Anti-rootkit driver DDA error even after reinstalling, restarting and using beta rootkit remover


Today I turned on my computer, and Malwarebytes Anti-Malware opened saying that it could not load the DDA driver to scan for rootkits. So I googled this and found this forum, with some information saying to restart the computer, which I did several times (the program also said to), but that did not help. The message kept appearing.

So I installed Malwarebytes Anti-Rootkit and did a scan, and it said there was no suspicious malware.

So I again opened Malwarebytes Anti-Malware, and it still gave me that message. So I restarted again. What I noticed during this process is that a smaller window appeared for about one second with something like "error..." and then a bunch of numbers.

Another thing is that I was on the non-administrator account. So I decided to remove Anti-Malware and reinstall it. Then I opened it again and there was no error message. I scanned for rootkits and other stuff. There was no malware. So I went to the administrator account. Then I opened Anti-Malware, and there was no message. Then I closed it, and several minutes later I reopened it and got the same message!

So right now I have downloaded the beta anti-rootkit scanner again on this account and am running the scan.

I am really confused, as the message appears sometimes and then does not appear. The anti-rootkit tool from the same company, and the scanner when it did not give the message, indicate no rootkit. Is this due to the rootkit preventing the scanners from scanning for it? I am very confused.

What should i do next?


Hello and welcome to Malwarebytes,

Please be aware that the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes. We make no accusations but do make you aware of forum protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, under Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the date and time of the scan just performed.
  • Click Export > From Export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
      XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply…


 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan in the Actions box.
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot.
  • After restart the AdwCleaner(C*)-Notepad log will appear; please copy/paste it in your next reply. Where * is the number relative to the list of scans completed...

 
Next,
 
Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checked under "Optional scans".
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach those logs to your reply.

 

Let me see those logs...

 

Thank you,

 

Kevin...

Hello Kevin, thanks for helping!

 

I am new to this forum and I do not know how to attach things to a post... So I guess it's ok to just paste it in the reply?

 

Here are the logs:

 

1. Malwarebytes Anti-Malware log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015-12-20
Scan Time: 1:51 pm
Logfile: 
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.19.06
Rootkit Database: v2015.12.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327088
Time Elapsed: 31 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

2. AdwCleaner log:

 

# AdwCleaner v5.025 - Logfile created 20/12/2015 at 14:36:15
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x86)
# Username : Administrator - MSDN-SPECIAL
# Running from : C:\Users\Administrator\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\startools
[-] Folder Deleted : C:\Program Files\tencent
[-] Folder Deleted : C:\Program Files\BBestSaavveFiorYou
[-] Folder Deleted : C:\Program Files\FunDieAAlSS
[-] Folder Deleted : C:\Program Files\JonniCeouPPOn
[-] Folder Deleted : C:\Program Files\RanDDoomPrice
[!] Folder Not Deleted : C:\Program Files\BBestSaavveFiorYou
[!] Folder Not Deleted : C:\Program Files\FunDieAAlSS
[!] Folder Not Deleted : C:\Program Files\JonniCeouPPOn
[!] Folder Not Deleted : C:\Program Files\RanDDoomPrice
[-] Folder Deleted : C:\Program Files\Common Files\tencent
[-] Folder Deleted : C:\ProgramData\StarApp
[-] Folder Deleted : C:\ProgramData\Surf Protect
[-] Folder Deleted : C:\ProgramData\BBestSaavveFiorYou
[-] Folder Deleted : C:\ProgramData\FunDieAAlSS
[-] Folder Deleted : C:\ProgramData\JonniCeouPPOn
[-] Folder Deleted : C:\ProgramData\RanDDoomPrice
[!] Folder Not Deleted : C:\ProgramData\BBestSaavveFiorYou
[-] Folder Deleted : C:\ProgramData\coNNtinoueutosave
[!] Folder Not Deleted : C:\ProgramData\FunDieAAlSS
[!] Folder Not Deleted : C:\ProgramData\JonniCeouPPOn
[!] Folder Not Deleted : C:\ProgramData\RanDDoomPrice
[-] Folder Deleted : C:\Users\Administrator\AppData\LocalLow\Yahoo! Companion
[-] Folder Deleted : C:\Users\Administrator\AppData\LocalLow\Yahoo!\Companion
[-] Folder Deleted : C:\Users\Administrator\AppData\Roaming\Yahoo!\Companion

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{89FBF526-AB75-4D2D-AB79-C64221C7F354}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\startools
[-] Key Deleted : HKCU\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\Yahoo\YFriendsBar
[!] Key Not Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key Deleted : HKLM\SOFTWARE\SP Global
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key Deleted : HKU\S-1-5-19\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key Deleted : HKU\S-1-5-20\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[!] Key Not Deleted : HKU\S-1-5-21-1456077899-4243021156-2624550000-1001\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4007 bytes] ##########

 

3. Farbar Recovery Scan Tool

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:19-12-2015

Ran by Administrator (administrator) on MSDN-SPECIAL (20-12-2015 14:44:56)

Running from C:\Users\Administrator\Downloads

Loaded Profiles: UpdatusUser & Administrator (Available Profiles: UpdatusUser & Administrator)

Platform: Microsoft Windows 7 Ultimate K  Service Pack 1 (X86) Language: 한국어(대한민국) (Korean, Korea)

Internet Explorer Version 11 (Default browser: IE)

Boot Mode: Normal


 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgrsx.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgcsrvx.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgidsagent.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgui.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgwdsvcx.exe

(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgnsx.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgemcx.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe

(Teruten Inc.) C:\Windows\System32\TsService.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

(Microsoft Corporation) C:\Windows\System32\rundll32.exe

(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

 

 

==================== Registry (Whitelisted) ===========================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [1728512 2009-12-04] (VIA)

HKLM\...\Run: [] => [X]

HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2621240 2015-11-18] (Malwarebytes Corporation)

HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguix.exe [1136552 2015-11-12] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Av\avgui.exe [3855272 2015-11-20] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7004376 2015-12-01] (AVAST Software)

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-12-01] (AVAST Software)

ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File

ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File

ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File

Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2012-09-30]

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\모니터 잉크 경고 - HP Deskjet 2510 series.lnk [2015-12-20]

ShortcutTarget: 모니터 잉크 경고 Monitor Ink Warning - HP Deskjet 2510 series.lnk -> C:\Program Files\HP\HP Deskjet 2510 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

BootExecute: autocheck autochk * 

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Tcpip\..\Interfaces\{837F4175-B051-48C6-867C-C69C90A29D29}: [DhcpNameServer] 192.168.1.254

 

Internet Explorer:

==================

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-1456077899-4243021156-2624550000-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-1456077899-4243021156-2624550000-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-1456077899-4243021156-2624550000-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-1456077899-4243021156-2624550000-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://zum.com/

HKU\S-1-5-21-1456077899-4243021156-2624550000-500\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-01] (AVAST Software)

BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)

DPF: {150324B2-EBEA-4F97-9F87-CC572BB25865} hxxp://ebook.kkulmat.com/activex/Yes24ViewerX.cab

DPF: {24A04430-81DA-467A-BE87-774DFAECBBF6} hxxp://kr.hompy.yahoo.com/PHOTONORI/cab/oollalla.cab

DPF: {5AB4F795-2F82-41A5-98E5-65FDB61F36E2} hxxp://www.filejo.com/mmsv/FileJoControl.CAB

DPF: {77A4A4F3-C3C9-4F6D-901D-5F08B4969A56} hxxp://kr.hompy.yahoo.com/PHOTONORI/cab3/SWFGen.cab

DPF: {794F6CE1-05EE-4702-8BFF-FCADEE13C585} hxxp://www.hanfile.kr/app/HanFileLauncher.cab

DPF: {99806ADD-C5EF-4632-A3D0-3E778B051F94} hxxp://file.booxen.com/b2b/MASetupCaller_booxen.cab

DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} hxxp://www.anystudy.kr/anyplayer/MagicLockOCX.cab

DPF: {9EE7D86E-EDF7-427C-8E97-5BCF5851DA03} hxxp://s1.daumcdn.net/photo-section/-cartoon10/activex/viewer/20130128/32bit/XDMToonViewer32.cab

DPF: {A82FEC82-2C03-4FB2-BF8A-C011780B6915} hxxp://www.ssam.co.kr/ssam/views/videos/IMGTech/ZPlayer/download/Vista/ZInsX.cab

DPF: {A977FF0C-8757-4E76-8533-482F91946233} hxxp://dl.sayclub.com/sayclub/sayctl/sayax.cab

DPF: {AB2D3D84-D28E-4260-824C-E54402C51A97} hxxp://www.kkulmat.com/ngedu/paint/4CSoftPainter.cab

DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_1_4/DaumActiveX.cab?ver=2,0,1,4

DPF: {BDD22343-1DF0-4983-947F-7604DD9838F8} hxxp://www.anystudy.kr/anyplayer/MagicSpeeder.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

 

FireFox:

========

FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ec8yjerk.default

FF Homepage: hxxp://www.daum.net/

FF Plugin: @4csoft.com/PaintObject -> C:\Windows\Downloaded Program Files\NP4CSoftPainter.dll [2009-03-11] (4C Soft, Inc.)

FF Plugin: @cdnetworks.com/AquaPlayer -> C:\Program Files\AquaPlayer\npAquaPlugin.dll [2013-07-09] ()

FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-08] (Google)

FF Plugin: @imgtech.co.kr/ZonePlayer -> C:\IMGTech\Dll\NP_ZonePlayer.dll [2011-06-11] (IMGTech. (www.imgtech.co.kr))

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)

FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)

FF Plugin: @qq.com/npqscall,version=1.0.0 -> %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll [No File]

FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-06] (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-06] (Google Inc.)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-30] (Adobe Systems Inc.)

FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-01]

FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-12-01]

 

Chrome: 

=======

CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google 문서도구 Document tool) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-08]

CHR Extension: (Google 드라이브 Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-01]

CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-01]

CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-01]

CHR Extension: (Google 문서 오프라인 Doc Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-01]

CHR Extension: (Avast Online Security) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-12-01]

CHR Extension: (Chrome 웹 스토어 결제 Web Store Purchase) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-20]

CHR Extension: (Haruhi Suzumiya Theme2) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\onfchlljanflheonaanejoibmfgifnjd [2014-11-06]

CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-20]

CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-01]

 

==================== Services (Whitelisted) ========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [174416 2015-12-01] (AVAST Software)

S3 AvgAMPS; C:\Program Files\AVG\Av\avgamps.exe [615584 2015-11-20] (AVG Technologies CZ, s.r.o.)

R2 AVGIDSAgent; C:\Program Files\AVG\Av\avgidsagent.exe [3857272 2015-11-20] (AVG Technologies CZ, s.r.o.)

R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [862632 2015-11-12] (AVG Technologies CZ, s.r.o.)

R2 avgwd; C:\Program Files\AVG\Av\avgwdsvcx.exe [579776 2015-11-20] (AVG Technologies CZ, s.r.o.)

R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [739640 2015-11-18] (Malwarebytes Corporation)

S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)

R2 TsService; C:\Windows\system32\TsService.exe [179928 2013-09-30] (Teruten Inc.)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

S2 f3dadae8; "C:\Windows\system32\rundll32.exe" "c:\progra~2\surfpr~1\SurfProtectSvc.dll",service

 

===================== Drivers (Whitelisted) ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-12-01] (AVAST Software)

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [81168 2015-12-01] (AVAST Software)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81728 2015-12-01] (AVAST Software)

R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-12-01] (AVAST Software)

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [794952 2015-12-01] (AVAST Software)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [435464 2015-12-01] (AVAST Software)

R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [117200 2015-12-01] (AVAST Software)

R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [209432 2015-12-01] (AVAST Software)

R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [149936 2015-11-06] (AVG Technologies CZ, s.r.o.)

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [255920 2015-11-06] (AVG Technologies CZ, s.r.o.)

R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [231344 2015-08-20] (AVG Technologies CZ, s.r.o.)

R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-20] (AVG Technologies CZ, s.r.o.)

R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [229296 2015-10-21] (AVG Technologies CZ, s.r.o.)

R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [308656 2015-08-14] (AVG Technologies CZ, s.r.o.)

R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [193968 2015-11-06] (AVG Technologies CZ, s.r.o.)

R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [36784 2015-08-10] (AVG Technologies CZ, s.r.o.)

R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [231856 2015-10-08] (AVG Technologies CZ, s.r.o.)

R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2015-11-18] ()

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)

S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)

R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1108480 2009-11-26] (VIA Technologies, Inc.)

S3 VGPU; System32\drivers\rdvgkmd.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

 

==================== One Month Created files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2015-12-20 14:44 - 2015-12-20 14:45 - 00016398 _____ C:\Users\Administrator\Downloads\FRST.txt

2015-12-20 14:44 - 2015-12-20 14:44 - 01721344 _____ (Farbar) C:\Users\Administrator\Downloads\FRST.exe

2015-12-20 14:44 - 2015-12-20 14:44 - 00000000 ____D C:\FRST

2015-12-20 14:34 - 2015-12-20 14:36 - 00000000 ____D C:\AdwCleaner

2015-12-20 14:32 - 2015-12-20 14:32 - 01740288 _____ C:\Users\Administrator\Downloads\AdwCleaner.exe

2015-12-20 12:38 - 2015-12-20 12:38 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Administrator\Downloads\mbar-1.09.3.1001.exe

2015-12-20 11:46 - 2015-12-20 14:26 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2015-12-20 11:46 - 2015-12-20 12:38 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys

2015-12-20 11:46 - 2015-12-20 11:46 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2015-12-20 11:46 - 2015-12-20 11:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2015-12-20 11:46 - 2015-12-20 11:46 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware

2015-12-20 11:46 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2015-12-20 11:46 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys

2015-12-16 22:18 - 2015-12-16 22:18 - 00000000 ____D C:\Users\Default\AppData\Roaming\AVG

2015-12-16 22:18 - 2015-12-16 22:18 - 00000000 ____D C:\Users\Default\AppData\Local\AVG

2015-12-16 22:18 - 2015-12-16 22:18 - 00000000 ____D C:\Users\Default User\AppData\Roaming\AVG

2015-12-16 22:18 - 2015-12-16 22:18 - 00000000 ____D C:\Users\Default User\AppData\Local\AVG

2015-12-12 09:33 - 2015-11-12 09:52 - 00341192 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll

2015-12-12 09:33 - 2015-11-12 07:39 - 01242624 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll

2015-12-12 09:33 - 2015-11-12 07:39 - 00487936 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll

2015-12-12 09:33 - 2015-11-12 05:00 - 12856832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2015-12-12 09:33 - 2015-11-12 04:44 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2015-12-12 09:33 - 2015-11-12 04:44 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2015-12-12 09:33 - 2015-11-12 04:41 - 20366848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2015-12-12 09:33 - 2015-11-12 03:57 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2015-12-12 09:33 - 2015-11-11 07:39 - 01251328 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll

2015-12-12 09:33 - 2015-11-11 07:39 - 00909824 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll

2015-12-12 09:33 - 2015-11-11 07:39 - 00811520 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll

2015-12-12 09:33 - 2015-11-11 06:40 - 02386944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2015-12-12 09:33 - 2015-11-10 13:24 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2015-12-12 09:33 - 2015-11-10 13:24 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2015-12-12 09:33 - 2015-11-10 13:13 - 00496640 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2015-12-12 09:33 - 2015-11-10 13:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2015-12-12 09:33 - 2015-11-10 13:12 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec

2015-12-12 09:33 - 2015-11-10 13:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2015-12-12 09:33 - 2015-11-10 13:11 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll

2015-12-12 09:33 - 2015-11-10 13:08 - 02280448 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2015-12-12 09:33 - 2015-11-10 13:06 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2015-12-12 09:33 - 2015-11-10 13:06 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2015-12-12 09:33 - 2015-11-10 13:04 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2015-12-12 09:33 - 2015-11-10 13:03 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2015-12-12 09:33 - 2015-11-10 13:03 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2015-12-12 09:33 - 2015-11-10 13:02 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2015-12-12 09:33 - 2015-11-10 13:02 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2015-12-12 09:33 - 2015-11-10 12:57 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2015-12-12 09:33 - 2015-11-10 12:50 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2015-12-12 09:33 - 2015-11-10 12:47 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2015-12-12 09:33 - 2015-11-10 12:46 - 04514816 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2015-12-12 09:33 - 2015-11-10 12:44 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll

2015-12-12 09:33 - 2015-11-10 12:37 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll

2015-12-12 09:33 - 2015-11-10 12:36 - 02050560 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2015-12-12 09:33 - 2015-11-10 12:36 - 00687104 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2015-12-12 09:33 - 2015-11-10 12:36 - 00684032 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2015-12-12 09:33 - 2015-11-10 12:35 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2015-12-12 09:33 - 2015-11-10 12:17 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2015-12-12 09:33 - 2015-11-10 12:14 - 01311744 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2015-12-12 09:33 - 2015-11-10 12:12 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 02956800 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 02062848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 00573440 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll

2015-12-12 09:32 - 2015-11-21 07:34 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll

2015-12-12 09:32 - 2015-11-21 07:33 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe

2015-12-12 09:32 - 2015-11-21 07:33 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe

2015-12-12 09:32 - 2015-11-21 07:33 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll

2015-12-12 09:32 - 2015-11-06 08:02 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\wshrm.dll

2015-12-12 09:32 - 2015-11-06 08:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll

2015-12-12 09:32 - 2015-11-05 22:48 - 00117760 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys

2015-12-12 09:32 - 2015-11-04 07:56 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll

2015-12-12 09:32 - 2015-11-04 07:55 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\els.dll

2015-12-10 19:24 - 2015-12-10 19:24 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software

2015-12-10 19:24 - 2015-12-10 19:24 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software

2015-12-01 13:58 - 2015-12-01 13:52 - 00322760 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

2015-12-01 13:55 - 2015-12-01 13:55 - 00002075 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk

2015-12-01 13:55 - 2015-12-01 13:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\AVAST Software

2015-12-01 13:55 - 2015-12-01 13:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software

2015-12-01 13:54 - 2015-12-01 13:52 - 00794952 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00435464 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00209432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00117200 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00081728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00081168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00049776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys

2015-12-01 13:54 - 2015-12-01 13:52 - 00024016 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys

2015-12-01 13:52 - 2015-12-01 13:52 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr

2015-12-01 13:52 - 2015-12-01 13:52 - 00000000 ____D C:\Users\Administrator\AppData\Local\GWX

2015-12-01 13:48 - 2015-12-01 13:48 - 00000000 ____D C:\Program Files\AVAST Software

2015-12-01 13:47 - 2015-12-01 13:47 - 00000000 ____D C:\ProgramData\AVAST Software

2015-12-01 13:43 - 2015-12-01 13:44 - 05084256 _____ (AVAST Software) C:\Users\Administrator\Downloads\avast_free_antivirus_setup_online_cnet2.exe

2015-11-26 11:05 - 2015-11-26 11:16 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\AVG

2015-11-26 11:04 - 2015-12-10 19:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG

2015-11-26 11:04 - 2015-12-06 05:23 - 00000000 ____D C:\Program Files\Common Files\AV

2015-11-26 11:04 - 2015-11-26 11:04 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\TuneUp Software

2015-11-26 11:03 - 2015-11-26 11:03 - 00000000 ___HD C:\$AVG

2015-11-26 10:57 - 2015-12-20 14:36 - 00000000 ____D C:\ProgramData\MFAData

2015-11-26 10:57 - 2015-11-26 10:57 - 00000908 _____ C:\Users\Public\Desktop\AVG.lnk

2015-11-26 10:57 - 2015-11-26 10:57 - 00000000 ____D C:\Users\Administrator\AppData\Local\MFAData

2015-11-26 10:57 - 2015-11-26 10:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen

2015-11-26 10:56 - 2015-11-26 11:17 - 00000000 ____D C:\ProgramData\Avg

2015-11-26 10:56 - 2015-11-26 11:16 - 00000000 ____D C:\Program Files\AVG

2015-11-26 10:55 - 2015-12-18 14:41 - 00000000 ____D C:\Users\Administrator\AppData\Local\AvgSetupLog

2015-11-26 10:55 - 2015-12-10 19:22 - 00000000 ____D C:\Users\Administrator\AppData\Local\Avg

2015-11-26 10:54 - 2015-11-26 10:55 - 02924672 _____ (AVG Technologies) C:\Users\Administrator\Downloads\AVG_Protection_Free_698.exe

2015-11-26 10:41 - 2015-11-26 10:41 - 00000000 ____D C:\Users\Administrator\AppData\Local\ECRSC

2015-11-20 08:05 - 2015-11-20 08:05 - 00031664 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsshimx.sys

 

==================== One Month Modified files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2015-12-20 14:44 - 2009-07-14 15:37 - 00000000 ____D C:\Windows

2015-12-20 14:38 - 2012-06-28 19:08 - 00000668 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2015-12-20 14:38 - 2009-07-14 17:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2015-12-20 14:36 - 2012-02-05 17:59 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Yahoo!

2015-12-20 14:36 - 2012-02-05 17:59 - 00000000 ____D C:\Users\Administrator\AppData\LocalLow\Yahoo!

2015-12-20 14:33 - 2009-07-14 17:34 - 00006384 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2015-12-20 14:33 - 2009-07-14 17:34 - 00006384 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2015-12-20 14:28 - 2010-11-22 03:01 - 00427982 _____ C:\Windows\system32\perfh012.dat

2015-12-20 14:28 - 2010-11-22 03:01 - 00120076 _____ C:\Windows\system32\perfc012.dat

2015-12-20 14:28 - 2010-11-21 10:01 - 01321768 _____ C:\Windows\system32\PerfStringBackup.INI

2015-12-20 14:28 - 2009-07-14 15:37 - 00000000 ____D C:\Windows\inf

2015-12-20 14:18 - 2012-06-28 19:08 - 00000672 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2015-12-20 14:00 - 2012-05-17 19:01 - 00000622 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2015-12-20 13:04 - 2014-12-04 11:20 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2015-12-20 13:04 - 2014-12-04 11:08 - 00000000 ____D C:\Users\Administrator\Desktop\mbar

2015-12-20 12:36 - 2014-12-22 14:22 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit

2015-12-18 15:39 - 2015-04-04 16:22 - 00000000 ___SD C:\Windows\system32\GWX

2015-12-12 16:14 - 2009-07-14 17:33 - 00356136 _____ C:\Windows\system32\FNTCACHE.DAT

2015-12-12 15:20 - 2012-09-30 16:56 - 00000000 ____D C:\ProgramData\Microsoft Help

2015-12-12 15:20 - 2012-07-02 14:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2015-12-12 15:19 - 2012-07-02 14:48 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2015-12-12 15:14 - 2013-07-14 18:09 - 00000000 ____D C:\Windows\system32\MRT

2015-12-12 15:08 - 2013-04-13 14:55 - 137798368 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2015-12-09 19:00 - 2012-05-17 19:01 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2015-12-09 19:00 - 2011-11-22 16:14 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

2015-12-08 15:42 - 2013-02-13 18:31 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google

2015-11-26 11:22 - 2012-10-28 19:26 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\HpUpdate

2015-11-26 11:21 - 2013-06-23 16:32 - 00000000 ____D C:\Windows\Minidump

2015-11-26 11:21 - 2009-07-14 15:37 - 00000000 ____D C:\Windows\system32\sysprep

2015-11-26 10:55 - 2011-11-23 18:36 - 00088832 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

2015-11-26 10:45 - 2009-07-14 17:52 - 00000000 ____D C:\Windows\Downloaded Program Files

2015-11-26 10:44 - 2014-05-26 21:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ESTsoft

2015-11-26 10:44 - 2014-05-05 19:13 - 00000000 ____D C:\Program Files\ESTsoft

2015-11-26 10:43 - 2014-05-05 19:13 - 00000000 ____D C:\ProgramData\ESTsoft

2015-11-26 10:41 - 2013-11-10 16:02 - 00000000 ____D C:\Program Files\Kakao

2015-11-26 10:40 - 2014-05-05 19:16 - 00000294 _____ C:\Windows\system32\ayboot.ini

2015-11-25 10:43 - 2009-07-14 15:37 - 00000000 ____D C:\Windows\rescache

2015-11-24 12:27 - 2014-12-22 14:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit

2015-11-24 12:27 - 2014-12-22 14:22 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit

 

==================== Files in the root of some directories =======

 

2015-08-29 18:00 - 2015-08-29 18:00 - 6420480 _____ () C:\Program Files\GUT591D.tmp

2012-10-28 19:25 - 2012-10-28 19:25 - 0000057 _____ () C:\ProgramData\Ament.ini

 

Some files in TEMP:

====================

C:\Users\Administrator\AppData\Local\Temp\sqlite3.dll

 

 

==================== Bamital & volsnap =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2015-12-08 14:42

 

==================== End of FRST.txt ============================

 

Addition.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:19-12-2015

Ran by Administrator (2015-12-20 14:45:53)

Running from C:\Users\Administrator\Downloads

Microsoft Windows 7 Ultimate K  Service Pack 1 (X86) (2011-11-22 02:57:03)

Boot Mode: Normal

==========================================================

 

 

==================== Accounts: =============================

 

Administrator (S-1-5-21-1456077899-4243021156-2624550000-500 - Administrator - Enabled) => C:\Users\Administrator

Guest (S-1-5-21-1456077899-4243021156-2624550000-501 - Limited - Disabled)

UpdatusUser (S-1-5-21-1456077899-4243021156-2624550000-1001 - Limited - Enabled) => C:\Users\UpdatusUser

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}

AV: AVG AntiVirus Free Edition (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: AVG AntiVirus Free Edition (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

 

==================== Installed Programs ======================

 

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

AC3Filter 1.63b (HKLM\...\AC3Filter_is1) (Version: 1.63b - Alexander Vigovsky)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 4.0.0.1390 - Adobe Systems Incorporated)

Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.12) - Korean (HKLM\...\{AC76BA86-7AD7-1042-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)

Apple Application Support (HKLM\...\{3FA365DF-2D68-45ED-8F83-8C8A33E65143}) (Version: 1.1.0 - Apple Inc.)

Avast Free Antivirus (HKLM\...\Avast) (Version: 11.1.2241 - AVAST Software)

AVG (HKLM\...\AvgZen) (Version: 1.22.1.40089 - AVG Technologies)

AVG (Version: 16.12.7294 - AVG Technologies) Hidden

AVG 2016 (Version: 16.0.4489 - AVG Technologies) Hidden

AVG Protection (HKLM\...\AVG) (Version: 2016.12.7294 - AVG Technologies)

AVG Zen (Version: 1.22.1 - AVG Technologies) Hidden

Canon Utilities PhotoStitch 3.1 (HKLM\...\Canon PhotoStitch 3.1) (Version:  - )

Canon Utilities ZoomBrowser EX (HKLM\...\ZoomBrowserEXDeInstall) (Version:  - )

Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)

Facebook Messenger 2.1.4814.0 (HKLM\...\{7204BDEE-1A48-4D95-A964-44A9250B439E}) (Version: 2.1.4814.0 - Facebook)

FMW 1 (Version: 1.32.2 - AVG Technologies) Hidden

FUJIFILM MyFinePix Studio 3.2 (HKLM\...\MyFinePix Studio_is1) (Version:  - )

Google Earth Plug-in (HKLM\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)

Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden

Google Update Helper (Version: 1.3.29.1 - Google Inc.) Hidden

HP Deskjet 2510 series Setup Guide (HKLM\...\{216C7F38-4BBC-4E9A-8392-C9FA21B54386}) (Version: 27.0.0 - Hewlett Packard)

HP Deskjet 2510 series 기본 장치 소프트웨어 Basic Device Software (HKLM\...\{B3BB8722-6931-4145-8B69-0AD953D73ECF}) (Version: 27.0.847.0 - Hewlett-Packard Co.)

HP Deskjet 2510 series 도움말 Help (HKLM\...\{9F4767D5-E3E3-4946-828C-E1D48718044F}) (Version: 27.0.0 - Hewlett Packard)

HP Deskjet 2510 series 제품 개선 연구 Product improvement reserach (HKLM\...\{0B4CD37D-C7F4-42B2-B5B9-2714F5EB6A25}) (Version: 27.0.847.0 - Hewlett-Packard Co.)

HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.3341 - HP Photo Creations Powered by RocketLife)

HP Update (HKLM\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)

Malwarebytes Anti-Exploit version 1.8.1.1045 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.8.1.1045 - Malwarebytes)

Malwarebytes Anti-Malware 버전 version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)

Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)

Microsoft .NET Framework 4.5.2(한국어 Korean) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042) (Version: 4.5.51209 - Microsoft Corporation)

Microsoft Office Home and Student 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)

Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41105.0 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)

Microsoft Visual Studio 2010 Tools for Office Runtime(x86) 언어 팩 - 한국어 Language pack - Korean (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86) Language Pack - KOR) (Version: 10.0.50903 - Microsoft Corporation)

NVIDIA 그래픽 드라이버   Graphic driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)

NVIDIA 업데이트 Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)

Platform (Version: 1.34 - VIA Technologies, Inc.) Hidden

QuickTime (HKLM\...\{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}) (Version: 7.65.17.80 - Apple Inc.)

Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)

VIA 플랫폼 장치 관리자 Platform Device Manager (HKLM\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.34 - VIA Technologies, Inc.)

Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

곰TV도우미 제거 GOMTVHELP remover(HKLM\...\GomTVHelper) (Version:  - Gretech Corporation)

곰녹음기 GOM recorder (HKLM\...\GomRecorder) (Version: 1.2.3.0400 - Gretech Corporation)

곰플레이어 GOM player (HKLM\...\GOM Player) (Version: 2.1.36.5083 - Gretech Corporation)

 

==================== Custom CLSID (Whitelisted): ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{04FE3112-DB93-424D-B958-5E709395693F}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Facebook\Messenger\2.1.4814.0\npFbDesktopPlugin.dll => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}\localserver32 -> "C:\Users\민지^W^\AppData\Local\Facebook\Update\FacebookUpdate.exe" => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{5E71E4F3-E8C7-4906-9626-973E418762B6}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Facebook\Update\1.2.205.0\goopdate.dll => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File

CustomCLSID: HKU\S-1-5-21-1456077899-4243021156-2624550000-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll => No File

 

==================== Restore Points =========================

 

12-12-2015 15:08:06 Windows Update

14-12-2015 19:47:20 Windows 백업

18-12-2015 15:38:47 Windows Update

19-12-2015 20:48:35 Windows Update

 

==================== Hosts content: ===============================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-14 15:04 - 2009-06-11 10:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

 

 

==================== Scheduled Tasks (Whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

Task: {2DB88CF9-D619-4726-8096-7E94F0539A37} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-12-01] (AVAST Software)

Task: {4BDCF70D-4BE4-4367-A3B6-BA0E36B2487C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-09] (Adobe Systems Incorporated)

Task: {529CBF28-AA76-4BC8-82E2-2669EDEE2DB8} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-06] (Microsoft Corporation)

Task: {5F3BDCF0-BDE1-4E01-BFCD-45141562E5E9} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files\AVG\AVG PC TuneUp\tuscanx.exe

Task: {671597EC-40D4-48DC-A3F1-50EB9D216B06} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)

Task: {684EDBE6-C5C4-4CEF-9243-C71C3CEA92B8} - System32\Tasks\{B3C1BE28-B3E2-48A6-8639-2F6D8EF95186} => Chrome.exe 

Task: {688D4B40-424B-4145-AC8B-D88F3C045D48} - System32\Tasks\{2BEE9E9E-058B-4710-9959-51953C8870C1} => pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{CDBB2567-5CDD-42C7-9745-4B200DD5E199}\Setup.exe" -c -uninst

Task: {71C21149-44BF-42EA-BA49-ADA0717978B9} - System32\Tasks\Sing_Mini 실행 (Process or start) => C:\Users\Administrator\AppData\Roaming\Sing Mini\MiniSearchDn.exe

Task: {7A8347BB-D8F5-4DF2-9C25-641CD712C3D1} - System32\Tasks\{05A076CB-FA94-402A-B24D-30EE9357D5CD} => pcalua.exe -a F:\SETUP.EXE -d F:\

Task: {7EC1FDBD-8613-4A2B-ACCA-F70A1E7E6F64} - System32\Tasks\HPCustParticipation HP Deskjet 2510 series => C:\Program Files\HP\HP Deskjet 2510 series\Bin\HPCustPartic.exe [2012-01-31] (Hewlett-Packard Co.)

Task: {A4427F7B-84C9-4CED-BF92-CF0BB069BBF6} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-06] (Microsoft Corporation)

Task: {B97B7E1F-2723-4B28-86CF-B0E6F4E82135} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc)

Task: {CED05C2E-FA75-4798-9252-850877FE893B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc)

Task: {D6CA0423-7945-485F-B05C-622DFCFA1542} - System32\Tasks\AnCamCorder 실행 (I think this word refers to process or performance) => C:\Program Files\\AHNSOFT\AnCamCorder\ancamcorderupdate.exe

Task: {F6CB52AD-6F9F-4148-952E-FDFA5671971D} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2015-12-16] (AVAST Software)

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

 

==================== Shortcuts =============================

 

(The entries could be listed to be restored or removed.)

 

ShortcutWithArgument: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Daum\Daum ActiveX 매니저.Lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://cs.daum.net/daumfaq/faq_view.jsp?SITE_ID=124&CAT_ID=7912&AT_ID=9731

 

==================== Loaded Modules (Whitelisted) ==============

 

2013-04-13 14:58 - 2013-01-31 22:00 - 00079648 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll

2015-12-01 13:52 - 2015-12-01 13:52 - 00103888 _____ () C:\Program Files\AVAST Software\Avast\log.dll

2015-12-01 13:52 - 2015-12-01 13:52 - 00125512 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll

2015-12-20 09:48 - 2015-12-20 09:48 - 02805760 _____ () C:\Program Files\AVAST Software\Avast\defs\15121901\algo.dll

2015-12-01 13:52 - 2015-12-01 13:52 - 00466448 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll

2012-01-05 11:25 - 2009-05-07 21:50 - 00073728 ____R () C:\Program Files\VIA\VIAudioi\VDeck\QsApoApi.dll

2012-01-05 11:25 - 2009-05-07 21:53 - 00106496 ____R () C:\Program Files\VIA\VIAudioi\VDeck\Dts2ApoApi.dll

2012-01-05 11:25 - 2008-02-14 18:57 - 00094208 ____R () C:\Program Files\VIA\VIAudioi\VDeck\VMicApi.dll

2012-01-05 11:25 - 2009-11-03 16:11 - 47628288 ____R () C:\Program Files\VIA\VIAudioi\VDeck\Skin.dll

2015-11-26 10:56 - 2015-11-26 10:55 - 40500224 _____ () C:\Program Files\AVG\UiDll\2171\libcef.dll

2013-08-07 20:13 - 2013-09-30 12:10 - 00118784 _____ () C:\Windows\system32\Tptmlib.dll

2015-12-01 13:52 - 2015-12-01 13:52 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

2015-12-17 13:21 - 2015-12-11 16:54 - 01583432 _____ () C:\Program Files\Google\Chrome\Application\47.0.2526.106\libglesv2.dll

2015-12-17 13:21 - 2015-12-11 16:54 - 00081224 _____ () C:\Program Files\Google\Chrome\Application\47.0.2526.106\libegl.dll

 

==================== Alternate Data Streams (Whitelisted) =========

 

(If an entry is included in the fixlist, only the ADS will be removed.)

 

 

==================== Safe Mode (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

 

 

==================== EXE Association (Whitelisted) ===============

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

 

 

==================== Internet Explorer trusted/restricted ===============

 

(If an entry is included in the fixlist, it will be removed from the registry.)

 

 

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

 

HKU\S-1-5-21-1456077899-4243021156-2624550000-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

DNS Servers: 192.168.1.254

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

Windows Firewall is enabled.

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

(Currently there is no automatic fix for this section.)

 

 

==================== FirewallRules (Whitelisted) ===============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

FirewallRules: [{C6D2C0ED-9550-4A79-A9FF-3E22D43964EF}] => (Allow) C:\Program Files\HP\HP Deskjet 2510 series\Bin\USBSetup.exe

FirewallRules: [TCP Query User{AE4B83B3-92DA-4895-BB36-CF09603FF358}C:\program files\internet explorer\iexplore.exe] => (Allow) C:\program files\internet explorer\iexplore.exe

FirewallRules: [uDP Query User{CC822055-E771-4D7C-BF94-077318CF3371}C:\program files\internet explorer\iexplore.exe] => (Allow) C:\program files\internet explorer\iexplore.exe

FirewallRules: [{79C71642-6491-47FD-A0C8-E94738ECC5DE}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

FirewallRules: [{92B8C8F2-852E-445B-9D50-56013247FE5C}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

FirewallRules: [{901308B4-044A-4383-B869-D44D9AE17096}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

FirewallRules: [{68F21C9F-FBBA-46E9-B58F-629E91780DA3}] => (Allow) C:\Program Files\HP\HP Deskjet 2510 series\Bin\USBSetup.exe

FirewallRules: [{F7843662-6E74-48EB-BB47-10CC41634256}] => (Allow) C:\Program Files\HP\HP Deskjet 2510 series\Bin\USBSetup.exe

FirewallRules: [{B0B29909-DCCF-48CA-9D5B-18F935A63E21}] => (Allow) C:\Program Files\AVG\Av\avgmfapx.exe

FirewallRules: [{35F9A45F-6356-432A-886D-8501666CCD40}] => (Allow) C:\Program Files\AVG\Av\avgmfapx.exe

FirewallRules: [{D69108CA-EE39-420C-B94F-B4A3367AA216}] => (Allow) C:\Program Files\AVG\Av\avgnsx.exe

FirewallRules: [{B5186A24-DDA7-4124-B7D1-D4D726AAF7A1}] => (Allow) C:\Program Files\AVG\Av\avgnsx.exe

FirewallRules: [{1DAEF6D6-838E-48F5-A7B5-EED09EE34C77}] => (Allow) C:\Program Files\AVG\Av\avgdiagex.exe

FirewallRules: [{FB5E2DA4-7ED7-40BF-BA0D-9BF970336CAC}] => (Allow) C:\Program Files\AVG\Av\avgdiagex.exe

FirewallRules: [{ECD6E6A5-BF5E-4727-BE7C-5EF13384D283}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe

FirewallRules: [{22D35F55-A4D7-4A38-9A9F-0DE882AA3427}] => (Allow) C:\Program Files\AVG\Av\avgemcx.exe

FirewallRules: [{9800F9FA-4E31-4DD0-83E3-9E322672C9B3}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (12/18/2015 02:10:41 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )

Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil . Error code = 0x80070020

 

Error: (12/14/2015 07:49:58 PM) (Source: Windows Backup) (EventID: 4104) (User: )

Description: 백업이 완료되지 않았습니다. 오류: 백업을 저장할 드라이브 공간이 부족합니다. 오래된 백업과 필요 없는 데이터를 삭제하여 드라이브 공간을 확보하거나 백업 설정을 변경하십시오. Back up has not been completed. Error: There is not enough space in the Drive to save the Backup. Please delete old files or not needed data and files to increase the Drive space and reset Back up settings. (0x81000005).

 

Error: (12/07/2015 04:36:29 PM) (Source: Windows Backup) (EventID: 4104) (User: )

Description: 백업이 완료되지 않았습니다. 오류: 백업을 저장할 드라이브 공간이 부족합니다. 오래된 백업과 필요 없는 데이터를 삭제하여 드라이브 공간을 확보하거나 백업 설정을 변경하십시오.  Same as above. (0x81000005).

 

Error: (11/30/2015 08:12:58 PM) (Source: Windows Backup) (EventID: 4104) (User: )

Description: 백업이 완료되지 않았습니다. 오류: 백업을 저장할 드라이브 공간이 부족합니다. 오래된 백업과 필요 없는 데이터를 삭제하여 드라이브 공간을 확보하거나 백업 설정을 변경하십시오.  Same as above. (0x81000005).

 

Error: (11/26/2015 11:03:41 AM) (Source: System Restore) (EventID: 8193) (User: )

Description: 복원 지점을 만들지 못했습니다 Unable to create back up point (프로세스 Process = C:\Windows\system32\msiexec.exe /V, 설명 Description = Installed AVG, 오류 Error = 0x80042313).

 

Error: (11/26/2015 11:03:36 AM) (Source: VSS) (EventID: 12297) (User: )

Description: 볼륨 섀도 복사본 서비스 오류 Volume Shadow Copy Service Error: \\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963}\ 볼륨에서 섀도 복사본을 만드는 동안에 I/O 쓰기를 플러시할 수 없습니다.  While creating a shadow copy, cannot flush I/O write at Volume. (Hope this is correct translation... I am not very sure what it is referring to)

섀도 복사본 세트에 있는 볼륨 인덱스는 0입니다. Shadow Copy set which exists in Volume's index is 0. 오류 정보 Error description: Open[0x00000000, 작업을 완료했습니다. Completed action. 

], Flush[0x80042302, 볼륨 섀도 복사본 서비스 구성 요소에 예기치 않은 오류가 발생했습니다. An unexpected error occured while creating Volume shadow copy.

자세한 정보는 응용 프로그램 이벤트 로그를 확인하십시오.  For more information please check application event log. 

], Release[0x00000000, 작업을 완료했습니다. Completed action.

], OnRun[0x00000000, 작업을 완료했습니다. Completed action. 

].

 

 

작업: Action:

   비동기 작업 실행 Asynchronous Action Process/Start

컨텍스트: Context:

   현재 상태:Current State:  DoSnapshotSet

 

Error: (11/26/2015 11:03:36 AM) (Source: VSS) (EventID: 12289) (User: )

Description: 볼륨 섀도 복사본 서비스 오류: 예기치 못한 오류 Volume Shadow Copy Service Error DeviceIoControl(\\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963} - 0000014C,0x0053c000,00627BB0,0,00629BC0,4096,[0])입니다. hr = 0x80070005, 액세스가 거부되었습니다. Access denied.

작업: (Action)

   비동기 작업 실행 Asynchronous Action Process/Start

컨텍스트: (Context)

   (Current state)현재 상태: calling flush-and-hold IOCTL

     (Current state) 현재 상태: flush-and-hold writes

   (Volume name) 볼륨 이름: \\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963}\


Error: (11/26/2015 11:03:23 AM) (Source: VSS) (EventID: 12297) (User: )

Description: 볼륨 섀도 복사본 서비스 오류 (Volume shadow Copy service error): \\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963}\ 볼륨에서 섀도 복사본을 만드는 동안에 I/O 쓰기를 플러시할 수 없습니다. (While creating shadow copy at volume, we cannot flush I/O writing)

섀도 복사본 세트에 있는 볼륨 인덱스는 0입니다. (Shadow copy in the set volume index is 0)오류 정보(Error Description) : Open[0x00000000, 작업을 완료했습니다 Action completed

], Flush[0x80042302, 볼륨 섀도 복사본 서비스 구성 요소에 예기치 않은 오류가 발생했습니다. (Unexpected error while creating volume shadow copy)

자세한 정보는 응용 프로그램 이벤트 로그를 확인하십시오. (For more information please check application event log)

], Release[0x00000000, 작업을 완료했습니다. Action completed

], OnRun[0x00000000, 작업을 완료했습니다. Action completed

].

작업: Action: 

   비동기 작업 실행  Asynchronous Action Process/ Start

컨텍스트: Context:

   현재 상태: Current State: DoSnapshotSet


Error: (11/26/2015 11:03:23 AM) (Source: VSS) (EventID: 12289) (User: )

Description: 볼륨 섀도 복사본 서비스 오류:  Volume Shadow Copy Service Error: 예기치 못한 오류 Unexpected error: DeviceIoControl(\\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963} - 0000029C,0x0053c000,00627BB0,0,00629BC0,4096,[0])입니다. hr = 0x80070005, 액세스가 거부되었습니다. Access denied.

작업: (Action)

   비동기 작업 실행 (Asynchronous Action Process/ Start)

컨텍스트: (Context)

   (Current State)현재 상태: calling flush-and-hold IOCTL

   (Current State) 현재 상태: flush-and-hold writes

   (Volume name) 볼륨 이름: \\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963}\


Error: (11/26/2015 11:03:09 AM) (Source: VSS) (EventID: 12297) (User: )

Description: 볼륨 섀도 복사본 서비스 오류: \\?\Volume{960e9098-14b4-11e1-96bd-806e6f6e6963}\ 볼륨에서 섀도 복사본을 만드는 동안에 I/O 쓰기를 플러시할 수 없습니다.

섀도 복사본 세트에 있는 볼륨 인덱스는 0입니다. 오류 정보: Open[0x00000000, 작업을 완료했습니다.

], Flush[0x80042302, 볼륨 섀도 복사본 서비스 구성 요소에 예기치 않은 오류가 발생했습니다.

자세한 정보는 응용 프로그램 이벤트 로그를 확인하십시오.

], Release[0x00000000, 작업을 완료했습니다.

], OnRun[0x00000000, 작업을 완료했습니다.

].

 

(Exact same error and messages from above)

 

작업: Action:

   비동기 작업 실행 Asynchronous Action Process

 

컨텍스트: Context:

   현재 상태: Current State: DoSnapshotSet

 

 

System errors:

=============

Error: (12/20/2015 02:39:00 PM) (Source: Service Control Manager) (EventID: 7009) (User: )

Description: Surf Protect 서비스 연결을 기다리는 동안 제한 시간에 도달했습니다 Arrived at limit time while waiting for the service. (30000밀리초 Millisecond).

 

Error: (12/20/2015 02:37:12 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: 다음 오류로 인해 Due to the following error: Print Spooler 서비스를 시작하지 못했습니다. Service could not start.

%%1069

 

Error: (12/20/2015 02:37:12 PM) (Source: Service Control Manager) (EventID: 7038) (User: )

Description: 다음 오류 때문에 현재 구성된 암호를 사용하여 (Due to the following error, we could not log in to NT AUTHORITY\SYSTEM using a password currently created, at Spooler service.)서비스에서 (으)로 로그온할 수 없습니다. 

%%50

서비스가 올바르게 구성되었는지 확인하려면 MMC(Microsoft Management Console)에서 서비스 스냅인을 사용하십시오. (To check if the Service has been created correctly, use the service snap-in at MMC)


 

Error: (12/20/2015 02:36:44 PM) (Source: Service Control Manager) (EventID: 7032) (User: )

Description: Windows Search 서비스가 예기치 않게 종료된 후에 서비스 제어 관리자가 수정 작업(서비스 다시 시작)을 시도했으나, 다음 오류 때문에 이 작업이 실패했습니다. (After Windows Search Service has unexpectedly closed, attempted to restart the service; however, due to the following error, this action has failed)

%%1056

 

Error: (12/20/2015 02:36:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: Windows Modules Installer 서비스가 예기치 않게 1번 종료되었습니다. 120000밀리초 안에 다음 수정 작업을 합니다. 서비스 다시 시작. (Windows Modules Installer Service has unexpectedly shutdown once. Within 120000 milliseconds the editing process begins. Services restarted)


Error: (12/20/2015 02:36:14 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: NVIDIA Update Service Daemon 서비스가 예기치 않게 종료되었습니다. 이것이 1번째입니다. (NVIDIA update service Daemon unexpected shutdown. This is the first time)

 

Error: (12/20/2015 02:36:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: Windows Search 서비스가 예기치 않게 1번 종료되었습니다. 30000밀리초 안에 다음 수정 작업을 합니다. 서비스 다시 시작. (Windows Search Service has unexpectedly shutdown once. Within 3000 milliseconds the editing process begins. Services restarted)


Error: (12/20/2015 02:36:14 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: TsService 서비스가 예기치 않게 종료되었습니다. 이것이 1번째입니다. (TsService unexpected shutdown. This is the first time)

 

Error: (12/20/2015 02:36:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: Malwarebytes Anti-Exploit Service 서비스가 예기치 않게 1번 종료되었습니다. 120000밀리초 안에 다음 수정 작업을 합니다. 서비스 다시 시작.  (Malwarebytes Anti-Exploit Service has unexpectedly shutdown once. Within 120000 milliseconds the editing process begins. Services restarted)


Error: (12/20/2015 02:36:13 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: AVG Service 서비스가 예기치 않게 1번 종료되었습니다. 0밀리초 안에 다음 수정 작업을 합니다. 서비스 다시 시작. (AVG Service has unexpectedly shutdown once. Within 0 milliseconds the editing process begins. Services restarted)


 

CodeIntegrity:

===================================

  Date: 2015-03-12 21:10:21.593

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-12 21:08:43.203

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-11 18:59:28.765

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 22:03:34.484

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 20:10:52.556

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\ESTsoft\ALYac\plugin\realtime\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 20:10:52.353

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\ESTsoft\ALYac\plugin\realtime\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 20:10:52.150

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\ESTsoft\ALYac\plugin\realtime\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 20:10:51.947

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\ESTsoft\ALYac\plugin\realtime\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 20:10:51.759

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\ESTsoft\ALYac\plugin\realtime\bootalyac.exe because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 19:40:00.625

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\bootalyac.exe because the set of per-page image hashes could not be found on the system.

 

 

==================== Memory info =========================== 

 

Processor: AMD Phenom 8450 Triple-Core Processor

Percentage of memory in use: 45%

Total physical RAM: 3327.3 MB

Available physical RAM: 1801.96 MB

Total Virtual: 6652.92 MB

Available Virtual: 4889.73 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:97.66 GB) (Free:59.9 GB) NTFS ==>[drive with boot components (obtained from BCD)]

Drive d: (디스크) (Fixed) (Total:172.79 GB) (Free:0.01 GB) NTFS

Drive e: (새 볼륨) (Fixed) (Total:195.31 GB) (Free:147.35 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: DA08DCEB)

Partition 1: (Not Active) - (Size=172.8 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=195.3 GB) - (Type=07 NTFS)

Partition 3: (Active) - (Size=97.7 GB) - (Type=07 NTFS)

 

==================== End of Addition.txt ============================

 

There is some Korean in these logs, since I am Korean. So I have written the English next to the strange words, either inline or in brackets. I had them crossed out but then later, due to some problems, they disappeared. Sorry about that. This took like 3 hours. Hope that's fine. 

I saw some mysterious files and folders and such on AdwCleaner.... Hope you have some answers on how to get rid of them, as well as any noticeable malware and rootkits and all those nasty viruses!

 

If you got any questions regarding the Korean stuff, just ask me!

Cheers,

 

Angel11. 


Oh, I forgot to mention:

 

==================== Restore Points =========================
 
12-12-2015 15:08:06 Windows Update
14-12-2015 19:47:20 Windows 백업 - This refers to BACKUP
18-12-2015 15:38:47 Windows Update
19-12-2015 20:48:35 Windows Update
 
==================== Hosts content: ===============================
This is part of the FRST.txt.
 
And another thing - I do not have any illegal programs or things that I know of which I have downloaded onto this computer. Just saying. Some of the programs you see in this log you may not have heard of before, but I am sure you will know they are legal when you have looked into them further by googling them. 

To attach files or images etc., select the "More Reply Options" tab under the reply box; a new reply window will open. Select "Browse" to locate the file you want, double-click directly on that file to upload, then select "Attach This File" to do just that. Repeat if required...

 

Please do not alter any script in the logs, just leave them as they are produced; I have no problems with the Korean language. There are two security systems installed and active, AVG and Avast. That is counterproductive: two AV programs will clash and cause major issues for the operating system and each other. It is essential to remove one asap.... Your choice..

 

Avast removal tool - https://www.avast.com/uninstall-utility

 

AVG removal tool  - http://www.avg.com/us-en/utilities

 

Please use the removal tool for whichever AV you will remove.... only remove one, not both....

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

Next,

 

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://support.eset.com/kb2268/
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning



  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats



  • Press start scan
  • The scan will now commence



  • Once the scan has finished click open report <<<--- Do not miss this step



  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive, so please attach it to your next reply…

 

Next,

 

Run FRST one more time; ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan, and when done post the new logs....
 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin

 

 

 

 

Fixlist.txt
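As an added example (not part of this thread, and not code from Malwarebytes, FRST or any tool named above), the following PowerShell check lets a helper or the user confirm two points from the Addition.txt log above without waiting for the next FRST run: whether more than one antivirus product is still registered with Windows Security Center after one of AVG/Avast is removed, and whether the Service Control Manager (7031/7034) and VSS (12289/12297) errors listed in the log keep recurring after the cleanup. It assumes a client edition of Windows where the root/SecurityCenter2 WMI namespace exists (Vista and later; this namespace and the 30-day window are my assumptions, not something the thread states), and it must be run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

# Part 1: list every antivirus product registered with Windows Security Center.
# root/SecurityCenter2 is present on client Windows (Vista and later) but not on
# Server editions (assumption, see lead-in).
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        Select-Object displayName, productState, pathToSignedProductExe
}

$av = @(Get-RegisteredAntivirus)
Write-Host ("Registered antivirus products: {0}" -f $av.Count)
$av | Format-Table -AutoSize

if ($av.Count -gt 1) {
    # Two real-time scanners hook the same file-system and process activity and
    # will scan (and quarantine) each other's files; keep one, as advised above.
    Write-Warning "More than one antivirus product is registered. Remove all but one with the vendor's own removal tool."
}

# Part 2: pull the same event classes FRST reported, from the last 30 days
# (window is an assumption), so recurrence after the cleanup is visible rather
# than a one-off snapshot.
$since = (Get-Date).AddDays(-30)

# Service Control Manager 7031/7034: a service terminated unexpectedly. A burst of
# these at the same second (as at 02:36:14 in the log, when Windows Search,
# NVIDIA Update, TsService, Malwarebytes Anti-Exploit and AVG all stopped at once)
# points to a crash or hard power-off rather than individual service faults.
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue

$scm | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') } |
    Sort-Object Name -Descending |
    ForEach-Object {
        "{0}  {1} service(s) terminated unexpectedly" -f $_.Name, $_.Count
        $_.Group | ForEach-Object { "    " + $_.Message.Split("`n")[0].Trim() }
    }

# VSS 12289/12297: shadow-copy creation failed. In the log the flush-and-hold
# IOCTL was refused with 0x80070005 (access denied); System Restore (8193) and
# Windows Backup (4104) both sit on top of VSS, so those errors are downstream.
$vss = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'VSS'
    Id           = 12289, 12297
    StartTime    = $since
} -ErrorAction SilentlyContinue

"VSS failures in window: {0}" -f @($vss).Count
$vss | Select-Object TimeCreated, Id, @{ n = 'Volume'; e = {
        # Extract the \\?\Volume{GUID} the event refers to, if present.
        if ($_.Message -match '\\\\\?\\Volume\{[0-9a-f-]+\}') { $Matches[0] } else { '?' }
    } } | Format-Table -AutoSize
```

If the first part still shows two products after the removal tool has run, the removal is incomplete and the leftover product should be cleared before any further scanning; if the VSS count stays at zero after the cleanup, the earlier backup and restore-point failures were a symptom of the conflict rather than a separate problem.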

Hello Kevinf80, 

Thanks for your help. I have removed AVG, and attached four logs (.txt files) to this post.

I have another concern besides this problem. I noticed there were some files and folders which were not deleted during the scan by AdwCleaner (from the previous post). I will attach this log as well to this post, so you can tell me what is going on, whether it is a problem (e.g. a virus) and how to remove it, or whether it was removed during this process. (This is the last one which I have attached.)

For the last instruction (the new FRST.txt and Addition.txt), I did the scan in normal mode, not safe mode. 

Thank you again for your help!

Note: Also, after I removed AVG, the message saying that there is a problem with the rootkit driver DDA does not appear any more.... Is this a sign that everything is fine as well? But I still have doubts due to some strange things from AdwCleaner.

 

 

Fixlog.txt

cureit.log

Addition.txt

FRST.txt

AdwCleanerC1.txt


Continue as follows please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.
 

Next,

 

Please download Junkware Removal Tool to your desktop.
 

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan
Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

 

Post those logs, also let me know if any remaining issues or concerns...

 

Thank you,

 

Kevin

 

 

Fixlist.txt


Hello Kevin. 

 

Thanks for your reply. Just an update: I shut off the computer and turned it on again to follow the instructions. Just in case, I clicked on Malwarebytes again, and it did not give any message about the anti-rootkit DDA driver error. I thought this would be important for you to know, that I tried a second time, but it did not come up. 

 

Logs attached.

 

Thank you for your help. 

Fixlog.txt

JRT.txt

mrt.log


What is the current status of your system, any remaining issues or concerns.... If none clean up as follows:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

 

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make sure the following items are checked:

  • Remove disinfection tools
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...


 


Thank you very much Kevin for all your help! Hope that will delete all the malware, rootkits and other things on the computer.

I was just making sure for future reference: you earlier said to "Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop",

however, the browser did not allow me to do that straight away, so I moved the file to the desktop after it was downloaded. Is that fine? Also, some of the programs I did not put onto my desktop but just kept in Downloads. Is that fine also?

Whoops, and also I ran it not as an administrator by accident at first... just realised. I have downloaded the thing again and run it again.. I guess it's fine, right? But after doing that the process was much quicker. 

Before doing anything else you told me to do, I clicked on Malwarebytes Anti-Malware once, and it did not give me the message. The second time, it did not either. 

After following all the instructions, there are no messages about the anti-rootkit DDA driver error! So thank you again :)

 

Cheers!


It is no big deal where downloads are normally saved; it just makes it easier, when we help you, to have downloads go straight to your Desktop:

Change the download folder setting in the default browser so all tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser.
Choose Settings. At the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

MS's new browser "Edge" is a bit more intense for changes; information at the following link: http://www.thewindowsclub.com/change-default-download-location-edge

It was a pleasure to work with you; if you need help again in the future do not hesitate to come back.....

 

Regards,

 

Kevin....


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.