Erratic Scrollbar [Solved]

Possible Malware Infection

  • This topic is locked

#16
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Should be a FRST.txt to post as well?


  • 0



#17
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Like I said in the last post, there wasn't. It was empty. Here's another one I just did. Something this time:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:30-07-2015
Ran by David (administrator) on DAVID-PC (14-09-2015 21:51:23)
Running from C:\Users\David\Desktop
Loaded Profiles: David (Available Profiles: David)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Microsoft Device Health\DhMachineSvc.exe
() C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN32\IcbcDaemon.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.28.13\GoogleCrashHandler.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(KARPOLAN) C:\Program Files\Touchpad Blocker\TouchpadBlocker.exe
(BitTorrent Inc.) C:\Users\David\AppData\Roaming\uTorrent\uTorrent.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Astrill) C:\Program Files\Astrill\astrill.exe
(Astrill) C:\Program Files\Astrill\ASProxy.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
() C:\Program Files\WordWeb\wweb32.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [782008 2015-08-26] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-04-07] (Apple Inc.)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [66936 2015-08-13] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-1483477416-240000409-50094224-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6815512 2015-07-31] (SUPERAntiSpyware)
HKU\S-1-5-21-1483477416-240000409-50094224-1000\...\Run: [ctfmon] => C:\Windows\system32\ctfmon.exe [8704 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-1483477416-240000409-50094224-1000\...\Run: [TouchpadBlocker.exe] => C:\Program Files\Touchpad Blocker\TouchpadBlocker.exe [881152 2013-04-17] (KARPOLAN)
HKU\S-1-5-21-1483477416-240000409-50094224-1000\...\Run: [uTorrent] => C:\Users\David\AppData\Roaming\uTorrent\uTorrent.exe [1696096 2015-08-29] (BitTorrent Inc.)
HKU\S-1-5-21-1483477416-240000409-50094224-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_16_0_0_305_ActiveX.exe [960688 2015-02-23] (Adobe Systems Incorporated)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-01-05] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-1483477416-240000409-50094224-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1483477416-240000409-50094224-1000] => http=127.0.0.1:3213;https=127.0.0.1:3213
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\S-1-5-21-1483477416-240000409-50094224-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\S-1-5-21-1483477416-240000409-50094224-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://startpage.com/
SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKU\S-1-5-21-1483477416-240000409-50094224-1000 -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKU\S-1-5-21-1483477416-240000409-50094224-1000 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKU\S-1-5-21-1483477416-240000409-50094224-1000 -> {D324CCA8-121A-4A83-9D29-DD22139B7073} URL =
BHO: ICBC Anti-Phishing class -> {BB4491A2-D11A-4c6b-91C0-B53246A3122B} -> C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN32\Icbc_AntiPhishing.dll [2014-06-20] (中国工商银行)
DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} https://b2c.icbc.com...CBC_NetSign.dll
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\..\Interfaces\{0C4906D3-3EB2-4CF9-9E98-BB59F23E3143}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{2E0B22CA-3CDF-4399-8F09-35325D02A04F}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7A68112E-49F5-4B97-A388-A9BFFD471AD0}: [DhcpNameServer] 198.18.8.1
Tcpip\..\Interfaces\{B69EE329-2CA7-4807-B85B-14C2398B23F2}: [NameServer] 221.7.128.68 221.7.136.68

FireFox:
========
FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881
FF DefaultSearchEngine: StartPage - English
FF SelectedSearchEngine: Startpage HTTPS
FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 3213
FF NetworkProxy: "ssl", "127.0.0.1"
FF NetworkProxy: "ssl_port", 3213
FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-19] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin: @icbc.com/npChromeClientBinding,ver=1.0.0.0 -> C:\Program Files\ICBCEbankTools\ICBCChromeExtension\npChromeClientBinding.dll [2013-12-05] (ICBC)
FF Plugin: @icbc.com/npChromeFullScreen,ver=1.0.0.1 -> C:\Program Files\ICBCEbankTools\ICBCChromeExtension\npChromeFullScreen.dll [2013-12-05] (ICBC)
FF Plugin: @icbc.com/npChromeSubmit,ver=1.0.0.2 -> C:\Program Files\ICBCEbankTools\ICBCChromeExtension\npChromeSubmit.dll [2014-11-07] (ICBC)
FF Plugin: @icbc.com/npChromeXXin,ver=1.0.0.2 -> C:\Program Files\ICBCEbankTools\ICBCChromeExtension\npChromeXXin.dll [2015-01-23] (Industrial and Commercial Bank of China)
FF Plugin: @icbc/icbc_ms_npClCache,Version=1.0.0.2 -> C:\Program Files\ICBCEbankTools\FirefoxPlugins\npClCache.dll [2014-07-29] ()
FF Plugin: @icbc/icbc_ms_npClientBinding,Version=1.0.0.2 -> C:\Program Files\ICBCEbankTools\FirefoxPlugins\npClientBinding.dll [2014-07-29] ( )
FF Plugin: @icbc/icbc_ms_npFullScreen,Version=1.0.0.2 -> C:\Program Files\ICBCEbankTools\FirefoxPlugins\npFullScreen.dll [2014-07-29] ()
FF Plugin: @icbc/icbc_ms_npsubmit,Version=1.0.0.8 -> C:\Program Files\ICBCEbankTools\FirefoxPlugins\npsubmit.dll [2014-11-07] ( )
FF Plugin: @icbc/icbc_ms_npxxin,Version=1.0.0.10 -> C:\Program Files\ICBCEbankTools\FirefoxPlugins\npxxin.dll [2015-01-23] ( )
FF Plugin: @icbc/npAssistComm,Version=1.0.0.1 -> C:\Program Files\ICBCEbankTools\ICBCSetupIntegration\npAssistComm.dll [2013-12-17] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-09-01] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-09-01] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-12-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-12-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-12-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-12-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-12-17] (Apple Inc.)
FF SearchPlugin: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\searchplugins\startpage---english.xml [2015-09-06]
FF SearchPlugin: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\searchplugins\startpage-https.xml [2015-09-13]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\startpage-https.xml [2014-04-08]
FF Extension: Astrill Proxy Switcher - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\Extensions\[email protected] [2015-05-02]
FF Extension: ICBCClrCache - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\Extensions\[email protected] [2014-12-07]
FF Extension: Empty Cache Button - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\Extensions\{4cc4a13b-94a6-7568-370d-5f9de54a9c7f} [2015-05-30]
FF Extension: YouTube Downloader Plus - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\Extensions\[email protected] [2015-09-09]
FF Extension: Zhong Wen - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\Extensions\{bbfec13e-8cb4-53f4-c852-999eb2a852cb}.xpi [2015-08-27]
FF Extension: Adblock Plus - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\towcca1s.default-1416752358881\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-05-21]
FF Extension: DVDVideoSoft YouTube MP3 and Video Download - C:\Program Files\Mozilla Firefox\browser\extensions\{B64D9B05-48E1-4CEB-BF58-E0643994E900}.xpi [2015-08-28]
FF HKU\S-1-5-21-1483477416-240000409-50094224-1000\...\Firefox\Extensions: [[email protected]] - C:\Program Files\WordWeb\WCaptureMoz
FF Extension: WordWeb one-click lookup - C:\Program Files\WordWeb\WCaptureMoz [2014-01-03]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-08-28]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\npcryptokit_certenrollment_boc_plugins.js [2015-08-28]

Chrome:
=======
CHR Profile: C:\Users\David\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Zhongwen: A Chinese-English Popup Dictionary) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkmlkkjojmombglmlpbpapmhcaljjkde [2015-01-20]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-22]
CHR Extension: (ICBCChromeExtension) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\lehjanbmddecbhgnnncapflmglinppcj [2014-08-06]
CHR Extension: (Google Wallet) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-06]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.goo...ice/update2/crx
CHR HKLM\...\Chrome\Extension: [lehjanbmddecbhgnnncapflmglinppcj] - C:\Program Files\ICBCEbankTools\ICBCChromeExtension\ICBCChromeExtension.crx [2013-07-02]

Opera:
=======
OPR StartupUrls: "hxxp://startpage.com/"
OPR Extension: (淘淘搜比价(淘同款)) - C:\Users\David\AppData\Roaming\Opera Software\Opera Stable\Extensions\kgjdldamaclconkgicdehfijmmkplcih [2014-05-20]

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-13] (SUPERAntiSpyware.com)
S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc7.exe [887128 2015-08-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [461672 2015-08-26] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [461672 2015-08-26] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\avwebg7.exe [1213072 2015-08-26] (Avira Operations GmbH & Co. KG)
S3 ASOVPNHelper; C:\Program Files\Astrill\ASOvpnSvc.exe [434016 2015-03-26] (Astrill)
R3 ASProxy; C:\Program Files\Astrill\ASProxy.exe [2497048 2015-03-26] (Astrill)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [228104 2015-08-13] (Avira Operations GmbH & Co. KG)
R2 DeviceHealth; C:\Program Files\Microsoft Device Health\DhMachineSvc.exe [85664 2014-06-06] ()
R2 ICBC Daemon Service; C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN32\IcbcDaemon.exe [370824 2014-06-20] ()
S2 LiveUpdateSvc; C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe [2152736 2014-05-04] (IObit)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdide; C:\Windows\System32\DRIVERS\amdide.sys [11832 2014-05-21] (Advanced Micro Devices Inc.)
R3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [25856 2014-05-17] (Astrill)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108448 2015-08-04] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136728 2015-08-04] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37896 2015-05-24] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [37896 2015-03-10] (Avira Operations GmbH & Co. KG)
S3 D-Vitec; C:\Windows\System32\DRIVERS\dvitdcnt.sys [281344 2012-07-26] (D-vitec)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
R3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [204432 2014-06-23] (Realtek Semiconductor Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [31848 2015-06-16] (Avira Operations GmbH & Co. KG)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26624 2011-07-01] (The OpenVPN Project)
S3 catchme; \??\C:\Users\David\AppData\Local\Temp\catchme.sys [X]
S3 massfilter; system32\drivers\massfilter.sys [X]
S1 qutmipc; \??\C:\Windows\system32\drivers\qutmipc.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [X]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-13 20:20 - 2015-09-13 20:20 - 00000112 _____ C:\Windows\setupact.log
2015-09-13 20:20 - 2015-09-13 20:20 - 00000000 _____ C:\Windows\setuperr.log
2015-09-11 18:06 - 2015-09-14 20:04 - 00005958 _____ C:\Windows\WindowsUpdate.log
2015-09-10 22:25 - 2015-09-10 23:03 - 00050176 ____T C:\Users\David\Desktop\IELTS 7 Zwo.ppt
2015-09-10 21:51 - 2015-09-10 21:53 - 23072843 _____ C:\Users\David\Desktop\IELTS Speaking band score 6.0 candidate_ Marie.mp4
2015-09-09 20:33 - 2015-09-14 21:51 - 00018291 _____ C:\Users\David\Desktop\FRST.txt
2015-09-09 20:29 - 2015-09-09 20:33 - 00032143 _____ C:\Users\David\Desktop\Addition.txt
2015-09-06 20:50 - 2015-09-06 20:50 - 00012288 _____ C:\Users\David\Desktop\David.xls
2015-08-29 22:44 - 2015-08-29 22:49 - 65208320 _____ C:\Users\David\Downloads\calibre-2.36.0.msi
2015-08-28 18:41 - 2015-09-03 13:24 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-08-26 13:00 - 2015-09-13 08:01 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2015-08-26 12:58 - 2015-08-26 12:58 - 01190104 _____ (Adobe Systems Incorporated) C:\Users\David\Downloads\flashplayer18pp_fa_install.exe
2015-08-24 21:25 - 2015-08-24 21:25 - 00007565 _____ C:\Users\David\Desktop\JRT.txt
2015-08-24 21:08 - 2015-08-24 21:09 - 01605632 _____ C:\Users\David\Desktop\AdwCleaner.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-14 21:52 - 2014-01-02 23:20 - 00000000 ____D C:\Users\David\AppData\Roaming\uTorrent
2015-09-14 21:51 - 2014-03-15 15:11 - 00000000 ____D C:\FRST
2015-09-14 21:41 - 2014-03-18 15:03 - 00000398 _____ C:\Windows\Tasks\WpsUpdateTask_David.job
2015-09-14 21:41 - 2014-03-18 15:03 - 00000398 _____ C:\Windows\Tasks\WpsNotifyTask_David.job
2015-09-14 20:53 - 2014-08-06 10:10 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-14 18:05 - 2014-01-10 10:43 - 00388386 _____ C:\Windows\system32\prfh0804.dat
2015-09-14 18:05 - 2014-01-10 10:43 - 00123864 _____ C:\Windows\system32\prfc0804.dat
2015-09-14 18:05 - 2014-01-02 22:20 - 01276504 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-14 08:52 - 2014-08-06 10:10 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-13 14:42 - 2014-01-03 16:54 - 00000000 ____D C:\Users\David\AppData\Roaming\vlc
2015-09-13 12:34 - 2014-11-03 10:33 - 00000000 ____D C:\Users\David\Desktop\SCICIE
2015-09-11 18:12 - 2009-07-14 12:34 - 00021024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-11 18:12 - 2009-07-14 12:34 - 00021024 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-11 18:09 - 2014-02-14 13:43 - 00003696 _____ C:\Windows\system32\ASProxyOff.ini
2015-09-11 18:07 - 2014-01-02 22:41 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-11 18:06 - 2009-07-14 12:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-07 23:14 - 2015-03-03 17:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-09-07 21:57 - 2014-01-02 22:31 - 00000000 ____D C:\Program Files\Opera
2015-09-06 16:32 - 2014-01-02 23:40 - 00000000 ____D C:\Users\David\Documents\Calibre Library
2015-09-04 19:49 - 2014-03-21 23:04 - 00000000 ____D C:\AdwCleaner
2015-09-03 13:29 - 2014-01-03 18:26 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-09-03 13:24 - 2014-01-03 10:11 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-08-30 19:38 - 2014-01-02 23:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2015-08-30 19:38 - 2014-01-02 23:39 - 00000000 ____D C:\Program Files\Calibre2
2015-08-26 19:20 - 2014-01-02 23:19 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-26 13:00 - 2014-11-04 09:56 - 00000000 ____D C:\Users\David\AppData\Local\Adobe
2015-08-26 12:59 - 2014-01-02 23:19 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-26 12:59 - 2014-01-02 23:19 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-08-25 08:07 - 2009-07-14 10:37 - 00000000 ____D C:\Windows\rescache
2015-08-25 00:06 - 2014-08-04 11:11 - 00000000 ____D C:\Users\David\Desktop\Desktopstuff
2015-08-24 21:20 - 2014-01-02 23:22 - 00000000 ____D C:\ProgramData\IObit
2015-08-24 21:20 - 2014-01-02 23:20 - 00000000 ____D C:\Users\David\AppData\Roaming\IObit
2015-08-19 07:42 - 2009-07-14 10:37 - 00000000 ____D C:\Windows\AppCompat

==================== Files in the root of some directories =======

2014-01-04 09:32 - 2014-06-23 21:40 - 0001078 _____ () C:\Users\David\AppData\Roaming\base64.cer
2014-07-20 18:02 - 2014-07-22 11:31 - 1411790 _____ () C:\ProgramData\TestPreferences

Some files in TEMP:
====================
C:\Users\David\AppData\Local\temp\avgnt.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-11 18:43

==================== End of log ============================


  • 0
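An added triage helper, not part of the thread and not FRST's own code: it parses the line formats that appear in the FRST.txt above (whitelisted processes, services and drivers, IE proxy values, per-interface DNS) and pulls out the entries a helper normally checks by hand, namely registered files that no longer exist ([X]), binaries with an empty publisher, an enabled system proxy and statically set DNS servers. The sample lines are copied from the log above; the category names and what counts as worth a look are this example's own choices.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example, not part of the thread and not FRST's own code. It parses
the line formats seen in the FRST.txt above and pulls out entries an
analyst normally checks by hand. Category names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the FRST.txt posted above.
SAMPLE_LOG = r"""
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
() C:\Program Files\Microsoft Device Health\DhMachineSvc.exe
ProxyEnable: [S-1-5-21-1483477416-240000409-50094224-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1483477416-240000409-50094224-1000] => http=127.0.0.1:3213;https=127.0.0.1:3213
Tcpip\..\Interfaces\{2E0B22CA-3CDF-4399-8F09-35325D02A04F}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B69EE329-2CA7-4807-B85B-14C2398B23F2}: [NameServer] 221.7.128.68 221.7.136.68
R2 DeviceHealth; C:\Program Files\Microsoft Device Health\DhMachineSvc.exe [85664 2014-06-06] ()
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26624 2011-07-01] (The OpenVPN Project)
S3 catchme; \??\C:\Users\David\AppData\Local\Temp\catchme.sys [X]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
"""


@dataclass(frozen=True)
class Finding:
    category: str  # missing-file | no-publisher | proxy-enabled | proxy-server | static-dns
    subject: str   # path, service name, SID or interface GUID the finding concerns
    detail: str    # what the analyst should verify


# "(Publisher) C:\path\binary.exe" from the Processes section; an empty "()" means
# FRST found no publisher in the file's signature.
PROCESS_RE = re.compile(r"^\((?P<pub>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# "R2 Name; C:\path [size date] (Publisher)" or "S3 Name; path [X]" from the
# Services and Drivers sections; "[X]" means the registered file does not exist.
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+); (?P<rest>.+)$")
PUBLISHER_RE = re.compile(r"\((?P<pub>[^)]*)\)$")
PROXY_ENABLE_RE = re.compile(r"^ProxyEnable: \[(?P<sid>[^\]]+)\] => (?P<msg>.+)$")
PROXY_SERVER_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<spec>.+)$")
DNS_RE = re.compile(
    r"^Tcpip\\\.\.\\Interfaces\\\{(?P<guid>[^}]+)\}: "
    r"\[(?P<kind>DhcpNameServer|NameServer)\] (?P<servers>.+)$"
)


def parse_proxy_server(spec: str) -> dict[str, str]:
    """Split an IE ProxyServer value ('http=127.0.0.1:3213;https=...') into
    {scheme: host:port}. A bare 'host:port' applies to all schemes, keyed '*'."""
    targets: dict[str, str] = {}
    for part in filter(None, spec.split(";")):
        scheme, sep, target = part.partition("=")
        if sep:
            targets[scheme.strip().lower()] = target.strip()
        else:
            targets["*"] = scheme.strip()
    return targets


def triage(log_text: str) -> list[Finding]:
    """Return the entries of an FRST log that need manual verification."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROCESS_RE.match(line):
            if not m["pub"].strip():
                findings.append(Finding("no-publisher", m["path"],
                                        "running binary has no publisher; check its hash and origin"))
        elif m := SERVICE_RE.match(line):
            rest = m["rest"]
            if rest.endswith("[X]"):
                findings.append(Finding("missing-file", m["name"].strip(),
                                        "registered but file not found: " + rest[:-3].strip()))
            elif (pm := PUBLISHER_RE.search(rest)) and not pm["pub"].strip():
                findings.append(Finding("no-publisher", m["name"].strip(),
                                        "service/driver binary has no publisher: " + rest))
        elif m := PROXY_ENABLE_RE.match(line):
            findings.append(Finding("proxy-enabled", m["sid"], m["msg"]))
        elif m := PROXY_SERVER_RE.match(line):
            summary = ", ".join(f"{k} -> {v}" for k, v in sorted(parse_proxy_server(m["spec"]).items()))
            findings.append(Finding("proxy-server", m["sid"],
                                    "system proxy " + summary + "; match it to installed VPN/proxy software"))
        elif (m := DNS_RE.match(line)) and m["kind"] == "NameServer":
            # DhcpNameServer entries come from the router; a static NameServer was set by
            # someone or something on the host, so confirm who configured it.
            findings.append(Finding("static-dns", m["guid"], "static DNS servers: " + m["servers"]))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category:13}] {f.subject}: {f.detail}")


if __name__ == "__main__":
    main()
```

Every flagged line still needs a human decision: the local proxy port, for instance, has to be compared with the VPN client that is installed on the machine before anyone calls it suspicious.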

#18
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Like I said in the last post, there wasn't. It was empty. Here's another one I just did.


Oh, my mistake, I didn't realize you were meaning that there was no FRST.txt.

Moving on

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Windows 8 & 8.1 users may face another warning from the Windows SmartScreen Protection - please click More information and Run.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox you may need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

Disable your security programs.
  • Click the blue Run ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
     then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow/install to install. If your firewall asks whether you want to allow installation, say yes. If asked, click yes to allow the program to run on your computer.
  • Check "Enable detection of potentially unwanted applications"
  • Click on Start and say yes to allow the program to proceed.
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed click "List of found threats" and click again on Copy to clipboard. Open notepad and paste in the clipboard list. Save it as ESET log somewhere that you can find.
  • After that click the button "Back"
  • Select and check Uninstall application on close and Delete quarantined files.
  • Then click on: Finish
  • Copy and paste the ESET log back here and tell me how your machine is now.

 
  • 0

#19
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Hi emeraldnzl,

 

No threats found after five hours. Computer still turns itself on in the mornings around 6am. Mozilla still 'not responding' intermittently, Shockwave hanging. Mouse erratic so not using it. Ho, hum.

 

Daba


  • 0

#20
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Okay this is now a technical problem.

 

Let's remove the tools we have been using. After that I will give you some ideas to fix Mozilla Firefox that I have used in the past. If they don't work then I will direct you to the appropriate technical forum for help. :)

 

Now

 

Follow these steps to uninstall Combofix. This will also clean out and reset your Restore Points.

  • Press the Windows Key and R on your keyboard. This will bring up the Run window.
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.



  • Follow the prompts to uninstall Combofix.

Once done you will receive a message saying Combofix was uninstalled successfully.

 

 

Next

 

To clear away the other tools we have been using download Delfix from here. You will be taken to the download page. Just wait and shortly the download will appear.

Put a check (tick) in the following box:
 

  • Remove disinfection tools

 

Then click Run

The tool will run for a short time. When completed a notepad window will open with a log. Please copy and paste the log back here.
 


  • 0

#21
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Hello emeraldnzl,

 

Thanks for your perseverance. There appeared to be a glitch when removing Combo. It seemed to start a scan again but when I repeated the remove instructions it said it couldn't be found so, go figure. Guess it worked.

 

Here's the scan and thanks once again for your help. 'Dum spiro, spero': whilst I breathe, I hope.

 

Daba

 

# DelFix v1.011 - Logfile created 02/10/2015 at 10:49:24
# Updated 18/08/2015 by Xplode
# Username : David - DAVID-PC
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Combofix
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\ComboFix.txt
Deleted : C:\Users\David\Desktop\AdwCleaner.exe
Deleted : C:\Users\David\Desktop\ComboFix.exe
Deleted : C:\Users\David\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Users\David\Desktop\FRST.exe
Deleted : C:\Users\David\Desktop\JRT.exe
Deleted : C:\Users\David\Downloads\esetsmartinstaller_enu(1).exe
Deleted : C:\Users\David\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKCU\console_combofixbackup
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart
Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys

~ Cleaning system restore ...


New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


  • 0

#22
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Hi again,

 

Can you please tell me how to restore the icons I had in the bottom right hand corner. Many of them have disappeared and the bar has changed. Enabling them (somewhere, don't know where it was) has brought some back, but not all. Thanks.

 

Daba


  • 0

#23
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Hello emeraldnzl,

 

Me again. I'm not a happy camper. Since I actioned your last instruction, a new taskbar has appeared on my laptop and it is missing the system tray up arrow. It's just not there. It's causing me a lot of hassle because my Touchpad Blocker program is also no longer functioning and I'm playing default pacman in effect as I try and type this and any other work. It's all messed up! Plus I used to have my VPN icon, which I'm always opening and closing as I toggle between China pages and western (necessary here in China), in there too, all gone. PLEASE HELP!

 

Daba


  • 0

#24
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Disregard last 2 posts. Found a fix on the interwebs.


  • 0

#25
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Hello daba,

 

Unfortunately I have been traveling and missed your posts about losing your icons.

 

Was that the case even after a reboot?

 

And

 

Are you still having problems with your Mozilla browser?


  • 0



#26
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Hello Emeraldnzl,

 

Apologies for the delayed response: crazy busy at work. I sorted the icon problem but I have still got my machine automatically turning on at 6am. It's making my Chinese neighbours nervous, it would seem. My landlord asked: Are you writing stuff in the middle of the night to the West?

 

Yes, Mozilla and Shockwave keep crashing despite the latest upgrade. I don't want to switch to another browser because I have a lot of bookmarks.

 

David


  • 0

#27
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Hello David,
 
 

but I have still got my machine automatically turning on at 6am.


That looks like you have something set on your machine to wake it. Check out the links below to see if you can identify the cause:

http://www.sevenforu...viewer-log.html
 

http://www.sevenforu...ke-command.html

 

Yes, Mozilla and shockwave keep crashing despite the latest upgrade.


Did you try the methods I outlined in the second half of my post number 8?

I had the same problem. Although I would manage to get rid of it for periods by following one or other of the options outlined there, it didn't go away permanently until after I upgraded to Windows 10.

You could try opening a topic in the technical section here. Someone may know something that will help.


  • 0

#28
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Hi emeraldnzl,

 

Thanks. I did try your outlined methods... in vain. I've just done the wake source thing: ACPI Lid; presumably that means the laptop lid. But I'm still asleep at 6am, it doesn't move at all. Or does it refer to something else? The plot thickens...

 

David


  • 0

#29
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Hello David,
 
As I mentioned earlier this doesn't appear to be a malware problem. Unfortunately it is outside my skills to find an answer.
 
Go here and open a new topic, explain your problem and hopefully one of the technical people will have a solution for you. :)


  • 0

#30
daba

    Member

  • Topic Starter
  • Member
  • 142 posts

Thanks for all your sterling efforts anyway emeraldnzl.

 

Daba


  • 0





