Really stubborn malware(?)


Since a couple weeks or so, my dad's laptop has apparently been infected with some piece of malware that affects his Google Chrome browser by gradually slowing it down.

 

Neither his trusty F-Secure virus scanner nor Malwarebytes Anti-Malware was able to detect it - let alone remove it.

 

Having done some Google searching, I found AdwCleaner, which proved a nice, albeit temporary, way to find and remove the culprit.

 

I used "temporary", since the same thing keeps re-appearing in Chrome!

The malware(?) I'm talking about is located in the "Secure Preferences" folder of his Chrome folder, indicated as "fcfenmboojpjinhpgggodefccipikbpd".

 

After having done some more Google searching, I found that this may be something to do with Microsoft's Bing search engine - more so because we get a rather annoying window with each fresh new install of Chrome about it. I will add a screenshot of this window if necessary.

 

What I've tried so far:
- Run the F-Secure virus scanner. Unsuccessful.

- Run Malwarebytes Anti-Malware. Unsuccessful.

- Run various other malware scanners that I unfortunately cannot recall right now. Unsuccessful.

- Run AdwCleaner. Successful, albeit temporarily.

- Entirely removed and re-installed Chrome. Unsuccessful.

 

Of course I'm always willing to provide everyone with more information if necessary.

 

Is anybody able to help us with this problem?

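A read-only check that fits the symptom described above (an extension id that comes back after AdwCleaner removes it and even after Chrome is reinstalled) is to look at where Chrome on Windows can be told to re-install an extension: the registry external-extension keys (an entry named after the id carrying an update_url or a local CRX path), the policy force-install list, and the install "location" Chrome records per extension in the profile's Secure Preferences. The PowerShell below is an added example, not code from the thread or from Malwarebytes; the profile path, the key list and the location-number names are assumptions taken from Chromium's documentation and source, so verify them against the Chrome version in use.

```powershell
# Added example (not from the thread): read-only audit of the places a Chrome
# extension can be re-created from on Windows after a user removes it.
# Nothing is modified; the script only reports what it finds.

param(
    # Extension id to flag; the id from the thread is used as the default.
    [string]$SuspectId = 'fcfenmboojpjinhpgggodefccipikbpd',
    # Default profile location (assumption; adjust for other profiles).
    [string]$ProfileDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
)

# Names for the numeric "location" field in Secure Preferences, assumed from
# Chromium's Manifest::Location enum. Anything other than 1 (INTERNAL) was not
# installed by the user through the normal Web Store flow.
$LocationNames = @{
    1 = 'INTERNAL (user-installed)'; 2 = 'EXTERNAL_PREF'; 3 = 'EXTERNAL_REGISTRY'
    4 = 'UNPACKED'; 5 = 'COMPONENT'; 6 = 'EXTERNAL_PREF_DOWNLOAD'
    7 = 'EXTERNAL_POLICY_DOWNLOAD'; 8 = 'COMMAND_LINE'; 9 = 'EXTERNAL_POLICY'
    10 = 'EXTERNAL_COMPONENT'
}

# External-extension keys: one subkey per extension id, with either an
# update_url (Chrome re-downloads the CRX whenever it is missing) or a
# path/version pair pointing at a local CRX. Both 64-bit and WOW6432 views.
$ExternalKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
)
# Policy force-install list: numbered values of the form "<id>;<update_url>".
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

Write-Host '== Registry external-extension entries =='
foreach ($key in $ExternalKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $flag = if ($sub.PSChildName -eq $SuspectId) { ' <-- suspect id' } else { '' }
        Write-Host ('{0}\{1}  update_url={2} path={3}{4}' -f $key, $sub.PSChildName, $props.update_url, $props.path, $flag)
    }
}

Write-Host '== Policy force-install list =='
foreach ($key in $PolicyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host ('{0}: {1}' -f $key, $_.Value) }
}

Write-Host '== Extensions recorded in Secure Preferences =='
$prefsFile = Join-Path $ProfileDir 'Secure Preferences'
if (Test-Path $prefsFile) {
    # The file is JSON; Chrome protects its entries with MACs under "protection",
    # so it is read here as evidence only, never edited.
    $prefs = Get-Content -Raw -Path $prefsFile | ConvertFrom-Json
    $settings = $prefs.extensions.settings
    foreach ($entry in $settings.PSObject.Properties) {
        $ext  = $entry.Value
        $loc  = [int]$ext.location
        $name = if ($ext.manifest) { $ext.manifest.name } else { '(no manifest)' }
        $flag = if ($entry.Name -eq $SuspectId) { ' <-- suspect id' } else { '' }
        Write-Host ('{0}  name="{1}" location={2} from_webstore={3}{4}' -f $entry.Name, $name, $LocationNames[$loc], $ext.from_webstore, $flag)
    }
} else {
    Write-Host "Secure Preferences not found at $prefsFile"
}
```

Run it from an elevated PowerShell so the HKLM keys are readable; an entry for the suspect id under one of the registry keys explains why removing it from the profile, or reinstalling Chrome, does not make it stay gone.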

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
      XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8/8.1/10, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes, select "Report"; in the next window select "Export txt". The log will open as a text file; post that log... Also save it to your Desktop for reference.
  • Close the program > Don't Fix anything!



Let me see those logs in your reply...

 

Thank you,

 

Kevin...
 


Hello Kevin!
After a phone call from my father about even his Firefox browser acting up now by being impossibly slow, I've decided to go over to his place and follow the steps you provided.

We make no use of P2P programs, so we'll just start off with the steps regarding Malwarebytes Anti-Malware.

 

Beforehand, however, I would like to say that this problem (browser or even the entire computer slowing down) seems to occur randomly. Indeed, it's even happened that the laptop was working perfectly fine for a couple days after I've done some scanning and fixing, only to have my dad find the same problem after those few days!

But anyway, here's the log from MBAM (in Dutch; we live in the Netherlands):

Malwarebytes Anti-Malware
www.malwarebytes.org

Scandatum: 10-11-2015
Scantijd: 20:24
Logboekbestand:
Beheerder: Ja

Versie: 2.2.0.1024
Malware-database: v2015.11.10.07
Rootkit-database: v2015.11.04.02
Licentie: Gratis
Malware-bescherming: Uitgeschakeld
Bescherming tegen kwaadaardige websites: Uitgeschakeld
Zelfbescherming: Uitgeschakeld

Besturingssysteem: Windows 8.1
Processor: x64
Bestandssysteem: NTFS
Gebruiker: Willem

Scantype: Bedreigingsscan
Resultaat: Voltooid
Objecten gescand: 322985
Verstreken tijd: 1 u., 8 min, 53 sec

Geheugen: Ingeschakeld
Opstarten: Ingeschakeld
Bestandssysteem: Ingeschakeld
Archieven: Ingeschakeld
Rootkits: Ingeschakeld
Heuristiek: Ingeschakeld
POP: Ingeschakeld
POA: Ingeschakeld

Processen: 0
(Geen kwaadaardige items gedetecteerd)

Modules: 0
(Geen kwaadaardige items gedetecteerd)

Registersleutels: 0
(Geen kwaadaardige items gedetecteerd)

Registerwaarden: 0
(Geen kwaadaardige items gedetecteerd)

Registerdata: 0
(Geen kwaadaardige items gedetecteerd)

Mappen: 0
(Geen kwaadaardige items gedetecteerd)

Bestanden: 0
(Geen kwaadaardige items gedetecteerd)

Fysieke Sectoren: 0
(Geen kwaadaardige items gedetecteerd)


(end)

If necessary, I will of course translate the log's contents to English.
In a nutshell, however, it states that it found 0 malicious items after a full scan that lasted roughly an hour.

Onward to the Farbar Recovery Scan Tool!

Here's FRST.txt:

Scanresultaten van Farbar Recovery Scan Tool (FRST) (x64) Versie:07-11-2015
Gestart door Willem (Beheerder) op LENOVO-PC (10-11-2015 21:48:07)
Gestart vanaf C:\Users\Willem\Downloads
Geladen Profielen: Willem (Beschikbare Profielen: Willem)
Platform: Windows 8.1 Connected (X64) Taal: Nederlands (Nederland)
Internet Explorer Versie 11 (Standaardbrowser: FF)
Boot Modus: Normal
Handleiding voor Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processen (gefilterd) =================

(Als een item is opgenomen in de fixlist, het proces zal worden gesloten. Het bestand zal niet worden verplaatst.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTDevMgr.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\fshoster32.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Reputation\fsorsp.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Anti-Virus\fsgk32.exe
(Intel® Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Common\FSMA32.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Anti-Virus\fssm32.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Common\FSHDLL64.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_IATICAE.EXE
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\fshoster32.exe
(F-Secure Corporation) C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Common\FSM32.EXE
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe


==================== Register (gefilterd) ===========================

(Als een item is opgenomen in de fixlist, het registry item zal worden teruggezet naar de standaardwaarden of verwijderd. Het bestand zal niet worden verplaatst.)

HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [907480 2013-09-05] (Conexant Systems, Inc.)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-26] ()
HKLM\...\Run: [smartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1647616 2012-06-13] (Conexant Systems, Inc.)
HKLM\...\Run: [btServer] => C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe [216064 2014-01-06] (Realtek Semiconductor Corporation)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-08-09] (IvoSoft)
HKLM\...\Run: [bCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [F-Secure Hoster (45123)] => C:\Program Files (x86)\Internetbeveiliging\fshoster32.exe [187432 2015-02-09] (F-Secure Corporation)
HKLM-x32\...\Run: [F-Secure Manager] => C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Common\FSM32.EXE [310312 2015-10-08] (F-Secure Corporation)
HKU\S-1-5-21-2916098315-1380299346-372993811-1001\...\Run: [EPSON Stylus DX4400] => C:\windows\system32\spool\DRIVERS\x64\3\E_IATICAE.EXE [211456 2007-03-01] (SEIKO EPSON CORPORATION)
ShellIconOverlayIdentifiers: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)

==================== Internet (gefilterd) ====================

(Als een item is opgenomen in de fixlist, als het een registry item is wordt verwijderd of hersteld naar de standaard.)

Tcpip\Parameters: [DhcpNameServer] 89.101.251.228 89.101.251.229
Tcpip\..\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F}: [DhcpNameServer] 89.101.251.228 89.101.251.229
Tcpip\..\Interfaces\{F6751C4C-472D-439A-A46B-6016A277DF5D}: [DhcpNameServer] 150.202.1.3

Internet Explorer:
==================
HKU\S-1-5-21-2916098315-1380299346-372993811-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=SL5M&ocid=SL5MDHP&osmkt=nl-nl
HKU\S-1-5-21-2916098315-1380299346-372993811-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
SearchScopes: HKU\S-1-5-21-2916098315-1380299346-372993811-1001 -> DefaultScope {F30055AD-EB36-4E9E-82B2-7B1A55CCF51F} URL = hxxp://www.google.nl/search?hl=nl&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2916098315-1380299346-372993811-1001 -> {05B28477-109B-477B-9178-32D49F395FDE} URL =
SearchScopes: HKU\S-1-5-21-2916098315-1380299346-372993811-1001 -> {F30055AD-EB36-4E9E-82B2-7B1A55CCF51F} URL = hxxp://www.google.nl/search?hl=nl&q={searchTerms}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
BHO: Browsing Protection -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Scanning\bin\browser\install\fs_ie_https\fs_ie_https64.dll [2015-10-10] (F-Secure Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2015-08-09] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)
BHO-x32: Browsing Protection -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Scanning\bin\browser\install\fs_ie_https\fs_ie_https.dll [2015-10-10] (F-Secure Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2015-08-09] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-08-09] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-08-09] (IvoSoft)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  Geen bestand

FireFox:
========
FF ProfilePath: C:\Users\Willem\AppData\Roaming\Mozilla\Firefox\Profiles\qh46h7n3.default
FF DefaultSearchEngine: Bing
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Bing
FF Homepage: hxxp://www.willemhoving.nl/
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SL5MDF&PC=SL5M&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_19_0_0_226.dll [2015-11-09] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-11-09] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-11-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-11-10] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-2916098315-1380299346-372993811-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Willem\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-10] (Google Inc.)
FF Plugin HKU\S-1-5-21-2916098315-1380299346-372993811-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Willem\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-10] (Google Inc.)
FF Extension: Bing Search - C:\Users\Willem\AppData\Roaming\Mozilla\Firefox\Profiles\qh46h7n3.default\Extensions\bingsearch.full@microsoft.com [2015-10-23] [ niet getekend]
FF Extension: Click&Clean - C:\Users\Willem\AppData\Roaming\Mozilla\Firefox\Profiles\qh46h7n3.default\Extensions\clickclean@hotcleaner.com [2015-11-10]
FF Extension: Make Address Bar Font Size Bigger - C:\Users\Willem\AppData\Roaming\Mozilla\Firefox\Profiles\qh46h7n3.default\Extensions\addressBarFontSizeBigger@papafresh.com.xpi [2015-11-10]
FF Extension: uBlock - C:\Users\Willem\AppData\Roaming\Mozilla\Firefox\Profiles\qh46h7n3.default\Extensions\{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi [2015-11-10]
FF Extension: Adblock Plus - C:\Users\Willem\AppData\Roaming\Mozilla\Firefox\Profiles\qh46h7n3.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-10]
FF HKLM-x32\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi
FF Extension: Geen Naam - C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi [2015-10-10] [ niet getekend]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.willemhoving.nl/
CHR StartupUrls: Default -> "hxxp://www.willemhoving.nl/"
CHR Profile: C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-11-10]
CHR Extension: (Google Docs) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-11-10]
CHR Extension: (Google Drive) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-10]
CHR Extension: (YouTube) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-10]
CHR Extension: (Google Search) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-10]
CHR Extension: (Google Sheets) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-11-10]
CHR Extension: (Google Docs Offline) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-10]
CHR Extension: (Browsing Protection by F-Secure) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmjjnhpacphpjmnnlnccpfmhkcloaade [2015-11-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-10]
CHR Extension: (Gmail) - C:\Users\Willem\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-11-10]
CHR HKU\S-1-5-21-2916098315-1380299346-372993811-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmjjnhpacphpjmnnlnccpfmhkcloaade] - C:/Program Files (x86)/Internetbeveiliging/apps/CCF_Scanning/bin/browser/install/fs_chrome_https/fs_chrome_https.crx [2014-06-25]

==================== Services (gefilterd) ========================

(Als een item is opgenomen in de fixlist, wordt uit het register verwijderd. Het bestand zal niet worden verplaatst tenzij apart vermeld.)

S2 0221851444493150mcinstcleanup; C:\windows\TEMP\022185~1.EXE [851136 2014-03-25] (McAfee, Inc.)
R2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [84992 2014-01-22] () [bestand niet getekend]
R2 fshoster; C:\Program Files (x86)\Internetbeveiliging\fshoster32.exe [187432 2015-02-09] (F-Secure Corporation)
R3 FSMA; C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Common\FSMA32.EXE [216104 2015-10-08] (F-Secure Corporation)
R2 FSORSPClient; C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Reputation\fsorsp.exe [60456 2015-10-10] (F-Secure Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-12] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-02] (Intel® Corporation) [bestand niet getekend]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-02] (Intel® Corporation)
S2 KMService; C:\windows\SysWOW64\srvany.exe [8192 2015-10-10] () [bestand niet getekend]
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [198192 2014-12-10] (Lenovo(beijing) Limited)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-03-24] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-03-24] (Microsoft Corporation)
S3 McAWFwk; c:\PROGRA~1\COMMON~1\mcafee\actwiz\mcawfwk.exe [X]

===================== Drivers (gefilterd) ==========================

(Als een item is opgenomen in de fixlist, wordt uit het register verwijderd. Het bestand zal niet worden verplaatst tenzij apart vermeld.)

R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 F-Secure Gatekeeper; C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys [217280 2015-10-20] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\HIPS\drivers\fshs.sys [73256 2015-10-20] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [66736 2015-10-10] ()
R3 fsni; C:\Program Files (x86)\Internetbeveiliging\apps\CCF_Scanning\bin\fsni64.sys [97832 2015-10-10] (F-Secure Corporation)
R1 fsvista; C:\Program Files (x86)\Internetbeveiliging\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys [13352 2015-10-08] ()
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-11-10] (Malwarebytes)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 MBI; C:\Windows\System32\drivers\MBI.sys [29464 2013-10-10] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [558296 2014-01-14] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3558104 2014-08-15] (Realtek Semiconductor Corporation                           )
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35856 2014-03-24] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [257880 2014-03-24] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123224 2014-03-24] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-14] ("CyberLink)
S3 rtsuvc; \SystemRoot\system32\DRIVERS\rtsuvc.sys [X]

==================== NetSvcs (gefilterd) ===================

(Als een item is opgenomen in de fixlist, wordt uit het register verwijderd. Het bestand zal niet worden verplaatst tenzij apart vermeld.)


==================== Een Maand Aangemaakt bestanden en mappen ========

(Als een item is opgenomen in de fixlist, het bestand/map wordt verplaatst.)

2015-11-10 21:48 - 2015-11-10 21:50 - 00018716 _____ C:\Users\Willem\Downloads\FRST.txt
2015-11-10 21:46 - 2015-11-10 21:47 - 02198528 _____ (Farbar) C:\Users\Willem\Downloads\FRST64.exe
2015-11-10 20:28 - 2015-11-10 20:28 - 00000284 _____ C:\Users\Willem\Desktop\forum.txt
2015-11-10 13:24 - 2015-11-10 13:32 - 00000000 ____D C:\Users\Willem\Desktop\Scans
2015-11-10 13:22 - 2015-11-10 13:22 - 00000000 _____ C:\Users\Willem\Sti_Trace.log
2015-11-10 13:20 - 2015-11-10 13:20 - 00000957 _____ C:\Users\Public\Desktop\EPSON Scan.lnk
2015-11-10 13:20 - 2015-11-10 13:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON Scan
2015-11-10 13:20 - 2015-11-10 13:20 - 00000000 ____D C:\Program Files (x86)\epson
2015-11-10 13:20 - 2006-12-28 00:00 - 00245248 _____ (SEIKO EPSON CORP.) C:\windows\system32\esxuin7e.dll
2015-11-10 13:20 - 2006-12-28 00:00 - 00208896 _____ (SEIKO EPSON CORP.) C:\windows\SysWOW64\esint7e.dll
2015-11-10 13:20 - 2006-12-28 00:00 - 00100352 _____ (SEIKO EPSON CORP.) C:\windows\system32\esxwia7e.dll
2015-11-10 13:20 - 2006-03-10 00:00 - 00004608 _____ (SEIKO EPSON CORP.) C:\windows\system32\esxwiaml.dll
2015-11-10 13:17 - 2015-11-10 13:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
2015-11-10 13:15 - 2015-11-10 13:17 - 00000000 ____D C:\ProgramData\EPSON
2015-11-10 13:15 - 2007-12-07 02:08 - 00108032 _____ (SEIKO EPSON CORPORATION) C:\windows\system32\E_ILMCAE.DLL
2015-11-10 13:15 - 2007-12-07 02:01 - 00081408 _____ (SEIKO EPSON CORPORATION) C:\windows\system32\E_IBCBCAE.DLL
2015-11-10 13:15 - 2005-02-02 12:05 - 00008704 _____ (SEIKO EPSON CORP.) C:\windows\system32\E_GCINST.DLL
2015-11-10 11:57 - 2015-11-10 17:43 - 00001531 _____ C:\Users\Willem\Desktop\adwcleaner_5.019 - Snelkoppeling.lnk
2015-11-10 11:52 - 2015-11-10 11:55 - 00009515 _____ C:\Users\Willem\Downloads\hijackthis.log
2015-11-10 11:38 - 2015-11-10 12:25 - 00000638 _____ C:\windows\Tasks\Scheduled scanning task.job
2015-11-10 11:14 - 2015-11-10 21:19 - 00000918 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-10 11:14 - 2015-11-10 19:29 - 00000914 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-10 11:14 - 2015-11-10 11:14 - 00003890 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-11-10 11:14 - 2015-11-10 11:14 - 00003654 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-11-10 11:14 - 2015-11-10 11:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-11-10 09:42 - 2015-11-10 09:43 - 01712128 _____ C:\Users\Willem\Downloads\adwcleaner_5.019.exe
2015-11-10 09:22 - 2015-11-10 09:28 - 00000000 ____D C:\Users\Willem\Downloads\Helemaal fout nonstop 11tot20 re-up
2015-11-10 09:02 - 2015-11-10 19:34 - 00000000 ____D C:\Users\Willem\Downloads\nzb
2015-11-10 09:02 - 2015-11-10 19:33 - 00000000 ____D C:\Users\Willem\Downloads\incomplete
2015-11-09 14:35 - 2015-11-09 14:35 - 00000000 ____D C:\Users\Willem\AppData\Local\Macromedia
2015-11-07 10:01 - 2015-11-08 13:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-11-04 13:47 - 2015-11-04 13:48 - 00000116 _____ C:\Users\Willem\Desktop\mijn startpagina.url
2015-11-03 15:08 - 2015-11-03 15:08 - 00000000 ____D C:\Users\Willem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-11-03 15:08 - 2015-11-03 15:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-11-03 15:07 - 2015-11-10 11:53 - 00000000 ____D C:\Users\Willem\AppData\Roaming\Notepad++
2015-11-03 15:07 - 2015-11-03 15:08 - 00000000 ____D C:\Program Files (x86)\Notepad++
2015-11-03 14:29 - 2015-11-10 21:48 - 00000000 ____D C:\FRST
2015-11-03 13:14 - 2015-11-10 19:51 - 00000000 ____D C:\AdwCleaner
2015-11-03 12:45 - 2015-11-03 13:30 - 00000000 __SHD C:\windows\SysWOW64\AI_RecycleBin
2015-11-03 10:59 - 2015-11-03 10:59 - 00000000 ____H C:\windows\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2015-10-30 13:41 - 2015-10-30 13:41 - 00000000 ____D C:\Users\Willem\AppData\LocalLow\F-Secure
2015-10-30 11:44 - 2015-10-30 11:44 - 00000000 ____D C:\Users\Willem\AppData\Roaming\9-lab
2015-10-30 11:43 - 2015-11-03 12:58 - 00000000 ____D C:\Program Files\9-lab
2015-10-30 11:43 - 2015-10-30 11:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\9-lab Removal Tool
2015-10-30 11:43 - 2015-10-30 11:43 - 00000000 ____D C:\ProgramData\9-lab
2015-10-29 18:33 - 2015-10-29 18:33 - 00000000 ____D C:\Users\Willem\AppData\Roaming\Maxthon3
2015-10-26 14:10 - 2014-05-22 03:42 - 02230600 _____ (ELAN Microelectronics Corp.) C:\windows\ETDUninst.dll
2015-10-26 14:01 - 2015-10-26 14:01 - 00000000 ____D C:\Users\Willem\AppData\Local\VS Revo Group
2015-10-26 14:01 - 2015-10-26 14:01 - 00000000 ____D C:\ProgramData\VS Revo Group
2015-10-20 10:22 - 2015-11-10 08:56 - 00108544 ___SH C:\Users\Willem\Downloads\Thumbs.db
2015-10-18 18:57 - 2015-10-18 18:57 - 00000000 ____D C:\Users\Willem\AppData\Roaming\dvdcss

==================== Een Maand Gewijzigd bestanden en mappen ========

(Als een item is opgenomen in de fixlist, het bestand/map wordt verplaatst.)

2015-11-10 21:43 - 2015-10-10 19:38 - 00000932 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2916098315-1380299346-372993811-1001UA.job
2015-11-10 20:43 - 2015-10-10 19:38 - 00000880 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2916098315-1380299346-372993811-1001Core.job
2015-11-10 20:24 - 2015-10-10 17:52 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-10 20:22 - 2015-10-10 18:22 - 00000000 ____D C:\Users\Willem\AppData\Local\ClassicShell
2015-11-10 20:00 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\sru
2015-11-10 19:28 - 2015-10-10 17:08 - 00000000 ___RD C:\Users\Willem\OneDrive
2015-11-10 19:28 - 2015-10-10 17:00 - 00321536 _____ C:\Users\Willem\AppData\Local\BTServer.log
2015-11-10 17:43 - 2015-10-10 18:44 - 00375808 ___SH C:\Users\Willem\Desktop\Thumbs.db
2015-11-10 17:16 - 2015-10-10 18:18 - 00003966 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{A68BA303-EB53-4C36-BA1A-35896F2CB62E}
2015-11-10 16:59 - 2014-12-10 05:47 - 02078105 _____ C:\windows\WindowsUpdate.log
2015-11-10 16:30 - 2015-10-10 18:43 - 00000000 ____D C:\Users\Willem\AppData\Roaming\vlc
2015-11-10 14:06 - 2015-10-10 17:07 - 00003598 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2916098315-1380299346-372993811-1001
2015-11-10 13:25 - 2015-10-10 16:52 - 00000000 ____D C:\Users\Willem
2015-11-10 13:22 - 2013-08-22 15:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-11-10 13:21 - 2013-08-22 14:25 - 00262144 ___SH C:\windows\system32\config\BBI
2015-11-10 13:10 - 2014-12-10 06:34 - 00806704 _____ C:\windows\system32\perfh013.dat
2015-11-10 13:10 - 2014-12-10 06:34 - 00162170 _____ C:\windows\system32\perfc013.dat
2015-11-10 13:10 - 2014-03-18 10:53 - 01823174 _____ C:\windows\system32\PerfStringBackup.INI
2015-11-10 11:50 - 2015-10-10 17:01 - 00000000 ____D C:\Users\Willem\AppData\Local\VirtualStore
2015-11-10 11:37 - 2014-03-18 10:44 - 00023432 _____ C:\windows\PFRO.log
2015-11-10 11:14 - 2015-10-10 18:23 - 00000000 ____D C:\Users\Willem\AppData\Local\Google
2015-11-10 11:14 - 2015-10-10 18:23 - 00000000 ____D C:\Program Files (x86)\Google
2015-11-10 10:31 - 2013-08-22 16:36 - 00000000 ____D C:\windows\AppReadiness
2015-11-10 07:40 - 2015-10-10 21:29 - 00003270 _____ C:\windows\System32\Tasks\Scheduled scanning task
2015-11-09 14:31 - 2015-10-10 17:11 - 00000000 ____D C:\Users\Willem\AppData\Local\Adobe
2015-11-08 14:07 - 2013-08-22 15:46 - 00032656 _____ C:\windows\setupact.log
2015-11-08 13:54 - 2015-10-10 18:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-11-07 10:09 - 2015-10-10 18:35 - 00000000 ___RD C:\Users\Willem\Desktop\Zolder
2015-11-07 07:58 - 2015-10-10 18:42 - 00000000 ____D C:\Users\Willem\Documents\Lenovo
2015-11-04 12:36 - 2015-10-10 18:33 - 00000000 ____D C:\Users\Willem\AppData\Local\Mozilla
2015-11-03 12:51 - 2014-12-10 06:15 - 00000000 ____D C:\ProgramData\Conexant
2015-11-03 11:41 - 2014-12-10 06:15 - 00642646 _____ C:\Users\Public\CAFADEBUG.log
2015-11-03 11:36 - 2014-12-10 06:13 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-11-03 11:30 - 2014-12-10 06:58 - 00000000 ____D C:\Program Files (x86)\Lenovo
2015-11-03 11:28 - 2014-12-10 06:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2015-11-03 11:01 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\NDF
2015-11-02 18:58 - 2013-08-22 15:44 - 00493312 _____ C:\windows\system32\FNTCACHE.DAT
2015-10-30 13:41 - 2015-10-10 17:14 - 00000000 ____D C:\Users\Willem\AppData\Local\F-Secure
2015-10-30 13:35 - 2014-12-10 07:25 - 00000000 ____D C:\ProgramData\Energy Manager
2015-10-30 13:35 - 2014-12-10 05:46 - 00032482 _____ C:\windows\DPINST.LOG
2015-10-26 15:03 - 2015-10-10 18:57 - 00000000 ____D C:\Users\Willem\AppData\Local\SquirrelTemp
2015-10-26 14:16 - 2014-12-10 07:01 - 00000000 ____D C:\ProgramData\Lenovo
2015-10-26 14:15 - 2014-12-10 07:16 - 00002560 _____ C:\windows\system32\VfService.trf
2015-10-26 14:14 - 2014-12-10 07:00 - 00000000 ____D C:\Program Files\Lenovo
2015-10-26 14:14 - 2014-12-10 06:59 - 00000000 ____D C:\windows\System32\Tasks\Lenovo
2015-10-26 14:13 - 2014-12-10 07:15 - 00000000 ____D C:\ProgramData\CyberLink
2015-10-26 14:06 - 2015-10-10 17:06 - 00000000 ____D C:\Users\Willem\AppData\Local\Lenovo
2015-10-26 14:06 - 2014-12-10 06:13 - 00000000 ____D C:\Program Files (x86)\Realtek
2015-10-26 14:04 - 2015-10-10 17:10 - 00001279 _____ C:\Users\Willem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wi-FiHotspotChgToast.lnk
2015-10-26 14:04 - 2014-12-10 07:23 - 00000000 ____D C:\ProgramData\Office2013
2015-10-24 11:34 - 2015-10-10 18:45 - 00000000 ____D C:\Users\Willem\AppData\Roaming\Foxit Software
2015-10-14 08:14 - 2015-10-10 17:52 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-14 08:14 - 2015-10-10 17:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-14 08:14 - 2015-10-10 17:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-14 06:29 - 2013-08-22 16:36 - 00000000 ____D C:\windows\rescache
2015-10-14 06:25 - 2013-08-22 16:20 - 00000000 ____D C:\windows\CbsTemp
2015-10-14 06:21 - 2014-12-10 06:18 - 00000000 ____D C:\windows\SysWOW64\XPSViewer
2015-10-14 06:21 - 2014-03-18 10:38 - 00000000 ____D C:\Program Files\Windows Journal
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\winrm
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\WCN
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\slmgr
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\Printing_Admin_Scripts
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\winrm
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\WCN
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\slmgr
2015-10-14 06:21 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\Printing_Admin_Scripts
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ___SD C:\windows\system32\dsc
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ___RD C:\windows\ImmersiveControlPanel
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\WinStore
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\SysWOW64\MUI
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\SysWOW64\Com
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\SystemResetPlatform
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\MUI
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\migwiz
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\Com
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\PolicyDefinitions
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\IME
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\windows\Help
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Windows Defender
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Common Files\System
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2015-10-14 06:21 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2015-10-14 06:21 - 2013-08-22 14:36 - 00000000 ____D C:\windows\SysWOW64\oobe
2015-10-14 06:21 - 2013-08-22 14:36 - 00000000 ____D C:\windows\SysWOW64\Dism
2015-10-14 06:21 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\Sysprep
2015-10-14 06:21 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\oobe
2015-10-14 06:21 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\Dism
2015-10-14 06:21 - 2013-08-22 14:36 - 00000000 ____D C:\windows\servicing
2015-10-13 08:02 - 2015-10-10 17:01 - 00000000 ____D C:\Users\Willem\AppData\Local\Packages
2015-10-12 12:13 - 2015-10-10 17:18 - 00001358 _____ C:\windows\fsav_db_setup.log
2015-10-12 12:13 - 2015-10-10 17:17 - 08513058 _____ C:\windows\FSISU.log
2015-10-12 12:13 - 2015-10-10 17:17 - 01838543 _____ C:\windows\FSSFM.log
2015-10-12 12:13 - 2015-10-10 17:17 - 01685335 _____ C:\windows\FSSETUP.log
2015-10-12 12:13 - 2015-10-10 17:17 - 00281500 _____ C:\windows\FSDEPH.log
2015-10-12 12:13 - 2015-10-10 17:17 - 00271883 _____ C:\windows\FSPROD.log
2015-10-12 12:13 - 2015-10-10 17:17 - 00178477 _____ C:\windows\RunSetup.log
2015-10-12 12:13 - 2015-10-10 17:17 - 00145755 _____ C:\windows\FSAVINST.LOG
2015-10-12 12:13 - 2015-10-10 17:17 - 00012855 _____ C:\windows\FSAVCSIN.LOG
2015-10-12 12:13 - 2015-10-10 17:17 - 00008824 _____ C:\windows\FSGKIAIN.log
2015-10-12 12:13 - 2015-10-10 17:17 - 00004340 _____ C:\windows\fstnbins.LOG
2015-10-12 12:13 - 2015-10-10 17:17 - 00003760 _____ C:\windows\FSLDIN.LOG
2015-10-12 12:13 - 2015-10-10 17:17 - 00003517 _____ C:\windows\fsavunin.log
2015-10-12 12:13 - 2015-10-10 17:14 - 00000000 ____D C:\ProgramData\F-Secure
2015-10-12 12:12 - 2015-10-10 17:17 - 00038650 _____ C:\windows\fspplugin.log
2015-10-12 12:12 - 2015-10-10 17:17 - 00020508 _____ C:\windows\prodsett_copy.ini

==================== Bestanden in de root van sommige mappen =======

2015-10-10 17:00 - 2015-11-10 19:28 - 0321536 _____ () C:\Users\Willem\AppData\Local\BTServer.log
2015-10-10 21:27 - 2015-10-10 21:27 - 0000043 ___SH () C:\ProgramData\.zreglib
2014-12-10 06:15 - 2014-12-10 06:15 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Sommige bestanden in TEMP:
====================
C:\Users\Willem\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(Er is geen automatische fix voor bestanden die de verificatie niet doorkomen.)

C:\windows\system32\winlogon.exe => Bestand is getekend
C:\windows\system32\wininit.exe => Bestand is getekend
C:\windows\explorer.exe => Bestand is getekend
C:\windows\SysWOW64\explorer.exe => Bestand is getekend
C:\windows\system32\svchost.exe => Bestand is getekend
C:\windows\SysWOW64\svchost.exe => Bestand is getekend
C:\windows\system32\services.exe => Bestand is getekend
C:\windows\system32\User32.dll => Bestand is getekend
C:\windows\SysWOW64\User32.dll => Bestand is getekend
C:\windows\system32\userinit.exe => Bestand is getekend
C:\windows\SysWOW64\userinit.exe => Bestand is getekend
C:\windows\system32\rpcss.dll => Bestand is getekend
C:\windows\system32\dnsapi.dll => Bestand is getekend
C:\windows\SysWOW64\dnsapi.dll => Bestand is getekend
C:\windows\system32\Drivers\volsnap.sys => Bestand is getekend


LastRegBack: 2015-11-06 10:43

==================== Eind van FRST.txt ============================

Addition.txt and RogueKiller's report are attached to my reply.

And, once more, I will of course translate any info to English if necessary.

Addition.txt

RogueKiller.txt


Are these DNS settings known and trusted?

 

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F} | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F6751C4C-472D-439A-A46B-6016A277DF5D} | DhcpNameServer : 150.202.1.3 ([uNITED STATES (US)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F} | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F6751C4C-472D-439A-A46B-6016A277DF5D} | DhcpNameServer : 150.202.1.3 ([uNITED STATES (US)])  -> Gevonden

 

Do not see any obvious malware or infection in the posted logs.....


Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

DNSJumper instructions available here: http://www.sordum.org/7952/dns-jumper-v2-0/

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper

Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool.

From the left-hand pane select "Flush DNS"

From the main interface select the dropdown under "Choose a DNS Server"

From the list select either "Google Public DNS" or "Open DNS"

From the left-hand pane select "Apply DNS"

When done re-boot your system....

 

Re-run RogueKiller as before and post fresh log...

 

Thank you,

 

Kevin....


Hello Kevin!

I am performing the steps right as we speak. I'll post the log as soon as RogueKiller is done scanning.
In the meantime, however, I'd like to say that things seem to have gotten even worse now: RogueKiller seems to have found a virus within the F-Secure virus scanner!

I might be mistaken, but this seems rather strange to me.


Here's the RogueKiller log.
 

The virus in question seems to be the Zeus Trojan. RogueKiller directed me to a page with removal instructions, where it also stated that it could remove it automatically.

Further investigation via Google informed me that it can drain a person's bank account, and that it could have found its way to a personal computer via trusted websites such as Facebook. However, I personally think that it might also have found its way in here via an update of the F-Secure virus scanner.

 

Maybe the above information is unnecessary, but it may be helpful for other users to give them a heads-up.

RogueKiller.txt


I have indeed finished running DNS Jumper following the instructions provided to me, but it doesn't seem to have solved that problem.

 

Perhaps I should run another RK scan, and let RK remove the DNS entries instead?

 

Good to know that there is no need to do anything regarding the "Trojan", though.


Yes, the problem with many tools is that what they find and show is not always malicious or infected, hence the need to understand the codes etc.

 

Regarding DNS Jumper: did you select the option to "Apply" after selecting the setting? If yes, the possible issue is patched router settings. I'd recommend you reset the router and change the password, then rerun DNS Jumper. On completion re-run RK and post a fresh log.

 

Thank you,

 

Kevin

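Kevin's question about whether the flagged DNS servers are "known and trusted", and his later remark that what a tool shows is not always malicious, come down to one check: compare every resolver the system is configured with against a list of resolvers you actually recognise. The script below is an added example and not part of the thread or of RogueKiller; it parses the `[PUM.Dns]` lines exactly as RogueKiller printed them above, folds the duplicate `CurrentControlSet`/`ControlSet001` hits per interface, and reports any resolver that is not on an allowlist. The allowlist here is an assumption: it holds the published anycast addresses of Google Public DNS and OpenDNS (the two services the thread recommends), and a real check must add the ISP's own resolvers before the verdict means anything.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the six [PUM.Dns] lines posted in the thread, copied as
# RogueKiller printed them (Dutch "Gevonden" = "Found"). No new data is introduced.
SAMPLE_LINES = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F} | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F6751C4C-472D-439A-A46B-6016A277DF5D} | DhcpNameServer : 150.202.1.3 ([uNITED STATES (US)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F} | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F6751C4C-472D-439A-A46B-6016A277DF5D} | DhcpNameServer : 150.202.1.3 ([uNITED STATES (US)])  -> Gevonden
""".strip().splitlines()

# Assumed allowlist. These are the providers' published anycast resolvers for the
# two services the thread recommends; add your own ISP's resolvers before relying
# on the verdict, otherwise every ISP-assigned server shows up as "review".
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",               # Google Public DNS
    "208.67.222.222", "208.67.220.220", # OpenDNS
}

# One RogueKiller detection line: tag, arch, registry key, value name, servers,
# geo annotation in parentheses, arrow, status word.
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>\w+)\)\s+(?P<key>\S+)\s+\|\s+(?P<value>\w+)\s+:\s+"
    r"(?P<servers>[\d.\s]+?)\s+\((?P<geo>.*)\)\s+->\s+(?P<status>\S+)\s*$"
)
# Interface GUID inside the Tcpip\Parameters\Interfaces\{...} key, if any.
IFACE_RE = re.compile(r"Interfaces\\\{(?P<guid>[0-9A-Fa-f-]+)\}")


def parse_pum_dns(line):
    """Parse one [PUM.Dns] line into a dict; return None for any other line."""
    m = PUM_DNS_RE.match(line.strip())
    if not m:
        return None
    servers = []
    for token in m.group("servers").split():
        ip_address(token)  # raises ValueError if the log carried a malformed address
        servers.append(token)
    iface = IFACE_RE.search(m.group("key"))
    return {
        "key": m.group("key"),
        "interface": iface.group("guid") if iface else "global",
        "value_name": m.group("value"),
        "servers": servers,
        "geo": m.group("geo"),
        "status": m.group("status"),
    }


def audit_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Group resolvers per interface and list those missing from the allowlist.

    CurrentControlSet is normally a link to ControlSet001, so RogueKiller shows
    each interface twice; the set union folds the duplicates into one entry.
    """
    per_iface = {}
    for line in lines:
        rec = parse_pum_dns(line)
        if rec is None:
            continue
        per_iface.setdefault(rec["interface"], set()).update(rec["servers"])
    return {
        iface: {
            "servers": sorted(servers, key=ip_address),
            "unlisted": sorted(servers - set(trusted), key=ip_address),
        }
        for iface, servers in per_iface.items()
    }


def untrusted_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Every resolver address in the log that is not on the allowlist, in IP order."""
    found = set()
    for info in audit_resolvers(lines, trusted).values():
        found.update(info["unlisted"])
    return sorted(found, key=ip_address)


if __name__ == "__main__":
    for iface, info in audit_resolvers(SAMPLE_LINES).items():
        verdict = "review" if info["unlisted"] else "trusted"
        print(f"{iface:40} {', '.join(info['servers']):32} {verdict}")
```

Run against the thread's own lines with the allowlist as written, all three addresses come back as "review", which is the honest answer at that point in the thread: a PUM verdict says only that the value was found, not that it is hostile. Adding the ISP's two resolvers to the allowlist narrows the output to the single address on the second interface, which is the one a human would then go and account for.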

Hello Kevin,

 

I have followed all the instructions for DnsJumper to the letter. That includes indeed having chosen to "Apply" the new DNS (I chose Google's).

 

Router has been reset and the password has been changed as instructed.

Followed the instructions for DnsJumper as before after this procedure.

 

And the new RK log is attached to this reply.

RogueKiller.txt


mmm DNS settings still not correct,

 

Double-click RogueKiller.exe to run again. (Vista/7/8/10 right-click and select Run as Administrator)

When "initializing/pre-scan" completes, press the Scan button; this may take a few minutes to complete.

When the scan completes open the Registry tab and locate the following detections:


[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F} | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7FB7A29A-A17C-478D-913C-6C5DB60E950F} | DhcpNameServer : 89.101.251.228 89.101.251.229 ([iRELAND (IE)][iRELAND (IE)])  -> Gevonden

Make sure those entries are checkmarked (ticked); also ensure that all other entries are not checkmarked.

Hit the Delete button, when complete select "Report" in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference.

 

Post that log, also run RK again as normal scan, post that log also...

 

Thank you,

 

Kevin....
 


Thanks for the logs, RK2 log is now clean...

 

Continue as follows:

 

Download AdwCleaner by Xplode onto your Desktop.
 

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

 

 

Next,

 

Please download Junkware Removal Tool to your desktop.
 

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Next,

 

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)
 

  • The file will be randomly named
  • Reboot to safe mode (see http://support.eset.com/kb2268/)
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats
  • Press start scan
  • The scan will now commence
  • Once the scan has finished click open report <<<--- Do not miss this step
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop


This log will be excessive; attach it to your next reply.
 

 

Let me see those logs, also give an update on any remaining issues or concerns....

 

Thank you,

 

Kevin.


Hello Kevin,

 

The laptop currently works fine. But I'm still too uncertain whether it will continue to work like this, more so because the Chrome install on it seems bugged.

 

I theorize that "MSN Homepage & Bing Search Engine" will just re-implant itself into Chrome as soon as I start it up. Which is highly undesired.

The laptop therefore is using Mozilla Firefox as its current standard web browser, but my dad likes to use Chromecast to watch stuff from his laptop on his TV. However, Chromecast is not supported by Firefox.

 

In a nutshell, I'm afraid that there is still an "invisible" malware on the laptop that keeps buggering Chrome.


If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Remove all synced data from Chrome go here: http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/ follow those instructions...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Install Google Chrome from here: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb
 

Also install the free version of Malwarebytes anti-exploit from here: https://www.malwarebytes.org/antiexploit/

 

Let me know if that makes any difference...


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
