Windows/Temp/svchost.exe + lsass.exe Trojan.Agent.MNR re-appearing on startup


Hello and welcome to Malwarebytes.org

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,

Follow the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next,

Please open Malwarebytes Anti-Malware.

On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
A Threat Scan will begin.
With some infections, you may see this message box:

        'Could not load DDA driver'

Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart, once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double-click on the scan log which shows the date and time of the scan just performed.
Click 'Copy to Clipboard'.
Paste the contents of the clipboard into your reply.

If Malwarebytes is not installed, follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish. Follow the instructions above....

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Let me see those logs in your reply....

Thank you,

Kevin...

Any p2p/cracked software should be removed from my system, although this was done after the scan. After my system rebooted I didn't find either of the EXEs running in the processes.
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/03/15
Scan Time: 5:26:30 PM
Logfile: 
Administrator: Yes
 
Version: 2.01.4.1018
Malware Database: v2015.04.03.09
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: hp
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 426532
Time Elapsed: 32 min, 32 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 3
PUP.Optional.Somoto.A, HKU\S-1-5-21-2454555054-1461966309-388038667-1000\SOFTWARE\Somoto, Quarantined, [2c091850721865d1c4a7667013f0d22e], 
PUP.Optional.FilesFrog.A, HKU\S-1-5-21-2454555054-1461966309-388038667-1000\SOFTWARE\BI, Quarantined, [4aeb0a5e53374cea00bd8d9583822dd3], 
PUP.Optional.Somoto.A, HKU\S-1-5-21-2454555054-1461966309-388038667-1000\SOFTWARE\SOMOTO\SDP, Quarantined, [79bcb1b75d2d4beb8a67e73a52b35fa1], 
 
Registry Values: 2
PUP.Optional.FilesFrog.A, HKU\S-1-5-21-2454555054-1461966309-388038667-1000\SOFTWARE\BI|ui_path_filesfrog, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker, Quarantined, [4aeb0a5e53374cea00bd8d9583822dd3]
PUP.Optional.Somoto.A, HKU\S-1-5-21-2454555054-1461966309-388038667-1000\SOFTWARE\SOMOTO\SDP|affid, freemouseautoclickerhjwj, Quarantined, [79bcb1b75d2d4beb8a67e73a52b35fa1]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 4
PUP.Optional.Extutil.A, C:\Users\hp\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B, Quarantined, [1421e4840882201644b2445046bd19e7], 
PUP.Optional.Managera.A, C:\Users\hp\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42, Quarantined, [74c1d29643475ed85e99672dc63d6a96], 
PUP.Optional.Adanak.A, C:\Users\hp\AppData\Local\Temp\Adanak, Quarantined, [062fc6a2a7e3d660b11a80155ea5f709], 
PUP.Optional.GenesisOffers, C:\Users\hp\AppData\Local\Genesis_08231954, Quarantined, [4bea8cdc5832ff3732d8c9d239ca7888], 
 
Files: 18
PUP.Optional.MoviesToolBar.A, C:\Users\hp\AppData\Local\Temp\MoviesToolbarSetup_Somoto.exe, Quarantined, [dd58b1b7bdcdf244a8f3eb6014edae52], 
PUP.Optional.MultiPlug, C:\Users\hp\AppData\Local\Temp\WZL38TeOTE.exe, Quarantined, [bd7871f7a6e46cca5b5de5ee10f1cc34], 
PUP.Optional.SearchProtect.A, C:\Users\hp\AppData\Local\Temp\nsj6596.exe, Quarantined, [47eea9bf3e4cff3777e0fc5cf809b749], 
PUP.Optional.SearchProtect.A, C:\Users\hp\AppData\Local\Temp\nso41BD.exe, Quarantined, [53e29aceb1d9f244cf88490fef127e82], 
PUP.Optional.Babylon, C:\Users\hp\AppData\Local\Temp\HgKJPc1dNt.exe, Quarantined, [00359eca3d4d20160284943e52afb44c], 
PUP.Optional.Somoto.A, C:\Users\hp\AppData\Local\Temp\FLVPlayerSetup.exe, Quarantined, [310469ff6e1c89ad70228aa943bd1fe1], 
PUP.Optional.Somoto.A, C:\Users\hp\AppData\Local\Temp\appshat-distribution.exe, Quarantined, [91a42d3b79119d99c432b86b8a7609f7], 
PUP.Optional.SearchProtect.A, C:\Users\hp\AppData\Local\Temp\nst3F1D.exe, Quarantined, [50e59dcb6e1caa8c58ff7fd9758c946c], 
PUP.Optional.SearchProtect.A, C:\Users\hp\AppData\Local\Temp\nst6315.exe, Quarantined, [3ff62543ccbee2542b2c1246a55c60a0], 
PUP.Optional.SearchProtect.A, C:\Users\hp\AppData\Local\Temp\nsx47BD.exe, Quarantined, [8ea77bed553566d0d2851d3b2ad717e9], 
PUP.Optional.BPlug, C:\Users\hp\AppData\Local\Temp\5hYuamMF5T.exe, Quarantined, [3bfa74f49eeca49296e2d3065ba6c838], 
PUP.Optional.Conduit.A, C:\Users\hp\AppData\Local\Temp\nso1FF9\SpSetup.exe, Quarantined, [eb4a02663e4ce1555af1a7a642bf25db], 
PUP.Optional.OpenCandy, C:\Users\hp\Downloads\winamp563_full_emusic-7plus_all.exe, Quarantined, [ff3668007f0b9d99c60863bb34d23ec2], 
PUP.Optional.Extutil.A, C:\Users\hp\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B\bk.js, Quarantined, [1421e4840882201644b2445046bd19e7], 
PUP.Optional.Extutil.A, C:\Users\hp\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B\cs.js, Quarantined, [1421e4840882201644b2445046bd19e7], 
PUP.Optional.Extutil.A, C:\Users\hp\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B\manifest.json, Quarantined, [1421e4840882201644b2445046bd19e7], 
PUP.Optional.Managera.A, C:\Users\hp\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42\cs.js, Quarantined, [74c1d29643475ed85e99672dc63d6a96], 
PUP.Optional.Managera.A, C:\Users\hp\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42\manifest.json, Quarantined, [74c1d29643475ed85e99672dc63d6a96], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by hp (administrator) on LESLIE on 03-04-2015 01:13:07
Running from C:\Users\hp\Desktop
Loaded Profiles: hp (Available profiles: hp & Chinese)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
() D:\Pingzapper\PZService.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Razer Inc.) D:\Gamebooster\RzKLService.exe
(SoftEther VPN Project at University of Tsukuba, Japan.) D:\VPN\SoftEther VPN Client\vpnclient_x64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(SoftEther VPN Project at University of Tsukuba, Japan.) D:\VPN\SoftEther VPN Client\vpnclient_x64.exe
(Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files (x86)\RocketDock\RocketDock.exe
(AppEx Networks Corporation) C:\Program Files\AMD Quick Stream\AMDQuickStream.exe
(Akamai Technologies, Inc.) C:\Users\hp\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\hp\AppData\Local\Akamai\netsession_win.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(SoftEther VPN Project at University of Tsukuba, Japan.) D:\VPN\SoftEther VPN Client\vpncmgr_x64.exe
() C:\Program Files\Rainmeter\Rainmeter.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [setDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [44880 2011-12-19] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1016992 2012-01-18] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800416 2012-01-18] (Atheros Commnucations)
HKLM\...\Run: [sysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-01-04] (IDT, Inc.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5618456 2013-09-12] (ESET)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [softEther VPN Client UI Helper] => D:\VPN\SoftEther VPN Client\vpnclient_x64.exe [4348472 2014-06-27] (SoftEther VPN Project at University of Tsukuba, Japan.)
HKLM\...\Run: [NUSB3MON] => C:\Program Files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe [97280 2012-04-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [576568 2011-11-29] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [YouCam Service] => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [247016 2011-09-09] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
HKLM-x32\...\Run: [Aeria Ignite] => D:\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)
HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-04-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\Run: [RocketDock] => C:\Program Files (x86)\RocketDock\RocketDock.exe [495616 2007-09-01] ()
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\Run: [AppEx Accelerator UI] => C:\Program Files\AMD Quick Stream\AMDQuickStream.exe [482528 2014-03-31] (AppEx Networks Corporation)
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\Run: [Akamai NetSession Interface] => C:\Users\hp\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\Run: [Dxtory Update Checker 2.0] => D:\Dxtory2.0\UpdateChecker.exe [93696 2010-10-17] (Dxtory Software)
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\Run: [Hobbyist Software VLC Streamer] => "D:\VLC Streamer\VLC Streamer Configuration.exe" /startup
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\Run: [HydraVisionDesktopManager] => C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [1967616 2014-04-17] (AMD)
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\...\MountPoints2: {a80f0e5b-f278-11e2-b4e0-28924a42bdd1} - F:\Setup.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SoftEther VPN Client Manager Startup.lnk
ShortcutTarget: SoftEther VPN Client Manager Startup.lnk -> D:\VPN\SoftEther VPN Client\vpncmgr_x64.exe (SoftEther VPN Project at University of Tsukuba, Japan.)
Startup: C:\Users\hp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe ()
Startup: C:\Users\hp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://tw.msn.com/?ocid=OIE9HP
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://tw.msn.com/?ocid=OIE9HP
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://ie9.discoverbing.com/welcome_intl.aspx?lang=zh-tw
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-2454555054-1461966309-388038667-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {AB073F1B-2B2B-4685-8782-97CBC793EDC4} URL = http://www.bing.com/search?q={searchTerms}&form=BIE9DF&pc=BIE9&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> {AB073F1B-2B2B-4685-8782-97CBC793EDC4} URL = http://www.bing.com/search?q={searchTerms}&form=BIE9DF&pc=BIE9&src=IE-SearchBox
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-11-15] (Microsoft Corporation)
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-13] (Advanced Micro Devices)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2013-09-13] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-11-02] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2013-11-15] (Microsoft Corporation)
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-13] (Advanced Micro Devices)
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class -> {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} -> D:\Arc\Arc\Plugins\ArcPluginIE.dll [2014-11-25] (Perfect World Entertainment Inc)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-01-18] (Atheros Commnucations)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2013-09-13] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2013-11-02] (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Hosts: 61.110.88.200 nprotect.ncsoft.co.kr
Tcpip\Parameters: [DhcpNameServer] 129.128.5.233 129.128.76.233
Tcpip\..\Interfaces\{E43EBD96-28FD-48E9-98AB-5D6F1572BC29}: [NameServer] 192.168.0.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1206147.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @esn/npbattlelog,version=2.4.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.4.0\npbattlelog.dll [2014-05-26] (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-11-15] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [2013-04-30] (Nexon)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> D:\Arc\Arc\Plugins\npArcPluginFF.dll [2014-11-25] (Perfect World Entertainment Inc)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll [2010-02-15] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-15] (RealNetworks, Inc.)
FF Plugin-x32: @Skype Technologies S.A..com/Skype Web Plugin -> C:\Program Files (x86)\SkypeWebPlugin\npSkypeWebPlugin.dll [2013-05-24] (Skype)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-05] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-05] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2013-04-14] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-09-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2454555054-1461966309-388038667-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\hp\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-03-07] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-2454555054-1461966309-388038667-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2013-05-03] (Ubisoft)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-11-15] (Microsoft Corporation)
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2013-12-17]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.ca/
CHR Profile: C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-02]
CHR Extension: (Google Drive) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-04-02]
CHR Extension: (YouTube) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-02]
CHR Extension: (Google Search) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-02]
CHR Extension: (GFACE Experience Plugin) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejdlfmdbdibkbfdpjocdaolcheehmpol [2013-08-22]
CHR Extension: (Facebook Background Changer) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\emnlfbokmiehpnhgdjlmedakkchfldmj [2013-04-02]
CHR Extension: (PSO2 Extension) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\febdkhimnahpmjpbidcofjdpjjggojhj [2014-11-05]
CHR Extension: (AdBlock) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-04-02]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Chitoge Kirisaki Theme) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhcckpgcmeldiebldpabhdjhbkckdmod [2015-02-19]
CHR Extension: (Google Wallet) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Battlefield Play4Free) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiokahphinmbmakkehgelkmpolmnbkdh [2014-05-15]
CHR Extension: (Gmail) - C:\Users\hp\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-02]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
S3 ArcService; D:\Arc\Arc\ArcService.exe [88400 2014-11-25] (Perfect World Entertainment Inc)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [106144 2012-01-18] (Atheros Commnucations) [File not signed]
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1337752 2013-09-12] (ESET)
S3 hpqwmiex; C:\Users\hp\AppData\Roaming\Hewlett-Packard\hpqwmiex.exe [794112 2012-05-03] (Hewlett-Packard Company) [File not signed]
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [5148240 2013-07-22] (INCA Internet Co., Ltd.)
S3 Origin Client Service; D:\Origin\OriginClientService.exe [1903472 2014-12-31] (Electronic Arts)
R2 PingzapperSvc; D:\Pingzapper\PZService.exe [679424 2012-06-11] () [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-03] ()
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [386344 2010-08-19] ()
R2 RzKLService; D:\Gamebooster\RzKLService.exe [105448 2013-11-22] (Razer Inc.)
R2 SEVPNCLIENT; D:\VPN\SoftEther VPN Client\vpnclient_x64.exe [4348472 2014-06-27] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [758224 2013-11-06] (Tunngle.net GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZAtheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [158880 2012-01-18] (Atheros) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36608 2013-12-13] (Advanced Micro Devices, Inc.)
R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R2 APXACC; C:\Windows\System32\DRIVERS\appexDrv.sys [225504 2014-03-28] (AppEx Networks Corporation)
S3 arusb_win7x; C:\Windows\System32\DRIVERS\arusb_win7x.sys [769024 2010-06-01] (Atheros Communications, Inc.)
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [133672 2011-09-20] (Broadcom Corporation.)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [239320 2013-09-17] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [239296 2013-09-17] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [168256 2013-09-17] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [157432 2013-09-17] (ESET)
R3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0004.sys [28768 2014-06-27] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl64.sys [22528 2012-09-10] (Apple Inc.) [File not signed]
S3 NPPTNT2; C:\Windows\SysWOW64\npptNT2.sys [4682 2005-01-02] (INCA Internet Co., Ltd.) [File not signed]
R3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [258664 2011-09-21] (Realtek Semiconductor Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-15] (Tunngle.net)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 getbus; \??\C:\Users\hp\AppData\Local\Temp\getbus.sys [X]
S3 WinRing0_1_2_0; \??\D:\Gamebooster\Driver\WinRing0x64.sys [X]
S3 X6va015; \??\C:\Windows\SysWOW64\Drivers\X6va015 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-03 01:13 - 2015-04-03 01:13 - 00024704 _____ () C:\Users\hp\Desktop\FRST.txt
2015-04-03 01:13 - 2015-04-03 01:13 - 00000000 ____D () C:\FRST
2015-04-03 01:11 - 2015-04-03 01:11 - 02095616 _____ (Farbar) C:\Users\hp\Desktop\FRST64.exe
2015-04-02 23:41 - 2015-04-03 00:47 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-04-02 23:41 - 2015-04-03 00:13 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-02 23:41 - 2015-04-02 23:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-02 23:38 - 2015-04-03 00:12 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-04-02 23:37 - 2015-04-02 23:38 - 16502728 _____ (Malwarebytes Corp.) C:\Users\hp\Downloads\mbar-1.09.1.1004.exe
2015-04-02 23:37 - 2015-04-02 23:37 - 00000000 ____D () C:\Windows\ERDNT
2015-04-02 23:36 - 2015-04-02 23:36 - 00791393 _____ (Lars Hederer ) C:\Users\hp\Downloads\erunt-setup.exe
2015-04-02 23:36 - 2015-04-02 23:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2015-04-02 23:36 - 2015-04-02 23:36 - 00000000 ____D () C:\Program Files (x86)\ERUNT
2015-03-31 11:01 - 2015-03-31 11:02 - 14835200 _____ () C:\Users\hp\Downloads\Reactions of Glycolysis Students.ppt
2015-03-31 11:01 - 2015-03-31 11:01 - 03034112 _____ () C:\Users\hp\Downloads\Regulation of Glycolysis Students.ppt
2015-03-29 00:58 - 2015-03-29 00:58 - 00026227 _____ () C:\Users\hp\Downloads\[HorribleSubs] Koufuku Graffiti - 12 [720p].mkv.torrent
2015-03-28 18:54 - 2015-03-28 18:54 - 00033714 _____ () C:\Users\hp\Downloads\[HorribleSubs] Assassination Classroom - 11 [720p].mkv.torrent
2015-03-27 01:17 - 2015-03-27 01:29 - 305208185 _____ () C:\Users\hp\Downloads\YanSimMar19.rar
2015-03-24 16:29 - 2015-03-24 16:29 - 03600265 _____ () C:\Users\hp\Downloads\Outlook.com (1).zip
2015-03-24 11:02 - 2015-03-24 11:02 - 01212416 _____ () C:\Users\hp\Downloads\Introduction to Glycolysis Students.ppt
2015-03-24 04:28 - 2015-03-24 04:28 - 00014056 _____ () C:\Users\hp\Downloads\[얼티메이트] [140625] BEATLESS - Give Me the Beat - (320K).torrent
2015-03-23 22:33 - 2015-03-23 22:33 - 00016429 _____ () C:\Users\hp\Downloads\[shin-S] Ore no Imouto ga Konna ni Kawaii Wake ga Nai Light Novel Vol.9 Theme Song Single - nexus [ClariS].zip.torrent
2015-03-22 01:07 - 2015-03-22 01:07 - 00026727 _____ () C:\Users\hp\Downloads\[HorribleSubs] Koufuku Graffiti - 11 [720p].mkv.torrent
2015-03-21 11:06 - 2015-03-21 11:12 - 00000000 ____D () C:\Users\hp\Documents\Dolphin Emulator
2015-03-21 10:46 - 2015-03-21 10:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dolphin
2015-03-21 10:45 - 2015-03-21 11:02 - 1061651240 _____ () C:\Users\hp\Downloads\Super_Smash_Brothers_Melee_USA_PROPER_NGC-STINKYCUBE.rar
2015-03-21 10:43 - 2015-03-21 10:44 - 10150809 _____ () C:\Users\hp\Downloads\dolphin-x64-4.0.2.exe
2015-03-21 08:26 - 2015-03-21 08:26 - 00022160 _____ () C:\Users\hp\Downloads\[얼티메이트] [140813] 7!! 2ndアルバム「START LINE」(320K).torrent
2015-03-20 20:37 - 2015-03-20 20:37 - 00033554 _____ () C:\Users\hp\Downloads\[HorribleSubs] Assassination Classroom - 10 [720p].mkv.torrent
2015-03-20 16:41 - 2015-03-20 16:41 - 00025334 _____ () C:\Users\hp\Downloads\[HorribleSubs] Shigatsu wa Kimi no Uso - 22 [720p].mkv.torrent
2015-03-17 11:10 - 2015-03-17 11:10 - 02407936 _____ () C:\Users\hp\Downloads\8 WEEK 10 Oxidative Phosphorylation Students.ppt
2015-03-17 10:53 - 2015-03-17 10:53 - 03258368 _____ () C:\Users\hp\Downloads\Introduction to Metabolism Students.ppt
2015-03-12 00:29 - 2015-03-12 00:29 - 00275760 _____ () C:\Windows\Minidump\031215-27534-01.dmp
2015-03-11 21:04 - 2015-04-02 23:29 - 00000011 _____ () C:\Users\hp\Documents\precede.txt
2015-03-05 16:56 - 2015-04-01 01:51 - 02957174 _____ () C:\Users\hp\Documents\win32list_DO_NOT_DELETE_ME.txt
2015-03-04 15:13 - 2015-03-04 15:13 - 04845901 _____ () C:\Users\hp\Downloads\Outlook.com.zip
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-03 01:11 - 2014-05-07 13:54 - 00000542 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf6a2e2d4705a5.job
2015-04-03 00:53 - 2009-07-13 22:45 - 00014416 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-03 00:53 - 2009-07-13 22:45 - 00014416 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-03 00:51 - 2014-08-24 17:21 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-04-03 00:48 - 2012-05-03 07:28 - 00000000 ____D () C:\Users\hp\Documents\Youcam
2015-04-03 00:47 - 2014-10-18 18:06 - 00000538 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cfeb307a02aa27.job
2015-04-03 00:47 - 2014-02-17 10:10 - 00000538 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf2bfac1e0bcea.job
2015-04-03 00:46 - 2012-10-08 05:54 - 00116908 _____ () C:\Windows\setupact.log
2015-04-03 00:46 - 2012-05-03 06:50 - 00326886 _____ () C:\Windows\PFRO.log
2015-04-03 00:46 - 2012-05-03 06:39 - 00000526 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-03 00:46 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-03 00:45 - 2014-07-29 22:14 - 00065536 _____ () C:\Windows\system32\spu_storage.bin
2015-04-03 00:45 - 2012-05-02 22:15 - 01756558 _____ () C:\Windows\WindowsUpdate.log
2015-04-03 00:24 - 2012-05-03 06:39 - 00003464 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-03 00:17 - 2015-02-05 05:12 - 00000542 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d041349996343d.job
2015-04-03 00:17 - 2014-10-18 18:06 - 00000542 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cfeb307a58443f.job
2015-04-02 23:09 - 2012-05-03 06:43 - 00000000 ____D () C:\Users\hp\AppData\Local\CrashDumps
2015-04-02 23:04 - 2012-05-03 07:03 - 00000000 ____D () C:\Users\hp\AppData\Roaming\Skype
2015-04-01 23:20 - 2013-09-04 13:06 - 00000000 ____D () C:\Users\hp\Documents\Uni Courses
2015-04-01 23:14 - 2012-05-03 06:34 - 00000000 ____D () C:\Users\hp\Documents\Bluetooth Folder
2015-04-01 16:00 - 2013-04-07 08:42 - 00007603 _____ () C:\Users\hp\AppData\Local\Resmon.ResmonCfg
2015-04-01 01:17 - 2014-07-22 00:06 - 02782208 _____ (Arks-Layer) C:\Users\hp\Documents\PSO2 Tweaker.exe
2015-03-31 14:47 - 2012-05-03 09:28 - 00376078 _____ () C:\Windows\system32\prfh0804.dat
2015-03-31 14:47 - 2012-05-03 09:28 - 00119784 _____ () C:\Windows\system32\prfc0804.dat
2015-03-31 14:47 - 2009-07-14 03:21 - 00400600 _____ () C:\Windows\system32\prfh0404.dat
2015-03-31 14:47 - 2009-07-14 03:21 - 00122336 _____ () C:\Windows\system32\prfc0404.dat
2015-03-31 14:47 - 2009-07-13 23:13 - 01800268 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-30 05:00 - 2013-04-19 11:53 - 00000000 ____D () C:\Users\hp\AppData\Roaming\vlc
2015-03-30 01:58 - 2013-04-05 07:44 - 00000000 ____D () C:\Users\hp\AppData\Roaming\uTorrent
2015-03-28 16:58 - 2013-10-01 18:06 - 00000000 ____D () C:\Users\hp\AppData\Roaming\OBS
2015-03-28 16:18 - 2013-10-01 18:06 - 00000000 ____D () C:\Program Files\OBS
2015-03-24 19:59 - 2009-07-13 23:08 - 00032586 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-21 10:46 - 2013-04-04 01:17 - 00262698 _____ () C:\Windows\DirectX.log
2015-03-18 22:59 - 2013-07-11 21:04 - 00310784 ___SH () C:\Users\hp\Documents\Thumbs.db
2015-03-13 00:26 - 2014-09-22 14:30 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-03-13 00:26 - 2012-05-03 07:03 - 00000000 ____D () C:\ProgramData\Skype
2015-03-12 00:29 - 2013-04-24 21:54 - 00000000 ____D () C:\Windows\Minidump
2015-03-11 17:08 - 2014-09-12 10:42 - 00000000 ____D () C:\Users\hp\AppData\Roaming\Wing 101 5
2015-03-11 17:08 - 2014-09-12 10:42 - 00000000 ____D () C:\Users\hp\AppData\Local\Wing 101 5
2015-03-07 01:17 - 2014-07-17 17:17 - 00031582 _____ () C:\Users\hp\Documents\LanguagePack.rar
 
==================== Files in the root of some directories =======
 
2014-02-09 22:54 - 2014-11-30 22:29 - 0000132 _____ () C:\Users\hp\AppData\Roaming\Adobe PNG Format CS6 Prefs
2013-09-05 15:49 - 2014-07-04 14:51 - 0000600 _____ () C:\Users\hp\AppData\Local\PUTTY.RND
2013-11-13 22:39 - 2013-11-13 22:39 - 0001422 _____ () C:\Users\hp\AppData\Local\recently-used.xbel
2013-04-07 08:42 - 2015-04-01 16:00 - 0007603 _____ () C:\Users\hp\AppData\Local\Resmon.ResmonCfg
2015-01-02 14:10 - 2015-01-02 14:10 - 0000052 _____ () C:\Users\hp\AppData\Local\vmrWorkAround.log
 
Some content of TEMP:
====================
C:\Users\Chinese\AppData\Local\Temp\AskSLib.dll
C:\Users\hp\AppData\Local\Temp\09f303e8b9b6181b6faa0bfaa2caecc8.dll
C:\Users\hp\AppData\Local\Temp\11be3e97f1f7a0f0af4a2d762172e690.dll
C:\Users\hp\AppData\Local\Temp\18be6784_.exe
C:\Users\hp\AppData\Local\Temp\199a6fce044cefdecef48c56197dda6a.dll
C:\Users\hp\AppData\Local\Temp\294823_.exe
C:\Users\hp\AppData\Local\Temp\2f188c4f5af57d6b2570076a86d38689.dll
C:\Users\hp\AppData\Local\Temp\40d2b79491bec17bae0206d186645898.dll
C:\Users\hp\AppData\Local\Temp\4ae13d6c_.exe
C:\Users\hp\AppData\Local\Temp\5hYuamMF5T.exe
C:\Users\hp\AppData\Local\Temp\8660976ad7078fae01921d22b2e31dc3.dll
C:\Users\hp\AppData\Local\Temp\appshat-distribution.exe
C:\Users\hp\AppData\Local\Temp\AskSLib.dll
C:\Users\hp\AppData\Local\Temp\b652aa9cb1fc6005e0de614c8e8fd64b.dll
C:\Users\hp\AppData\Local\Temp\c7a8a7c8ef6996e76e97ea7ca475b087.dll
C:\Users\hp\AppData\Local\Temp\catalyst_mobility_64-bit_util.exe
C:\Users\hp\AppData\Local\Temp\d929f4bf801a1013cd091562ea2d5dee.dll
C:\Users\hp\AppData\Local\Temp\devcon.exe
C:\Users\hp\AppData\Local\Temp\dxwebsetup.exe
C:\Users\hp\AppData\Local\Temp\FLVPlayerSetup.exe
C:\Users\hp\AppData\Local\Temp\FreeMouseAutoClickerSetup-clean.exe
C:\Users\hp\AppData\Local\Temp\gbinit.exe
C:\Users\hp\AppData\Local\Temp\HgKJPc1dNt.exe
C:\Users\hp\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\hp\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\hp\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\hp\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\hp\AppData\Local\Temp\jre-8u40-windows-au.exe
C:\Users\hp\AppData\Local\Temp\kingsoft_office_2013_132.exe
C:\Users\hp\AppData\Local\Temp\KMP_3.9.0.124.exe
C:\Users\hp\AppData\Local\Temp\MoviesToolbarSetup_Somoto.exe
C:\Users\hp\AppData\Local\Temp\networkme1.exe
C:\Users\hp\AppData\Local\Temp\NGMDll.dll
C:\Users\hp\AppData\Local\Temp\NGMResource.dll
C:\Users\hp\AppData\Local\Temp\nsj6596.exe
C:\Users\hp\AppData\Local\Temp\nso41BD.exe
C:\Users\hp\AppData\Local\Temp\nst3F1D.exe
C:\Users\hp\AppData\Local\Temp\nst6315.exe
C:\Users\hp\AppData\Local\Temp\nsx47BD.exe
C:\Users\hp\AppData\Local\Temp\SkypeSetup.exe
C:\Users\hp\AppData\Local\Temp\SRLDetectionLibrary5454277289876631752.dll
C:\Users\hp\AppData\Local\Temp\ubiA1D0.tmp.exe
C:\Users\hp\AppData\Local\Temp\unicows.dll
C:\Users\hp\AppData\Local\Temp\utt49CB.tmp.exe
C:\Users\hp\AppData\Local\Temp\vcredist_x86.exe
C:\Users\hp\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\hp\AppData\Local\Temp\WZL38TeOTE.exe
C:\Users\hp\AppData\Local\Temp\__pythonRunner.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-25 05:16
 
==================== End Of Log ============================
 
 

 

Addition.txt

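The log above points at three things worth re-checking on the live machine rather than only reading off FRST's output: the core binaries FRST verified under "Bamital & volsnap Check", the driver services marked [X] whose image file is gone (getbus.sys in a user's Temp folder, xhunter1.sys in C:\Windows, WinRing0x64.sys on a D: drive), and, for the complaint in the title, svchost.exe/lsass.exe copies living outside System32. The PowerShell below is an added example written for this page; it was not posted in the thread and is not part of FRST or any Malwarebytes tool. The function names (Test-CoreSignature, Resolve-ImagePath, Get-OrphanedDriverServices, Get-MisplacedSystemProcesses) are ours, and it assumes an elevated, 64-bit PowerShell 3.0 or later on Windows 7 or newer.

```powershell
# Added example for this page (not from the thread, not part of FRST).
# Re-runs on the live machine the three checks the FRST log above prompts for.
# Assumes an elevated, 64-bit PowerShell 3.0+ on Windows 7 or later.

# --- 1. Authenticode status of the core binaries FRST lists under
#        "Bamital & volsnap Check", plus any svchost.exe / lsass.exe found
#        under %SystemRoot%\Temp, which is suspect by location alone.
$coreFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys",
    "$env:SystemRoot\explorer.exe"
)
$strays = Get-ChildItem -LiteralPath "$env:SystemRoot\Temp" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in 'svchost.exe', 'lsass.exe' } |
    ForEach-Object { $_.FullName }

function Test-CoreSignature {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not $p -or -not (Test-Path -LiteralPath $p)) { continue }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
        }
    }
}

# --- 2. Driver services whose image file no longer exists: the entries FRST
#        marks "[X]". Service Type 1 = kernel driver, 2 = file system driver.
#        ImagePath comes in several shapes; normalise them before Test-Path.
function Resolve-ImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x.sys       -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...    -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                      # system32\DRIVERS\x -> C:\Windows\system32\DRIVERS\x
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedDriverServices {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($svc -and ($svc.Type -eq 1 -or $svc.Type -eq 2) -and $svc.ImagePath) {
            $file = Resolve-ImagePath $svc.ImagePath
            if (-not (Test-Path -LiteralPath $file)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Start     = $svc.Start    # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                    ImagePath = $svc.ImagePath
                    Resolved  = $file
                }
            }
        }
    }
}

# --- 3. Running processes that borrow a protected name but were started from
#        somewhere other than System32 (the "Windows\Temp\svchost.exe" case).
function Get-MisplacedSystemProcesses {
    $system32 = "$env:SystemRoot\System32\"
    Get-CimInstance -ClassName Win32_Process -Filter "Name='svchost.exe' OR Name='lsass.exe'" |
        Where-Object { $_.ExecutablePath -and
                       -not $_.ExecutablePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

# Only non-Valid signatures are shown; orphaned drivers and misplaced processes
# are listed in full.
Test-CoreSignature -Paths ($coreFiles + @($strays)) |
    Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
Get-OrphanedDriverServices | Format-Table -AutoSize
Get-MisplacedSystemProcesses | Format-Table -AutoSize -Wrap
```

Two caveats before reading the output as evidence. Many Windows system binaries carry their signature in a catalog rather than embedded in the file, and on older Windows/PowerShell combinations Get-AuthenticodeSignature does not consult the catalogs, so a NotSigned on a Microsoft file there only means "check it another way" (sigcheck or signtool, or a hash comparison against a known-good copy), not that it was tampered with; a HashMismatch, or a Valid signature from an unexpected signer, is the result that matters. Likewise an [X]-style orphaned driver service is frequently a leftover of uninstalled software and is a cleanup item rather than proof of infection; what makes the Temp-resident getbus.sys entry in the log stand out is its location, not the fact that the file is missing.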

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.
Run FRST one more time; ensure all boxes are check-marked under "Whitelist", but only Addition.txt under "Optional scan". Select Scan, and when done post the two logs....
 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

 
Next,
 
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 

Next,

 

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the add-on to run.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is Checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology” select “Change”, then select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.


Please include this logfile in your next reply.

Don't forget to re-enable protection software!

 

Let me see those logs in your next reply; also give an update on any remaining issues or concerns....

 

Thank you,

 

Kevin....
 

Fixlist.txt


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
