Jump to content

Recommended Posts

I first noticed the issue about a month ago after I installed the beta for "Strife" and then noticed something much bigger was going on about a week ago after I uninstalled it. The instances of dllhost.exe is enough to cause a blue screen or push the "CPU Usage" on the task manager to 100% constantly but they go away when the WiFi is off. I moved most of my files (tax records, pictures, etc.) to removable hard drives. I would appreciate any assistance I have not had a virus since 2001 and whatever is wrong is undetectable by Avira, Norton cleaner or whatever it is called and Malwarebytes.

 

Thank you!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-10-2014 01
Ran by Derp (administrator) on NETWORK-BACKUP on 06-10-2014 18:21:52
Running from C:\Users\Derp\Desktop
Loaded Profile: Derp (Available profiles: Derp)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Windows\System32\GFNEXSrv.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
(Chris Pietschmann (http://pietschsoft.com)) C:\Program Files (x86)\Virtual Router\VirtualRouterService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TECO\TecoService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TECO\Teco.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(InterVideo) C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [566696 2011-03-02] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [967544 2011-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11775592 2011-01-12] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2186856 2011-01-10] (Realtek Semiconductor)
HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1544104 2011-04-07] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710040 2010-12-08] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [711576 2011-04-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597928 2011-03-04] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38304 2011-03-30] (TOSHIBA Corporation)
HKLM\...\Run: [itype] => c:\Program Files\Microsoft IntelliType Pro\itype.exe [1873256 2011-08-10] (Microsoft Corporation)
HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-04-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [252792 2010-06-04] (TOSHIBA)
HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294712 2010-11-29] (TOSHIBA Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] => C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe [3218792 2010-08-17] (Toshiba)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-1020647697-4144810973-723673556-1000\...\Run: [GoogleChromeAutoLaunch_A6ACDD3A2DEDDF84FDD4A98DD16E7437] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [852808 2014-09-22] (Google Inc.)
HKU\S-1-5-21-1020647697-4144810973-723673556-1000\...\Run: [Google Update] => C:\Users\Derp\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-01-08] (Google Inc.)
HKU\S-1-5-21-1020647697-4144810973-723673556-1000\...\MountPoints2: {50eba8fd-ce5c-11e1-a57f-3860775f460a} - E:\TL_Bootstrap.exe
HKU\S-1-5-21-1020647697-4144810973-723673556-1000\...\MountPoints2: {5d1d4cd5-47fe-11e1-a574-3860775f460a} - E:\LaunchU3.exe -a
HKU\S-1-5-21-1020647697-4144810973-723673556-1000\...\MountPoints2: {8a34c394-3d3c-11e3-a176-3860775f460a} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-1020647697-4144810973-723673556-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Derp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://employees.www.uprr.com/emp/index.shtml
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com/g/
SearchScopes: HKLM - DefaultScope {3C28E7DA-2BEC-4D34-A403-579D495755C6} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {3C28E7DA-2BEC-4D34-A403-579D495755C6} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKLM-x32 - DefaultScope {3876FAFB-CE22-4D91-A662-47D00D6CB1CB} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {3876FAFB-CE22-4D91-A662-47D00D6CB1CB} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKCU - DefaultScope {2CCA942A-0C99-4880-BD73-A1FCFF84D644} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKCU - {26CB93F9-426C-4D7E-B414-95BACC3E341B} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF_enUS459
SearchScopes: HKCU - {2CCA942A-0C99-4880-BD73-A1FCFF84D644} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKCU - {3876FAFB-CE22-4D91-A662-47D00D6CB1CB} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKCU - {3C28E7DA-2BEC-4D34-A403-579D495755C6} URL =
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {037790A6-1576-11D6-903D-00105AABADD3} https://www.montanarail.com/newbz/controls/sglw2hcm.ocx
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1

FireFox:
========
FF ProfilePath: C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default
FF Homepage: https://www.google.com/
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=714647&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin -> C:\Users\Derp\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin -> C:\Users\Derp\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\Derp\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\Derp\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Derp\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Derp\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF SearchPlugin: C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\searchplugins\imdb.xml
FF SearchPlugin: C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\searchplugins\urban-dictionary.xml
FF SearchPlugin: C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\searchplugins\yahoo_ff.xml
FF SearchPlugin: C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\searchplugins\youtube-video-search.xml
FF Extension: Avira Browser Safety - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\abs@avira.com [2014-09-30]
FF Extension: LavaFox V2-Blue - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\djziggy@gmail.com [2014-09-23]
FF Extension: LavaFox V2 - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\info@djzig.com [2014-09-20]
FF Extension: BlackFox V2-Blue - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\zigboom.designs@gmail.com [2014-09-20]
FF Extension: Flashblock - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2013-04-25]
FF Extension: PitchDark - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\{c1dffba0-628e-11d9-9669-0800200c9a66} [2013-07-20]
FF Extension: DivX Web Player - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\DivXWebPlayer@divx.com.xpi [2012-09-08]
FF Extension: NoScript - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-11-09]
FF Extension: Greasemonkey - C:\Users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2013-11-05]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-09-24]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-09-24]

Chrome:
=======
CHR DefaultSearchURL: Default -> https://mail.google.com/mail/?extsrc=mailto&url=%s
CHR Profile: C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-26]
CHR Extension: (YouTube) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-19]
CHR Extension: (Google Cast) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2014-01-09]
CHR Extension: (Useful Periodic Table) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\chachkegffmilnmdlonllkhkfkakghie [2014-02-13]
CHR Extension: (Entanglement) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmnpffgfpcohhpoddjankjanolcekbni [2014-02-13]
CHR Extension: (Google Search) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-19]
CHR Extension: (core) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcoojmkkmhoffbpikgbfljmbbhdpjjcc [2014-02-13]
CHR Extension: (Avira Browser Safety) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-09-23]
CHR Extension: (Pixlr Express) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\hojmjpdlmjopaeginhldhiokeidchjid [2014-07-23]
CHR Extension: (German Flashcards) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijecamokjmiajijbajfnlbkfknpplkdf [2014-02-13]
CHR Extension: (Little Alchemy) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\knkapnclbofjjgicpkfoagdjohlfjhpd [2014-02-13]
CHR Extension: (Skype Click to Call) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2012-05-04]
CHR Extension: (Hangouts) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-01-08]
CHR Extension: (Google Wallet) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Scientific Calculator) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\npoipmeppdioagbkigdlnpmjphnolaog [2014-02-13]
CHR Extension: (Coding the Web) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbinfbikhndabcdlabpcbhggkcdakgfg [2014-02-13]
CHR Extension: (Late Night) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgbdhkpacgdhfabeceekiafonfkipohm [2011-11-22]
CHR Extension: (Gmail) - C:\Users\Derp\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-19]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GFNEXSrv; C:\Windows\System32\GFNEXSrv.exe [162824 2010-09-09] ()
R2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [126392 2011-02-03] (Symantec Corporation)
R2 Virtual Router; C:\Program Files (x86)\Virtual Router\VirtualRouterService.exe [12288 2013-02-10] (Chris Pietschmann (http://pietschsoft.com)) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 BtHidBus; C:\Windows\System32\Drivers\BtHidBus.sys [24840 2009-08-26] (IVT Corporation.)
S3 btnetBUs; C:\Windows\System32\Drivers\btnetBus.sys [34440 2009-08-26] ()
S3 IvtBtBUs; C:\Windows\System32\Drivers\IvtBtBus.sys [30344 2009-08-26] (IVT Corporation.)
R3 RTWlanE; C:\Windows\System32\DRIVERS\rtwlane.sys [1514568 2013-05-02] (Realtek Semiconductor Corporation                           )
S3 vzandnetadb; C:\Windows\System32\Drivers\lgvzandnetadb.sys [31744 2011-08-03] (Google Inc)
S3 vzandnetdiag; C:\Windows\System32\DRIVERS\lgvzandnetdiag64.sys [29696 2011-08-03] (LG Electronics Inc.)
S3 vzandnetdiag2; C:\Windows\System32\DRIVERS\lgvzandnetdiag264.sys [29696 2011-08-03] (LG Electronics Inc.)
S3 vzandnetmodem; C:\Windows\System32\DRIVERS\lgvzandnetmdm64.sys [36864 2011-08-03] (LG Electronics Inc.)
S3 vzandnetndis; C:\Windows\System32\DRIVERS\lgvzandnetndis64.sys [90624 2011-08-03] (LG Electronics Inc.)
S3 BT; system32\DRIVERS\btnetdrv.sys [X]
S3 Btcsrusb; System32\Drivers\btcusb.sys [X]
S3 easytether; system32\DRIVERS\easytthr.sys [X]
S3 TDEIO; \??\C:\Windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [X]
S3 VComm; system32\DRIVERS\VComm.sys [X]
S3 VcommMgr; System32\Drivers\VcommMgr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-06 18:21 - 2014-10-06 18:22 - 00024134 _____ () C:\Users\Derp\Desktop\FRST.txt
2014-10-06 18:21 - 2014-10-06 18:21 - 00000000 ____D () C:\FRST
2014-10-06 18:18 - 2014-10-06 18:18 - 02109952 _____ (Farbar) C:\Users\Derp\Desktop\FRST64.exe
2014-10-05 01:03 - 2014-10-05 01:04 - 00642296 _____ () C:\windows\Minidump\100514-60512-01.dmp
2014-10-04 13:23 - 2014-10-04 13:23 - 01701056 _____ () C:\windows\Minidump\100414-45068-01.dmp
2014-10-04 03:32 - 2014-10-04 03:32 - 00373824 _____ () C:\windows\Minidump\100414-44912-01.dmp
2014-10-03 09:00 - 2014-10-03 09:00 - 00508056 _____ () C:\windows\Minidump\100314-50700-01.dmp
2014-10-03 02:06 - 2014-10-03 02:06 - 00373848 _____ () C:\windows\Minidump\100314-47502-01.dmp
2014-10-03 01:43 - 2014-10-03 01:43 - 00911904 _____ () C:\windows\Minidump\100314-57205-01.dmp
2014-10-03 00:57 - 2014-10-06 13:52 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-03 00:55 - 2014-10-03 00:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-03 00:55 - 2014-10-03 00:55 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-03 00:55 - 2014-10-03 00:55 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-03 00:55 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-10-03 00:55 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2014-10-03 00:55 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2014-10-03 00:28 - 2014-10-03 00:29 - 00000000 ____D () C:\NPE
2014-10-03 00:23 - 2014-10-03 00:34 - 00000000 ____D () C:\Users\Derp\AppData\Local\NPE
2014-10-02 12:21 - 2014-10-02 12:21 - 01447632 _____ () C:\windows\Minidump\100214-51636-01.dmp
2014-10-02 11:52 - 2014-10-02 11:52 - 00910776 _____ () C:\windows\Minidump\100214-43929-01.dmp
2014-10-02 05:41 - 2014-10-05 01:03 - 00000000 ____D () C:\windows\Minidump
2014-10-02 05:41 - 2014-10-02 05:41 - 01701056 _____ () C:\windows\Minidump\100214-46550-01.dmp
2014-10-02 05:40 - 2014-10-05 01:03 - 489135346 _____ () C:\windows\MEMORY.DMP
2014-10-01 13:53 - 2014-10-01 13:53 - 00003302 _____ () C:\windows\System32\Tasks\{76975F91-715E-4890-B65C-8F1D17D4F75F}
2014-10-01 00:11 - 2014-09-24 20:08 - 00371712 _____ (Microsoft Corporation) C:\windows\system32\qdvd.dll
2014-10-01 00:11 - 2014-09-24 19:40 - 00519680 _____ (Microsoft Corporation) C:\windows\SysWOW64\qdvd.dll
2014-09-24 23:56 - 2014-09-24 23:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-09-23 11:19 - 2014-09-09 16:11 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2014-09-23 11:19 - 2014-09-09 15:47 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2014-09-12 03:10 - 2014-08-19 12:05 - 00374968 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-09-12 03:10 - 2014-08-19 11:39 - 00327872 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-09-12 03:10 - 2014-08-18 17:01 - 23591424 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-09-12 03:10 - 2014-08-18 16:29 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-09-12 03:10 - 2014-08-18 16:29 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-09-12 03:10 - 2014-08-18 16:26 - 17455104 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-09-12 03:10 - 2014-08-18 16:20 - 02793984 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-09-12 03:10 - 2014-08-18 16:19 - 05833728 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-09-12 03:10 - 2014-08-18 16:15 - 00547328 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-09-12 03:10 - 2014-08-18 16:15 - 00066048 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-09-12 03:10 - 2014-08-18 16:14 - 00083968 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-09-12 03:10 - 2014-08-18 16:14 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-09-12 03:10 - 2014-08-18 16:08 - 04232704 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-09-12 03:10 - 2014-08-18 16:08 - 00051200 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-09-12 03:10 - 2014-08-18 16:08 - 00033792 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-09-12 03:10 - 2014-08-18 16:05 - 00596480 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-09-12 03:10 - 2014-08-18 16:03 - 00758272 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-09-12 03:10 - 2014-08-18 16:03 - 00139264 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-09-12 03:10 - 2014-08-18 16:03 - 00111616 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-09-12 03:10 - 2014-08-18 15:57 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-09-12 03:10 - 2014-08-18 15:56 - 00940032 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-09-12 03:10 - 2014-08-18 15:51 - 00446464 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-09-12 03:10 - 2014-08-18 15:46 - 00454656 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-09-12 03:10 - 2014-08-18 15:45 - 00072704 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-12 03:10 - 2014-08-18 15:45 - 00061952 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-09-12 03:10 - 2014-08-18 15:44 - 00061952 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-09-12 03:10 - 2014-08-18 15:44 - 00051200 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-09-12 03:10 - 2014-08-18 15:42 - 02185728 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-09-12 03:10 - 2014-08-18 15:40 - 00195584 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-09-12 03:10 - 2014-08-18 15:39 - 00085504 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-09-12 03:10 - 2014-08-18 15:39 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-09-12 03:10 - 2014-08-18 15:39 - 00032768 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-09-12 03:10 - 2014-08-18 15:38 - 00289280 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-09-12 03:10 - 2014-08-18 15:37 - 00440320 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-09-12 03:10 - 2014-08-18 15:36 - 00112128 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-09-12 03:10 - 2014-08-18 15:35 - 00597504 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-09-12 03:10 - 2014-08-18 15:27 - 00365056 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-09-12 03:10 - 2014-08-18 15:25 - 00727040 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-09-12 03:10 - 2014-08-18 15:25 - 00707072 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-09-12 03:10 - 2014-08-18 15:23 - 02104832 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-09-12 03:10 - 2014-08-18 15:23 - 01249280 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-09-12 03:10 - 2014-08-18 15:22 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-12 03:10 - 2014-08-18 15:19 - 00164864 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-09-12 03:10 - 2014-08-18 15:17 - 00243200 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-09-12 03:10 - 2014-08-18 15:17 - 00069632 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-09-12 03:10 - 2014-08-18 15:16 - 13588480 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-09-12 03:10 - 2014-08-18 15:15 - 11769856 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-09-12 03:10 - 2014-08-18 15:15 - 02310656 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-09-12 03:10 - 2014-08-18 15:09 - 00603136 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-09-12 03:10 - 2014-08-18 15:08 - 02014208 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-09-12 03:10 - 2014-08-18 15:07 - 01068032 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-09-12 03:10 - 2014-08-18 14:55 - 01447424 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-09-12 03:10 - 2014-08-18 14:46 - 01812992 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-09-12 03:10 - 2014-08-18 14:38 - 01190400 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-09-12 03:10 - 2014-08-18 14:38 - 00775168 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-09-12 03:10 - 2014-08-18 14:36 - 00678400 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-09-12 03:01 - 2014-06-26 20:08 - 02777088 _____ (Microsoft Corporation) C:\windows\system32\msmpeg2vdec.dll
2014-09-12 03:01 - 2014-06-26 19:45 - 02285056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msmpeg2vdec.dll
2014-09-11 22:06 - 2014-08-01 05:53 - 01031168 _____ (Microsoft Corporation) C:\windows\system32\TSWorkspace.dll
2014-09-11 22:06 - 2014-08-01 05:35 - 00793600 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSWorkspace.dll
2014-09-11 22:00 - 2014-07-06 20:06 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-09-11 22:00 - 2014-07-06 20:06 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2014-09-11 22:00 - 2014-07-06 19:40 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2014-09-11 22:00 - 2014-07-06 19:40 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2014-09-11 22:00 - 2014-07-06 19:39 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2014-09-11 22:00 - 2014-06-23 21:29 - 02565120 _____ (Microsoft Corporation) C:\windows\system32\d3d10warp.dll
2014-09-11 22:00 - 2014-06-23 20:59 - 01987584 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3d10warp.dll
2014-09-11 21:59 - 2014-09-04 20:10 - 00578048 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-09-11 21:59 - 2014-09-04 20:05 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-09-10 15:04 - 2014-09-10 15:04 - 00000000 ____D () C:\Users\Derp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Strife
2014-09-10 15:04 - 2014-09-10 15:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Strife
2014-09-10 15:04 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAudio2_7.dll
2014-09-10 15:04 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_7.dll
2014-09-10 15:04 - 2010-06-02 04:55 - 00239960 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_7.dll
2014-09-10 15:04 - 2010-06-02 04:55 - 00176984 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_7.dll
2014-09-10 15:04 - 2010-06-02 04:55 - 00077656 _____ (Microsoft Corporation) C:\windows\system32\XAPOFX1_5.dll
2014-09-10 15:04 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAPOFX1_5.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 02526056 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 02401112 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DCompiler_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 01998168 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DX9_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 01907552 _____ (Microsoft Corporation) C:\windows\system32\d3dcsx_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 01868128 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dcsx_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 00511328 _____ (Microsoft Corporation) C:\windows\system32\d3dx10_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 00470880 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dx10_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 00276832 _____ (Microsoft Corporation) C:\windows\system32\d3dx11_43.dll
2014-09-10 15:04 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dx11_43.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00530776 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_6.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00528216 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAudio2_6.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00238936 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_6.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00176984 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_6.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00078680 _____ (Microsoft Corporation) C:\windows\system32\XAPOFX1_4.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00074072 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAPOFX1_4.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00024920 _____ (Microsoft Corporation) C:\windows\system32\X3DAudio1_7.dll
2014-09-10 15:04 - 2010-02-04 10:01 - 00022360 _____ (Microsoft Corporation) C:\windows\SysWOW64\X3DAudio1_7.dll
2014-09-10 15:04 - 2009-09-04 17:44 - 00517960 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_5.dll
2014-09-10 15:04 - 2009-09-04 17:44 - 00238936 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_5.dll
2014-09-10 15:04 - 2009-09-04 17:44 - 00176968 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_5.dll
2014-09-10 15:04 - 2009-09-04 17:44 - 00073544 _____ (Microsoft Corporation) C:\windows\system32\XAPOFX1_3.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 05554512 _____ (Microsoft Corporation) C:\windows\system32\d3dcsx_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 05501792 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dcsx_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 02582888 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 02475352 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 01974616 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DCompiler_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 01892184 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DX9_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 00285024 _____ (Microsoft Corporation) C:\windows\system32\d3dx11_42.dll
2014-09-10 15:04 - 2009-09-04 17:29 - 00235344 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dx11_42.dll
2014-09-10 15:04 - 2009-03-16 14:18 - 00521560 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_4.dll
2014-09-10 15:04 - 2009-03-16 14:18 - 00517448 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAudio2_4.dll
2014-09-10 15:04 - 2009-03-16 14:18 - 00235352 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_4.dll
2014-09-10 15:04 - 2009-03-16 14:18 - 00174936 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_4.dll
2014-09-10 15:04 - 2009-03-16 14:18 - 00024920 _____ (Microsoft Corporation) C:\windows\system32\X3DAudio1_6.dll
2014-09-10 15:04 - 2009-03-16 14:18 - 00022360 _____ (Microsoft Corporation) C:\windows\SysWOW64\X3DAudio1_6.dll
2014-09-10 15:04 - 2009-03-09 15:27 - 05425496 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_41.dll
2014-09-10 15:04 - 2009-03-09 15:27 - 04178264 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DX9_41.dll
2014-09-10 15:04 - 2009-03-09 15:27 - 02430312 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_41.dll
2014-09-10 15:04 - 2009-03-09 15:27 - 00520544 _____ (Microsoft Corporation) C:\windows\system32\d3dx10_41.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00518480 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_3.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00514384 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAudio2_3.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00235856 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_3.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00175440 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_3.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00074576 _____ (Microsoft Corporation) C:\windows\system32\XAPOFX1_2.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00070992 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAPOFX1_2.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00025936 _____ (Microsoft Corporation) C:\windows\system32\X3DAudio1_5.dll
2014-09-10 15:04 - 2008-10-27 10:04 - 00023376 _____ (Microsoft Corporation) C:\windows\SysWOW64\X3DAudio1_5.dll
2014-09-10 15:04 - 2008-10-15 06:22 - 05631312 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_40.dll
2014-09-10 15:04 - 2008-10-15 06:22 - 04379984 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DX9_40.dll
2014-09-10 15:04 - 2008-10-15 06:22 - 02605920 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_40.dll
2014-09-10 15:04 - 2008-10-15 06:22 - 02036576 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DCompiler_40.dll
2014-09-10 15:04 - 2008-10-15 06:22 - 00519000 _____ (Microsoft Corporation) C:\windows\system32\d3dx10_40.dll
2014-09-10 15:04 - 2008-10-15 06:22 - 00452440 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dx10_40.dll
2014-09-10 15:04 - 2008-07-31 10:41 - 00072200 _____ (Microsoft Corporation) C:\windows\system32\XAPOFX1_1.dll
2014-09-10 15:04 - 2008-07-31 10:40 - 00513544 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_2.dll
2014-09-10 15:03 - 2008-07-31 10:41 - 00238088 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_2.dll
2014-09-10 15:03 - 2008-07-31 10:41 - 00177672 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_2.dll
2014-09-10 15:03 - 2008-07-10 11:00 - 04992520 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_39.dll
2014-09-10 15:03 - 2008-07-10 11:00 - 01942552 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_39.dll
2014-09-10 15:03 - 2008-07-10 11:00 - 00540688 _____ (Microsoft Corporation) C:\windows\system32\d3dx10_39.dll
2014-09-10 15:03 - 2008-05-30 14:19 - 00511496 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_1.dll
2014-09-10 15:03 - 2008-05-30 14:19 - 00507400 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAudio2_1.dll
2014-09-10 15:03 - 2008-05-30 14:18 - 00238088 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_1.dll
2014-09-10 15:03 - 2008-05-30 14:18 - 00177672 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_1.dll
2014-09-10 15:03 - 2008-05-30 14:17 - 00068104 _____ (Microsoft Corporation) C:\windows\system32\XAPOFX1_0.dll
2014-09-10 15:03 - 2008-05-30 14:17 - 00065032 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAPOFX1_0.dll
2014-09-10 15:03 - 2008-05-30 14:17 - 00025608 _____ (Microsoft Corporation) C:\windows\SysWOW64\X3DAudio1_4.dll
2014-09-10 15:03 - 2008-05-30 14:16 - 00028168 _____ (Microsoft Corporation) C:\windows\system32\X3DAudio1_4.dll
2014-09-10 15:03 - 2008-05-30 14:11 - 04991496 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_38.dll
2014-09-10 15:03 - 2008-05-30 14:11 - 03850760 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DX9_38.dll
2014-09-10 15:03 - 2008-05-30 14:11 - 01941528 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_38.dll
2014-09-10 15:03 - 2008-05-30 14:11 - 01491992 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DCompiler_38.dll
2014-09-10 15:03 - 2008-05-30 14:11 - 00540688 _____ (Microsoft Corporation) C:\windows\system32\d3dx10_38.dll
2014-09-10 15:03 - 2008-05-30 14:11 - 00467984 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dx10_38.dll
2014-09-10 15:03 - 2008-03-05 16:04 - 00489480 _____ (Microsoft Corporation) C:\windows\system32\XAudio2_0.dll
2014-09-10 15:03 - 2008-03-05 16:03 - 00479752 _____ (Microsoft Corporation) C:\windows\SysWOW64\XAudio2_0.dll
2014-09-10 15:03 - 2008-03-05 16:03 - 00238088 _____ (Microsoft Corporation) C:\windows\SysWOW64\xactengine3_0.dll
2014-09-10 15:03 - 2008-03-05 16:03 - 00177672 _____ (Microsoft Corporation) C:\windows\system32\xactengine3_0.dll
2014-09-10 15:03 - 2008-03-05 16:00 - 00028168 _____ (Microsoft Corporation) C:\windows\system32\X3DAudio1_3.dll
2014-09-10 15:03 - 2008-03-05 16:00 - 00025608 _____ (Microsoft Corporation) C:\windows\SysWOW64\X3DAudio1_3.dll
2014-09-10 15:03 - 2008-03-05 15:56 - 04910088 _____ (Microsoft Corporation) C:\windows\system32\D3DX9_37.dll
2014-09-10 15:03 - 2008-03-05 15:56 - 03786760 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DX9_37.dll
2014-09-10 15:03 - 2008-03-05 15:56 - 01860120 _____ (Microsoft Corporation) C:\windows\system32\D3DCompiler_37.dll
2014-09-10 15:03 - 2008-03-05 15:56 - 01420824 _____ (Microsoft Corporation) C:\windows\SysWOW64\D3DCompiler_37.dll
2014-09-10 15:03 - 2008-02-05 23:07 - 00529424 _____ (Microsoft Corporation) C:\windows\system32\d3dx10_37.dll
2014-09-10 15:03 - 2008-02-05 23:07 - 00462864 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3dx10_37.dll
2014-09-10 12:30 - 2014-09-10 12:30 - 00000000 ___HD () C:\ProgramData\CanonBJ
2014-09-10 12:29 - 2012-04-16 05:00 - 00389120 _____ (CANON INC.) C:\windows\system32\CNMLMBB.DLL
2014-09-10 12:28 - 2012-02-08 16:36 - 00363520 _____ (CANON INC.) C:\windows\system32\CNC_BBL.dll
2014-09-10 12:28 - 2012-01-26 10:28 - 00081920 _____ () C:\windows\system32\CNC1764D.TBL
2014-09-10 12:28 - 2012-01-16 14:21 - 00287744 _____ (CANON INC.) C:\windows\system32\CNC_BBC.dll
2014-09-10 12:28 - 2012-01-16 14:20 - 00106496 _____ (CANON INC.) C:\windows\system32\CNC_BBI.dll
2014-09-10 12:28 - 2008-08-25 18:02 - 00017920 _____ (CANON INC.) C:\windows\system32\CNHMCA6.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-06 18:21 - 2011-09-10 13:19 - 01205039 _____ () C:\windows\WindowsUpdate.log
2014-10-06 18:15 - 2012-07-31 19:28 - 00000000 ____D () C:\Users\Derp\AppData\Roaming\uTorrent
2014-10-06 18:15 - 2012-05-24 13:46 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-10-06 18:13 - 2011-09-10 13:50 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-06 17:36 - 2009-07-13 23:13 - 00783400 _____ () C:\windows\system32\PerfStringBackup.INI
2014-10-06 17:35 - 2009-07-13 22:51 - 00172644 _____ () C:\windows\setupact.log
2014-10-06 17:32 - 2014-01-08 23:50 - 00000904 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1020647697-4144810973-723673556-1000UA.job
2014-10-06 16:00 - 2009-07-13 22:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-06 16:00 - 2009-07-13 22:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-06 15:39 - 2011-09-10 13:50 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-06 15:39 - 2009-07-13 23:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-10-06 13:44 - 2014-05-24 06:06 - 00000000 ___RD () C:\Users\Derp\Audio
2014-10-06 07:32 - 2014-01-08 23:50 - 00000852 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1020647697-4144810973-723673556-1000Core.job
2014-10-04 13:26 - 2013-12-30 14:09 - 00007601 _____ () C:\Users\Derp\AppData\Local\resmon.resmoncfg
2014-10-04 03:16 - 2012-05-24 12:04 - 00000000 ____D () C:\Users\Derp\AppData\Local\CrashDumps
2014-10-03 09:00 - 2010-11-20 21:47 - 00514118 _____ () C:\windows\PFRO.log
2014-10-03 08:46 - 2011-04-27 21:31 - 00000000 ____D () C:\windows\PCHEALTH
2014-10-03 00:23 - 2011-09-10 13:52 - 00000000 ____D () C:\ProgramData\Norton
2014-10-02 10:45 - 2013-01-08 11:53 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-10-01 13:56 - 2011-09-10 13:47 - 00000000 ____D () C:\Program Files (x86)\TOSHIBA Corporation
2014-10-01 13:56 - 2011-04-27 21:25 - 00000000 ____D () C:\Program Files (x86)\Toshiba
2014-10-01 13:56 - 2011-04-27 21:24 - 00000000 ____D () C:\Program Files\Toshiba
2014-09-27 03:28 - 2009-07-13 21:20 - 00000000 ____D () C:\windows\rescache
2014-09-27 02:51 - 2012-05-04 19:20 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-09-24 12:15 - 2012-05-24 13:46 - 00701104 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-09-24 12:15 - 2012-05-24 13:46 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-24 12:15 - 2012-05-24 13:46 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2014-09-15 09:06 - 2010-11-20 21:27 - 00278152 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-09-12 03:09 - 2011-12-31 02:34 - 00776014 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2014-09-12 03:08 - 2013-07-16 03:28 - 00000000 ____D () C:\windows\system32\MRT
2014-09-12 03:02 - 2011-11-12 13:48 - 101694776 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-09-12 03:00 - 2014-05-06 03:00 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-09-10 15:04 - 2011-12-31 03:07 - 00000000 ____D () C:\Users\Derp\AppData\Roaming\Skype
2014-09-10 15:03 - 2011-04-27 21:31 - 00221002 _____ () C:\windows\DirectX.log

Some content of TEMP:
====================
C:\Users\Derp\AppData\Local\Temp\-3juv9k1.dll
C:\Users\Derp\AppData\Local\Temp\AskSLib.dll
C:\Users\Derp\AppData\Local\Temp\avgnt.exe
C:\Users\Derp\AppData\Local\Temp\Checkupdate.exe
C:\Users\Derp\AppData\Local\Temp\DefaultAssets.exe
C:\Users\Derp\AppData\Local\Temp\DefaultOfflineContent.exe
C:\Users\Derp\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Derp\AppData\Local\Temp\Foxit Updater.exe
C:\Users\Derp\AppData\Local\Temp\gcapi_dll.dll
C:\Users\Derp\AppData\Local\Temp\gtapi_signed.dll
C:\Users\Derp\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Derp\AppData\Local\Temp\PCCU_Installer.exe
C:\Users\Derp\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Derp\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Derp\AppData\Local\Temp\utt60DC.tmp.exe
C:\Users\Derp\AppData\Local\Temp\_is551A.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-06 05:14

==================== End Of Log ============================

FRST.txt

Addition.txt

Link to post
Share on other sites

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

    [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt



Please attach this file to your next reply.

Link to post
Share on other sites

I could get neither scan to complete when the WiFi was on. Here are the results with the WiFi off.

GMER 2.1.19357 - http://www.gmer.netRootkit scan 2014-10-07 22:57:54Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS547564A9E384 rev.JEDOA60B 596.17GBRunning: gosfr412.exe; Driver: C:\Users\Derp\AppData\Local\Temp\kxliakob.sys---- Registry - GMER 2.1 ----Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{19EF556D-25B3-486E-BD38-A17253FB7938}\Connection@Name  Local Area Connection* 13Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158342915e                                                                  Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158342915e@f80cf300e1c3                                                     0x13 0x49 0x9E 0xEF ...Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158342915e@10bf48f3aff6                                                     0x39 0x2C 0x08 0x48 ...Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158342915e@74458ab882be                                                     0x75 0x83 0x72 0xA3 ...Reg  HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@ReadyBootPlanAge                                                                  1Reg  HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime                                                              ?Tue?, ?Oct ?07 ?14, 09:50:28 PM?;?????????????????????????????Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch                                                                              17268Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch                                                                             17836Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158342915e (not active ControlSet)                                              Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158342915e@f80cf300e1c3                                                         0x13 0x49 0x9E 0xEF ...Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158342915e@10bf48f3aff6                                                         0x39 0x2C 0x08 0x48 ...Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158342915e@74458ab882be                                                         0x75 0x83 0x72 0xA3 ...---- EOF - GMER 2.1 ----

TDSSKiller.3.0.0.40_07.10.2014_23.37.18_log.txt

Link to post
Share on other sites

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

Link to post
Share on other sites

ComboFix 14-10-04.01 - Derp 2014-10-12 1:57.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5610.3498 [GMT -6:00]

Running from: c:\users\Derp\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.

You should verify if current CLSID data is correct:

.

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

(Default) REG_SZ Thumbnail Cache Class Factory for Out of Proc Server

AppID REG_SZ {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

.

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32

(Default) REG_SZ c:\windows\system32\thumbcache.dll

ThreadingModel REG_SZ Apartment

.

.

((((((((((((((((((((((((( Files Created from 2014-09-12 to 2014-10-12 )))))))))))))))))))))))))))))))

.

.

2014-10-12 08:26 . 2014-10-12 08:26 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-10-12 08:25 . 2014-10-12 08:25 -------- d-----w- c:\users\Share\AppData\Local\temp

2014-10-12 08:04 . 2014-10-12 08:04 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6D0134E9-5200-4140-851E-9E64931CD055}\offreg.dll

2014-10-11 20:25 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6D0134E9-5200-4140-851E-9E64931CD055}\mpengine.dll

2014-10-07 00:21 . 2014-10-07 00:23 -------- d-----w- C:\FRST

2014-10-03 06:57 . 2014-10-12 07:53 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-10-03 06:55 . 2014-05-12 13:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-10-03 06:55 . 2014-05-12 13:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-10-03 06:55 . 2014-10-03 06:55 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware

2014-10-03 06:55 . 2014-10-03 06:55 -------- d-----w- c:\programdata\Malwarebytes

2014-10-03 06:55 . 2014-05-12 13:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-10-03 06:28 . 2014-10-03 06:29 -------- d-----w- C:\NPE

2014-10-03 06:23 . 2014-10-03 06:34 -------- d-----w- c:\users\Derp\AppData\Local\NPE

2014-10-01 06:11 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll

2014-10-01 06:11 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll

2014-09-23 17:19 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll

2014-09-23 17:19 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2014-09-12 09:01 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll

2014-09-12 09:01 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-09-24 18:15 . 2012-05-24 19:46 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2014-09-24 18:15 . 2012-05-24 19:46 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2014-09-15 15:06 . 2010-11-21 03:27 278152 ------w- c:\windows\system32\MpSigStub.exe

2014-09-12 09:02 . 2011-11-12 19:48 101694776 ----a-w- c:\windows\system32\MRT.exe

2014-09-05 02:10 . 2014-09-12 03:59 578048 ----a-w- c:\windows\system32\aepdu.dll

2014-09-05 02:05 . 2014-09-12 03:59 424448 ----a-w- c:\windows\system32\aeinv.dll

2014-09-01 06:38 . 2010-06-24 18:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2014-08-23 02:07 . 2014-08-27 23:36 404480 ----a-w- c:\windows\system32\gdi32.dll

2014-08-23 01:45 . 2014-08-27 23:36 311808 ----a-w- c:\windows\SysWow64\gdi32.dll

2014-08-23 00:59 . 2014-08-27 23:36 3163648 ----a-w- c:\windows\system32\win32k.sys

2014-08-01 11:53 . 2014-09-12 04:06 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll

2014-08-01 11:35 . 2014-09-12 04:06 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll

2014-07-25 08:35 . 2014-07-25 08:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll

2014-07-25 05:47 . 2014-07-25 05:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoogleChromeAutoLaunch_A6ACDD3A2DEDDF84FDD4A98DD16E7437"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2014-09-23 852808]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-20 336384]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2010-11-29 1294712]

"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]

"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]

.

c:\users\Derp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\Drivers\btnetBus.sys;c:\windows\SYSNATIVE\Drivers\btnetBus.sys [x]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]

R3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys;c:\windows\SYSNATIVE\DRIVERS\easytthr.sys [x]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys;c:\windows\SYSNATIVE\Drivers\IvtBtBus.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]

R3 TDEIO;TDEIO;c:\windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys;c:\windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 vzandnetadb;ADB Interface DriverNet for VZW;c:\windows\system32\Drivers\lgvzandnetadb.sys;c:\windows\SYSNATIVE\Drivers\lgvzandnetadb.sys [x]

R3 vzandnetdiag;LGE AndroidNet for VZW USB Serial Port;c:\windows\system32\DRIVERS\lgvzandnetdiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lgvzandnetdiag64.sys [x]

R3 vzandnetdiag2;LGE AndroidNet for VZW Diagnostics Port;c:\windows\system32\DRIVERS\lgvzandnetdiag264.sys;c:\windows\SYSNATIVE\DRIVERS\lgvzandnetdiag264.sys [x]

R3 vzandnetmodem;LGE AndroidNet for VZW USB Modem;c:\windows\system32\DRIVERS\lgvzandnetmdm64.sys;c:\windows\SYSNATIVE\DRIVERS\lgvzandnetmdm64.sys [x]

R3 vzandnetndis;LGE AndroidNet for VZW NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgvzandnetndis64.sys;c:\windows\SYSNATIVE\DRIVERS\lgvzandnetndis64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys;c:\windows\SYSNATIVE\Drivers\BtHidBus.sys [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

S2 GFNEXSrv;GFNEX Service;c:\windows\System32\GFNEXSrv.exe;c:\windows\SYSNATIVE\GFNEXSrv.exe [x]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [x]

S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]

S2 Virtual Router;VirtualRouterService;c:\program files (x86)\Virtual Router\VirtualRouterService.exe;c:\program files (x86)\Virtual Router\VirtualRouterService.exe [x]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]

S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]

S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-09-24 23:13 1096520 ----a-w- c:\program files (x86)\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-10-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-24 18:15]

.

2014-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-10 19:50]

.

2014-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-10 19:50]

.

2014-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1020647697-4144810973-723673556-1000Core.job

- c:\users\Derp\AppData\Local\Google\Update\GoogleUpdate.exe [2014-01-09 05:50]

.

2014-10-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1020647697-4144810973-723673556-1000UA.job

- c:\users\Derp\AppData\Local\Google\Update\GoogleUpdate.exe [2014-01-09 05:50]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-12 11775592]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-10 2186856]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-12-08 710040]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = https://employees.www.uprr.com/emp/index.shtml

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: Add to TOSHIBA Bulletin Board - c:\program files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000

TCP: DhcpNameServer = 10.0.1.1

DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://www.montanarail.com/newbz/controls/sglw2hcm.ocx

FF - ProfilePath - c:\users\Derp\AppData\Roaming\Mozilla\Firefox\Profiles\p2d93bom.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=714647&p=

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe

HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]

"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.15"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-10-12 02:30:50

ComboFix-quarantined-files.txt 2014-10-12 08:30

.

Pre-Run: 478,380,396,544 bytes free

Post-Run: 486,546,911,232 bytes free

.

- - End Of File - - 2CC8BE4B3C3F735EF6A4DF6992C20A68

5B5E648D12FCADC244C1EC30318E1EB9

Link to post
Share on other sites

Full System Scan with Malwarebytes Antimalware


  • If not existing, please download
Malwarebytes Anti-Malware to your desktop. Double-click the downloaded setup file and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

[*]Click Finish.



If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

 

Scan with ESET Online Scan

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    [*]Click Start[*]Wait for the scan to finish[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.[*]Close the ESET online scan, and let me know how things are now.

Link to post
Share on other sites

After running Malwarebytes it did not require a restart but I restarted it anyway.

 

This is the application log after the restart.

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 2014-10-19Scan Time: 20:29:49Logfile: Administrator: YesVersion: 2.00.2.1012Malware Database: v2014.10.20.01Rootkit Database: v2014.10.17.01License: FreeMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: DerpScan Type: Threat ScanResult: CompletedObjects Scanned: 365368Time Elapsed: 18 min, 21 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end)

The ESET scan reported that no threats were found.

 

 

To be honest, most if not all of the issues went away after running the TDSSKiller application. I noticed that one application seemed to reset many preferences (like default browser, etc.) but everything seems to be running well. What was wrong? I ask because originally I thought it was an oncoming HDD failure so I moved all of my pictures and documents to some usb HDDs. If it was a virus however, then those HDDs are possibly contaminated also, correct?

Link to post
Share on other sites

as TDSS-Killer did not remove anything, it couldn´t fix the issues.

Please attach your HDDs and run the next scan:

 

Scan with ESET Online Scan

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    [*]Click Start[*]Wait for the scan to finish[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.[*]Close the ESET online scan, and let me know how things are now.

Link to post
Share on other sites

  • 3 weeks later...

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[s1].txt also




Delete junk with JRT

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.





SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK Mirror (if the link is down)

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread (Note: Do NOT post this one into a code box!

Link to post
Share on other sites

  • 5 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.