Jump to content

Recommended Posts

Hey guys,

Today I was searching some tools for my game (Anno). I've found it, but with it, many more items came within installation that tricked me :)

Since I installed that tool, my browser redirected me to a new search engine, some "MyStartSearch" and it's cousin malwares, I knew it's not good, and Avart reported Rootkits!

Immediately I investigated what's the problem, ran MBAM with "Scan for Rootkits" and found 78 threads. I've quarentined them all and deleted.

Also I ran Kasperky TDSSKiller, adwCleaner and RougeKiller, now going to scan again to make sure everything is fine.

 

I hope You can point me some advanced tools to check if threads are 100% deleted.

 

Here is the log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 13.7.2015
Scan Time: 20:24
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.13.04
Rootkit Database: v2015.07.10.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Amaranthus

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299799
Time Elapsed: 31 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 3
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\hnsuC035.tmp, 1248, Delete-on-Reboot, [91b7627f038752e443707f070bf90ef2]
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\knsk6571.tmpfs, 4940, Delete-on-Reboot, [91b7627f038752e443707f070bf90ef2]
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\vnsu5466.tmp, 3928, Delete-on-Reboot, [91b7627f038752e443707f070bf90ef2]

Modules: 0
(No malicious items detected)

Registry Keys: 40
PUP.Optional.LuckyTab.A, HKLM\SOFTWARE\CLASSES\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}, Quarantined, [91b7e7fa94f676c09572443a0002b14f],
PUP.Optional.LuckyTab.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}, Quarantined, [91b7e7fa94f676c09572443a0002b14f],
PUP.Optional.LuckyTab.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{917CAAE9-DD47-4025-936E-1414F07DF5B8}, Quarantined, [91b7e7fa94f676c09572443a0002b14f],
PUP.Optional.LuckyTab.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}, Quarantined, [91b7e7fa94f676c09572443a0002b14f],
PUP.Optional.LuckyTab.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}, Quarantined, [91b7e7fa94f676c09572443a0002b14f],
PUP.Optional.MultiPlug.Gen, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\vicoqudu, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.MultiPlug.Gen, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\gybywive, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.APNToolBar.Gen, HKLM\SOFTWARE\AskPartnerNetwork, Quarantined, [fc4c16cbf3971f177a807f823ac960a0],
PUP.Optional.FFPluginHp.A, HKLM\SOFTWARE\FFPluginHp, Quarantined, [91b7528f55354de98e7f24df5ca7bb45],
PUP.Optional.IHProtect.A, HKLM\SOFTWARE\IHProtect, Quarantined, [4cfce5fcc6c437ff7f1c13004fb49769],
PUP.Optional.Iminent.A, HKLM\SOFTWARE\Iminent, Quarantined, [3f09a83905859e98150be367ed1609f7],
PUP.Optional.MyStartSearch.A, HKLM\SOFTWARE\mystartsearchSoftware, Quarantined, [5debe100048631050d892ded5da653ad],
PUP.Optional.WPM.A, HKLM\SOFTWARE\supWindowsMangerProtect, Quarantined, [a6a201e08604ca6c670f6711c83cee12],
PUP.Optional.Wajam.A, HKLM\SOFTWARE\WajIntEnhance, Quarantined, [f4543ea35337979f73e4da36a162e61a],
PUP.Optional.MyStartSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}, Quarantined, [8ebafbe6a1e90a2cabadf0982ed651af],
PUP.Optional.Iminent.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IMBoosterARP, Quarantined, [49ffa839bcce9c9a562826e73bc8ff01],
PUP.Optional.Iminent.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IminentToolbar, Quarantined, [d276c8191a707fb71568b7564cb7af51],
PUP.Optional.VoPackage.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VOPackage, Quarantined, [cc7c20c1721855e13d7aa5e0d72d15eb],
PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Vosteran.com, Quarantined, [a8a09a472b5fb97d1de4809b4db6d030],
PUP.Optional.Wajam.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WajIntEnhance, Quarantined, [31175889ff8b48ee2755cc410cf73dc3],
PUP.Optional.SupTab.A, HKLM\SOFTWARE\SUPTAB, Quarantined, [66e28d54c3c752e4e98a3fe75ba89d63],
PUP.Optional.WindowsMangerProtect.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WindowsMangerProtect, Quarantined, [7acecd14573363d3291f829b42c17a86],
PUP.Optional.APNToolBar.Gen, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\AskPartnerNetwork, Quarantined, [b593637e385220169e5ba45da3606c94],
PUP.Optional.HomeTab.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\HomeTab, Quarantined, [80c80dd419715dd9eb7e0e27c63def11],
PUP.Optional.SearchProtect.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\SearchProtectWS, Quarantined, [6fd93ca55733ae8870107a93699af40c],
PUP.Optional.TNT.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\TNT2, Quarantined, [88c0d60b3753063076b463ac946fa55b],
PUP.Optional.Wajam.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\WajIEnhance, Quarantined, [1d2bdf025931f64057d673a2b15216ea],
PUP.Optional.Wajam.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\WajIntEnhance, Quarantined, [89bf48993258ae884d0b050b9d66ce32],
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [c68214cd1f6b0e2805521d6b13f135cb],
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}, Quarantined, [4206fee30d7d072fe86f206852b2cf31],
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}, Quarantined, [55f34b964d3d7abc2e29602872926898],
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{E733165D-CBCF-4FDA-883E-ADEF965B476C}, Quarantined, [df696e738dfdc96d550289ff956f827e],
PUP.Optional.Iminent.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IMBoosterARP, Quarantined, [0d3bc51c54363105b173b75330d334cc],
PUP.Optional.Iminent.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IminentToolbar, Quarantined, [a1a7954c008ac076220334d68d76a759],
PUP.Optional.Linkey.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Linkey, Quarantined, [9aaeda07ddad9d9942e442c83fc403fd],
PUP.Optional.SearchProtect.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SearchProtect, Quarantined, [e1678b56652583b3571fc2c73dc7d42c],
PUP.Optional.Vosteran.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Vosteran.com, Quarantined, [f751e5fcd0baea4c56d18783c0434fb1],
PUP.Optional.Wajam.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WajIntEnhance, Quarantined, [a2a624bd0585fc3ad05868a228dbbb45],
PUP.Optional.FastSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MOZILLA\EXTENDS, Quarantined, [3e0a38a9345696a098f86f9326ddb44c],
PUP.Optional.HomeTab.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\SIMPLYTECH\HomeTab, Quarantined, [ad9b3da41e6c76c09fdb65e110f3916f],

Registry Values: 17
PUP.Optional.MyStartSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}|DisplayName, mystartsearch, Quarantined, [8ebafbe6a1e90a2cabadf0982ed651af]
PUP.Optional.MyStartSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}|URL, http://www.mystartsearch.com/web/?type=ds&ts=1436811692&z=baedb29c6c4faca79325f5dg0z4c9q7b9g3gfm6z3z&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&q={searchTerms},Quarantined, [62e602dfff8b063079df414763a121df]
PUP.Optional.Package.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Update, C:\Users\Amaranthus\AppData\Roaming\VOPackage\VOPackage.exe /runonce, Quarantined, [74d468797d0d44f24cfaa7e3bf45a55b]
PUP.Optional.VOPackage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VOPACKAGE|UninstallString, "C:\Users\Amaranthus\AppData\Roaming\VOPackage\Uninstall.exe", Quarantined, [da6ed9086e1c44f22067280426dda25e]
PUP.Optional.FastStart.A, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|searchffv2@gmail.com, C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356\extensions\searchffv2@gmail.com, Quarantined, [e6625c856f1b2016982998f4db290000]
PUP.Optional.SweetSearch.A, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|sweetsearch@gmail.com, C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356\extensions\sweetsearch@gmail.com, Quarantined, [d0781dc4f19993a3be3f5ca7ff041fe1]
PUP.Optional.SupTab.A, HKLM\SOFTWARE\SUPTAB|ptid, cvs, Quarantined, [66e28d54c3c752e4e98a3fe75ba89d63]
PUP.Optional.MultiPlug.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\gybywive|ImagePath, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\knsk6571.tmpfs, Quarantined, [b2966180d2b87abcd5691075b94b4fb1]
PUP.Optional.MultiPlug.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\vicoqudu|ImagePath, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\hnsuC035.tmp, Quarantined, [55f3a43d2e5cff3777c7a7ded133e41c]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cvs&utm_campaign=install_ie&utm_content=ds&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&ts=1436811739&type=default&q={searchTerms},Quarantined, [c68214cd1f6b0e2805521d6b13f135cb]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}|URL, http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cvs&utm_campaign=install_ie&utm_content=ds&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&ts=1436811739&type=default&q={searchTerms},Quarantined, [4206fee30d7d072fe86f206852b2cf31]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}|FaviconURL, http://www.mystartsearch.com//favicon.ico, Quarantined, [4cfc6a774c3e8aac51068cfcf80c0cf4]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}|DisplayName, mystartsearch, Quarantined, [55f34b964d3d7abc2e29602872926898]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}|URL, http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cvs&utm_campaign=install_ie&utm_content=ds&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&ts=1436811739&type=default&q={searchTerms},Quarantined, [1137ba278bff9c9aaea94147f01455ab]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{33BB0A4E-99AF-4226-BDF6-49120163DE86}|TopResultURL, http://www.mystartsearch.com/web/?type=ds&ts=1436811692&z=baedb29c6c4faca79325f5dg0z4c9q7b9g3gfm6z3z&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&q={searchTerms},Quarantined, [57f126bb7317e55179de38509e661de3]
PUP.Optional.MyStartSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{E733165D-CBCF-4FDA-883E-ADEF965B476C}|URL, http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cvs&utm_campaign=install_ie&utm_content=ds&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&ts=1436811739&type=default&q={searchTerms},Quarantined, [df696e738dfdc96d550289ff956f827e]
PUP.Optional.FastSearch.A, HKU\S-1-5-21-819178547-188060312-1766734351-1000\SOFTWARE\MOZILLA\EXTENDS|appid, searchffv2@gmail.com, Quarantined, [3e0a38a9345696a098f86f9326ddb44c]

Registry Data: 0
(No malicious items detected)

Folders: 6
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.WPM.A, C:\ProgramData\WindowsMangerProtect, Quarantined, [51f7a53c3852102687e132af2cd6d32d],
PUP.Optional.VOPackage.A, C:\Users\Amaranthus\AppData\Roaming\VOPackage, Quarantined, [70d8825fcfbb9f97322025d00101e21e],
PUP.Optional.VOPackage.A, C:\Users\Amaranthus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage, Quarantined, [b395776ad4b6a98d3d163bbae61c1ae6],
PUP.Optional.IHProtectUpDate.A, C:\ProgramData\IHProtectUpDate, Quarantined, [fe4a1ac7c2c85ed8d99530c559a96997],
PUP.Optional.IHProtectUpDate.A, C:\ProgramData\IHProtectUpDate\update, Quarantined, [fe4a1ac7c2c85ed8d99530c559a96997],

Files: 12
PUP.Optional.WProtectManager.A, C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe, Quarantined, [a3a524bdef9bec4acf518cd632d316ea],
PUP.Optional.WProtectManager.A, C:\Users\Amaranthus\AppData\Local\Temp\xmi5578221\tmp\wpm_v20.0.0.2290.exe, Quarantined, [e365875ab1d948ee61bffd65e91c22de],
PUP.Optional.Browserwatch, C:\Users\Amaranthus\AppData\Local\Temp\xmi5578221\tmp\XTab_Setup(2639).exe, Quarantined, [e16779683b4fb383691dac6b26dffb05],
PUP.Optional.MyStartSearch.A, C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356\searchplugins\mystartsearch.xml, Quarantined, [84c4be23cbbfb48275209288c43ff010],
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\hnsuC035.tmp, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\knsk6571.tmpfs, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\rnsp79FC.exe, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\Uninstall.exe, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.MultiPlug.Gen, C:\Users\Amaranthus\AppData\Roaming\A56CDAC0-1436811764-11DF-B88B-E0CB4ED70B6D\vnsu5466.tmp, Quarantined, [91b7627f038752e443707f070bf90ef2],
PUP.Optional.Package.A, C:\Users\Amaranthus\AppData\Roaming\VOPackage\VOPackage.exe, Quarantined, [74d468797d0d44f24cfaa7e3bf45a55b],
PUP.Optional.VOPackage.A, C:\Users\Amaranthus\AppData\Roaming\VOPackage\Uninstall.exe, Quarantined, [70d8825fcfbb9f97322025d00101e21e],
PUP.Optional.VOPackage.A, C:\Users\Amaranthus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage\Configure.lnk, Quarantined, [b395776ad4b6a98d3d163bbae61c1ae6],

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Hello AmarK! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Please follow the instructions here and then post your log files in a new reply in this thread:

https://forums.malwarebytes.org/index.php?/topic/9573-im-infected-what-do-i-do-now/

Link to post
Share on other sites

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-07-2015
Ran by Amaranthus (administrator) on AMARANTHUS-PC on 14-07-2015 16:09:50
Running from D:\Sve\Security
Loaded Profiles: Amaranthus (Available Profiles: Amaranthus)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.27.5\GoogleCrashHandler.exe
(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Skillbrains) C:\Program Files\Skillbrains\lightshot\5.2.1.1\Lightshot.exe
() C:\Users\Amaranthus\AppData\Local\Viber\Viber.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\mshta.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [4045432 2012-10-25] (VIA)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5512912 2015-04-21] (Avast Software s.r.o.)
HKLM\...\Run: [Lightshot] => C:\Program Files\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-05-26] (Adobe Systems Incorporated)
HKLM\...\Run: [switchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS6ServiceManager] => C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKU\S-1-5-21-819178547-188060312-1766734351-1000\...\Run: [Viber] => C:\Users\Amaranthus\AppData\Local\Viber\Viber.exe [80035536 2015-06-10] ()
HKU\S-1-5-21-819178547-188060312-1766734351-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-819178547-188060312-1766734351-1000\...\Run: [GarenaPlus] => "C:\Program Files\Garena Plus\GarenaMessenger.exe" -autolaunch
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-04-21] (Avast Software s.r.o.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?trackid=sp-006
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?trackid=sp-006&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-819178547-188060312-1766734351-1000\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/search?trackid=sp-006&q={searchTerms}
HKU\S-1-5-21-819178547-188060312-1766734351-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?trackid=sp-006
HKU\S-1-5-21-819178547-188060312-1766734351-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-819178547-188060312-1766734351-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
SearchScopes: HKLM -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKLM -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-819178547-188060312-1766734351-1000 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-819178547-188060312-1766734351-1000 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-04-21] (Avast Software s.r.o.)
Tcpip\..\Interfaces\{1FD87B0F-D74D-4316-90CA-A9AE26D833CA}: [NameServer] 217.75.192.10 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356
FF DefaultSearchEngine: Google (avast)
FF DefaultSearchUrl: https://www.google.com/search/?trackid=sp-006
FF SearchEngineOrder.1: Google (avast)
FF SelectedSearchEngine: Google (avast)
FF Homepage: https://www.google.com/?trackid=sp-006
FF Keyword.URL: https://www.google.com/search/?trackid=sp-006
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_203.dll [2015-07-08] ()
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-02-29] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-02-29] (NVIDIA Corporation)
FF Plugin: @t.garena.com/garenatalk -> C:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-07-13] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-07-13] (Google Inc.)
FF SearchPlugin: C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356\searchplugins\google-avast.xml [2015-07-13]
FF Extension: LastPass - C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356\Extensions\support@lastpass.com [2015-07-03]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-04-21]

Chrome:
=======
CHR Profile: C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-13]
CHR Extension: (Google Docs) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-13]
CHR Extension: (Google Drive) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-13]
CHR Extension: (YouTube) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-07-13]
CHR Extension: (Google Search) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-07-13]
CHR Extension: (Avast SafePrice) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2015-07-13]
CHR Extension: (Google Sheets) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-13]
CHR Extension: (Avast Online Security) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-07-13]
CHR Extension: (Google Wallet) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-13]
CHR Extension: (Gmail) - C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-13]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-04-21]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-04-21] (Avast Software s.r.o.)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [3205216 2015-04-21] (Avast Software)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27768 2012-10-22] (VIA Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\System32\drivers\AsIO.sys [12400 2007-12-17] ()
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24144 2015-04-21] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [73440 2015-04-21] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81728 2015-04-21] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49904 2015-04-21] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [788272 2015-04-21] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427736 2015-04-21] (Avast Software s.r.o.)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [106912 2015-04-21] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [208024 2015-04-21] ()
R2 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [94936 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [98520 2015-07-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [6504 2009-05-13] ()
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [220240 2015-04-21] (Avast Software)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1841272 2012-10-22] (VIA Technologies, Inc.)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-14 16:05 - 2015-07-14 16:06 - 01636864 _____ (Farbar) C:\Users\Amaranthus\Desktop\FRST.exe
2015-07-14 15:22 - 2015-07-14 16:09 - 00000000 ____D C:\FRST
2015-07-13 20:25 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2015-07-13 20:23 - 2009-06-10 23:39 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-07-13 20:22 - 2015-07-13 20:22 - 00000000 _____ C:\Windows\prleth.sys
2015-07-13 20:22 - 2015-07-13 20:22 - 00000000 _____ C:\Windows\hgfs.sys
2015-07-13 20:13 - 2015-07-13 20:13 - 15872468 _____ C:\Users\Amaranthus\Desktop\ANN1404_AddonTools_1_2.zip
2015-07-13 20:13 - 2010-03-03 12:25 - 00000000 ____D C:\Users\Amaranthus\Desktop\AddonToolsRelease_2010_02_22_15_09_FINAL
2015-07-13 20:09 - 2015-07-13 20:09 - 00002197 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-07-13 20:09 - 2015-07-13 20:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-07-13 20:08 - 2015-07-14 15:13 - 00000944 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-13 20:08 - 2015-07-14 13:42 - 00000940 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-13 20:08 - 2015-07-13 20:09 - 00000000 ____D C:\Users\Amaranthus\AppData\Local\Google
2015-07-13 20:08 - 2015-07-13 20:08 - 00000000 ____D C:\Program Files\Google
2015-07-13 19:56 - 2013-04-20 09:59 - 05143150 _____ (SDesign ) C:\Users\Amaranthus\Desktop\setup_iaam_3.00_editoren_tools.exe
2015-07-13 19:55 - 2015-07-13 19:56 - 05113627 _____ C:\Users\Amaranthus\Desktop\setup_iaam_3.00_editoren_tools.zip
2015-07-13 19:42 - 2015-07-13 19:42 - 00001391 _____ C:\Users\Amaranthus\Desktop\Anno 1404 - Venice IAAM.lnk
2015-07-13 16:21 - 2015-07-13 16:21 - 00001028 _____ C:\Users\Public\Desktop\Anno 1404 - Dawn of Discovery.lnk
2015-07-13 16:20 - 2015-07-13 16:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anno 1404 - Dawn of Discovery
2015-07-13 16:07 - 2014-08-23 20:11 - 849220096 _____ (SDesign ) C:\Users\Amaranthus\Desktop\setup_iaam_3.4.exe
2015-07-13 15:44 - 2015-07-13 15:54 - 849013413 _____ C:\Users\Amaranthus\Desktop\setup_iaam_3.4.zip
2015-07-13 15:33 - 2009-09-29 16:41 - 14761296 _____ (Macrovision Corporation) C:\Users\Amaranthus\Desktop\Anno1404_Entwickler_Tools.exe
2015-07-13 15:32 - 2015-07-13 15:32 - 13526950 _____ C:\Users\Amaranthus\Desktop\Anno1404_Entwickler_Tools.zip
2015-07-13 15:28 - 2014-01-08 21:36 - 00000000 ____D C:\Users\Amaranthus\Desktop\anno-designer-version7-1404
2015-07-13 15:26 - 2015-07-13 15:26 - 00395543 _____ C:\Users\Amaranthus\Desktop\anno-designer-version7-1404.rar
2015-07-10 16:12 - 2015-07-10 16:12 - 28662910 _____ C:\Users\Amaranthus\Desktop\Introducing-UI-project-resource-PIXEDEN.zip
2015-07-10 15:09 - 2014-05-19 03:59 - 00020024 _____ C:\Users\Amaranthus\Desktop\Arcade Future.otf
2015-07-10 15:01 - 2015-07-10 15:01 - 00010783 _____ C:\Users\Amaranthus\Desktop\arcade_future.zip
2015-07-08 14:48 - 2015-07-08 14:48 - 03194991 _____ C:\Users\Amaranthus\Desktop\calendar___task.psd
2015-07-06 15:17 - 2015-07-06 15:17 - 00511764 _____ C:\Users\Amaranthus\Desktop\openhardwaremonitor-v0.7.1-beta.zip
2015-07-03 13:46 - 2015-07-03 21:33 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-07-01 13:39 - 2015-07-01 13:39 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\2BFE3715.sys
2015-06-30 21:47 - 2015-06-30 21:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate
2015-06-30 21:47 - 2015-06-30 21:47 - 00000000 ____D C:\Program Files\Seagate
2015-06-29 19:39 - 2015-06-29 19:42 - 00000000 ____D C:\Users\Amaranthus\Desktop\USB
2015-06-29 19:38 - 2015-06-29 19:38 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-06-29 00:12 - 2015-06-29 00:12 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-28 22:50 - 2014-10-30 16:51 - 00000000 ____D C:\Users\Amaranthus\Desktop\psd
2015-06-28 22:50 - 2014-10-30 16:51 - 00000000 ____D C:\Users\Amaranthus\Desktop\png
2015-06-28 22:48 - 2015-06-28 22:49 - 05220355 _____ C:\Users\Amaranthus\Desktop\ios7-set-filled-1.zip
2015-06-28 22:37 - 2015-06-28 22:37 - 00000000 ____D C:\Users\Amaranthus\AppData\Local\CrashDumps
2015-06-28 15:32 - 2015-06-28 15:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2015-06-28 15:32 - 2015-06-28 15:32 - 00000000 ____D C:\Program Files\Speccy
2015-06-28 15:17 - 2015-06-28 15:17 - 05127432 _____ (Piriform Ltd) C:\Users\Amaranthus\Desktop\spsetup128.exe
2015-06-28 14:24 - 2015-06-28 14:24 - 00306928 _____ (Thesycon GmbH) C:\Users\Amaranthus\Desktop\dpclat.exe
2015-06-28 14:07 - 2015-06-28 14:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASUS
2015-06-28 14:07 - 2015-06-28 14:07 - 00000000 ____D C:\Program Files\ASUS
2015-06-28 14:07 - 2008-01-04 13:34 - 00011832 _____ C:\Windows\system32\Drivers\AsInsHelp64.sys
2015-06-28 14:07 - 2008-01-04 13:34 - 00010216 _____ C:\Windows\system32\Drivers\AsInsHelp32.sys
2015-06-28 14:07 - 2007-12-17 18:14 - 00012400 _____ C:\Windows\system32\Drivers\AsIO.sys
2015-06-28 14:07 - 2006-01-10 17:50 - 00024576 _____ () C:\Windows\system32\AsIO.dll
2015-06-28 14:07 - 2004-02-27 00:00 - 00962612 _____ (Microsoft Corporation) C:\Windows\system32\mfc42d.dll
2015-06-28 14:07 - 2004-02-17 00:00 - 00434252 _____ (Microsoft Corporation) C:\Windows\system32\MSVCRTD.DLL
2015-06-28 14:03 - 2015-06-28 14:03 - 05922831 _____ C:\Users\Amaranthus\Desktop\AMDCoolnQuiet_Utility_V21801_XPVistaWin7.zip
2015-06-28 13:22 - 2015-07-14 13:48 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-28 13:21 - 2015-06-29 00:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-28 13:21 - 2015-06-29 00:12 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-06-28 13:21 - 2015-06-28 13:21 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-28 13:21 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-28 13:21 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-28 13:21 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-28 13:19 - 2015-06-28 13:19 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Amaranthus\Desktop\mbam-setup-2.1.6.1022.exe
2015-06-28 13:15 - 2015-06-28 13:15 - 00002413 _____ C:\Users\Amaranthus\Desktop\RKreport[0]_S_06282015_131540.txt
2015-06-28 13:12 - 2015-06-28 13:16 - 00000000 ____D C:\Users\Amaranthus\Desktop\RK_Quarantine
2015-06-26 22:06 - 2015-06-26 22:06 - 00000000 ____D C:\Users\Amaranthus\AppData\Roaming\NVIDIA
2015-06-26 21:55 - 2015-06-26 21:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2015-06-26 21:51 - 2015-07-14 13:42 - 00000000 ____D C:\ProgramData\NVIDIA
2015-06-26 21:50 - 2015-06-26 21:50 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-06-26 21:50 - 2012-02-29 22:56 - 03881792 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2015-06-26 21:50 - 2012-02-29 22:53 - 00645440 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2015-06-26 21:50 - 2012-02-29 22:53 - 00108352 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2015-06-26 21:50 - 2012-02-29 22:53 - 00062272 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2015-06-26 21:49 - 2015-06-26 21:51 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2015-06-26 21:49 - 2012-03-01 01:59 - 19444544 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv32.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 17543488 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 10819392 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2015-06-26 21:49 - 2012-03-01 01:59 - 07713088 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2um.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 05892928 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 02517312 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 02437440 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 02301248 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 01000256 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco32.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 00061248 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2015-06-26 21:49 - 2012-03-01 01:59 - 00008772 _____ C:\Windows\system32\nvinfo.pb
2015-06-26 21:49 - 2012-01-17 14:46 - 00027968 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap32.dll
2015-06-26 21:49 - 2012-01-17 14:45 - 00876864 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco3220103.dll
2015-06-26 21:49 - 2012-01-17 14:45 - 00148800 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda32v.sys
2015-06-26 21:40 - 2015-06-26 21:40 - 00000000 ____D C:\Users\Amaranthus\Desktop\Guru3D.com
2015-06-26 21:38 - 2015-06-26 21:38 - 01118497 _____ C:\Users\Amaranthus\Desktop\[Guru3D.com]-DDU.zip
2015-06-24 22:48 - 2015-06-24 22:48 - 00001072 _____ C:\Users\Amaranthus\Desktop\[GraphicRiver][Mobile App UI] Averto - Shortcut.lnk
2015-06-17 18:59 - 2015-06-17 18:59 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-06-17 18:49 - 2015-06-17 18:52 - 00000000 ____D C:\ProgramData\Package Cache
2015-06-16 14:09 - 2015-06-16 14:09 - 01993852 _____ C:\Users\Amaranthus\Desktop\iOS7_Bars.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-14 15:42 - 2009-07-14 06:34 - 00016640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 15:42 - 2009-07-14 06:34 - 00016640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 15:36 - 2015-05-27 13:35 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 15:28 - 2015-04-21 19:30 - 00000386 _____ C:\Windows\Tasks\update-S-1-5-21-819178547-188060312-1766734351-1000.job
2015-07-14 14:04 - 2015-04-21 22:32 - 01888284 _____ C:\Windows\WindowsUpdate.log
2015-07-14 13:46 - 2015-04-21 15:53 - 00000000 ____D C:\Users\Amaranthus\AppData\Roaming\ViberPC
2015-07-14 13:42 - 2010-11-20 23:48 - 00017290 _____ C:\Windows\PFRO.log
2015-07-14 13:42 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-14 13:42 - 2009-07-14 06:39 - 00039917 _____ C:\Windows\setupact.log
2015-07-14 02:06 - 2015-05-28 22:46 - 00000007 _____ C:\Users\Amaranthus\Documents\mt-e_hook.txt
2015-07-14 02:04 - 2015-05-28 22:46 - 00000041 _____ C:\Users\Amaranthus\Documents\mt-x_hook.txt
2015-07-14 00:34 - 2015-04-21 19:29 - 00000386 _____ C:\Windows\Tasks\update-sys.job
2015-07-13 21:23 - 2014-05-21 01:14 - 00000000 ____D C:\AdwCleaner
2015-07-13 21:01 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\schemas
2015-07-13 20:24 - 2015-04-21 14:15 - 00001093 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-07-13 20:24 - 2015-04-21 14:15 - 00001093 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-07-10 18:50 - 2009-07-14 06:33 - 03957984 _____ C:\Windows\system32\FNTCACHE.DAT
2015-07-10 15:09 - 2015-04-21 14:13 - 00143008 _____ C:\Users\Amaranthus\AppData\Local\GDIPFONTCACHEV1.DAT
2015-07-08 21:42 - 2015-04-21 14:23 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-07-08 21:42 - 2015-04-21 14:23 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-07-08 21:33 - 2015-05-01 02:42 - 00000132 _____ C:\Users\Amaranthus\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-07-07 13:14 - 2010-02-01 00:00 - 00000000 ____D C:\Users\Amaranthus\Desktop\OpenHardwareMonitor
2015-07-03 21:33 - 2015-04-21 14:15 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-06-30 21:37 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\system32\LogFiles
2015-06-29 19:41 - 2010-11-20 23:01 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-28 14:15 - 2009-07-14 04:37 - 00000000 __RSD C:\Windows\Media
2015-06-28 14:08 - 2015-05-20 01:34 - 00000000 ____D C:\Program Files\Garena Plus
2015-06-28 14:07 - 2015-04-21 14:06 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2015-06-28 14:06 - 2015-04-21 14:24 - 00000000 ____D C:\Program Files\Common Files\InstallShield
2015-06-26 21:50 - 2015-04-21 14:07 - 00000000 ____D C:\NVIDIA
2015-06-26 21:50 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\Help
2015-06-18 13:15 - 2015-04-21 13:54 - 00000000 ____D C:\Users\Amaranthus
2015-06-17 19:03 - 2015-04-23 21:37 - 00000000 ____D C:\Program Files\Common Files\Adobe
2015-06-17 19:02 - 2015-04-23 21:44 - 00000000 ____D C:\Program Files\Adobe
2015-06-17 19:02 - 2015-04-21 14:24 - 00000000 ____D C:\Users\Amaranthus\AppData\Roaming\Adobe
2015-06-17 18:59 - 2015-04-23 21:36 - 00000000 ____D C:\ProgramData\Adobe

==================== Files in the root of some directories =======

2015-05-01 02:42 - 2015-07-08 21:33 - 0000132 _____ () C:\Users\Amaranthus\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-04-21 19:29 - 2015-04-21 19:29 - 0000003 _____ () C:\Users\Amaranthus\AppData\Local\updater.log
2015-04-21 19:30 - 2015-04-23 23:05 - 0000412 _____ () C:\Users\Amaranthus\AppData\Local\UserProducts.xml

Some files in TEMP:
====================
C:\Users\Amaranthus\AppData\Local\Temp\ntdll_dump.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-14 16:02

==================== End of log ============================

Link to post
Share on other sites

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Amaranthus at 2015-07-14 16:10:28
Running from D:\Sve\Security
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-819178547-188060312-1766734351-500 - Administrator - Disabled)
Amaranthus (S-1-5-21-819178547-188060312-1766734351-1000 - Administrator - Enabled) => C:\Users\Amaranthus
Guest (S-1-5-21-819178547-188060312-1766734351-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.203 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Anno 1404 - Dawn of Discovery version 1.3 (HKLM\...\{1520E069-19A9-4B01-BA5D-87B67D56F55D}_is1) (Version: 1.3 - )
ASIO4ALL (HKLM\...\ASIO4ALL) (Version: 2.11 Beta2 - Michael Tippach)
Avast Free Antivirus (HKLM\...\Avast) (Version: 10.2.2215 - AVAST Software)
Cool & Quiet (HKLM\...\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}) (Version:  - )
Dota 2 (HKLM\...\Steam App 570) (Version:  - Valve)
FL Studio 11 (HKLM\...\FL Studio 11) (Version:  - Image-Line)
FlowStone FL 3.0 (HKLM\...\FlowStone) (Version:  - )
GitHub (HKU\S-1-5-21-819178547-188060312-1766734351-1000\...\5f7eb300e2ea4ebf) (Version: 2.13.2.4 - GitHub, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 43.0.2357.132 - Google Inc.)
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
IL Shared Libraries (HKLM\...\IL Shared Libraries) (Version:  - Image-Line)
Lightshot-5.2.1.1 (HKLM\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.2.1.1 - Skillbrains)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
MegaTrainer eXperience V1.2.9.2 (HKLM\...\MegaTrainer eXperience_is1) (Version:  - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 37.0.2 - Mozilla)
NVIDIA 3D Vision Controller Driver 296.10 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 296.10 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 296.10 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 296.10 - NVIDIA Corporation)
NVIDIA Graphics Driver 296.10 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 296.10 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.12.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.12.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation)
PDF Settings CS6 (Version: 11.0 - Adobe Systems Incorporated) Hidden
Platform (Version: 1.39 - VIA Technologies, Inc.) Hidden
Realtek 8136 8168 8169 Ethernet Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0005 - Realtek)
reFX Nexus VSTi RTAS v2.2.0 (HKLM\...\reFX Nexus_is1) (Version:  - )
SeaTools for Windows 1.4.0.2 (HKLM\...\SeaTools for Windows) (Version: 1.4.0.2 - Seagate Technology)
SourceTree (HKLM\...\SourceTree 1.6.14) (Version: 1.6.14 - Atlassian)
SourceTree (Version: 1.6.14 - Atlassian) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.28 - Piriform)
Steam (HKLM\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Sublime Text Build 3083 (HKLM\...\Sublime Text 3_is1) (Version:  - Sublime HQ Pty Ltd)
Sylenth1 v2.20 (HKLM\...\Sylenth1_is1) (Version:  - )
VIA Platform Device Manager (HKLM\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.39 - VIA Technologies, Inc.)
Viber (HKU\S-1-5-21-819178547-188060312-1766734351-1000\...\Viber) (Version: 5.1.2.24 - Viber Media Inc)
WinRAR 5.21 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
Wolfenstein (HKLM\...\InstallShield_{F9B37992-968C-4264-8449-489032FC28DE}) (Version: 1.0 - Activision)
Wolfenstein (Version: 1.0 - Activision) Hidden
XAMPP (HKLM\...\xampp) (Version: 5.6.8-0 - Bitnami)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

22-04-2015 00:12:21 Installed DirectX
22-04-2015 03:08:20 Windows Update
24-04-2015 01:35:57 UxStyle
24-04-2015 01:36:36 UxStyle
05-05-2015 01:30:27 Installed GTA San Andreas
14-05-2015 18:35:21 Windows Update
25-05-2015 19:24:08 Scheduled Checkpoint
30-05-2015 22:11:43 Installed SourceTree
13-06-2015 21:17:18 Installed Wolfenstein
17-06-2015 18:49:03 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
17-06-2015 18:50:57 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005
26-06-2015 15:36:45 Scheduled Checkpoint
26-06-2015 21:36:14 Removed GTA San Andreas
26-06-2015 21:41:08 DDU System Restored Point
28-06-2015 14:06:38 Installed Cool & Quiet
30-06-2015 21:48:12 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005
09-07-2015 20:30:52 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:04 - 2009-06-10 23:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1FEDBDF7-4C7C-40EB-9C42-1BF62E547E22} - System32\Tasks\update-sys => C:\Program Files\Skillbrains\Updater\Updater.exe [2014-11-28] ()
Task: {3EE08BAA-2BAF-4081-8456-6DC262A9E158} - System32\Tasks\update-S-1-5-21-819178547-188060312-1766734351-1000 => C:\Program Files\Skillbrains\Updater\Updater.exe [2014-11-28] ()
Task: {8ED585AF-0622-485C-A197-0A53B742E476} - System32\Tasks\{2DC0E33F-F62D-41AB-ADFE-88DFD8F43F12} => pcalua.exe -a C:\Users\Amaranthus\Desktop\Anno1404_Entwickler_Tools.exe -d C:\Users\Amaranthus\Desktop
Task: {A5F6F12F-EA7C-424B-8FAA-2C290218B52A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-07-13] (Google Inc.)
Task: {B528A609-55CE-4B70-8032-6780A9858376} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-08] (Adobe Systems Incorporated)
Task: {B8AA5ADF-DD9A-418A-A7F0-0CC579F4640E} - System32\Tasks\{7D90D7D2-9A58-46BC-9261-AD0A99C80133} => pcalua.exe -a C:\Users\Amaranthus\Desktop\AddonToolsRelease_2010_02_22_15_09_FINAL\Anno1404Venedig_Entwickler_Tools.exe -d C:\Users\Amaranthus\Desktop\AddonToolsRelease_2010_02_22_15_09_FINAL
Task: {C8E8FD3B-0215-40DB-B18C-357D9E8E1434} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-06-18] (Avast Software s.r.o.)
Task: {D8176563-48C3-4545-B9C6-949DC8DF6FAF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-07-13] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\update-S-1-5-21-819178547-188060312-1766734351-1000.job => C:\Program Files\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files\Skillbrains\Updater\Updater.exe

==================== Loaded Modules (Whitelisted) ==============

2015-04-21 14:29 - 2015-04-21 14:29 - 00104400 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2015-04-21 14:29 - 2015-04-21 14:29 - 00081728 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2015-07-13 18:53 - 2015-07-13 18:53 - 02956288 _____ () C:\Program Files\AVAST Software\Avast\defs\15071301\algo.dll
2015-07-14 13:46 - 2015-07-14 13:46 - 02956288 _____ () C:\Program Files\AVAST Software\Avast\defs\15071400\algo.dll
2015-04-21 14:25 - 2012-10-25 11:25 - 00080504 ____R () C:\Program Files\VIA\VIAudioi\VDeck\QsApoApi.dll
2015-04-21 14:25 - 2012-10-25 11:25 - 00113272 ____R () C:\Program Files\VIA\VIAudioi\VDeck\Dts2ApoApi.dll
2015-04-21 14:29 - 2015-04-21 14:29 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-04-21 15:49 - 2015-06-10 09:50 - 80035536 _____ () C:\Users\Amaranthus\AppData\Local\Viber\Viber.exe
2015-05-29 18:32 - 2015-02-25 09:21 - 01507328 _____ () C:\Users\Amaranthus\AppData\Local\Viber\libGLESv2.dll
2015-05-29 18:32 - 2015-06-10 09:19 - 00100864 _____ () C:\Users\Amaranthus\AppData\Local\Viber\qfacebook.dll
2015-05-29 18:32 - 2015-06-10 09:19 - 00171008 _____ () C:\Users\Amaranthus\AppData\Local\Viber\exif.dll
2015-05-29 18:32 - 2015-02-25 09:21 - 00063488 _____ () C:\Users\Amaranthus\AppData\Local\Viber\libEGL.dll
2015-05-29 18:32 - 2015-02-25 09:36 - 00010240 _____ () C:\Users\Amaranthus\AppData\Local\Viber\QtQuick.2\qtquick2plugin.dll
2015-07-02 22:45 - 2015-07-02 22:45 - 01020928 _____ () C:\Users\Amaranthus\AppData\Roaming\Mozilla\Firefox\Profiles\myh75s7a.default-1429832575356\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-819178547-188060312-1766734351-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 217.75.192.10 - 8.8.8.8

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{F0A42E11-31E2-4670-8F26-248CD0F9AB7D}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{0EEB88DC-D515-48E6-8EDA-C10EA5A0E444}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{637AD46C-861D-4C3A-B11D-67831F5F0E03}] => (Allow) D:\Program Files\Steam\Steam.exe
FirewallRules: [{A05134B3-749A-481A-B8DF-837C7A38674F}] => (Allow) D:\Program Files\Steam\Steam.exe
FirewallRules: [{AD8EDBAF-3134-4B71-857E-864FF3B61803}] => (Allow) D:\Program Files\Steam\bin\steamwebhelper.exe
FirewallRules: [{9191B680-202A-4FBA-8149-4490A2A70E8A}] => (Allow) D:\Program Files\Steam\bin\steamwebhelper.exe
FirewallRules: [{4603DC87-520D-4774-BBCF-8E804ED8DC1E}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
FirewallRules: [{0873AA54-6EB5-4279-AC85-D9FDFFC0E907}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
FirewallRules: [{E2FECD21-D51E-4AFA-981B-E646F098223E}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{9FAE69E9-907F-414B-A8F4-EDCBF8C33A82}] => (Allow) D:\Program Files\Steam\steamapps\common\dota 2 beta\dota.exe
FirewallRules: [{AEE8C40A-8DAF-42D2-B2B8-A3021EE866CA}] => (Allow) D:\Program Files\Steam\steamapps\common\dota 2 beta\dota.exe
FirewallRules: [TCP Query User{B7B796E5-06AC-4AE4-83B4-D11F4BC16F73}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [uDP Query User{3F81AAAC-35F3-4C40-AAC1-08E87843AA12}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [TCP Query User{76E8577F-627F-4338-A4B7-809BFB637DD6}C:\xampp\mysql\bin\mysqld.exe] => (Allow) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [uDP Query User{C2C13CEC-FA39-43E5-8949-0DA67D7CE338}C:\xampp\mysql\bin\mysqld.exe] => (Allow) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [{0E26463C-E08D-415D-9C08-5B1B9541EFEA}] => (Block) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [{A75D0DE5-C7D6-4469-836B-36647CC9F15A}] => (Block) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [{CCE99EC5-A089-413B-8899-48D24FB06663}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{082738DD-CF51-4E2B-9779-962DA095D3DA}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{8B0BE223-4574-4620-886C-12AD43202609}] => (Allow) C:\Program Files\Garena Plus\ggdllhost.exe
FirewallRules: [{59EF2525-1861-4C8F-9706-C3330CE01A25}] => (Allow) C:\Program Files\Activision\Wolfenstein\MP\Wolf2MP.exe
FirewallRules: [{C7579ABD-0CEE-45CA-A781-246A699606FA}] => (Allow) C:\Program Files\Activision\Wolfenstein\MP\Wolf2MP.exe
FirewallRules: [{5812834D-7863-433A-9635-E27BE2585792}] => (Allow) C:\Program Files\Activision\Wolfenstein\MP\Wolf2MPLite.exe
FirewallRules: [{C268D7E7-9944-4B3F-8347-D3C4859EB7CF}] => (Allow) C:\Program Files\Activision\Wolfenstein\MP\Wolf2MPLite.exe
FirewallRules: [{FEEB4C4C-DE38-4370-AEB8-FB2A1F20D928}] => (Allow) D:\Program Files\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
FirewallRules: [{D774FD3E-8F83-4943-A80E-94CBF68DD869}] => (Allow) D:\Program Files\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
FirewallRules: [{D3E2125C-04F4-47DB-A079-D840053149D2}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/14/2015 01:42:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/14/2015 02:06:31 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Addon.exe version 2.1.5010.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1304

Start Time: 01d0bdc8e8381532

Termination Time: 177

Application Path: D:\Program Files\Ubisoft\Related Designs\Anno 1404 - Dawn of Discovery\Addon.exe

Report Id: 2ba47117-29bc-11e5-be02-e0cb4ed70b6d

Error: (07/14/2015 01:42:53 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Anno4.exe version 1.3.3650.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 12b4

Start Time: 01d0bdc579b0afc5

Termination Time: 327

Application Path: D:\Program Files\Ubisoft\Related Designs\IAAM 1404\Anno4.exe

Report Id: d426a386-29b8-11e5-be02-e0cb4ed70b6d

Error: (07/13/2015 09:01:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/13/2015 06:49:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/13/2015 01:57:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/13/2015 01:12:05 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program dota.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1028

Start Time: 01d0bcef243b3334

Termination Time: 1562

Application Path: D:\Program Files\Steam\steamapps\common\dota 2 beta\dota.exe

Report Id: 5d0b38e0-28eb-11e5-945f-e0cb4ed70b6d

Error: (07/12/2015 09:19:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/12/2015 12:56:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/11/2015 09:17:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (07/13/2015 08:28:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Encyclopaedia Enter service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/13/2015 08:28:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Compact Bulletin Board service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/13/2015 08:23:40 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The WindowsMangerProtect Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/13/2015 02:02:28 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (07/08/2015 03:14:34 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Error: (07/04/2015 02:14:54 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 14:14:04 on ‎4.‎7.‎2015 was unexpected.

Error: (07/04/2015 02:05:16 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 14:03:53 on ‎4.‎7.‎2015 was unexpected.

Error: (06/30/2015 09:55:37 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 21:50:40 on ‎30.‎6.‎2015 was unexpected.

Error: (06/30/2015 01:45:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMScheduler service failed to start due to the following error:
%%1053

Error: (06/30/2015 01:45:05 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the MBAMScheduler service to connect.


Microsoft Office:
=========================
Error: (07/14/2015 01:42:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/14/2015 02:06:31 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Addon.exe2.1.5010.0130401d0bdc8e8381532177D:\Program Files\Ubisoft\Related Designs\Anno 1404 - Dawn of Discovery\Addon.exe2ba47117-29bc-11e5-be02-e0cb4ed70b6d

Error: (07/14/2015 01:42:53 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Anno4.exe1.3.3650.012b401d0bdc579b0afc5327D:\Program Files\Ubisoft\Related Designs\IAAM 1404\Anno4.exed426a386-29b8-11e5-be02-e0cb4ed70b6d

Error: (07/13/2015 09:01:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/13/2015 06:49:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/13/2015 01:57:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/13/2015 01:12:05 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: dota.exe0.0.0.0102801d0bcef243b33341562D:\Program Files\Steam\steamapps\common\dota 2 beta\dota.exe5d0b38e0-28eb-11e5-945f-e0cb4ed70b6d

Error: (07/12/2015 09:19:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/12/2015 12:56:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/11/2015 09:17:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: Intel® Celeron® CPU E3300 @ 2.50GHz
Percentage of memory in use: 74%
Total physical RAM: 2047.18 MB
Available physical RAM: 514.93 MB
Total Virtual: 4094.36 MB
Available Virtual: 1902.41 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.44 GB) (Free:35.42 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:149.65 GB) (Free:42.93 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 4BB24BB1)
Partition 1: (Active) - (Size=148.4 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149.6 GB) - (Type=OF Extended)

==================== End of log ============================

Link to post
Share on other sites

Step 1

Please uninstall this program: Lightshot-5.2.1.1

Step 2

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Step 3

Please update Malwarebytes Anti-Malware and perform a threat scan. Post your log file.

In your next reply, post the following log files:

  • FRST log
  • Malwarebytes' Anti-Malware log

fixlist.txt

Link to post
Share on other sites

Here is the Fixlog. I will post Malwarebytes log later, when it finishes with scanning.

 

Also, I've seen this files

2015-07-13 20:25 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2015-07-13 20:23 - 2009-06-10 23:39 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-07-13 20:22 - 2015-07-13 20:22 - 00000000 _____ C:\Windows\prleth.sys
2015-07-13 20:22 - 2015-07-13 20:22 - 00000000 _____ C:\Windows\hgfs.sys

 

and checked them on the Net, those last two may be flagged as malware, what do You think? This first two, don't remember installing anything that requires SQLite or even HP stuff.

 

 

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 12-07-2015
Ran by Amaranthus at 2015-07-14 20:00:49 Run:1
Running from D:\Sve\Security
Loaded Profiles: Amaranthus (Available Profiles: Amaranthus)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CloseProcesses:
Task: {1FEDBDF7-4C7C-40EB-9C42-1BF62E547E22} - System32\Tasks\update-sys => C:\Program Files\Skillbrains\Updater\Updater.exe [2014-11-28] ()
Task: {3EE08BAA-2BAF-4081-8456-6DC262A9E158} - System32\Tasks\update-S-1-5-21-819178547-188060312-1766734351-1000 => C:\Program Files\Skillbrains\Updater\Updater.exe [2014-11-28] ()
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files\Skillbrains\Updater\Updater.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
C:\Program Files\Skillbrains
EmptyTemp:
end
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1FEDBDF7-4C7C-40EB-9C42-1BF62E547E22}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FEDBDF7-4C7C-40EB-9C42-1BF62E547E22}" => key removed successfully.
C:\Windows\System32\Tasks\update-sys => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update-sys" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3EE08BAA-2BAF-4081-8456-6DC262A9E158}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3EE08BAA-2BAF-4081-8456-6DC262A9E158}" => key removed successfully.
C:\Windows\System32\Tasks\update-S-1-5-21-819178547-188060312-1766734351-1000 => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update-S-1-5-21-819178547-188060312-1766734351-1000" => key removed successfully.
C:\Windows\Tasks\update-sys.job => moved successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
C:\Program Files\Skillbrains => moved successfully.
EmptyTemp: => 1.3 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 20:02:21 ====

Link to post
Share on other sites

Malwarebytes log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 14.7.2015
Scan Time: 20:13
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.14.05
Rootkit Database: v2015.07.14.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Amaranthus

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298726
Time Elapsed: 34 min, 43 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.MyStartSearch, C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences, Good: ("session":{"restore_on_startup":4,"startup_urls":["https://www.malwarebytes.org/restorebrowser/]}}),Bad: ("session":{"restore_on_startup":4,"startup_urls":["http://www.mystartsearch.com/?type=hp&ts=1436811692&z=baedb29c6c4faca79325f5dg0z4c9q7b9g3gfm6z3z&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX"]}}), Replaced,[cce1c21fe5a573c3a33aa3c7f3120cf4]

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Lightshot is small app from this http://prnt.sc/

Could be a virus?

It could be.

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=9098393#none

Also, I've seen this files

2015-07-13 20:25 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll

2015-07-13 20:23 - 2009-06-10 23:39 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak

2015-07-13 20:22 - 2015-07-13 20:22 - 00000000 _____ C:\Windows\prleth.sys

2015-07-13 20:22 - 2015-07-13 20:22 - 00000000 _____ C:\Windows\hgfs.sys

and checked them on the Net, those last two may be flagged as malware, what do You think? This first two, don't remember installing anything that requires SQLite or even HP stuff.

May be, but they are not in your case all of these are legitimate. It is possible to be used by the operating system or form software you have installed.

Don't worry about the things your log files.

Step 1

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 2

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan button. Wait until is finished.
  • Click on Clean.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.
Step 3

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.png to download the ESET Smart Installer. icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • In your next reply, post the following log files:
    • Junkware Removal Tool log
    • AdwCleaner log
    • ESET Online Scanner log
Link to post
Share on other sites

Here are the logs as You requested. Sorry for delay, ESET was scanning almost 4 hours.

Also sorry for using spoiler for logs.

 

 

Eset scan log

 

C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\GoogleUpdate.exe.vir Win32/AlteredSoftware.C potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe.vir Win32/AlteredSoftware.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe.vir Win32/AlteredSoftware.C potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe.vir a variant of Win32/AlteredSoftware.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe.vir a variant of Win32/AlteredSoftware.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\goopdate.dll.vir a variant of Win32/AlteredSoftware.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\goopdateres_en.dll.vir a variant of Win32/AlteredSoftware.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll.vir a variant of Win32/AlteredSoftware.E potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\psmachine.dll.vir a variant of Win32/AlteredSoftware.G potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\globalUpdate\Update\1.3.25.0\psuser.dll.vir a variant of Win32/AlteredSoftware.G potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\iWebar\iWebar-nova.dll.vir a variant of Win32/Toolbar.CrossRider.AI potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\iWebar\Uninstall.exe.vir a variant of Win32/Toolbar.CrossRider.BP potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\manifest.json.vir JS/ShopperPro.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\ShopperPro.crx.vir JS/ShopperPro.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\ShopperPro.zip.vir JS/ShopperPro.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\SPRemove.exe.vir a variant of Win32/SBWatchman.E potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\Updater.exe.vir a variant of Win32/ShopperPro.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\FireFox\content\overlay.js.vir JS/ShopperPro.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\JSDriver\jsdrv.exe.vir a variant of Win32/ShopperPro.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\ShopperPro\JSDriver\jsdrv.sys.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\engine.dll.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\helper.dll.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\ipc.dll.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\lspinst.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\lspinst2.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\Res.dll.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\testlsp.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\unelevate.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\Updater.exe.vir a variant of Win32/ShopperPro.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\xmldb.dll.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\YouTubeAccelerator.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\YouTubeAcceleratorService.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\YTAHUninstall.exe.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\ytalsp.dll.vir a variant of Win32/SBWatchman.D potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\YouTube Accelerator\YTAUninstall.exe.vir a variant of Win32/SBWatchman.E potentially unwanted application cleaned by deleting - quarantined
C:\Users\Amaranthus\Desktop\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
D:\Sve\DriverUpdaterSetup-2.0.0.7613.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application deleted - quarantined
D:\Sve\g-pen(1).zip a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application deleted - quarantined

 

Junkware Removal Tool Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.4.9 (07.14.2015:2)
OS: Windows 7 Ultimate x86
Ran by Amaranthus on sri 15.07.2015 at 13:50:25,12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks

Successfully deleted: [Task] C:\Windows\tasks\update-S-1-5-21-819178547-188060312-1766734351-1000.job



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\APN PIP



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Amaranthus\AppData\Roaming\mozilla\firefox\profiles\myh75s7a.default-1429832575356\prefs.js

user_pref(browser.search.searchengine.alias, mystartsearch);
user_pref(browser.search.searchengine.desc, this is my first firefox searchEngine);
user_pref(browser.search.searchengine.iconURL, hxxp://www.mystartsearch.com/favicon.ico);
user_pref(browser.search.searchengine.name, mystartsearch);
user_pref(browser.search.searchengine.ptid, cvs);
user_pref(browser.search.searchengine.uid, HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX);
user_pref(browser.search.searchengine.url, hxxp://www.mystartsearch.com/web/?type=ds&ts=1436811692&z=baedb29c6c4faca79325f5dg0z4c9q7b9g3gfm6z3z&from=cvs&uid=HitachiXHDS7210
user_pref(extensions.lastpass.ca4efd51bde70c874236c103a688f74c09f9d5f7962ec4b8b18224c34997acac.searchforsiteswithinaddressbar, true);
user_pref(extensions.lastpass.searchforsiteswithinaddressbar, true);
user_pref(extensions.quick_start.enable_search1, false);
user_pref(extensions.quick_start.sd.closeWindowWithLastTab_prev_state, false);
Emptied folder: C:\Users\Amaranthus\AppData\Roaming\mozilla\firefox\profiles\myh75s7a.default-1429832575356\minidumps [15 files]



~~~ Chrome


[C:\Users\Amaranthus\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Amaranthus\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Amaranthus\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Amaranthus\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on sri 15.07.2015 at 13:54:42,51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

adwCleaner Log

 

# AdwCleaner v4.208 - Logfile created 15/07/2015 at 13:57:47
# Updated 09/07/2015 by Xplode
# Database : 2015-07-15.1 [server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x86)
# Username : Amaranthus - AMARANTHUS-PC
# Running from : D:\Sve\Security\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKCU\Software\OCS
Key Deleted : HKCU\Software\simplytech
Key Deleted : HKCU\Software\Linkey
Key Deleted : HKCU\Software\Kromtech
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\SearchProtect
Key Deleted : HKLM\SOFTWARE\SupDp
Key Deleted : HKLM\SOFTWARE\SpeedBit
Key Deleted : HKLM\SOFTWARE\AIM Toolbar
Key Deleted : HKLM\SOFTWARE\searchult
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Linkey

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.7601.17514


-\\ Mozilla Firefox v39.0 (x86 en-US)


-\\ Google Chrome v43.0.2357.134

[C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.mystartsearch.com/web/?type=ds&ts=1436811692&z=baedb29c6c4faca79325f5dg0z4c9q7b9g3gfm6z3z&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX&q={searchTerms}
[C:\Users\Amaranthus\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Homepage] : hxxp://www.mystartsearch.com/?type=hp&ts=1436811692&z=baedb29c6c4faca79325f5dg0z4c9q7b9g3gfm6z3z&from=cvs&uid=HitachiXHDS721032CLA362_JP1421HN18GZ1A18GZ1AX

*************************

AdwCleaner[R0].txt - [1541 bytes] - [28/06/2015 13:17:04]
AdwCleaner[R10].txt - [4560 bytes] - [27/05/2014 13:08:05]
AdwCleaner[R11].txt - [1258 bytes] - [27/05/2014 13:35:33]
AdwCleaner[R12].txt - [1379 bytes] - [27/05/2014 14:24:51]
AdwCleaner[R13].txt - [1497 bytes] - [21/07/2014 18:23:51]
AdwCleaner[R14].txt - [1678 bytes] - [22/11/2014 14:52:19]
AdwCleaner[R1].txt - [3763 bytes] - [13/07/2015 20:24:49]
AdwCleaner[R2].txt - [2546 bytes] - [13/07/2015 21:22:07]
AdwCleaner[R3].txt - [2666 bytes] - [15/07/2015 13:56:04]
AdwCleaner[R8].txt - [1334 bytes] - [21/05/2014 01:14:11]
AdwCleaner[R9].txt - [1394 bytes] - [21/05/2014 01:54:57]
AdwCleaner[s0].txt - [2444 bytes] - [15/07/2015 13:57:47]
AdwCleaner[s2].txt - [1463 bytes] - [21/05/2014 01:55:54]
AdwCleaner[s3].txt - [4500 bytes] - [27/05/2014 13:09:12]
AdwCleaner[s4].txt - [1444 bytes] - [27/05/2014 14:26:01]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2680  bytes] ##########
 

Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.