0.lap2014-05-19 22:33:27 12AEE4D230FE50A8B78FD7A2A3CE9538 37 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\700652f3-af124d58bd147db19a382e51178bdaf8b663f0464d0ebf843bccf17311838915-6.0.lap2014-06-02 17:38:46 11BB1A0409332188872D47B72E5B70BF 61766 ----a-w- C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\5216bd7d-7ea4c86c====== C:\WINDOWS\SysWOW64 =====2014-06-05 23:16:35 0DC5AF80D059DEC792B665ED598C6567 536576 ----a-w- C:\WINDOWS\SysWOW64\sqlite3.dll====== C:\WINDOWS\SysWOW64\drivers =========== C:\WINDOWS\Sysnative =========== C:\WINDOWS\Sysnative\drivers =====2014-06-05 19:06:52 CD51E1D0D638F1E07A6EDC98CD7F5DDA 91352 ----a-w- C:\WINDOWS\Sysnative\drivers\mbamchameleon.sys2014-05-14 17:24:53 019CC610AD95FF47EAD7C08B7A683B96 257880 ----a-w- C:\WINDOWS\Sysnative\drivers\WdFilter.sys2014-05-14 17:24:52 6CC1BB8F6851A262E2E824F0E92D5EEF 123224 ----a-w- C:\WINDOWS\Sysnative\drivers\WdNisDrv.sys2014-05-14 17:24:51 F5D4FA3E1F4879C361FFF3855259D2C2 35856 ----a-w- C:\WINDOWS\Sysnative\drivers\WdBoot.sys====== C:\WINDOWS\Tasks ======2014-06-05 21:02:06 0804124FB0DC7C8FAD3E2CDAF8F8B89F 3144 ----a-w- C:\WINDOWS\Sysnative\Tasks\{8485538B-30BA-4168-872B-37A274A7A11A}====== C:\WINDOWS\Temp ============= C:\Program Files =====2014-05-28 01:46:33 -------- d-----w- C:\Program Files\Microsoft Silverlight======= C:\PROGRA~2 =====2014-05-28 01:46:33 -------- d-----w- C:\PROGRA~2\Microsoft Silverlight2014-05-17 23:26:25 -------- d-----w- C:\PROGRA~2\BlueJ======= C: =====2014-06-06 20:55:06 0FCB3CF8C363BA7B1FB2CAA09F0557C4 437594 ----a-w- C:\TDSSKiller.txt====== C:\Users\Admin\AppData\Roaming ======2014-06-06 16:25:29 -------- d-----w- C:\Users\Admin\AppData\Local\CrashDumps2014-05-17 23:26:42 -------- d-----w- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BlueJ2014-05-17 06:43:12 -------- d-----w- C:\Users\Admin\AppData\Roaming\DropboxMaster====== C:\Users\Admin ======2014-06-07 20:52:26 645A0B49A27FFAD48492210262171778 4996210 ----a-w- C:\Users\Admin\Downloads\FileZilla_3.8.1_win32-setup.exe2014-06-06 20:52:39 94E3A2D6251A35ED69DB3221329E8584 4181856 ----a-w- C:\Users\Admin\Desktop\tdsskiller.exe2014-06-05 23:53:31 -------- d-----w- C:\ProgramData\RogueKiller2014-06-05 23:50:51 4F6D5EACA52ECF078D90E814AE53EB7D 4686336 ----a-w- C:\Users\Admin\Desktop\RogueKiller.exe2014-06-05 23:27:19 CA630DBADEB5B6101531F986ADFE46C9 1016261 ----a-w- C:\Users\Admin\Desktop\JRT.exe2014-06-05 23:15:40 42F24559E8C472F6FF745BB7C5465FB2 1333465 ----a-w- C:\Users\Admin\Desktop\AdwCleaner.exe2014-06-02 19:54:56 CFC758F31992B77D676B968B4961EA1A 2068992 ----a-w- C:\Users\Admin\Desktop\FRST64.exe2014-05-28 01:47:31 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight2014-05-23 08:30:00 -------- d-----w- C:\WINDOWS\serviceprofiles\Localservice\winhttp2014-05-17 23:26:56 -------- d-----w- C:\Users\Admin\bluej====== C: exe-files ==2014-06-07 20:52:26 645A0B49A27FFAD48492210262171778 4996210 ----a-w- C:\Users\Admin\Downloads\FileZilla_3.8.1_win32-setup.exe2014-06-06 20:52:39 94E3A2D6251A35ED69DB3221329E8584 4181856 ----a-w- C:\Users\Admin\Desktop\tdsskiller.exe2014-06-05 23:50:51 4F6D5EACA52ECF078D90E814AE53EB7D 4686336 ----a-w- C:\Users\Admin\Desktop\RogueKiller.exe2014-06-05 23:27:51 2E0323A94915FAAB10A25F3BABF82584 157696 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\erunt\ERUNT.EXE2014-06-05 23:27:19 CA630DBADEB5B6101531F986ADFE46C9 1016261 ----a-w- C:\Users\Admin\Desktop\JRT.exe2014-06-05 23:15:40 42F24559E8C472F6FF745BB7C5465FB2 1333465 ----a-w- C:\Users\Admin\Desktop\AdwCleaner.exe2014-06-05 21:03:08 28A8279449BD2F7906F19146F87F33DD 1242704 ----a-w- C:\FRST\Quarantine\C\Users\Admin\AppData\Roaming\BitTorrent\updates\7.9.1_31141.exe2014-06-05 20:07:44 2A5C035308BCBFB8511D22FAA392C2E5 4176736 ----a-w- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6EHSO72T\tdsskiller.exe2014-06-05 19:03:25 99D69C3E87FE1556B76886F778480E2D 12589848 ----a-w- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZWLX58X\mbar-1.07.0.1009.exe2014-06-02 19:54:56 CFC758F31992B77D676B968B4961EA1A 2068992 ----a-w- C:\Users\Admin\Desktop\FRST64.exe2014-06-02 19:54:38 CFC758F31992B77D676B968B4961EA1A 2068992 ----a-w- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F4OYWPFC\FRST64.exe=== C: other files ==2014-06-05 23:27:51 DD1E4D974B1672ABD09EFFB225791C4A 1230 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\TDL4.bat2014-06-05 23:27:51 AD2F52DC72B10AF331692E4A4DD80DFC 18670 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\medfos.bat2014-06-05 23:27:51 A87CD1BAC46CAC0EEEDB571F07077032 8104 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\modules.bat2014-06-05 23:27:51 8E6020C14F982CF11B3FE7DBB0CB8EDE 24738 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\searchlnk.bat2014-06-05 23:27:51 86707BCE5CBB65D9B1C41E249B4423BA 152733 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\firefox.bat2014-06-05 23:27:51 83F691D8398F0E37E71E9355BF730DB9 719 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\ev_clear.bat2014-06-05 23:27:51 7D8282EB94B5D639B7378811C1924A8F 9516 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\runvalues.bat2014-06-05 23:27:51 654E9FE74B930A454EE5BDE165794B65 85 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\delorphans.bat2014-06-05 23:27:51 5B92615B0CEA08D6BA1217C08CBB1443 15919 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\get.bat2014-06-05 23:27:51 5B71358F97544D9DE58A9A0893079506 39458 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\prelim.bat2014-06-05 23:27:51 53B191266B30D57F2F835ABBF54C68C5 13963 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\chrome.bat2014-06-05 23:27:51 3BC04DEBBE9027060D51901133F60101 154678 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\misc.bat2014-06-05 23:27:51 38A0BDF322ACCC968B0A824C38D50157 29635 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\ask.bat2014-06-05 23:27:51 335DFF8F23E5EC02B5426362F0F8509B 31401 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\iexplore.bat2014-06-05 23:27:51 2F80D807DB405C8F6E0F3706B9FED710 10161 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\JRT.bat2014-06-05 23:27:51 0D08FBD2E6F6C6AC6A504712C4CE6CE3 1226 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\FWPolicy.bat2014-06-05 23:27:51 0C4649A62845AB5D5DBCC4998477FF6D 1813 ----a-w- C:\Users\Admin\AppData\Local\Temp\jrt\delfolders.bat2014-06-05 21:00:57 FA8A3EA2F3D2160DDF20CFA81613949B 101 ----a-w- C:\Users\Admin\AppData\Local\Temp\utt609D.tmp.bat2014-06-05 19:06:52 CD51E1D0D638F1E07A6EDC98CD7F5DDA 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys==== Startup Registry Enabled ======================[HKEY_USERS\S-1-5-21-1506617307-1634978489-513733805-1001\Software\Microsoft\Windows\CurrentVersion\Run]@="C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"StartCCC"="c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun""CLMLServer_For_P2G8"="c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe""CLVirtualDrive"="c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe /R""Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe""APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe""KiesTrayAgent"="C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe""RIMBBLaunchAgent.exe"="C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe""Wondershare Helper Compact.exe"="C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe""PSUAMain"="C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAMain.exe /LaunchSysTray""iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe""SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]@="C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe"==== Startup Registry Enabled x64 ======================[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"BeatsOSDApp"="C:\Program Files\IDT\WDM\beats64.exe""SysTrayApp"="C:\Program Files\IDT\WDM\sttray64.exe"==== Startup Folders ======================2013-04-24 18:47:50 1108 ----a-w- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk==== Task Scheduler Jobs ======================C:\WINDOWS\tasks\Adobe Flash Player Updater.job --a-------- C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-13 11:17 AM]C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job --a-------- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-28 12:49 AM]C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job --a-------- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-28 12:49 AM]C:\WINDOWS\tasks\HPCeeScheduleForAdmin.job --a-------- C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 10:15 PM]==== Other Scheduled Tasks ======================"C:\WINDOWS\SysNative\tasks\Adobe Flash Player Updater" [C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe]"C:\WINDOWS\SysNative\tasks\GoogleUpdateTaskMachineCore" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]"C:\WINDOWS\SysNative\tasks\GoogleUpdateTaskMachineUA" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]"C:\WINDOWS\SysNative\tasks\HPCeeScheduleForAdmin" [C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe]"C:\WINDOWS\SysNative\tasks\User_Feed_Synchronization-{95E9E0FD-F593-4FE9-8ADA-A78FA4982EB2}" [C:\WINDOWS\system32\msfeedssync.exe]"C:\WINDOWS\SysNative\tasks\Apple\AppleSoftwareUpdate" [C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe]==== Firefox Extensions Registry ======================[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]"{8D150B8F-EFE8-45a3-A4A3-053020F48FAC}"="C:\Program Files (x86)\Wondershare\Video Converter Ultimate\SVRFirefoxExt" [][HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]"{8D150B8F-EFE8-45a3-A4A3-053020F48FAC}"="C:\Program Files (x86)\Wondershare\Video Converter Ultimate\SVRFirefoxExt" []==== Firefox Extensions ======================ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vgw6qd4m.default- PSFactoryBuffer - %ProfilePath%\extensions\{10E08FEA-8F29-3E48-A61B-2A080C733898}AppDir: C:\Program Files (x86)\Mozilla Firefox- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}==== Firefox Plugins ======================Profilepath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vgw6qd4m.defaultA58DE0A570148AF5FF3512B2A340D09F - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll - Shockwave FlashE3B4EA121F7BDEB0F6366E2BA9608CB5 - C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll - Citrix Online Web Deployment Plugin 1.0.0.104==== Chrome Look ======================PSFactoryBuffer - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodlaGoogle Docs - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokakeGoogle Drive - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalfGoogle Voice Search Hotword (Beta) - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfnYouTube - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeoGoogle Search - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpfGoogle Wallet - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmiedaGmail - Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia==== Set IE to Default ======================Old Values:[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]"Start Page"="http://www.google.com/"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"New Values:[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]"Start Page"="http://www.google.com/"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"==== All HKCU SearchScopes ======================HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"{38D62C15-C926-42E0-825D-0F0DE98CD235} Unknown Url="Not_Found"{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"{D944BB61-2E34-4DBF-A683-47E505C587DC} Unknown Url="Not_Found"==== Deleting CLSID Registry Keys ======================HKEY_USERS\S-1-5-21-1506617307-1634978489-513733805-1001\Software\Microsoft\Internet Explorer\SearchScopes\{38D62C15-C926-42E0-825D-0F0DE98CD235} deleted successfullyHKEY_USERS\S-1-5-21-1506617307-1634978489-513733805-1001\Software\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully==== Deleting CLSID Registry Values ======================HKEY_USERS\S-1-5-21-1506617307-1634978489-513733805-1001\Software\Mozilla\Firefox\Extensions\{8D150B8F-EFE8-45a3-A4A3-053020F48FAC} deleted successfullyHKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\{8D150B8F-EFE8-45a3-A4A3-053020F48FAC} deleted successfully==== HijackThis Entries ======================F2 - REG:system.ini: UserInit=userinit.exe,O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dllO4 - HKLM\..\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [CLMLServer_For_P2G8] "c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe"O4 - HKLM\..\Run: [CLVirtualDrive] "c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" /RO4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"O4 - HKLM\..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exeO4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exeO4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exeO4 - HKLM\..\Run: [PSUAMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTrayO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"O4 - HKCU\..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exeO4 - Startup: Dropbox.lnk = Admin\AppData\Roaming\Dropbox\bin\Dropbox.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dllO11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphicsO16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/WBXclient-T29L10NSP2-23/event/ieatgpc1.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLLO18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dllO23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeO23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeO23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)O23 - Service: AMD External Events Utility - Unknown owner - C:\WINDOWS\system32\atiesrxx.exe (file missing)O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeO23 - Service: Blackberry Device Manager - Research In Motion Limited - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exeO23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exeO23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exeO23 - Service: HP Connected Remote Service (HPConnectedRemote) - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeO23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exeO23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\WINDOWS\system32\IEEtwCollector.exe (file missing)O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeO23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exeO23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUAService.exeO23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exeO23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exeO23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\WINDOWS\system32\UI0Detect.exe (file missing)O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)O23 - Service: wampstackApache - Apache Software Foundation - C:\BitNami\WAMPST~1.16-\apache2\bin\httpd.exeO23 - Service: wampstackMySQL - Unknown owner - C:\BitNami\wampstack-5.4.16-0\mysql\bin\mysqld.exeO23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)==== Empty IE Cache ======================C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfullyC:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully==== Empty FireFox Cache ======================C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vgw6qd4m.default\Cache emptied successfully==== Empty Chrome Cache ======================C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully==== Empty All Flash Cache ======================Flash Cache Emptied Successfully==== Empty All Java Cache ======================Java Cache cleared successfully==== C:\zoek_backup content ======================C:\zoek_backup (files=933 folders=73 202314006 bytes)==== Empty Temp Folders ======================C:\Users\Admin\AppData\Local\Temp will be emptied at rebootC:\Users\Default\AppData\Local\Temp emptied successfullyC:\Users\Default User\AppData\Local\Temp emptied successfullyC:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfullyC:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfullyC:\WINDOWS\Temp will be emptied at reboot==== After Reboot ========================== Empty Temp Folders ======================C:\WINDOWS\Temp successfully emptiedC:\Users\Admin\AppData\Local\Temp successfully emptied==== Empty Recycle Bin ======================C:\$RECYCLE.BIN successfully emptied==== EOF on 2014-06-07 at 18:16:53.86 ====================== Link to post Share on other sites More sharing options...
kevinf80 Posted June 8, 2014 ID:839079 Share Posted June 8, 2014 What is the current status, any remaining issues or concerns? Link to post Share on other sites More sharing options...
infectthis Posted June 8, 2014 Author ID:839217 Share Posted June 8, 2014 None thus far. It would seem all is well again. Do you see anything that would give you cause for concern? Is there a particular way I should remove the tools from desktop? And most importantly, thank you Kevin! Link to post Share on other sites More sharing options...
kevinf80 Posted June 8, 2014 ID:839262 Share Posted June 8, 2014 You`re very welcome, it was a pleasure to work with you. Run the following to clean up..... Download "Delfix by Xplode" and save it to your desktop. "Delfix link mirror" Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Activate UAC Remove disinfection tools Create registry backup Purge System Restore Reset system settings Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Part of the routine will be to create a registry back up with ERUNT, the back up will be created here: C:\Windows\ERUNT When all is known to be well with your system you can delete that back up folder if you consider it as not needed... Next, Read the following link to fully understand PC security and best practices, you may find it useful.... http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629 Let me know if we are ok to close out.... Kevin.. Link to post Share on other sites More sharing options...
infectthis Posted June 9, 2014 Author ID:839400 Share Posted June 9, 2014 Done and done. Thanks again for everything! Hope you don't take this wrong way, but I hope never to have to chat with yourself again! Link to post Share on other sites More sharing options...
kevinf80 Posted June 9, 2014 ID:839463 Share Posted June 9, 2014 Yep, sounds good to me. take care and surf safe... Kevin.... Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 18, 2014 Root Admin ID:842973 Share Posted June 18, 2014 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts