Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Bundespolizei trojan - Oldtimer log check request

Started by NK14 , Jun 20 2014 10:13 AM
bundespolizei trojan trojan oldtimer ransomware

  • Please log in to reply

#1
NK14
Posted 20 June 2014 - 10:13 AM

NK14

    New Member

  • Member
  • Pip
  • 2 posts

Hi everyone,

 

A couple of days ago my computer may have been infected with a version of the 'Bundespolizei' trojan – basically a German version of the FBI ransomware one which locks your computer/browser and demands that you pay €100 via a PaySafe card. Luckily, the version I encountered only froze my browser, and I eventually managed to close it. Since then, my computer has appeared to run without problems, although I haven't been using it for anything aside from word processing. I've run scans with ESET online, Spybot S+D, Avast!, Malwarebytes Anti-Malware, and AdwCleaner, all of which have found nothing aside from a couple of toolbars. As I'm not sure if this means I got lucky or if I'm missing something, I've run FRST and Oldtimer, and will post the logs below. The main thing I'm concerned about it the changes that Oldtimer shows were made to these two files roughly at the time of the attack:

 

06-18 12:32:35 | 000,674,062 | ---- | M] () -- C:\windows\System32\perfh009.dat

06-18 12:32:35 | 000,126,238 | ---- | M] () -- C:\windows\System32\perfc009.dat

 

As I have limited knowledge, I don't really know if this is something I need to be worried about or not. If anyone has time to look through the logs and let me know if there's anything else I should do, or whether it's safe to use my computer online again, I'd really appreciate it!

 

Thanks in advance,

Ryan

 

Oldtimer log:

 

gfile created on: 20-Jun-14 5:08:47 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Ry\Downloads
 Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17126)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy
 
1.99 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 46.29% Memory free
3.98 Gb Paging File | 2.41 Gb Available in Paging File | 60.62% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 100.00 Gb Total Space | 48.20 Gb Free Space | 48.20% Space Free | Partition Type: NTFS
Drive D: | 183.07 Gb Total Space | 39.60 Gb Free Space | 21.63% Space Free | Partition Type: NTFS
 
Computer Name: RY-PC | User Name: Ry | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014-06-20 16:59:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Ry\Downloads\OTL.exe
PRC - [2014-06-17 11:05:46 | 003,890,208 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\avastui.exe
PRC - [2014-05-12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
PRC - [2014-05-12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
PRC - [2014-05-12 07:24:34 | 006,970,168 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
PRC - [2014-05-08 20:37:20 | 000,050,344 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2014-01-20 00:18:37 | 001,171,968 | ---- | M] (Spotify Ltd) -- C:\Users\Ry\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2013-12-18 20:42:32 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013-10-24 00:39:14 | 001,017,224 | ---- | M] (Flux Software LLC) -- C:\Users\Ry\AppData\Local\FluxSoftware\Flux\flux.exe
PRC - [2013-08-02 02:52:57 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2013-03-27 14:02:42 | 002,447,888 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2013-03-27 13:31:18 | 000,073,832 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2012-11-23 04:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012-11-22 16:33:18 | 000,497,320 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2012-11-22 16:32:54 | 000,738,984 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2012-11-13 15:08:12 | 003,487,240 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
PRC - [2012-11-13 15:07:24 | 000,168,384 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2012-11-13 15:07:20 | 001,369,624 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2012-11-13 15:07:16 | 001,103,392 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2011-04-12 01:08:52 | 000,088,704 | ---- | M] (ASUS) -- C:\Program Files\Common Files\InstantOn\InsOnWMI.exe
PRC - [2011-03-11 03:05:54 | 001,095,080 | ---- | M] (AsusTek Computer Inc.) -- C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
PRC - [2011-03-04 01:33:20 | 000,101,288 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\Asus\HotkeyService\HotKeyMon.exe
PRC - [2011-03-04 01:33:14 | 000,224,680 | ---- | M] () -- C:\Windows\System32\AsusService.exe
PRC - [2011-03-04 01:33:12 | 001,252,272 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\Asus\HotkeyService\HotkeyService.exe
PRC - [2011-02-25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010-11-15 21:27:22 | 000,445,344 | ---- | M] (ASUS) -- C:\Program Files\Asus\CapsHook\CapsHook.exe
PRC - [2010-11-15 21:25:36 | 000,412,600 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\Asus\SHE\SuperHybridEngine.exe
PRC - [2010-05-21 22:42:48 | 000,828,704 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2010-05-21 22:42:48 | 000,652,576 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2009-06-09 10:56:00 | 000,099,632 | ---- | M] () -- C:\Program Files\Stardock\MyColors\WBVista.exe
PRC - [2009-06-09 10:55:58 | 000,230,704 | ---- | M] (Stardock Corporation) -- C:\Program Files\Stardock\MyColors\VistaSrv.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014-01-20 14:17:04 | 000,073,544 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2014-01-20 14:16:38 | 001,044,808 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2013-12-07 11:41:35 | 019,336,120 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\libcef.dll
MOD - [2012-01-09 20:43:31 | 001,149,952 | ---- | M] () -- C:\Program Files\WinRAR\WinRAR.exe
MOD - [2010-05-21 22:42:58 | 000,132,384 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2009-06-09 10:55:58 | 000,057,904 | ---- | M] () -- C:\Windows\System32\wbload.dll
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDWSCService)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDUpdateService)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDScannerService)
SRV - [2014-05-30 10:28:30 | 000,108,032 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\windows\System32\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV - [2014-05-14 10:31:22 | 000,257,712 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014-05-12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2014-05-12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2014-05-08 20:37:20 | 000,050,344 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2014-05-07 04:27:01 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013-12-18 20:42:32 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013-10-23 09:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013-05-27 06:57:27 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013-03-29 21:53:56 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013-03-27 14:02:42 | 002,447,888 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2012-11-22 16:33:18 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2012-01-29 21:13:06 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011-03-04 01:33:14 | 000,224,680 | ---- | M] () [Auto | Running] -- C:\Windows\System32\AsusService.exe -- (AsusService)
SRV - [2010-05-21 22:42:48 | 000,652,576 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2009-06-09 10:55:58 | 000,230,704 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Stardock\MyColors\VistaSrv.exe -- (WindowBlinds)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2014-06-20 15:39:14 | 000,110,296 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\MBAMSwissArmy.sys -- (MBAMSwissArmy)
DRV - [2014-05-19 01:36:03 | 000,777,488 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswsnx.sys -- (aswSnx)
DRV - [2014-05-19 01:36:03 | 000,411,680 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswsp.sys -- (aswSP)
DRV - [2014-05-19 01:36:03 | 000,068,312 | ---- | M] (AVAST Software) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\aswstm.sys -- (aswStm)
DRV - [2014-05-12 07:26:08 | 000,051,928 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV - [2014-05-12 07:25:54 | 000,023,256 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2014-05-08 20:37:39 | 000,180,632 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2014-05-08 20:37:39 | 000,049,944 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2014-05-08 20:37:38 | 000,081,768 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2014-05-08 20:37:38 | 000,067,824 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2014-05-08 20:37:38 | 000,024,184 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\aswHwid.sys -- (aswHwid)
DRV - [2013-03-25 15:41:44 | 000,065,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d)
DRV - [2012-12-13 12:49:38 | 000,454,744 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
DRV - [2012-11-22 16:33:30 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2010-11-20 12:24:42 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010-11-20 12:24:42 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010-11-20 11:59:46 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010-09-27 09:23:58 | 000,068,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C)
DRV - [2010-08-03 07:20:56 | 000,011,832 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsUpIO.sys -- (AsUpIO)
DRV - [2010-06-28 07:24:00 | 000,011,456 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsIO.sys -- (AsIO)
DRV - [2009-12-30 11:21:18 | 000,027,192 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\revoflt.sys -- (Revoflt)
DRV - [2009-07-22 06:14:58 | 000,081,704 | ---- | M] (CyberLink) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wsvd.sys -- (wsvd)
DRV - [2009-07-20 11:29:40 | 000,013,880 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\kbfiltr.sys -- (kbfiltr)
DRV - [2009-07-14 02:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2009-07-14 02:14:49 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2009-07-14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009-07-14 01:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009-07-14 00:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009-02-24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008-05-06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wdcsam.sys -- (WDC_SAM)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://eeepc.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://eeepc.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...=&tstsId=&ver=
IE - HKCU\..\SearchScopes,DefaultScope = 
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{F8C4CA46-2221-493A-9966-1A8A9B1E33E2}: "URL" = http://search.zoneal...Id=&ver=&&r=409
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:29.0.1
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.55.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.55.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Ry\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Ry\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Ry\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Ry\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-05-08 20:37:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 29.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 29.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\WordWeb\WCaptureMoz [2012-05-16 16:22:54 | 000,000,000 | ---D | M]
 
[2014-05-27 17:07:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ry\AppData\Roaming\Mozilla\Extensions
[2012-02-12 23:33:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ry\AppData\Roaming\Mozilla\Firefox\extensions
[2012-02-12 23:33:40 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Users\Ry\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
[2013-05-21 13:19:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2014-05-27 17:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014-05-27 17:05:11 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: 
CHR - plugin: Error reading preferences file
CHR - Extension: Google Voice Search Hotword (Beta) = C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5019_1\
CHR - Extension: Adblock Plus = C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.8.3_0\
CHR - Extension: avast! Online Security = C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2018.95_1\
CHR - Extension: The Great Suspender = C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg\4.74_0\
CHR - Extension: Google Wallet = C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_1\
 
O1 HOSTS File: ([2013-09-17 19:52:21 | 000,449,438 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 15429 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ASUSPRP] C:\Program Files\Asus\APRP\aprp.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CapsHook] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [HotkeyMon] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [HotkeyService] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [LiveUpdate] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [SuperHybridEngine] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [f.lux] C:\Users\Ry\AppData\Local\FluxSoftware\Flux\flux.exe (Flux Software LLC)
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Ry\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O4 - HKCU..\Run: [Spybot-S&D Cleaning] C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.55.2)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.55.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7ED27E93-A938-4C88-869D-3EA98C33CB8D}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-06-10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014-06-20 15:20:54 | 000,000,000 | ---D | C] -- C:\FRST
[2014-06-18 15:17:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2014-06-18 13:38:21 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014-06-18 13:28:21 | 000,110,296 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\MBAMSwissArmy.sys
[2014-06-18 13:27:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2014-06-18 13:27:19 | 000,074,456 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamchameleon.sys
[2014-06-18 13:27:19 | 000,051,928 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mwac.sys
[2014-06-18 13:27:19 | 000,023,256 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2014-06-18 13:27:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes Anti-Malware
[2014-06-18 13:27:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014-06-12 00:30:10 | 000,032,256 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\JavaScriptCollectionAgent.dll
[2014-06-12 00:30:09 | 000,108,032 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieetwcollector.exe
[2014-06-12 00:30:09 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieetwproxystub.dll
[2014-06-12 00:30:07 | 000,646,144 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\MsSpellCheckingFacility.exe
[2014-06-12 00:30:02 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieUnatt.exe
[2014-06-12 00:30:02 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll
[2014-06-12 00:30:01 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll
[2014-06-12 00:30:01 | 000,368,128 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dxtmsft.dll
[2014-06-12 00:30:01 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iernonce.dll
[2014-06-12 00:30:00 | 002,724,864 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mshtml.tlb
[2014-06-12 00:29:57 | 001,964,544 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\inetcpl.cpl
[2014-06-12 00:29:56 | 000,164,864 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msrating.dll
[2014-06-12 00:29:55 | 000,595,968 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ie4uinit.exe
[2014-06-12 00:29:54 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iesetup.dll
[2014-06-12 00:29:52 | 000,704,512 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieapfltr.dll
[2014-06-12 00:29:52 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieetwcollectorres.dll
[2014-06-12 00:29:47 | 000,242,688 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dxtrans.dll
[2014-06-12 00:29:46 | 000,440,832 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieui.dll
[2014-06-12 00:29:38 | 001,068,032 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mshtmlmedia.dll
[2014-06-12 00:29:32 | 000,592,896 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jscript9diag.dll
[2014-06-12 00:29:24 | 004,244,992 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jscript9.dll
[2014-06-11 11:11:51 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msxml6r.dll
[2014-06-11 11:11:51 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msxml3r.dll
[2014-06-11 11:11:45 | 000,187,840 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\drivers\FWPKCLNT.SYS
[2014-06-11 11:11:42 | 000,391,680 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\aepdu.dll
[2014-06-11 11:11:39 | 000,302,592 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\aeinv.dll
[2014-05-27 17:06:35 | 000,000,000 | ---D | C] -- C:\Users\Ry\AppData\Local\Mozilla
[2014-05-27 17:06:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2014-05-27 17:06:11 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014-06-20 16:47:04 | 000,000,896 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2572986754-2421115835-1037706739-1000UA.job
[2014-06-20 16:30:02 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2014-06-20 15:39:14 | 000,110,296 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\MBAMSwissArmy.sys
[2014-06-20 13:23:28 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014-06-20 13:23:28 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014-06-20 13:13:42 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2014-06-20 13:13:39 | 1602,838,528 | -HS- | M] () -- C:\hiberfil.sys
[2014-06-20 01:58:22 | 000,000,844 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2572986754-2421115835-1037706739-1000Core.job
[2014-06-18 15:02:49 | 000,000,969 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014-06-18 13:27:35 | 000,001,064 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014-06-18 12:32:35 | 000,674,062 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2014-06-18 12:32:35 | 000,126,238 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2014-06-13 20:38:56 | 000,002,315 | ---- | M] () -- C:\Users\Ry\Desktop\Google Chrome.lnk
[2014-06-09 14:15:08 | 004,915,617 | ---- | M] () -- C:\Users\Ry\117578_Cambridge_English_First__FCE__Handbook.pdf
[2014-06-08 10:48:16 | 000,391,680 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\aepdu.dll
[2014-06-08 10:43:43 | 000,302,592 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\aeinv.dll
[2014-05-30 11:02:39 | 002,724,864 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\mshtml.tlb
[2014-05-30 11:02:03 | 000,004,096 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieetwcollectorres.dll
[2014-05-30 10:43:06 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\iesetup.dll
[2014-05-30 10:42:16 | 000,051,200 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieetwproxystub.dll
[2014-05-30 10:34:17 | 000,043,008 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll
[2014-05-30 10:33:48 | 000,032,768 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\iernonce.dll
[2014-05-30 10:30:43 | 000,440,832 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieui.dll
[2014-05-30 10:28:33 | 000,112,128 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieUnatt.exe
[2014-05-30 10:28:30 | 000,108,032 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieetwcollector.exe
[2014-05-30 10:27:56 | 000,592,896 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\jscript9diag.dll
[2014-05-30 10:21:36 | 000,646,144 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MsSpellCheckingFacility.exe
[2014-05-30 10:16:26 | 000,368,128 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dxtmsft.dll
[2014-05-30 10:10:46 | 000,032,256 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\JavaScriptCollectionAgent.dll
[2014-05-30 10:06:06 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\msrating.dll
[2014-05-30 10:02:32 | 000,242,688 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\dxtrans.dll
[2014-05-30 09:57:16 | 000,595,968 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ie4uinit.exe
[2014-05-30 09:56:50 | 004,244,992 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\jscript9.dll
[2014-05-30 09:54:14 | 000,526,336 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll
[2014-05-30 09:50:09 | 001,068,032 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\mshtmlmedia.dll
[2014-05-30 09:49:38 | 001,964,544 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\inetcpl.cpl
[2014-05-30 09:13:47 | 000,704,512 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\ieapfltr.dll
[2014-05-27 17:06:22 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014-06-18 13:27:35 | 000,001,064 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014-06-09 14:12:52 | 004,915,617 | ---- | C] () -- C:\Users\Ry\117578_Cambridge_English_First__FCE__Handbook.pdf
[2014-05-27 17:06:22 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2014-05-27 17:06:21 | 000,001,121 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2014-05-08 20:37:50 | 000,024,184 | ---- | C] () -- C:\windows\System32\drivers\aswHwid.sys
[2014-02-18 23:23:13 | 075,719,201 | ---- | C] () -- C:\Users\Ry\Murphy_R_English_Grammar_in_Use.pdf
[2013-11-26 12:29:05 | 000,403,540 | ---- | C] () -- C:\Users\Ry\writing an academic paper - workbook two.pdf
[2013-11-25 23:30:23 | 000,001,769 | ---- | C] () -- C:\windows\Language_trs.ini
[2013-11-20 19:52:32 | 000,000,419 | ---- | C] () -- C:\windows\BRWMARK.INI
[2013-11-20 18:16:06 | 000,000,050 | ---- | C] () -- C:\windows\System32\bridf08b.dat
[2013-05-21 13:54:11 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2013-04-28 08:47:35 | 000,180,632 | ---- | C] () -- C:\windows\System32\drivers\aswVmm.sys
[2013-04-28 08:47:35 | 000,049,944 | ---- | C] () -- C:\windows\System32\drivers\aswRvrt.sys
[2013-04-05 10:10:20 | 001,082,595 | ---- | C] () -- C:\Users\Ry\scan0007.pdf
[2012-05-30 11:56:05 | 000,000,355 | ---- | C] () -- C:\Users\Ry\Favorites - Shortcut.lnk
[2011-04-21 02:56:11 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe
 
========== ZeroAccess Check ==========
 
[2009-07-14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014-03-25 04:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-20 14:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009-07-14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Files - Unicode (All) ==========
[2014-05-30 15:38:39 | 000,000,000 | ---D | M](C:\Users\Ry\Documents\Stories?Ideas?Beginnings) -- C:\Users\Ry\Documents\StoriesIdeasBeginnings
[2012-01-31 01:27:29 | 000,000,000 | ---D | C](C:\Users\Ry\Documents\Stories?Ideas?Beginnings) -- C:\Users\Ry\Documents\StoriesIdeasBeginnings
[2012-01-28 21:32:09 | 000,000,059 | ---- | M] ()(C:\windows\System32\?G) -- C:\windows\System32\Ǧ
[2012-01-28 21:32:09 | 000,000,059 | ---- | C] ()(C:\windows\System32\?G) -- C:\windows\System32\Ǧ
 
< End of report >
 

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:16-06-2014
Ran by Ry (administrator) on RY-PC on 20-06-2014 15:21:32
Running from E:\
Platform: Microsoft Windows 7 Starter  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Stardock Corporation) C:\Program Files\Stardock\MyColors\VistaSrv.exe
() C:\Program Files\Stardock\MyColors\WBVista.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Check Point Software Technologies LTD) C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Windows\System32\AsusService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ASUS) C:\Program Files\Asus\CapsHook\CapsHook.exe
(ASUSTeK Computer Inc.) C:\Program Files\Asus\HotkeyService\HotkeyService.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(AsusTek Computer Inc.) C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
(ASUSTeK Computer Inc.) C:\Program Files\Asus\HotkeyService\HotKeyMon.exe
(ASUSTeK Computer Inc.) C:\Program Files\Asus\SHE\SuperHybridEngine.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(ASUS) C:\Program Files\Common Files\InstantOn\InsOnWMI.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Flux Software LLC) C:\Users\Ry\AppData\Local\FluxSoftware\Flux\flux.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Spotify Ltd) C:\Users\Ry\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [HotkeyMon] => C:\Program Files\ASUS\HotkeyService\HotKeyMon.exe [101288 2011-03-04] (ASUSTeK Computer Inc.)
HKLM\...\Run: [HotkeyService] => C:\Program Files\ASUS\HotkeyService\HotkeyService.exe [1252272 2011-03-04] (ASUSTeK Computer Inc.)
HKLM\...\Run: [SuperHybridEngine] => C:\Program Files\ASUS\SHE\SuperHybridEngine.exe [412600 2010-11-15] (ASUSTeK Computer Inc.)
HKLM\...\Run: [LiveUpdate] => C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe [1095080 2011-03-11] (AsusTek Computer Inc.)
HKLM\...\Run: [CapsHook] => C:\Program Files\ASUS\CapsHook\CapsHook.exe [445344 2010-11-15] (ASUS)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9722472 2010-08-24] (Realtek Semiconductor)
HKLM\...\Run: [ASUSPRP] => C:\Program Files\ASUS\APRP\APRP.EXE [2018032 2011-04-21] (ASUSTek Computer Inc.)
HKLM\...\Run: [ZoneAlarm] => C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [73832 2013-03-27] (Check Point Software Technologies LTD)
HKLM\...\Run: [ISW] => C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [738984 2012-11-22] (Check Point Software Technologies)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3890208 2014-06-17] (AVAST Software)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-2572986754-2421115835-1037706739-1000\...\Run: [f.lux] => C:\Users\Ry\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-21-2572986754-2421115835-1037706739-1000\...\Run: [Spotify Web Helper] => C:\Users\Ry\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1171968 2014-01-20] (Spotify Ltd)
HKU\S-1-5-21-2572986754-2421115835-1037706739-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [3713032 2012-11-13] (Safer-Networking Ltd.)
HKU\S-1-5-21-2572986754-2421115835-1037706739-1000\...\Run: [Google Update] => C:\Users\Ry\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Stardock MyColors.lnk
ShortcutTarget: Stardock MyColors.lnk -> C:\Program Files\Stardock\MyColors\SDDelayedLaunch.exe ()
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconPackager.lnk
ShortcutTarget: IconPackager.lnk -> C:\Program Files\Stardock\MyColors\IconPackager.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconPackager.lnk
ShortcutTarget: IconPackager.lnk -> C:\Program Files\Stardock\MyColors\IconPackager.exe (Stardock Corporation)
BootExecute: autocheck autochk * sdnclean.exe
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...=&tstsId=&ver=
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://eeepc.asus.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://eeepc.asus.com
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {F8C4CA46-2221-493A-9966-1A8A9B1E33E2} URL = http://search.zoneal...Id=&ver=&&r=409
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKCU - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
 
FireFox:
========
FF ProfilePath: C:\Users\Ry\AppData\Roaming\Mozilla\Firefox\Profiles\adtobpp2.default
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Ry\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Ry\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Ry\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Ry\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-01-29]
FF HKCU\...\Firefox\Extensions: [[email protected]] - C:\Program Files\WordWeb\WCaptureMoz
FF Extension: WordWeb one-click lookup - C:\Program Files\WordWeb\WCaptureMoz [2012-05-16]
 
Chrome: 
=======
CHR HomePage: 
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (Adblock Plus) - C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-06-01]
CHR Extension: (avast! Online Security) - C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-04-29]
CHR Extension: (The Great Suspender) - C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2014-06-16]
CHR Extension: (Google Wallet) - C:\Users\Ry\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-05-08]
CHR HKLM\...\Chrome\Extension: [mjdepfkicdcciagbigfcmdhknnoaaegf] - C:\Program Files\WordWeb\wcxChrome.crx [2012-05-16]
CHR StartMenuInternet: Google Chrome - C:\Users\Ry\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
R2 AsusService; C:\windows\system32\AsusService.exe [224680 2011-03-04] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-05-08] (AVAST Software)
R2 IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [497320 2012-11-22] (Check Point Software Technologies)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
R2 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [2447888 2013-03-27] (Check Point Software Technologies LTD)
R2 WindowBlinds; C:\Program Files\Stardock\MyColors\VistaSrv.exe [230704 2009-06-09] (Stardock Corporation)
 
==================== Drivers (Whitelisted) ====================
 
R1 AsIO; C:\windows\System32\drivers\AsIO.sys [11456 2010-06-28] ()
R1 AsUpIO; C:\windows\System32\drivers\AsUpIO.sys [11832 2010-08-03] ()
R2 aswHwid; C:\windows\system32\drivers\aswHwid.sys [24184 2014-05-08] ()
R2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [67824 2014-05-08] (AVAST Software)
R1 aswRdr; C:\windows\system32\drivers\aswRdr2.sys [81768 2014-05-08] (AVAST Software)
R0 aswRvrt; C:\windows\system32\Drivers\aswRvrt.sys [49944 2014-05-08] ()
R1 aswSnx; C:\windows\system32\drivers\aswSnx.sys [777488 2014-05-19] (AVAST Software)
R1 aswSP; C:\windows\system32\drivers\aswSP.sys [411680 2014-05-19] (AVAST Software)
R2 aswStm; C:\windows\system32\drivers\aswStm.sys [68312 2014-05-19] (AVAST Software)
R0 aswVmm; C:\windows\system32\Drivers\aswVmm.sys [180632 2014-05-08] ()
S3 btwampfl; C:\windows\System32\drivers\btwampfl.sys [293928 2010-05-21] (Broadcom Corporation.)
R3 ETD; C:\windows\System32\DRIVERS\ETD.sys [109960 2010-04-13] (ELAN Microelectronic Corp.)
R2 ISWKL; C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [27056 2012-11-22] (Check Point Software Technologies)
R3 kbfiltr; C:\windows\System32\DRIVERS\kbfiltr.sys [13880 2009-07-20] ( )
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-06-20] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
R3 mcdbus; C:\windows\System32\DRIVERS\mcdbus.sys [116736 2009-02-24] (MagicISO, Inc.) [File not signed]
R1 Vsdatant; C:\windows\System32\DRIVERS\vsdatant.sys [454744 2012-12-13] (Check Point Software Technologies LTD)
S3 wsvd; C:\windows\System32\DRIVERS\wsvd.sys [81704 2009-07-22] (CyberLink)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-20 15:20 - 2014-06-20 15:21 - 00000000 ____D () C:\FRST
2014-06-20 13:13 - 2014-06-20 13:13 - 00000056 _____ () C:\windows\setupact.log
2014-06-20 13:13 - 2014-06-20 13:13 - 00000000 _____ () C:\windows\setuperr.log
2014-06-18 17:02 - 2014-06-18 17:02 - 00001705 _____ () C:\Users\Ry\Documents\ESET scan - 18.6.14.txt
2014-06-18 15:17 - 2014-06-18 15:17 - 00000000 ____D () C:\Program Files\ESET
2014-06-18 15:16 - 2014-06-18 15:16 - 02347384 _____ (ESET) C:\Users\Ry\Downloads\esetsmartinstaller_enu.exe
2014-06-18 15:00 - 2014-06-18 15:01 - 04748896 _____ (Piriform Ltd) C:\Users\Ry\Downloads\ccsetup414.exe
2014-06-18 13:38 - 2014-06-18 13:48 - 00000000 ____D () C:\AdwCleaner
2014-06-18 13:28 - 2014-06-20 13:44 - 00110296 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-18 13:27 - 2014-06-18 13:27 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-18 13:27 - 2014-06-18 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-18 13:27 - 2014-06-18 13:27 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-18 13:27 - 2014-06-18 13:27 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-06-18 13:27 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2014-06-18 13:27 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-06-18 13:27 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2014-06-18 12:49 - 2014-06-18 12:49 - 01333465 _____ () C:\Users\Ry\Downloads\adwcleaner_3.212.exe
2014-06-18 12:49 - 2014-06-18 12:49 - 01016261 _____ (Thisisu) C:\Users\Ry\Downloads\JRT.exe
2014-06-18 12:43 - 2014-06-18 12:44 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Ry\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-12 00:30 - 2014-05-30 11:02 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-06-12 00:30 - 2014-05-30 10:42 - 00051200 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-06-12 00:30 - 2014-05-30 10:34 - 00043008 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-06-12 00:30 - 2014-05-30 10:33 - 00032768 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-06-12 00:30 - 2014-05-30 10:28 - 00112128 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-06-12 00:30 - 2014-05-30 10:28 - 00108032 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-06-12 00:30 - 2014-05-30 10:21 - 00646144 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-06-12 00:30 - 2014-05-30 10:16 - 00368128 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-06-12 00:30 - 2014-05-30 10:10 - 00032256 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-06-12 00:30 - 2014-05-30 09:54 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-06-12 00:30 - 2014-05-30 09:15 - 01143296 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-06-12 00:29 - 2014-05-30 11:18 - 17271296 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-06-12 00:29 - 2014-05-30 11:02 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-06-12 00:29 - 2014-05-30 10:44 - 00455168 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-06-12 00:29 - 2014-05-30 10:43 - 00061952 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-06-12 00:29 - 2014-05-30 10:38 - 02179072 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-06-12 00:29 - 2014-05-30 10:30 - 00440832 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-06-12 00:29 - 2014-05-30 10:27 - 00592896 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-06-12 00:29 - 2014-05-30 10:06 - 00164864 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-06-12 00:29 - 2014-05-30 10:04 - 00069632 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-06-12 00:29 - 2014-05-30 10:02 - 00242688 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-06-12 00:29 - 2014-05-30 09:57 - 00595968 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-06-12 00:29 - 2014-05-30 09:56 - 04244992 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-06-12 00:29 - 2014-05-30 09:50 - 01068032 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-06-12 00:29 - 2014-05-30 09:49 - 01964544 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-06-12 00:29 - 2014-05-30 09:40 - 11725312 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-06-12 00:29 - 2014-05-30 09:21 - 01790976 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-06-12 00:29 - 2014-05-30 09:13 - 00704512 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-06-11 11:11 - 2014-06-08 10:48 - 00391680 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-06-11 11:11 - 2014-06-08 10:43 - 00302592 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-06-11 11:11 - 2014-04-25 04:06 - 00626688 _____ (Microsoft Corporation) C:\windows\system32\usp10.dll
2014-06-11 11:11 - 2014-04-05 04:25 - 01294272 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2014-06-11 11:11 - 2014-04-05 04:24 - 00187840 _____ (Microsoft Corporation) C:\windows\system32\Drivers\FWPKCLNT.SYS
2014-06-11 11:11 - 2014-03-26 16:27 - 01389056 _____ (Microsoft Corporation) C:\windows\system32\msxml6.dll
2014-06-11 11:11 - 2014-03-26 16:27 - 01237504 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2014-06-11 11:11 - 2014-03-26 16:25 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\msxml6r.dll
2014-06-11 11:11 - 2014-03-26 16:25 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\msxml3r.dll
2014-06-09 16:20 - 2014-06-09 16:26 - 69917065 _____ () C:\Users\Ry\Downloads\niggas-on-the-moon.zip
2014-05-27 17:06 - 2014-05-27 17:07 - 00000000 ____D () C:\Users\Ry\AppData\Local\Mozilla
2014-05-27 17:06 - 2014-05-27 17:06 - 00001121 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-05-27 17:06 - 2014-05-27 17:06 - 00001109 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-05-27 17:06 - 2014-05-27 17:06 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-27 17:06 - 2014-05-27 17:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
 
==================== One Month Modified Files and Folders =======
 
2014-06-20 15:22 - 2012-01-28 21:29 - 00000000 ____D () C:\Users\Ry\AppData\Local\Temp
2014-06-20 15:21 - 2014-06-20 15:20 - 00000000 ____D () C:\FRST
2014-06-20 15:17 - 2012-01-29 12:24 - 01810063 _____ () C:\windows\WindowsUpdate.log
2014-06-20 14:47 - 2012-07-15 00:02 - 00000896 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2572986754-2421115835-1037706739-1000UA.job
2014-06-20 14:30 - 2013-12-28 12:38 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-06-20 13:44 - 2014-06-18 13:28 - 00110296 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-20 13:23 - 2009-07-14 06:34 - 00009696 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-20 13:23 - 2009-07-14 06:34 - 00009696 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-20 13:14 - 2009-07-14 06:53 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-06-20 13:13 - 2014-06-20 13:13 - 00000056 _____ () C:\windows\setupact.log
2014-06-20 13:13 - 2014-06-20 13:13 - 00000000 _____ () C:\windows\setuperr.log
2014-06-20 01:58 - 2012-07-15 00:02 - 00000844 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2572986754-2421115835-1037706739-1000Core.job
2014-06-18 17:02 - 2014-06-18 17:02 - 00001705 _____ () C:\Users\Ry\Documents\ESET scan - 18.6.14.txt
2014-06-18 15:17 - 2014-06-18 15:17 - 00000000 ____D () C:\Program Files\ESET
2014-06-18 15:16 - 2014-06-18 15:16 - 02347384 _____ (ESET) C:\Users\Ry\Downloads\esetsmartinstaller_enu.exe
2014-06-18 15:02 - 2012-07-05 23:18 - 00000969 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-06-18 15:02 - 2012-01-29 21:49 - 00000000 ____D () C:\Program Files\CCleaner
2014-06-18 15:01 - 2014-06-18 15:00 - 04748896 _____ (Piriform Ltd) C:\Users\Ry\Downloads\ccsetup414.exe
2014-06-18 13:51 - 2012-01-28 23:16 - 00000000 ____D () C:\Users\Ry\AppData\Roaming\CheckPoint
2014-06-18 13:48 - 2014-06-18 13:38 - 00000000 ____D () C:\AdwCleaner
2014-06-18 13:27 - 2014-06-18 13:27 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-18 13:27 - 2014-06-18 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-18 13:27 - 2014-06-18 13:27 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-18 13:27 - 2014-06-18 13:27 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-06-18 12:49 - 2014-06-18 12:49 - 01333465 _____ () C:\Users\Ry\Downloads\adwcleaner_3.212.exe
2014-06-18 12:49 - 2014-06-18 12:49 - 01016261 _____ (Thisisu) C:\Users\Ry\Downloads\JRT.exe
2014-06-18 12:44 - 2014-06-18 12:43 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Ry\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-18 12:32 - 2009-07-27 12:11 - 00797890 _____ () C:\windows\system32\PerfStringBackup.INI
2014-06-18 01:38 - 2009-07-14 04:37 - 00000000 ____D () C:\windows\rescache
2014-06-16 14:21 - 2012-01-28 21:29 - 00000000 ____D () C:\Users\Ry
2014-06-13 20:38 - 2012-07-15 00:03 - 00002315 _____ () C:\Users\Ry\Desktop\Google Chrome.lnk
2014-06-13 13:32 - 2012-01-29 10:50 - 00000000 ____D () C:\Users\Ry\AppData\Roaming\Skype
2014-06-11 23:06 - 2014-05-07 11:27 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-06-11 12:28 - 2013-07-23 23:45 - 00000000 ____D () C:\windows\system32\MRT
2014-06-11 12:22 - 2012-05-16 16:04 - 92708840 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-06-10 14:51 - 2013-11-27 10:01 - 00000000 ____D () C:\Users\Ry\Documents\Freie Universität
2014-06-09 23:51 - 2009-07-14 04:37 - 00000000 ____D () C:\windows\system32\NDF
2014-06-09 23:14 - 2012-02-15 14:45 - 00000000 ____D () C:\Users\Ry\AppData\Roaming\vlc
2014-06-09 13:28 - 2013-03-19 14:27 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-06-08 10:48 - 2014-06-11 11:11 - 00391680 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-06-08 10:43 - 2014-06-11 11:11 - 00302592 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-05-30 15:38 - 2012-01-31 01:27 - 00000000 ____D () C:\Users\Ry\Documents\StoriesIdeasBeginnings
2014-05-30 11:18 - 2014-06-12 00:29 - 17271296 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-05-30 11:02 - 2014-06-12 00:30 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-05-30 11:02 - 2014-06-12 00:29 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-05-30 10:44 - 2014-06-12 00:29 - 00455168 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-05-30 10:43 - 2014-06-12 00:29 - 00061952 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-05-30 10:42 - 2014-06-12 00:30 - 00051200 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-05-30 10:38 - 2014-06-12 00:29 - 02179072 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-05-30 10:34 - 2014-06-12 00:30 - 00043008 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-05-30 10:33 - 2014-06-12 00:30 - 00032768 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-05-30 10:30 - 2014-06-12 00:29 - 00440832 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-05-30 10:28 - 2014-06-12 00:30 - 00112128 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-05-30 10:28 - 2014-06-12 00:30 - 00108032 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-05-30 10:27 - 2014-06-12 00:29 - 00592896 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-05-30 10:21 - 2014-06-12 00:30 - 00646144 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-05-30 10:16 - 2014-06-12 00:30 - 00368128 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-05-30 10:10 - 2014-06-12 00:30 - 00032256 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-05-30 10:06 - 2014-06-12 00:29 - 00164864 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-05-30 10:04 - 2014-06-12 00:29 - 00069632 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-05-30 10:02 - 2014-06-12 00:29 - 00242688 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-05-30 09:57 - 2014-06-12 00:29 - 00595968 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-05-30 09:56 - 2014-06-12 00:29 - 04244992 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-05-30 09:54 - 2014-06-12 00:30 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-05-30 09:50 - 2014-06-12 00:29 - 01068032 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-05-30 09:49 - 2014-06-12 00:29 - 01964544 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-05-30 09:40 - 2014-06-12 00:29 - 11725312 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-05-30 09:21 - 2014-06-12 00:29 - 01790976 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-05-30 09:15 - 2014-06-12 00:30 - 01143296 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-05-30 09:13 - 2014-06-12 00:29 - 00704512 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-05-27 17:07 - 2014-05-27 17:06 - 00000000 ____D () C:\Users\Ry\AppData\Local\Mozilla
2014-05-27 17:07 - 2012-02-12 23:33 - 00000000 ____D () C:\Users\Ry\AppData\Roaming\Mozilla
2014-05-27 17:06 - 2014-05-27 17:06 - 00001121 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-05-27 17:06 - 2014-05-27 17:06 - 00001109 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-05-27 17:06 - 2014-05-27 17:06 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-27 17:06 - 2014-05-27 17:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-05-27 17:06 - 2013-05-21 13:19 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-27 14:00 - 2012-10-26 14:36 - 00000000 ____D () C:\Users\Ry\Documents\Tickets
 
Some content of TEMP:
====================
C:\Users\Ry\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\windows\explorer.exe => File is digitally signed
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-18 01:29
 
==================== End Of Log ============================

  • 0

Advertisements

#2
RKinner
Posted 21 June 2014 - 08:33 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

No sign of infection other than these two suspicious lines:

 

[2012-01-28 21:32:09 | 000,000,059 | ---- | M] ()(C:\windows\System32\?G) -- C:\windows\System32\Ǧ
[2012-01-28 21:32:09 | 000,000,059 | ---- | C] ()(C:\windows\System32\?G) -- C:\windows\System32\Ǧ
 
and some deadwood:
 
 
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Ry\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll File not found


O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.55.2)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.55.2)

O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
 
Let's run OTL to clean them up:
 
Copy the text in the code box by highlighting and Ctrl + c

:OTL
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Ry\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.55.2)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.55.2)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
[2012-01-28 21:32:09 | 000,000,059 | ---- | M] ()(C:\windows\System32\?G) -- C:\windows\System32\Ǧ
[2012-01-28 21:32:09 | 000,000,059 | ---- | C] ()(C:\windows\System32\?G) -- C:\windows\System32\Ǧ

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]

then Rightclick on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
It appears that Old Timer is now hiding the log in c:\_OTL\MovedFiles\06212014-some number.log so look there if you don't see it.
 
 
 

The two files you are worried about are performance counter files.  There is a nice article on them at http://networkadmink...e-counters.aspx

You could run perfmon and see if it still works OK.

How to run perfmon here:  http://blogs.msdn.co...-windows-7.aspx

 

You might want to install CryptoPrevent to prevent a reinfection.

http://www.foolishIT.../cryptoprevent/

The free version does not update on its own so you should check for updated versions once in a while.  You will see what it does if you run FRST again.
 

Have you run an Avast boot-time scan?  Takes a long time so I usually run it at night:

 

First mute the speakers so it won't wake you up when Windows loads.  Click on the Orange ball.  Click on Scans.  Change Quickscan to Boot-time Scan.  Click on Settings.  Where it says Heuristic Sensitivity click on the last rectangle so that all of them are  orange and it says High.  Check both boxes.  Then change When a threat is found ... to:  Move to Chest.  OK.  Now click on Start.  Close the Avast window and then reboot.  The scan will start.  It will tell you where it will save the report.  Usually it's
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.  When Windows loads Click on the Orange Ball then Scan, Then Scan History (at the bottom of the page). Click on the last scan and then Detailed Report.  If it found anything then open the aswBoot.txt file and copy and paste it.  If you can't find it then take a screen shot of the Detailed Report:


  • 0

#3
NK14
Posted 24 June 2014 - 04:06 PM

NK14

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts

Hi RKinner,

 

Thanks for all your help and advice. I did what you suggested, and everything seems to be fine. Avast! Boot Time Scan didn't find anything, and I've posted the OTL fix log below. Thanks again.

 

OTL log:

 

========== OTL ==========

Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon\ deleted successfully.
C:\Windows\System32\Ǧ moved successfully.
File C:\windows\System32\Ǧ not found.
========== COMMANDS ==========
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
->Flash cache emptied: 343 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Public
 
User: Ry
->Flash cache emptied: 887 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
 
[EMPTYJAVA]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Public
 
User: Ry
->Java cache emptied: 46793836 bytes
 
Total Java Files Cleaned = 45.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 06222014_141931

  • 0

#4
RKinner
Posted 24 June 2014 - 11:37 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

I think you were lucky and caught it before it got in too deep.

 

I would clean up System Restore to make sure Windows didn't keep a copy somewhere:

 

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
Right click on OTL and Run As Administrator.   In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.



OTL has a cleanup tab but DO NOT USE IT!.  There are reports that it leaves the PC unbootable.  Instead just delete  OTL.exe and the folder c:\_OTL.

To hide hidden files again:

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the  checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions.

Unless you have the latest version of Avast which has its own update checker:  To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it.  Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
 Seems to work best if Firefox is the default browser.  Windows always hides its icon so you need to unhide it.  Click on the up arrow to the left of the clock.  Then click on Customize.  Maximize the window so you can see all of the options.  Scroll Down and find the File Hippo UpdateChecker and change its Behaviors to Show Icon and Notifications.  OK.  When you reboot you should see the icon.  It will take it a minute to finish checking then it will put up a bubble if you need to update something. Click on the bubble and it should open in your browser.  (Seems to work best if it uses Firefox.  If you do not use Firefox as your default browser then right click on the icon and click on Settings. Then on Results.  Change the Open Results in Default Browser to Custom Browser and then select the line that has Firefox.exe in it.  While there, also check Hide Beta Versions.  OK. )  You will see a list of programs that have updates with green down arrows next to them.  You do not need to download any Beta Versions.  There is an option Settings to Hide Beta Versions.  I do not advise updating Windows Messenger unless you really use it so I right click on the Icon and Customize Results then find Microsoft Messenger and change Show All Releases to Hide All Releases.  OK.

You can also try Secunia PSI Same kind of info.  You don't need both.
If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.

If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox .  Close Chrome/Firefox. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow.

Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.

Due to a recent rise in the number of Crytolocker infections I am now recommending you install:

CryptoPrevent

http://www.foolishIT.../cryptoprevent/

The free version does not update on its own so you should check for updated versions once in a while.



If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

Make sure Windows Updates is turned and that it works.  Go to Control panel, Windows Updates and see if it works.  


My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)

Ron

 
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics


Also tagged with one or more of these keywords: bundespolizei trojan, trojan, oldtimer, ransomware

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP