OK, the above tags are some of the folders contained within the bogus User folders, which all lead to a group of identical files that I suspect to be malicious.

Anyways, initially I had started searching for a way to remove some adware that continually reinstalls itself after removing it from Chrome extensions.

Later discovered that in IE11, the same extensions were greyed out and unable to be disabled, much less deleted.

Found the file location and tried to remove them this way, but it seems they're still lurking somewhere.

Whilst hunting for these I came across these suss user folders and their contents.

Tried to delete these and have come to realise I've probably made my job harder.

Tried uninstalling things but there wasn't a lot in the way of programs to remove.

Tried Malwarebytes as it came up frequently as supposedly being able to remove the adware I was dealing with.

Removed a bunch of other stuff, but not what I wanted gone, so here I am.

 

Found this post, and the admin had said at the end to start a new topic rather than post to the closed thread, but I think it's the same or at least a very similar problem.

 

https://forums.malwarebytes.org/index.php?/topic/148493-rogue-administrator-file-created-has-comodo-etc-and-malware-not-catching-these-in-scan-or/page-5

 

Saved FRST to desktop

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014
Ran by Glenn (administrator) on RHI-PC on 14-08-2014 01:00:49
Running from C:\Users\Glenn\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PIconStartup.exe [111640 2010-05-21] ()
HKLM-x32\...\Run: [soundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2011-01-25] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\S-1-5-21-2707335387-3578575701-2918986647-1000\...\MountPoints2: {dfa39483-9872-11e3-b0fa-0023aea2da75} - F:\RNDISInst.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
SearchScopes: HKLM-x32 - DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = 
SearchScopes: HKCU - DefaultScope {37B7FE30-A1AF-4E33-9D73-D90044FF5459} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {37B7FE30-A1AF-4E33-9D73-D90044FF5459} URL = https://www.google.com/search?q={searchTerms}
BHO: SSearch-NewTaB -> {16F753B1-81A0-BBBD-EA60-BF0A1403B76C} -> C:\Program Files (x86)\SSearch-NewTaB\KcqDa2.x64.dll No File
BHO: sAvvE on -> {218BE2AE-7578-8877-2150-42EA09F63CBD} -> C:\Program Files (x86)\sAvvE on\ZEo2rkZoy.x64.dll No File
BHO: save on -> {7986BAA2-7123-C303-7817-BA93BEF4BA79} -> C:\Program Files (x86)\save on\87pf5TWqV.x64.dll No File
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: savve, oN -> {EA9F5528-1C5E-B3D3-0C2B-97BFB4633174} -> C:\Program Files (x86)\savve, oN\3oR_.x64.dll No File
BHO-x32: SSearch-NewTaB -> {16F753B1-81A0-BBBD-EA60-BF0A1403B76C} -> C:\Program Files (x86)\SSearch-NewTaB\KcqDa2.dll No File
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: sAvvE on -> {218BE2AE-7578-8877-2150-42EA09F63CBD} -> C:\Program Files (x86)\sAvvE on\ZEo2rkZoy.dll No File
BHO-x32: save on -> {7986BAA2-7123-C303-7817-BA93BEF4BA79} -> C:\Program Files (x86)\save on\87pf5TWqV.dll No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: savve, oN -> {EA9F5528-1C5E-B3D3-0C2B-97BFB4633174} -> C:\Program Files (x86)\savve, oN\3oR_.dll No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: 
CHR StartupUrls: ""
CHR DefaultSearchKeyword: google.com.au
CHR Extension: (Google Docs) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-21]
CHR Extension: (Google Drive) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-21]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-16]
CHR Extension: (YouTube) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-21]
CHR Extension: (Adblock Plus) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-08-13]
CHR Extension: (Google Search) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-21]
CHR Extension: (sAvvE on) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaccnolnbmkjehlifbnfdfkhmfjoiael [2014-06-16]
CHR Extension: (sAve on) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nijnbakhngcnadiccocmdaaenelcjaha [2014-06-16]
CHR Extension: (Google Wallet) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-21]
CHR Extension: (Gmail) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-21]
CHR Extension: (sAvvE on) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaccnolnbmkjehlifbnfdfkhmfjoiael\2.14 [2014-06-16]
CHR Extension: (sAve on) - C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nijnbakhngcnadiccocmdaaenelcjaha\2.14 [2014-06-16]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [174616 2010-05-21] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 UNS; C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2071064 2010-05-21] (Intel Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k60x64.sys [220672 2009-06-11] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-08-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-14 01:00 - 2014-08-14 01:01 - 00011143 _____ () C:\Users\Glenn\Desktop\FRST.txt
2014-08-14 01:00 - 2014-08-14 01:00 - 00000000 ____D () C:\FRST
2014-08-14 00:52 - 2014-08-14 00:53 - 02100224 _____ (Farbar) C:\Users\Glenn\Desktop\FRST64.exe
2014-08-14 00:48 - 2014-08-14 00:48 - 00518712 _____ () C:\Windows\Minidump\081414-17799-01.dmp
2014-08-14 00:00 - 2014-08-14 00:00 - 00562744 _____ () C:\Windows\Minidump\081414-16660-01.dmp
2014-08-13 23:23 - 2014-08-13 23:23 - 00000720 _____ () C:\Users\Glenn\Documents\error report.txt
2014-08-13 23:20 - 2014-08-13 23:20 - 00565616 _____ () C:\Windows\Minidump\081314-17409-01.dmp
2014-08-13 21:52 - 2014-08-14 00:49 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 21:51 - 2014-08-13 21:51 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 21:51 - 2014-08-13 21:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 21:51 - 2014-08-13 21:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 21:51 - 2014-08-13 21:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 21:51 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 21:51 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 21:51 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 21:47 - 2014-08-13 21:47 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Glenn\Downloads\mbam-setup-2.0.2.1012.exe
2014-08-13 15:02 - 2014-08-13 15:02 - 00556576 _____ () C:\Windows\Minidump\081314-23758-01.dmp
2014-08-11 02:37 - 2014-08-11 02:37 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-08-08 17:02 - 2014-08-08 17:02 - 00562168 _____ () C:\Windows\Minidump\080814-20482-01.dmp
2014-08-08 16:22 - 2014-08-08 16:22 - 00580384 _____ () C:\Windows\Minidump\080814-43883-01.dmp
2014-08-08 13:17 - 2014-08-08 13:17 - 00547344 _____ () C:\Windows\Minidump\080814-18423-01.dmp
2014-08-08 12:55 - 2014-08-08 12:55 - 00553008 _____ () C:\Windows\Minidump\080814-23322-01.dmp
2014-07-31 10:23 - 2014-07-31 10:23 - 00570032 _____ () C:\Windows\Minidump\073114-19890-01.dmp
2014-07-31 08:57 - 2014-07-31 09:01 - 00005423 _____ () C:\Users\Glenn\Downloads\zrt_lookup.html
2014-07-31 08:43 - 2014-07-31 08:43 - 00548280 _____ () C:\Windows\Minidump\073114-20280-01.dmp
2014-07-26 17:45 - 2014-07-26 18:39 - 00000000 ____D () C:\Users\Glenn\Downloads\The.Internship.2013.UNRATED.x264.DTS-WAF
2014-07-21 18:05 - 2014-07-21 18:05 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-07-21 18:01 - 2014-07-21 18:01 - 00572800 _____ () C:\Windows\Minidump\072114-16738-01.dmp
2014-07-21 17:28 - 2014-07-21 17:28 - 00575088 _____ () C:\Windows\Minidump\072114-37237-01.dmp
2014-07-21 17:22 - 2014-07-21 19:05 - 00000000 ____D () C:\Users\Glenn\Downloads\PANTERA 3 Vulgar Videos From Hell (Big Papi) MP4 1999
2014-07-21 17:15 - 2014-07-21 17:17 - 00000000 ____D () C:\Users\Glenn\Downloads\Last.Vegas.2013.BRRip.XviD-RARBG
2014-07-21 13:21 - 2014-06-30 10:09 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-07-21 13:21 - 2014-06-30 10:04 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-07-21 13:21 - 2014-06-18 10:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-07-21 13:21 - 2014-06-18 09:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2014-07-21 13:21 - 2014-06-18 09:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-07-21 13:21 - 2014-06-06 18:10 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-07-21 13:21 - 2014-06-06 17:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-07-21 13:21 - 2014-05-30 16:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-07-21 13:21 - 2014-05-30 15:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-07-21 13:21 - 2014-05-30 14:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-07-21 13:18 - 2014-06-05 22:45 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-07-21 13:18 - 2014-06-05 22:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-07-21 13:18 - 2014-06-05 22:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-07-16 14:45 - 2014-07-16 14:45 - 00000000 __SHD () C:\Users\Glenn\AppData\Local\EmieUserList
2014-07-16 14:45 - 2014-07-16 14:45 - 00000000 __SHD () C:\Users\Glenn\AppData\Local\EmieSiteList
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-14 01:01 - 2014-08-14 01:00 - 00011143 _____ () C:\Users\Glenn\Desktop\FRST.txt
2014-08-14 01:00 - 2014-08-14 01:00 - 00000000 ____D () C:\FRST
2014-08-14 00:57 - 2014-03-21 15:20 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-14 00:55 - 2009-07-14 12:45 - 00021088 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-14 00:55 - 2009-07-14 12:45 - 00021088 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-14 00:53 - 2014-08-14 00:52 - 02100224 _____ (Farbar) C:\Users\Glenn\Desktop\FRST64.exe
2014-08-14 00:53 - 2009-07-14 13:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-14 00:51 - 2014-02-15 09:58 - 01952533 _____ () C:\Windows\WindowsUpdate.log
2014-08-14 00:49 - 2014-08-13 21:52 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-14 00:49 - 2014-03-21 15:20 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-14 00:48 - 2014-08-14 00:48 - 00518712 _____ () C:\Windows\Minidump\081414-17799-01.dmp
2014-08-14 00:48 - 2014-03-21 16:43 - 344371915 _____ () C:\Windows\MEMORY.DMP
2014-08-14 00:48 - 2014-03-21 16:43 - 00000000 ____D () C:\Windows\Minidump
2014-08-14 00:48 - 2009-07-14 13:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-14 00:48 - 2009-07-14 12:51 - 00039567 _____ () C:\Windows\setupact.log
2014-08-14 00:21 - 2014-02-20 18:21 - 00000292 _____ () C:\Windows\Tasks\UpdaterEX.job
2014-08-14 00:13 - 2014-02-24 21:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-14 00:00 - 2014-08-14 00:00 - 00562744 _____ () C:\Windows\Minidump\081414-16660-01.dmp
2014-08-14 00:00 - 2010-11-21 11:47 - 00040820 _____ () C:\Windows\PFRO.log
2014-08-13 23:23 - 2014-08-13 23:23 - 00000720 _____ () C:\Users\Glenn\Documents\error report.txt
2014-08-13 23:20 - 2014-08-13 23:20 - 00565616 _____ () C:\Windows\Minidump\081314-17409-01.dmp
2014-08-13 22:01 - 2014-06-16 16:45 - 00000000 ____D () C:\ProgramData\savve, oN
2014-08-13 22:01 - 2014-06-16 16:36 - 00000000 ____D () C:\ProgramData\SSearch-NewTaB
2014-08-13 22:01 - 2014-02-20 18:21 - 00000000 ____D () C:\Users\Glenn\AppData\Roaming\UpdaterEX
2014-08-13 21:51 - 2014-08-13 21:51 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 21:51 - 2014-08-13 21:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 21:51 - 2014-08-13 21:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 21:51 - 2014-08-13 21:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 21:47 - 2014-08-13 21:47 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Glenn\Downloads\mbam-setup-2.0.2.1012.exe
2014-08-13 15:02 - 2014-08-13 15:02 - 00556576 _____ () C:\Windows\Minidump\081314-23758-01.dmp
2014-08-12 00:48 - 2014-02-20 18:37 - 00000000 ____D () C:\Users\Glenn\AppData\Roaming\vlc
2014-08-11 02:37 - 2014-08-11 02:37 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-08-08 17:02 - 2014-08-08 17:02 - 00562168 _____ () C:\Windows\Minidump\080814-20482-01.dmp
2014-08-08 16:22 - 2014-08-08 16:22 - 00580384 _____ () C:\Windows\Minidump\080814-43883-01.dmp
2014-08-08 13:17 - 2014-08-08 13:17 - 00547344 _____ () C:\Windows\Minidump\080814-18423-01.dmp
2014-08-08 12:55 - 2014-08-08 12:55 - 00553008 _____ () C:\Windows\Minidump\080814-23322-01.dmp
2014-07-31 10:23 - 2014-07-31 10:23 - 00570032 _____ () C:\Windows\Minidump\073114-19890-01.dmp
2014-07-31 09:01 - 2014-07-31 08:57 - 00005423 _____ () C:\Users\Glenn\Downloads\zrt_lookup.html
2014-07-31 08:43 - 2014-07-31 08:43 - 00548280 _____ () C:\Windows\Minidump\073114-20280-01.dmp
2014-07-31 07:46 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-07-28 22:58 - 2014-03-21 15:40 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-28 22:58 - 2014-03-21 15:40 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-07-27 00:36 - 2014-03-21 15:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-07-27 00:35 - 2014-06-16 15:54 - 00000000 ____D () C:\Users\Glenn\AppData\Roaming\uTorrent
2014-07-26 19:09 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\rescache
2014-07-26 18:39 - 2014-07-26 17:45 - 00000000 ____D () C:\Users\Glenn\Downloads\The.Internship.2013.UNRATED.x264.DTS-WAF
2014-07-22 09:07 - 2009-07-14 12:45 - 00417416 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-07-22 09:05 - 2014-06-06 19:49 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-07-22 09:05 - 2010-11-21 15:17 - 00000000 ____D () C:\Program Files\Windows Journal
2014-07-22 09:05 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2014-07-22 09:05 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\system32\Dism
2014-07-21 23:17 - 2014-04-16 10:50 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-07-21 19:05 - 2014-07-21 17:22 - 00000000 ____D () C:\Users\Glenn\Downloads\PANTERA 3 Vulgar Videos From Hell (Big Papi) MP4 1999
2014-07-21 18:05 - 2014-07-21 18:05 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-07-21 18:01 - 2014-07-21 18:01 - 00572800 _____ () C:\Windows\Minidump\072114-16738-01.dmp
2014-07-21 17:28 - 2014-07-21 17:28 - 00575088 _____ () C:\Windows\Minidump\072114-37237-01.dmp
2014-07-21 17:17 - 2014-07-21 17:15 - 00000000 ____D () C:\Users\Glenn\Downloads\Last.Vegas.2013.BRRip.XviD-RARBG
2014-07-21 14:22 - 2014-02-20 18:22 - 00000119 _____ () C:\Users\Glenn\AppData\Roaming\WB.CFG
2014-07-21 13:13 - 2014-02-24 21:25 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-07-21 13:13 - 2014-02-24 21:25 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-07-21 13:13 - 2014-02-24 21:25 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-07-16 14:45 - 2014-07-16 14:45 - 00000000 __SHD () C:\Users\Glenn\AppData\Local\EmieUserList
2014-07-16 14:45 - 2014-07-16 14:45 - 00000000 __SHD () C:\Users\Glenn\AppData\Local\EmieSiteList
 
Some content of TEMP:
====================
C:\Users\Glenn\AppData\Local\Temp\ose00000.exe
C:\Users\Glenn\AppData\Local\Temp\Sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-08-07 23:07
 
==================== End Of Log ============================
 
Addition:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-08-2014
Ran by Glenn at 2014-08-14 01:01:18
Running from C:\Users\Glenn\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKCU\...\uTorrent) (Version: 3.4.2.32126 - BitTorrent Inc.)
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader 9.5.0 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.0 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{EE6097DD-05F4-4178-9719-D3170BF098E8}) (Version: 1.4.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{E5C95CA5-4565-4B9D-97ED-05088D775614}) (Version: 3.3.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C41300B9-185D-475E-BFEC-39EF732F19B1}) (Version: 2.1.2.120 - Apple Inc.)
Bonjour (HKLM\...\{E4F5E48E-7155-4CF9-88CD-7F377EC9AC54}) (Version: 2.0.4.0 - Apple Inc.)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5C78021E-3C8E-4EDF-97EA-E9B8D808FD6D}) (Version:  - Microsoft)
Dell Resource CD (HKLM-x32\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.00.0000 - Dell Inc.)
DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version:  - DVD Shrink)
Extended Update (HKCU\...\UpdaterEX) (Version:  - Extended Update) <==== ATTENTION
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 35.0.1916.114 - Google Inc.)
Google Update Helper (x32 Version: 1.3.24.7 - Google Inc.) Hidden
Intel® Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel® Active Management Technology (HKLM\...\MESOL) (Version:  - Intel Corporation)
iTunes (HKLM\...\{77B8B4A5-EE79-4907-A318-2DA86325B8D7}) (Version: 10.1.2.17 - Apple Inc.)
JB Hi-Fi NOW Video (HKCU\...\4049441117.video.jbhifi.com.au) (Version:  - video.jbhifi.com.au)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
QuickTime (HKLM-x32\...\{57752979-A1C9-4C02-856B-FBB27AC4E02C}) (Version: 7.69.80.9 - Apple Inc.)
Ralink RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.26.0 - Ralink)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version:  - Microsoft) Hidden
SoundMAX (HKLM-x32\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.2.7250 - Analog Devices)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version:  - Microsoft)
Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4ACD847E-547D-493F-9A86-F73EAE1B5174}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F1A20C69-9FE5-40FD-9CD5-84EABC2EF64A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{334FB202-28D7-4BA4-8BC9-4FE4AB233EA0}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B0D672F7-883E-4279-8E75-D97A5445AB46}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B0DB9F71-E0F7-4FE6-8925-35B860CAC0C4}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{C0BDC1DE-C35E-422B-8CBD-C1D555468720}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{089DBFD7-8211-43B2-AAAE-5BDD8C23E3A8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{794A0574-4E2F-4D58-B2A0-D7460ACDC85C}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version:  - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{7B29D8B8-6A87-496C-A65E-B935E740448A}) (Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{38CF30E4-3348-4BD1-A859-B630C355A56F}) (Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B9B89E01-5B6B-4F73-BC34-B2C0D8ACB4CD}) (Version:  - Microsoft)
VLC media player 2.1.1 (HKLM-x32\...\VLC media player) (Version: 2.1.1 - VideoLAN)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
16-06-2014 14:45:13 Windows Update
17-06-2014 10:09:22 Windows Update
04-07-2014 18:42:47 Windows Update
21-07-2014 05:18:48 Windows Update
21-07-2014 15:14:07 Windows Update
25-07-2014 13:22:38 Windows Update
26-07-2014 16:35:12 Windows Update
30-07-2014 14:50:11 Windows Update
07-08-2014 15:16:07 Windows Update
13-08-2014 01:49:26 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 10:34 - 2009-06-11 05:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {2B71D762-77DC-4DB0-AE88-451FDA7D521C} - System32\Tasks\UpdaterEX => C:\Users\Glenn\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {3FEAA9E6-F035-4CF7-A591-DA199125B34A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {9664631B-1899-4DC0-90AD-85032A988A9A} - System32\Tasks\Games\UpdateCheck_S-1-5-21-2707335387-3578575701-2918986647-1000
Task: {9749C3D0-4CF2-4665-A859-CB6CC5F213D0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {D4503B26-078A-46A0-8DB5-246EF5697434} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-21] (Adobe Systems Incorporated)
Task: {D4BC3C22-12BC-4A28-817B-EE118BCB0001} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2009-10-22] (Apple Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Glenn\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
 
==================== Loaded Modules (whitelisted) =============
 
2010-11-17 13:16 - 2010-11-17 13:16 - 00067872 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-14 18:09 - 2010-05-21 13:14 - 00077824 _____ () C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\DTMessageLib.dll
2014-06-04 12:29 - 2014-05-14 07:40 - 00716616 _____ () C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\libglesv2.dll
2014-06-04 12:29 - 2014-05-14 07:40 - 00126280 _____ () C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\libegl.dll
2014-06-04 12:29 - 2014-05-14 07:40 - 04217672 _____ () C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\pdf.dll
2014-06-04 12:29 - 2014-05-14 07:40 - 00414536 _____ () C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\ppGoogleNaClPluginChrome.dll
2014-06-04 12:29 - 2014-05-14 07:40 - 01732424 _____ () C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\ffmpegsumo.dll
2014-07-21 17:01 - 2014-07-08 08:18 - 14663856 _____ () C:\Users\Glenn\AppData\Local\Google\Chrome\User Data\PepperFlash\14.0.0.145\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/14/2014 00:49:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/14/2014 00:02:24 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 11:30:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 11:22:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 10:04:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 08:56:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 07:58:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 03:04:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 01:45:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 09:49:11 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: WSARecvMsg failed (10038)
 
 
System errors:
=============
Error: (08/14/2014 00:50:34 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: 
%%2
 
Error: (08/14/2014 00:48:14 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000116 (0xfffffa8005bed4e0, 0xfffff8800403acb0, 0x0000000000000000, 0x0000000000000002)C:\Windows\MEMORY.DMP081414-17799-01
 
Error: (08/14/2014 00:48:09 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 12:46:35 AM on 8/14/2014 was unexpected.
 
Error: (08/14/2014 00:03:04 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: 
%%2
 
Error: (08/14/2014 00:00:43 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000116 (0xfffffa8003fe9010, 0xfffff88004025cb0, 0x0000000000000000, 0x0000000000000002)C:\Windows\MEMORY.DMP081414-16660-01
 
Error: (08/14/2014 00:00:40 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:58:40 PM on 8/13/2014 was unexpected.
 
Error: (08/13/2014 11:31:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: 
%%2
 
Error: (08/13/2014 11:22:00 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/13/2014 11:21:47 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (08/13/2014 11:21:47 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
 
Microsoft Office Sessions:
=========================
Error: (08/14/2014 00:49:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/14/2014 00:02:24 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 11:30:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 11:22:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 10:04:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 08:56:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 07:58:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 03:04:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 01:45:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/13/2014 09:49:11 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: WSARecvMsg failed (10038)
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core2 Duo CPU E7400 @ 2.80GHz
Percentage of memory in use: 58%
Total physical RAM: 3931.61 MB
Available physical RAM: 1614.91 MB
Total Pagefile: 7861.4 MB
Available Pagefile: 5324.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:148.91 GB) (Free:102.91 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: 73C473C4)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
Hope this helps
Cheers
 
Riddz
 

UPDATE

 

Ok, so I've managed to stop the adware popping up after showing hidden folders and going through User's App Data etc, following path and removing what I believed to be the malicious files, but I'm concerned that it's still listed as being in C:\Program Files (x86) by IE's add on manager. I use Chrome anyway, but surely my concern is valid?

I've virtually made this up as I've gone along and have very little tech knowhow, so would be massively appreciated if somebody could review the diagnostics above and explain to me if there are any other perhaps dormant issues, as the computer has also been resetting seemingly at random, and it took me a hell of a long time to just get OP up.

 

Thanks again! any help would be massively appreciated, I'm quite anxious as it feels like a false sense of security; more like I've merely stemmed the bleeding but not yet stitched the wound.


Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
Do not paste the logs in your posts, attachments make my work easier. There is an Attach Files option below which you can use to attach your reports. Always attach reports from all tools.
Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
Note that we may live in totally different time zones, which may cause some delays between answers.
Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

P2P/Piracy Warning:

  • If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
  • Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
First, go and remove Extended Update from Control Panel.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

  • First of all, select Update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.
  • Please include the contents of that file in your reply.

fixlist.txt


Hey THE cheers for getting back to me,

Only just seen your reply, haven't really had time to check lately, but seems things have gotten worse behind the scenes.

Malwarebytes has stopped launching. Uninstalled it, and then during re-installation the following error messages appeared.

 

Internal error: Expression error 'Runtime Error (at 79:177): External exception E06D7363
 
Runtime Error (at 69:252): External exception E06D7363.
 
Internal error: Expression error 'Runtime error (at 45:89): External exception E06D7363
 
Extended Update was uninstalled
Fixlog was run,
 
had to skip malware scan, downloaded and ran AdwCleaner which found a heap of stuff I thought was already deleted.
 
Files attached as requested. Only posted full logs earlier as that's what I'd seen done in the linked thread from op.
 
Hope this is useful and that I've successfully followed the instructions correctly. I have saved all this to the desktop for easy access and to ensure the same location etc.

Fixlog.txt

AdwCleanerS0.txt


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
