Possible Infection


QSY

Hi,

I was receiving frequent notifications yesterday about an outbound malicious website blocked. There were no threats detected during scan. Today, those pop ups aren't happening (yet anyway), but I don't want to assume all is ok. Attached is the protection log from yesterday. Can you advise?

 

Thanks.

MBAM 12_2.txt

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right-click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Copy to Clipboard", then right-click in your reply > select "Paste"; that will copy the log to your reply…


 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt and Shortcut.txt are checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make logs named (Addition.txt) and Shortcut.txt Please attach those logs to your reply.


 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes, select "Report"; in the next window select "Export txt". The log will open as a text file; post that log in your reply. Also save it to your Desktop for reference.
  • Close the program > Don't Fix anything!

 

Let me see those logs in your reply...

 

Thank you,

 

Kevin

Kevin,

Thank you for your quick response. Here are the logs requested.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/3/2015
Scan Time: 12:47 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.03.03
Rootkit Database: v2015.11.26.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 8.1

 

 

Farbar

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:01-12-2015
Ran by qsy (administrator) on CAMS (03-12-2015 15:35:02)
Running from C:\Users\qsy\Downloads
Loaded Profiles: qsy &  (Available Profiles: qsy)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2016\vsserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2016\updatesrv.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Bitdefender) C:\Program Files\Bitdefender Agent\ProductAgentService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hp\HP System Event\HPWMISVC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Pokki) C:\Users\qsy\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2016\bdagent.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2016\bdwtxag.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hp\HP UT LEDM\bin\hppusg.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hp\HP System Event\HPMSGSVC.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2016\odscanui.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\msdt.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Pokki) C:\Users\qsy\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\qsy\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\qsy\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\outlook.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7569624 2014-04-03] (Realtek Semiconductor)
HKLM\...\Run: [simplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2817776 2014-04-11] (Synaptics Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [bdagent] => C:\Program Files\Bitdefender\Bitdefender 2016\bdagent.exe [1688552 2015-10-20] (Bitdefender)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-02-13] (Hewlett-Packard Company)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [HPUsageTrackingLEDM] => C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe [30264 2009-08-04] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [653576 2015-06-29] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-04] (Fitbit, Inc.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\...\Run: [skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31282816 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\...\Run: [Google Update] => C:\Users\qsy\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-10] (Google Inc.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-04] (Fitbit, Inc.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\...\Run: [bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender 2016\bdwtxag.exe [1416096 2015-10-13] (Bitdefender)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\...\RunOnce: [Application Restart #7] => C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-clien (the data entry has 567 more characters).
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31282816 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Google Update] => C:\Users\qsy\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-10] (Google Inc.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-04] (Fitbit, Inc.)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender 2016\bdwtxag.exe [1416096 2015-10-13] (Bitdefender)
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\RunOnce: [Application Restart #7] => C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-clien (the data entry has 567 more characters).
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ISCTSystray.lnk [2015-02-11]
ShortcutTarget: ISCTSystray.lnk -> C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe (Intel Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{81E0A278-6865-4257-A2E0-11CFA1E3A5F8}: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{F6E0BFB0-F9EF-42C6-8169-D95F3AF6E7C5}: [DhcpNameServer] 20.0.1.2 20.0.1.7

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://js.redirect.hp.com/jumpstation?bd=all&c=143&locale=ww_ww&pf=cnnb&s=ieHPtab&tp=iehome
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://js.redirect.hp.com/jumpstation?bd=all&c=143&locale=ww_ww&pf=cnnb&s=ieHPtab&tp=iehome
SearchScopes: HKLM -> {532CEFE6-867E-44D4-AD9B-597DD1EC2955} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {532CEFE6-867E-44D4-AD9B-597DD1EC2955} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001 -> {532CEFE6-867E-44D4-AD9B-597DD1EC2955} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {532CEFE6-867E-44D4-AD9B-597DD1EC2955} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: Bitdefender Wallet  -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender 2016\pmbxie.dll [2015-09-21] (Bitdefender)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-10-13] (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-10-13] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender 2016\Antispam32\pmbxie.dll [2015-09-21] (Bitdefender)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-03-04] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Toolbar: HKLM - Bitdefender Wallet  - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2016\pmbxie.dll [2015-09-21] (Bitdefender)
Toolbar: HKLM-x32 - Bitdefender Wallet - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2016\Antispam32\pmbxie.dll [2015-09-21] (Bitdefender)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-05-19] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\qsy\AppData\Roaming\Mozilla\Firefox\Profiles\7uhg70ns.default
FF DefaultSearchEngine: Web Search
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: Web Search
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-11] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-11] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-05-19] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001: @citrixonline.com/appdetectorplugin -> C:\Users\qsy\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-10-22] (Citrix Online)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\qsy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001: @talk.google.com/O1DPlugin -> C:\Users\qsy\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001: @tools.google.com/Google Update;version=3 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001: @tools.google.com/Google Update;version=9 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @citrixonline.com/appdetectorplugin -> C:\Users\qsy\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-10-22] (Citrix Online)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @talk.google.com/GoogleTalkPlugin -> C:\Users\qsy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @talk.google.com/O1DPlugin -> C:\Users\qsy\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @tools.google.com/Google Update;version=3 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @tools.google.com/Google Update;version=9 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\qsy\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\qsy\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-10-08]
FF HKLM\...\Firefox\Extensions: [bdwteff@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2016\bdwteff
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender 2016\bdwteff [2015-11-18] [not signed]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2016\bdtbext
FF Extension: Bitdefender Antispam Toolbar - C:\Program Files\Bitdefender\Bitdefender 2016\bdtbext [2015-11-18] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [bdwteff@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2016\antispam32\bdwteff
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender 2016\antispam32\bdwteff [2015-11-18] [not signed]
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2016\bdtbext

Chrome:
=======
CHR Profile: C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-23]
CHR Extension: (Google Docs) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-23]
CHR Extension: (Google Drive) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-23]
CHR Extension: (YouTube) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-23]
CHR Extension: (Google Search) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-23]
CHR Extension: (Bitdefender Wallet) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhhejlifdlcgcmogbggeomfodgklfaem [2015-11-23]
CHR Extension: (Google Sheets) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-23]
CHR Extension: (Google Docs Offline) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-04]
CHR Extension: (Gmail) - C:\Users\qsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-23]
CHR HKLM-x32\...\Chrome\Extension: [dhhejlifdlcgcmogbggeomfodgklfaem] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [318592 2013-12-24] (Windows ® Win 7 DDK provider) [File not signed]
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2015-10-12] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2015-10-12] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2797752 2015-10-13] (Microsoft Corporation)
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [5750440 2015-09-04] (Fitbit, Inc.)
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [136704 2009-06-24] (HP) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89840 2015-03-28] (Hewlett-Packard Company)
R2 HPWMISVC; c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [602888 2015-06-29] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-11-08] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-22] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-12-10] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [200168 2013-12-04] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-28] (Softex Inc.) [File not signed]
R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [834664 2015-10-13] (Bitdefender)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [191728 2014-04-11] (Synaptics Incorporated)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2016\updatesrv.exe [124488 2015-09-29] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2016\vsserv.exe [1572168 2015-10-14] (Bitdefender)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1600512 2015-11-20] (BitDefender)
R3 avchv; C:\Windows\system32\DRIVERS\avchv.sys [282000 2015-11-20] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [775424 2015-11-20] (BitDefender)
S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [8536752 2013-07-01] (Broadcom Corporation)
S0 bdelam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107008 2013-07-29] (BitDefender LLC)
S4 BDVEDISK; C:\Windows\system32\DRIVERS\bdvedisk.sys [87920 2015-11-26] (BitDefender)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [160032 2015-04-29] (BitDefender LLC)
R0 ignis; C:\Windows\system32\DRIVERS\ignis.sys [271808 2015-11-28] (Bitdefender)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21408 2013-08-13] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21920 2013-08-13] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-13] ()
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-08-13] ()
R2 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-03] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [19968 2012-11-07] (Marvell Semiconductor, Inc.)
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [466136 2014-01-14] (Realsil Semiconductor Corporation)
R3 SensorsServiceDriver; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-28] (Microsoft Corporation)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2014-04-11] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-04-11] (Synaptics Incorporated)
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [477272 2015-06-02] (BitDefender S.R.L.)
R3 VirtualButtons; C:\Windows\System32\drivers\VirtualButtons.sys [32024 2013-10-04] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
U3 McAPExe; no ImagePath
U3 McMPFSvc; no ImagePath
U3 McNaiAnn; no ImagePath
U3 mcpltsvc; no ImagePath
U3 mfecore; no ImagePath
U3 MSK80Service; no ImagePath
S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-03 15:35 - 2015-12-03 15:35 - 00029272 _____ C:\Users\qsy\Downloads\FRST.txt
2015-12-03 15:33 - 2015-12-03 15:35 - 00000000 ____D C:\FRST
2015-12-03 15:33 - 2015-12-03 15:33 - 02350080 _____ (Farbar) C:\Users\qsy\Downloads\FRST64.exe
2015-12-03 13:35 - 2015-12-03 13:35 - 00001043 _____ C:\Users\qsy\Desktop\MBAM 12_3.txt
2015-12-03 11:24 - 2015-12-03 11:24 - 00007505 _____ C:\Users\qsy\Desktop\MBAM 12_2.txt
2015-12-02 14:03 - 2015-12-02 14:03 - 05686125 _____ C:\Users\qsy\Desktop\Look.pdf
2015-11-28 16:36 - 2015-11-28 16:36 - 00026315 _____ C:\ProgramData\1448746554.bdinstall.bin
2015-11-28 12:05 - 2015-11-28 12:05 - 00442246 _____ C:\ProgramData\1448729688.bdinstall.bin
2015-11-28 11:59 - 2015-11-28 12:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender 2016
2015-11-28 11:58 - 2015-11-28 16:58 - 00271808 _____ (Bitdefender) C:\Windows\system32\Drivers\ignis.sys
2015-11-28 11:56 - 2015-06-02 14:21 - 00477272 _____ (BitDefender S.R.L.) C:\Windows\system32\Drivers\trufos.sys
2015-11-28 11:56 - 2015-04-29 13:32 - 00160032 _____ (BitDefender LLC) C:\Windows\system32\Drivers\gzflt.sys
2015-11-28 11:50 - 2015-11-28 11:51 - 00285632 _____ C:\Windows\Minidump\112815-24125-01.dmp
2015-11-28 09:11 - 2015-11-28 09:11 - 00285576 _____ C:\Windows\Minidump\112815-24312-01.dmp
2015-11-28 08:54 - 2015-11-28 08:54 - 00285632 _____ C:\Windows\Minidump\112815-28796-01.dmp
2015-11-25 13:36 - 2015-11-25 13:36 - 00285632 _____ C:\Windows\Minidump\112515-35421-01.dmp
2015-11-25 13:35 - 2015-11-28 11:50 - 671470331 _____ C:\Windows\MEMORY.DMP
2015-11-20 12:24 - 2015-11-20 12:24 - 00026313 _____ C:\ProgramData\1448040277.bdinstall.bin
2015-11-20 12:16 - 2015-11-20 12:16 - 00282000 _____ (BitDefender) C:\Windows\system32\Drivers\avchv.sys
2015-11-20 12:09 - 2015-11-20 12:09 - 00409263 _____ C:\ProgramData\1448038838.bdinstall.bin
2015-11-20 12:07 - 2015-11-28 11:59 - 00002224 _____ C:\Users\Public\Desktop\Bitdefender 2016.lnk
2015-11-20 12:07 - 2013-09-08 19:04 - 00023568 _____ (Bitdefender) C:\Windows\system32\Drivers\bdelam.sys
2015-11-20 12:06 - 2015-11-28 11:59 - 00000000 ____D C:\Users\qsy\AppData\Roaming\Bitdefender
2015-11-20 12:06 - 2015-11-26 08:47 - 00087920 _____ (BitDefender) C:\Windows\system32\Drivers\bdvedisk.sys
2015-11-20 12:06 - 2015-11-20 12:15 - 01600512 _____ (BitDefender) C:\Windows\system32\Drivers\avc3.sys
2015-11-20 12:06 - 2015-11-20 12:15 - 00775424 _____ (BitDefender) C:\Windows\system32\Drivers\avckf.sys
2015-11-20 12:00 - 2015-11-28 22:41 - 00000000 ____D C:\ProgramData\Bitdefender
2015-11-20 12:00 - 2015-11-20 12:00 - 00000000 ____D C:\Program Files\Bitdefender
2015-11-20 11:58 - 2015-11-20 11:58 - 07236184 _____ C:\Users\qsy\Downloads\bitdefender_windows_15655458-83e7-45e3-9ac1-fa1203a5c77e.exe
2015-11-20 11:46 - 2015-11-20 11:46 - 07236184 _____ C:\Users\qsy\Downloads\bitdefender_windows_6cb4b226-694b-4eb4-b207-cf37e6b0ae67.exe
2015-11-20 11:45 - 2015-11-20 11:45 - 07236184 _____ C:\Users\qsy\Downloads\bitdefender_windows_50ac5c8f-3b8c-4384-a795-bd1e253e2983.exe
2015-11-20 11:27 - 2015-11-20 11:27 - 00000034 _____ C:\Windows\system32\STOOLSubmit.ret
2015-11-20 10:56 - 2015-11-20 10:57 - 07236184 _____ C:\Users\qsy\Downloads\bitdefender_windows_a2145436-b708-4a8b-8d32-16ec190f199c.exe
2015-11-20 09:31 - 2015-12-03 15:31 - 00000000 ____D C:\Program Files\Bitdefender Agent
2015-11-20 09:31 - 2015-11-20 09:31 - 00000000 ____D C:\ProgramData\Bitdefender Agent
2015-11-20 09:30 - 2015-11-20 11:35 - 07207048 _____ C:\Users\qsy\Downloads\bitdefender_isecurity.exe
2015-11-18 07:50 - 2015-11-18 07:52 - 118207310 _____ C:\Users\qsy\Desktop\HubSpot_Content_Creation_Templates-final.zip
2015-11-17 12:30 - 2015-11-17 12:31 - 00002256 _____ C:\Windows\system32\bdsandbox.txt
2015-11-15 23:16 - 2015-11-15 23:16 - 00000000 ____D C:\Users\qsy\Documents\Avatar
2015-11-13 09:09 - 2015-11-13 09:09 - 00000000 ____D C:\ProgramData\Dumps
2015-11-11 08:36 - 2015-11-12 21:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-11-11 06:41 - 2015-11-11 06:41 - 00367273 _____ C:\Users\qsy\Desktop\ZenContent-BuyingGuideInstructionsTX.pdf
2015-11-10 16:53 - 2015-11-10 16:54 - 00009952 _____ C:\Users\qsy\Desktop\sample maptive.xlsx
2015-11-10 16:05 - 2015-10-15 11:08 - 00990208 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-11-10 16:05 - 2015-10-15 10:46 - 00803328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-11-10 16:05 - 2015-10-13 12:10 - 00559616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2015-11-10 16:05 - 2015-10-13 12:10 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2015-11-10 16:05 - 2015-10-13 10:59 - 00397224 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll
2015-11-10 16:05 - 2015-10-13 10:59 - 00340872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll
2015-11-10 16:05 - 2015-10-13 10:59 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-11-10 16:05 - 2015-10-13 10:59 - 00120376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-11-10 16:05 - 2015-10-13 10:59 - 00106952 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2015-11-10 16:05 - 2015-10-13 10:59 - 00091416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2015-11-10 16:05 - 2015-10-11 01:36 - 00561952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-11-10 16:05 - 2015-10-11 01:36 - 00177496 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-11-10 16:05 - 2015-10-10 13:40 - 00202240 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-11-10 16:05 - 2015-10-10 13:39 - 00401408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-11-10 16:05 - 2015-10-10 13:07 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-11-10 16:05 - 2015-10-10 12:33 - 01441280 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-11-10 16:05 - 2015-10-10 12:27 - 00432640 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-11-10 16:05 - 2015-10-10 12:11 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2015-11-10 16:05 - 2015-10-10 11:45 - 00359424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-11-10 16:05 - 2015-09-12 08:47 - 00414559 _____ C:\Windows\system32\ApnDatabase.xml
2015-11-10 16:04 - 2015-10-20 16:54 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-11-10 16:04 - 2015-10-20 09:53 - 03705856 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-11-10 16:04 - 2015-10-20 09:36 - 02243072 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-11-10 16:04 - 2015-10-20 09:35 - 00891904 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-11-10 16:04 - 2015-10-20 09:34 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-11-10 16:04 - 2015-10-20 09:34 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-11-10 16:04 - 2015-10-20 09:34 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-11-10 16:04 - 2015-10-20 09:33 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-11-10 16:04 - 2015-10-20 09:14 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-11-10 16:04 - 2015-10-20 09:13 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-11-10 16:04 - 2015-10-20 09:13 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-11-10 16:04 - 2015-10-20 09:13 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-11-10 16:04 - 2015-10-14 18:02 - 07455064 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-11-10 16:04 - 2015-10-14 18:02 - 01659560 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-11-10 16:04 - 2015-10-14 18:02 - 01519592 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-11-10 16:04 - 2015-10-14 18:02 - 01487008 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-11-10 16:04 - 2015-10-14 18:02 - 01355848 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-11-10 16:03 - 2015-10-30 18:46 - 25818624 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-11-10 16:03 - 2015-10-30 18:25 - 02886656 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-11-10 16:03 - 2015-10-30 18:24 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-11-10 16:03 - 2015-10-30 18:11 - 05990912 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-11-10 16:03 - 2015-10-30 18:11 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-11-10 16:03 - 2015-10-30 17:52 - 20331520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-11-10 16:03 - 2015-10-30 17:47 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-11-10 16:03 - 2015-10-30 17:42 - 02279936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-11-10 16:03 - 2015-10-30 17:39 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-11-10 16:03 - 2015-10-30 17:36 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-11-10 16:03 - 2015-10-30 17:32 - 00720896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-11-10 16:03 - 2015-10-30 17:31 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-11-10 16:03 - 2015-10-30 17:22 - 14457856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-11-10 16:03 - 2015-10-30 17:17 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-11-10 16:03 - 2015-10-30 17:16 - 04527616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-11-10 16:03 - 2015-10-30 17:14 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-11-10 16:03 - 2015-10-30 17:10 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-11-10 16:03 - 2015-10-30 17:09 - 12854272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-11-10 16:03 - 2015-10-30 17:04 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-11-10 16:03 - 2015-10-30 16:53 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-11-10 16:03 - 2015-10-30 16:51 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-11-10 16:03 - 2015-10-30 16:48 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-11-10 16:03 - 2015-10-30 16:46 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-11-10 16:03 - 2015-10-17 09:19 - 04176384 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-11-10 16:03 - 2015-10-08 11:08 - 01083904 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2015-11-10 16:03 - 2015-09-07 11:22 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\puiobj.dll
2015-11-10 16:03 - 2015-09-07 10:54 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\puiobj.dll
2015-11-10 16:03 - 2015-09-07 10:30 - 01091584 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2015-11-10 16:03 - 2015-08-10 13:15 - 00845312 _____ (Microsoft Corporation) C:\Windows\system32\BFE.DLL
2015-11-10 16:03 - 2015-08-10 13:06 - 00422400 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2015-11-10 16:03 - 2015-08-10 12:49 - 00713216 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2015-11-10 16:03 - 2015-08-10 11:56 - 00272384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2015-11-10 16:03 - 2015-08-10 11:46 - 00561664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2015-11-10 16:03 - 2014-11-10 13:06 - 00136512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wfplwfs.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-03 15:34 - 2013-08-22 08:36 - 00000000 ____D C:\Windows
2015-12-03 15:29 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\NDF
2015-12-03 15:26 - 2015-10-22 12:57 - 00000560 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3414068117-3589510931-1149334826-1001.job
2015-12-03 15:26 - 2015-05-13 16:44 - 00003902 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{7B92343E-21EB-40D4-809F-E63A1D5E62A7}
2015-12-03 15:26 - 2015-02-11 20:27 - 00000000 ____D C:\Users\qsy\Documents\Youcam
2015-12-03 15:25 - 2015-07-23 16:10 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-03 15:25 - 2015-06-04 15:40 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-03 13:58 - 2015-05-25 08:28 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-03 13:55 - 2015-10-20 10:52 - 00000000 ____D C:\Users\qsy\Documents\CSBA
2015-12-03 13:54 - 2015-08-24 12:20 - 00000000 ____D C:\Users\qsy\Documents\job search
2015-12-03 13:54 - 2015-06-29 11:22 - 00042219 _____ C:\Users\qsy\Desktop\FitforFree Calendar.xlsx
2015-12-03 13:49 - 2015-07-23 16:10 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-03 13:48 - 2015-02-11 20:24 - 00000000 ____D C:\Users\qsy\AppData\Local\Packages
2015-12-03 13:46 - 2014-03-18 04:53 - 00958356 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-03 13:46 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Inf
2015-12-03 13:23 - 2015-08-10 13:32 - 00000910 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3414068117-3589510931-1149334826-1001UA.job
2015-12-03 12:13 - 2015-10-22 12:57 - 00000656 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3414068117-3589510931-1149334826-1001.job
2015-12-03 08:20 - 2015-02-11 20:30 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3414068117-3589510931-1149334826-1001
2015-12-02 20:51 - 2015-05-14 08:44 - 00000000 ____D C:\Users\qsy\AppData\Local\CrashDumps
2015-12-02 20:44 - 2015-02-11 20:24 - 00000000 ____D C:\Users\qsy\AppData\Local\SweetLabs App Platform
2015-12-02 08:34 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\AppReadiness
2015-12-02 07:23 - 2015-05-13 17:00 - 00002405 _____ C:\Users\qsy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
2015-12-02 07:21 - 2015-10-31 14:30 - 00003280 _____ C:\Windows\System32\Tasks\SweetLabs App Platform
2015-12-02 06:47 - 2015-06-11 20:09 - 00024420 _____ C:\Users\qsy\Desktop\JOB APPLICATION TRACKING.docx.xlsx
2015-12-02 06:23 - 2015-08-10 13:32 - 00000858 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3414068117-3589510931-1149334826-1001Core.job
2015-12-02 06:18 - 2015-08-10 13:32 - 00003852 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3414068117-3589510931-1149334826-1001UA
2015-12-02 06:18 - 2015-08-10 13:32 - 00003472 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3414068117-3589510931-1149334826-1001Core
2015-12-01 18:22 - 2015-08-01 06:57 - 00000000 ____D C:\Users\qsy\Downloads\Bitdefender Safepay
2015-11-28 12:41 - 2015-07-08 13:38 - 00020102 _____ C:\bdlog.txt
2015-11-28 12:07 - 2013-08-22 09:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-28 12:06 - 2015-02-11 20:24 - 00000000 ____D C:\Users\qsy
2015-11-28 12:01 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-11-28 11:56 - 2015-06-17 19:52 - 00000000 ____D C:\Program Files\Common Files\Bitdefender
2015-11-28 11:50 - 2015-07-20 13:15 - 00000000 ____D C:\Windows\Minidump
2015-11-25 09:24 - 2013-08-22 10:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2015-11-25 09:23 - 2015-05-19 09:04 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-11-23 10:52 - 2015-10-22 12:57 - 00003644 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3414068117-3589510931-1149334826-1001
2015-11-23 10:52 - 2015-10-22 12:57 - 00003548 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3414068117-3589510931-1149334826-1001
2015-11-20 18:54 - 2015-06-05 19:10 - 00001995 _____ C:\Users\Public\Desktop\HP Print and Scan Doctor.lnk
2015-11-20 11:23 - 2015-06-17 20:22 - 00000000 ____D C:\ProgramData\BDLogging
2015-11-20 09:58 - 2015-09-11 07:03 - 00000334 _____ C:\Windows\Tasks\HPCeeScheduleForqsy.job
2015-11-20 07:20 - 2015-05-13 16:44 - 00000000 __SHD C:\Users\qsy\AppData\LocalLow\EmieUserList
2015-11-20 07:20 - 2015-05-13 16:44 - 00000000 __SHD C:\Users\qsy\AppData\Local\EmieUserList
2015-11-20 07:20 - 2015-05-13 16:44 - 00000000 __SHD C:\Users\qsy\AppData\Local\EmieSiteList
2015-11-20 07:20 - 2015-05-13 16:43 - 00000000 __SHD C:\Users\qsy\AppData\LocalLow\EmieSiteList
2015-11-20 06:51 - 2015-09-11 07:03 - 00003144 _____ C:\Windows\System32\Tasks\HPCeeScheduleForqsy
2015-11-18 16:15 - 2015-08-24 12:25 - 00000000 ____D C:\Users\qsy\Documents\FitForFree
2015-11-18 11:42 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\ELAMBKUP
2015-11-16 12:02 - 2015-05-17 12:15 - 00000000 ____D C:\Windows\system32\MRT
2015-11-16 11:58 - 2015-05-17 12:15 - 145617392 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-11-15 13:40 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\rescache
2015-11-12 21:16 - 2015-05-13 16:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-11-12 08:08 - 2013-08-22 09:44 - 00491624 _____ C:\Windows\system32\FNTCACHE.DAT
2015-11-11 18:44 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-11-11 18:43 - 2013-08-22 10:36 - 00000000 ___RD C:\Windows\ToastData
2015-11-11 18:36 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2015-11-11 18:36 - 2013-08-22 10:20 - 00000000 ____D C:\Windows\CbsTemp
2015-11-11 14:58 - 2015-05-25 08:28 - 00003718 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

==================== Files in the root of some directories =======

2015-06-03 06:32 - 2015-06-03 06:32 - 0007605 _____ () C:\Users\qsy\AppData\Local\Resmon.ResmonCfg
2015-11-20 12:09 - 2015-11-20 12:09 - 0409263 _____ () C:\ProgramData\1448038838.bdinstall.bin
2015-11-20 12:24 - 2015-11-20 12:24 - 0026313 _____ () C:\ProgramData\1448040277.bdinstall.bin
2015-11-28 12:05 - 2015-11-28 12:05 - 0442246 _____ () C:\ProgramData\1448729688.bdinstall.bin
2015-11-28 16:36 - 2015-11-28 16:36 - 0026315 _____ () C:\ProgramData\1448746554.bdinstall.bin

Some files in TEMP:
====================
C:\Users\qsy\AppData\Local\Temp\HPPSdr.exe
C:\Users\qsy\AppData\Local\Temp\octC554.tmp.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD.


LastRegBack: 2015-11-25 10:00

==================== End of FRST.txt ============================
CPU: x64
File System: NTFS
User: qsy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333388
Time Elapsed: 40 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

ROGUE KILLER

RogueKiller V11.0.0.0 [Nov 27 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : qsy [Administrator]
Started from : C:\Users\qsy\Desktop\RogueKiller.exe
Mode : Scan -- Date : 12/03/2015 16:08:24

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-3414068117-3589510931-1149334826-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #7 : C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-phishing-detection --enable-file-cookies --disable-sync --disable-breakpad --disable-bundled-ppapi-flash --disable-sync-tabs --disable-speech-input --disable-custom-jumplist --process-per-tab --debug-devtools-frontend="C:\Users\qsy\AppData\Local\Pokki\Engine\inspector" --no-first-run --lang=en-US --disable-component-update --disable-prompt-on-repost --no-startup-window --disable-translate --disable-logging --disable-desktop-notifications --disable-gpu-process-prelaunch --enable-touch-events --flag-switches-begin --flag-switches-end --restore-last-session [x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3414068117-3589510931-1149334826-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #7 : C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-phishing-detection --enable-file-cookies --disable-sync --disable-breakpad --disable-bundled-ppapi-flash --disable-sync-tabs --disable-speech-input --disable-custom-jumplist --process-per-tab --debug-devtools-frontend="C:\Users\qsy\AppData\Local\Pokki\Engine\inspector" --no-first-run --lang=en-US --disable-component-update --disable-prompt-on-repost --no-startup-window --disable-translate --disable-logging --disable-desktop-notifications --disable-gpu-process-prelaunch --enable-touch-events --flag-switches-begin --flag-switches-end --restore-last-session [x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #7 : C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-phishing-detection --enable-file-cookies --disable-sync --disable-breakpad --disable-bundled-ppapi-flash --disable-sync-tabs --disable-speech-input --disable-custom-jumplist --process-per-tab --debug-devtools-frontend="C:\Users\qsy\AppData\Local\Pokki\Engine\inspector" --no-first-run --lang=en-US --disable-component-update --disable-prompt-on-repost --no-startup-window --disable-translate --disable-logging --disable-desktop-notifications --disable-gpu-process-prelaunch --enable-touch-events --flag-switches-begin --flag-switches-end --restore-last-session [x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #7 : C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable-client-side-phishing-detection --enable-file-cookies --disable-sync --disable-breakpad --disable-bundled-ppapi-flash --disable-sync-tabs --disable-speech-input --disable-custom-jumplist --process-per-tab --debug-devtools-frontend="C:\Users\qsy\AppData\Local\Pokki\Engine\inspector" --no-first-run --lang=en-US --disable-component-update --disable-prompt-on-repost --no-startup-window --disable-translate --disable-logging --disable-desktop-notifications --disable-gpu-process-prelaunch --enable-touch-events --flag-switches-begin --flag-switches-end --restore-last-session [x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OATool (\??\C:\Windows\TEMP\OAToolx64.sys) -> Found
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OATool (\??\C:\Windows\TEMP\OAToolx64.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[PUP][File] C:\ProgramData\Pokki\PC App Store.lnk [LNK@] C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"f22abfeae27a67446927d078890381efc546d3e1" -> Found
[PUP][File] C:\ProgramData\Pokki\Start Menu.lnk [LNK@] C:\Users\qsy\AppData\Local\Pokki\Engine\HostAppService.exe /OPEN"menu" -> Found
[PUP][Folder] C:\ProgramData\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE} -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS545050A7E680 +++++
--- User ---
[MBR] b8dc235ccb2bd8ee78b82847eed4fd15
[bSP] 6be009fc56306f61fb1c2b2683a99641 : Empty|VT.Unknown MBR Code
Partition table:
0 - [sYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 650 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1333248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1865728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2127872 | Size: 454428 MB
4 - [sYSTEM] Basic data partition | Offset (sectors): 932796416 | Size: 21468 MB
User = LL1 ... OK
User = LL2 ... OK
 

Addition.txt

Shortcut.txt

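As an added example (not part of this thread, of FRST, or of RogueKiller), the following Python parses the FRST "Drivers (Whitelisted)" line format shown above and flags the kinds of entries a helper looks at first: a registration with no ImagePath, a driver registered from a temp directory, and an image FRST marks [X] because it is not on disk. The sample lines are copied from the log above; the flag wording and the temp-directory heuristic are my own assumptions, not FRST's classification.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One entry in the FRST "Drivers (Whitelisted)" section takes one of these shapes
# (all three appear in the log pasted above):
#   R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
#   U3 McAPExe; no ImagePath
#   S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]
ENTRY_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
IMAGE_RE = re.compile(r"^(?P<path>.+?) \[(?P<meta>[^\]]*)\](?: \((?P<publisher>[^)]*)\))?$")

# Assumption: a vendor-installed kernel driver is not expected to load from a temp directory.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class DriverEntry:
    state: str                  # FRST state/start-type column as printed, e.g. R3, S0, U3
    name: str                   # service/driver registry name
    path: Optional[str]         # None when the registry entry has no ImagePath
    publisher: Optional[str]    # "" when FRST printed an empty "()" block, None when it printed none
    file_missing: bool          # FRST prints [X] instead of "[size date]" when the file is not on disk
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[DriverEntry]:
    """Parse one FRST driver/service line; return None for headers, blanks and notes."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    state, name, rest = m.group("state"), m.group("name"), m.group("rest")
    if rest == "no ImagePath":
        return DriverEntry(state, name, None, None, False)
    im = IMAGE_RE.match(rest)
    if not im:
        # Unrecognised tail: keep the raw text as the path so nothing is silently dropped.
        return DriverEntry(state, name, rest, None, False)
    return DriverEntry(state, name, im.group("path"), im.group("publisher"), im.group("meta") == "X")


def triage(entry: DriverEntry) -> DriverEntry:
    """Attach review flags. None of them proves malice; each marks an entry worth a closer look."""
    if entry.path is None:
        entry.flags.append("orphaned service registration (no ImagePath)")
        return entry
    lowered = entry.path.lower()
    if lowered.startswith("\\??\\"):
        # NT object-manager prefix: unusual for a setup-installed driver, common for
        # drivers that a tool registers at run time.
        entry.flags.append("NT object path prefix (\\??\\)")
    if any(marker in lowered for marker in TEMP_DIR_MARKERS):
        entry.flags.append("kernel driver registered from a temporary directory")
    if entry.file_missing:
        entry.flags.append("image file not present on disk ([X])")
    if entry.publisher == "":
        entry.flags.append("no company name in the file's version info")
    return entry


def triage_section(text: str) -> List[DriverEntry]:
    """Parse and triage a pasted FRST section; return only the entries that got a flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Sample input: lines copied from the FRST log in this thread (header and note lines
# included to show that they are skipped).
SAMPLE_SECTION = r"""
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
R2 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21408 2013-08-13] ()
U3 McAPExe; no ImagePath
S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]
"""

if __name__ == "__main__":
    for e in triage_section(SAMPLE_SECTION):
        print(f"{e.state} {e.name}: {e.path or '<no ImagePath>'}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against the full log, the same three kinds of entries surface that RogueKiller later reports as [suspicious.Path] and that the McAfee leftovers represent; everything else in the section passes without a flag.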

The IP address being blocked in the initial log you posted was suspicious to say the least (123.123.123.124), have a look at the following:

 

IP Location: China, Beijing, China Unicom Beijing Province Network ASN

AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network (registered Jan 09, 1996)

 

Is that address known to you and trusted?

 

I see no indication regarding that IP in the logs from FRST or RogueKiller. I do see that you are using Google Public DNS settings, were those set up after the block to IP locating to China?

 

Continue please:

 

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan in the Actions box.
  • Please wait for the scan to finish.
  • When "Waiting for action.Please uncheck elements you want to keep" shows in the top line...
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot.
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to the list of scans completed...

 
Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Next,

 

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection is found, select the "Cleanup" button to remove threats, and reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, click the "Cleanup" button once more and repeat the process.
12. If no threats were found, select Exit.

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall


14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Press "Y" on your keyboard, then tap Enter.

16. The fix will be applied; press any key to exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

  • System log
  • Mbar log (the date and time of the scan will also be shown)

 

Let me see those logs, and also give an update on any remaining issues or concerns.

Thanks,

Kevin...


 

Fixlist.txt


Hi Kevin,

 

Regarding your questions:

 

IP Location: China, Beijing, China Unicom Beijing Province Network ASN

AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network (registered Jan 09, 1996)

 

Is that address known to you and trusted? NO. I DON'T KNOW IT AND DON'T TRUST IT.

 

I see no indication regarding that IP in the logs from FRST or RogueKiller. I do see that you are using Google Public DNS settings, were those set up after the block to IP locating to China? I NEVER CHANGED ANY SETTINGS, SO THIS IS CONCERNING. COULD MALWARE HAVE MADE THE CHANGES? WHAT DO I DO TO CHANGE IT BACK (if that is recommended)?

 

Here are the logs requested:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:01-12-2015
Ran by qsy (2015-12-04 14:18:19) Run:1
Running from C:\Users\qsy\Desktop
Loaded Profiles: qsy &  (Available Profiles: qsy)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
U3 McAPExe; no ImagePath
U3 McMPFSvc; no ImagePath
U3 McNaiAnn; no ImagePath
U3 mcpltsvc; no ImagePath
U3 mfecore; no ImagePath
U3 MSK80Service; no ImagePath
S3 OATool; \??\C:\Windows\TEMP\OAToolx64.sys [X]
C:\Users\qsy\AppData\Local\Temp\HPPSdr.exe
C:\Users\qsy\AppData\Local\Temp\octC554.tmp.exe
CustomCLSID: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3414068117-3589510931-1149334826-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\qsy\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
ShortcutWithArgument: C:\Users\Public\Desktop\Snapfish.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://www.snapfish.com/hp_notebook_desktopicon_2014_us <==== ATTENTION
AlternateDataStreams: C:\Users\qsy\Desktop\FitbitConnect_Win_20150908_2.0.0.6630.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\bitdefender_isecurity.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\bitdefender_windows_50ac5c8f-3b8c-4384-a795-bd1e253e2983.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\bitdefender_windows_6cb4b226-694b-4eb4-b207-cf37e6b0ae67.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\bitdefender_windows_a2145436-b708-4a8b-8d32-16ec190f199c.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\ChromeSetup.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\FRST64.exe:BDU
AlternateDataStreams: C:\Users\qsy\Downloads\GoogleVoiceAndVideoSetup.exe:BDU
Emptytemp:
end
*****************

Processes closed successfully.
McAPExe => service removed successfully
McMPFSvc => service removed successfully
McNaiAnn => service removed successfully
mcpltsvc => service removed successfully
mfecore => service removed successfully
MSK80Service => service removed successfully
OATool => service removed successfully
C:\Users\qsy\AppData\Local\Temp\HPPSdr.exe => moved successfully
C:\Users\qsy\AppData\Local\Temp\octC554.tmp.exe => moved successfully
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E} => key not found.
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key not found.
HKU\S-1-5-21-3414068117-3589510931-1149334826-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key not found.
"HKU\S-1-5-21-3414068117-3589510931-1149334826-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-3414068117-3589510931-1149334826-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-3414068117-3589510931-1149334826-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
C:\Users\Public\Desktop\Snapfish.lnk => Shortcut argument removed successfully.
C:\Users\qsy\Desktop\FitbitConnect_Win_20150908_2.0.0.6630.exe => ":BDU" ADS removed successfully.
C:\Users\qsy\Downloads\bitdefender_isecurity.exe => ":BDU" ADS removed successfully.
C:\Users\qsy\Downloads\bitdefender_windows_50ac5c8f-3b8c-4384-a795-bd1e253e2983.exe => ":BDU" ADS removed successfully.
C:\Users\qsy\Downloads\bitdefender_windows_6cb4b226-694b-4eb4-b207-cf37e6b0ae67.exe => ":BDU" ADS removed successfully.
C:\Users\qsy\Downloads\bitdefender_windows_a2145436-b708-4a8b-8d32-16ec190f199c.exe => ":BDU" ADS removed successfully.
C:\Users\qsy\Downloads\ChromeSetup.exe => ":BDU" ADS removed successfully.
"C:\Users\qsy\Downloads\FRST64.exe" => ":BDU" ADS not found.
C:\Users\qsy\Downloads\GoogleVoiceAndVideoSetup.exe => ":BDU" ADS removed successfully.
EmptyTemp: => 506.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 14:18:51 ====

 

JUNKWARE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 8.1 x64
Ran by qsy (Administrator) on Fri 12/04/2015 at 15:32:39.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\Users\qsy\Start Menu\Programs\pc app store.lnk (Shortcut)
Successfully deleted: C:\Users\qsy\Start Menu\Programs\pokki menu.lnk (Shortcut)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/04/2015 at 15:42:52.22
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

SYSTEM LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 8.1 x64
Ran by qsy (Administrator) on Fri 12/04/2015 at 15:32:39.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\Users\qsy\Start Menu\Programs\pc app store.lnk (Shortcut)
Successfully deleted: C:\Users\qsy\Start Menu\Programs\pokki menu.lnk (Shortcut)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/04/2015 at 15:42:52.22
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

MBAR LOG

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2015.12.04.05
  rootkit: v2015.11.26.01

Windows 8.1 x64 NTFS
Internet Explorer 11.0.9600.18098
qsy :: CAMS [administrator]

12/4/2015 4:03:31 PM
mbar-log-2015-12-04 (16-03-31).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 334915
Time elapsed: 38 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

Thank you for your time and help!

 

 


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
