Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus-rootkit infection, can't uptdate windows [Closed]


  • This topic is locked This topic is locked

#1
samidelcueva

samidelcueva

    Member

  • Member
  • PipPip
  • 67 posts

Hi

 

i've got infected by a rootkit, and my pc was running slowly, and before Windows starts the screen turns blue, and after that starts normally, so i follow another malware fórums removal guides, but when i enter in safe mode, the antiviruses they scaned very fast, so i think something were blocking to scan normally, so in normal mode, i run TDSS Killer, and they found a rootkit (sorry, i dont write the name of the rootkit), so, i delete, and then restart, and scan again, and again found a rootkit, i do the same thing that ido before, and again scan, and they found nothing, but my computer was the same.

i scan with emsisoft emergency kit, and found some malicious registry entries, but my computer was still slow, so i format my computer, (i have Windows 8.1), and everything was normally till i notice that i have some adwares in my browser, i run JRT and ADW cleaner, but found nothing, next, i notice tan my computer didnt install any updates, y try over and over again, but still i cant, so i reset my computer and notice that, before starting, the screen have a color light blue, and were slow to start, so i format my computer again, but when i was configurating my computer for begin to use it, it freeze and reboot, so i had to do it all again, and now my computer starts normally.

so the situation right now is: my computer is not slow (only the start up, and is son cases, but less than before), and still i can't update Windows, so i think im still infected. 

 

Thanks

I really apreciate the help

 

i attach de FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by al123_000 (administrator) on SAMUEL on 23-07-2015 09:32:35
Running from C:\Users\al123_000\Desktop
Loaded Profiles: al123_000 (Available Profiles: al123_000)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSWinService.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
(ASUS) C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ASUSTek Computer INC.) C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(STMicroelectronics) C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_Manager.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ASUS HDD Protection Tray Application] => C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_Manager.exe [54272 2013-12-03] (STMicroelectronics)
HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\Windows\system32\DptfPolicyLpmServiceHelper.exe [114048 2013-10-17] (Intel Corporation)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [1080992 2014-05-14] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\ASUSWSLoader.exe [63296 2014-02-24] ()
HKLM-x32\...\RunOnce: [{09092FC0-909C-4845-B39B-597989454A63}] => cmd.exe /C start /D "C:\Users\AL123_~1\AppData\Local\Temp" /B {09092FC0-909C-4845-B39B-597989454A63}.exe -accepteula -accepteulaksn -postboot
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://espanol.yahoo.com?fr=fp-comodo
HKU\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus13.msn.com/?pc=ASJB
SearchScopes: HKU\S-1-5-21-401314101-946683506-2006832327-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-401314101-946683506-2006832327-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2012-06-01] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 200.94.160.248
Tcpip\..\Interfaces\{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D}: [DhcpNameServer] 200.94.160.248

FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-10-23] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-10-23] (Intel Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-05] ()

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSWinService.exe [71680 2014-02-24] (ASUS Cloud Corporation) [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe [432528 2013-05-02] (Nuance Communications, Inc.)
R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-10-17] (Intel Corporation)
R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [116680 2013-10-17] (Intel Corporation)
R2 DptfPolicyLpmService; C:\Windows\system32\DptfPolicyLpmService.exe [126952 2013-10-17] (Intel Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-27] (WildTangent)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282072 2014-03-17] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [827392 2013-09-02] (Intel® Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-10-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-10-23] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 TransformService; C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe [69776 2014-04-30] (ASUS)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2014-05-14] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-05-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U0 20840607; C:\Windows\System32\drivers\66315839.sys [248728 2015-07-23] (Kaspersky Lab, Yury Parshin)
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [71952 2014-03-31] (ASUS Corporation)
S3 AX88772; C:\Windows\system32\DRIVERS\ax88772.sys [113864 2013-07-18] (ASIX Electronics Corp.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [289744 2013-10-17] (Intel Corporation)
R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [494296 2013-10-17] (Intel Corporation)
R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-08] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-08-08] (Intel Corporation)
R3 INVN_MotionApps; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-05] ( )
R3 m76usb; C:\Windows\System32\drivers\m76usb.sys [539336 2014-04-28] (Ralink Technology Corp.)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [109272 2015-06-18] (Malwarebytes Corporation)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-23] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-10-23] (Intel Corporation)
R3 SensorsAlsDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 ST_ACCEL; C:\Windows\system32\DRIVERS\ST_Accel.sys [83456 2013-09-14] (STMicroelectronics)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2014-05-14] (Microsoft Corporation)
U0 msahci; system32\drivers\msahci.sys

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-23 10:17 - 2015-07-23 10:17 - 00028672 ___SH C:\WINDOWS\system32\config\BCD-Template.LOG
2015-07-23 09:32 - 2015-07-23 09:33 - 00011494 _____ C:\Users\al123_000\Desktop\FRST.txt
2015-07-23 09:32 - 2015-07-23 09:32 - 00000000 ____D C:\FRST
2015-07-23 09:31 - 2015-07-23 09:31 - 02135552 _____ (Farbar) C:\Users\al123_000\Desktop\FRST64.exe
2015-07-23 09:11 - 2015-07-23 09:11 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-23 09:11 - 2015-07-23 09:11 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-23 09:11 - 2015-07-23 09:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-23 09:11 - 2015-07-23 09:11 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-23 09:11 - 2015-07-23 09:11 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-23 09:11 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-23 09:11 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-23 09:10 - 2015-07-23 09:10 - 00248728 _____ (Kaspersky Lab, Yury Parshin) C:\WINDOWS\system32\Drivers\66315839.sys
2015-07-23 09:10 - 2015-07-23 09:10 - 00000000 ____D C:\Users\al123_000\Desktop\mbam-chameleon-3.1.25.0
2015-07-23 09:10 - 2015-07-23 09:10 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-07-23 09:10 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-23 09:09 - 2015-07-23 09:09 - 06383209 _____ C:\Users\al123_000\Desktop\mbam-chameleon-3.1.25.0.zip
2015-07-23 09:08 - 2015-07-23 09:08 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\al123_000\Desktop\tdsskiller.exe
2015-07-23 09:06 - 2011-03-02 19:56 - 37943240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MRT.exe
2015-07-23 09:02 - 2015-07-23 09:02 - 00000000 ____D C:\Users\al123_000\AppData\Roaming\Macromedia
2015-07-23 08:49 - 2015-07-05 03:08 - 00300704 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-07-23 08:43 - 2015-07-23 08:51 - 00007591 _____ C:\Users\al123_000\AppData\Local\Resmon.ResmonCfg
2015-07-23 08:42 - 2015-07-23 08:42 - 00003934 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{5B64FCD7-1E4D-4174-BAC6-20AD17F1427E}
2015-07-23 08:42 - 2015-07-23 08:42 - 00000000 __SHD C:\Users\al123_000\AppData\Local\EmieUserList
2015-07-23 08:42 - 2015-07-23 08:42 - 00000000 __SHD C:\Users\al123_000\AppData\Local\EmieSiteList
2015-07-23 08:38 - 2015-07-23 09:17 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-401314101-946683506-2006832327-1001
2015-07-23 08:37 - 2015-07-23 08:37 - 00000000 ____D C:\Users\al123_000\AppData\Roaming\WebStorage
2015-07-23 08:36 - 2015-07-23 08:36 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2015-07-23 08:36 - 2015-07-23 08:36 - 00000000 ____D C:\Users\al123_000\AppData\Local\GWX
2015-07-23 08:35 - 2015-07-23 08:35 - 00000000 __RDO C:\Users\al123_000\OneDrive
2015-07-23 08:32 - 2015-07-23 08:33 - 00000000 ____D C:\Users\al123_000\AppData\Local\PackageStaging
2015-07-23 08:32 - 2015-07-23 08:32 - 00000000 ____D C:\WINDOWS\System32\Tasks\WPD
2015-07-23 08:31 - 2015-07-23 08:31 - 00001444 _____ C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-23 08:31 - 2015-07-23 08:31 - 00000188 _____ C:\WINDOWS\FixPatch.log
2015-07-23 08:31 - 2015-07-23 08:31 - 00000093 _____ C:\Users\al123_000\AppData\Roaming\sp_data.sys
2015-07-23 08:31 - 2015-07-23 08:31 - 00000000 ____D C:\Users\al123_000\AppData\Roaming\Adobe
2015-07-23 08:31 - 2015-07-23 08:31 - 00000000 ____D C:\Users\al123_000\AppData\Local\VirtualStore
2015-07-23 08:31 - 2015-07-23 08:31 - 00000000 ____D C:\ProgramData\USBChargerPlus
2015-07-23 08:30 - 2015-07-23 08:33 - 00000000 ____D C:\Users\al123_000\AppData\Local\Packages
2015-07-23 08:30 - 2015-07-23 08:30 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-07-23 08:29 - 2015-07-23 08:31 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-07-23 08:29 - 2015-07-23 08:29 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-07-23 08:27 - 2015-07-09 12:51 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-07-23 08:27 - 2015-07-09 11:40 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
2015-07-23 08:27 - 2015-07-09 09:03 - 03701760 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-07-23 08:27 - 2015-07-09 08:54 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-07-23 08:27 - 2015-07-09 08:53 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-07-23 08:27 - 2015-07-09 08:50 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-07-23 08:27 - 2015-07-09 08:50 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-07-23 08:27 - 2015-07-09 08:48 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-07-23 08:27 - 2015-07-09 08:46 - 02229248 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-07-23 08:27 - 2015-07-09 08:38 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-07-23 08:27 - 2015-07-09 08:37 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-07-23 08:27 - 2015-07-09 08:35 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-07-23 08:27 - 2015-07-09 08:34 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-07-23 08:27 - 2015-06-26 20:08 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2015-07-23 08:27 - 2015-06-26 20:08 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2015-07-23 08:27 - 2015-06-26 19:14 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2015-07-23 08:27 - 2015-06-02 10:47 - 02502928 _____ (Microsoft Corporation) C:\WINDOWS\explorer.exe
2015-07-23 08:27 - 2015-06-02 10:47 - 02209080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\explorer.exe
2015-07-23 08:27 - 2015-06-02 10:47 - 00129120 _____ (Microsoft Corporation) C:\WINDOWS\system32\RestoreOptIn.exe
2015-07-23 08:27 - 2015-06-02 10:47 - 00110576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\RestoreOptIn.exe
2015-07-23 08:27 - 2015-03-13 18:51 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll
2015-07-23 08:27 - 2015-03-13 17:09 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2015-07-23 08:27 - 2014-10-17 23:50 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaext.dll
2015-07-23 08:26 - 2015-07-23 08:35 - 00000000 ____D C:\Users\al123_000
2015-07-23 08:26 - 2015-07-23 08:26 - 00000020 ___SH C:\Users\al123_000\ntuser.ini
2015-07-23 08:26 - 2014-05-14 22:36 - 00000000 ___RD C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-07-23 08:26 - 2014-03-18 03:33 - 00000000 ___RD C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-07-23 08:26 - 2014-03-18 03:13 - 00000369 _____ C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2015-07-23 08:26 - 2014-03-18 03:13 - 00000369 _____ C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2015-07-23 08:26 - 2013-08-22 08:36 - 00000000 ___RD C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-07-23 08:26 - 2013-08-22 08:36 - 00000000 ____D C:\Users\al123_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-23 10:17 - 2013-08-22 08:36 - 00262144 _____ C:\WINDOWS\system32\config\BCD-Template
2015-07-23 09:32 - 2014-10-25 08:36 - 02078432 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-23 09:26 - 2013-08-22 08:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-07-23 09:02 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-23 08:49 - 2013-08-22 06:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2015-07-23 08:40 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-07-23 08:36 - 2013-08-22 07:46 - 00021635 _____ C:\WINDOWS\setupact.log
2015-07-23 08:35 - 2014-10-25 08:57 - 00003400 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update1
2015-07-23 08:35 - 2014-10-25 08:57 - 00003390 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update2
2015-07-23 08:35 - 2014-03-18 03:03 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-23 08:31 - 2014-05-14 22:37 - 00000000 ____D C:\WINDOWS\Panther
2015-07-23 08:31 - 2014-05-14 21:58 - 00000000 ____D C:\WINDOWS\Log
2015-07-23 08:30 - 2013-08-22 07:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-23 08:29 - 2013-08-22 07:44 - 00336632 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-23 08:29 - 2013-08-22 06:36 - 00000000 ____D C:\WINDOWS\system32\AdvancedInstallers
2015-07-23 08:29 - 2013-08-22 06:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-07-23 08:27 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\restore
2015-07-23 08:25 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\rescache

==================== Files in the root of some directories =======

2015-07-23 08:31 - 2015-07-23 08:31 - 0000093 _____ () C:\Users\al123_000\AppData\Roaming\sp_data.sys
2015-07-23 08:43 - 2015-07-23 08:51 - 0007591 _____ () C:\Users\al123_000\AppData\Local\Resmon.ResmonCfg
2014-10-25 08:48 - 2014-10-25 08:48 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-10-25 09:00 - 2014-03-25 18:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-14 21:43 - 2014-03-26 13:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-14 21:43 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-14 21:43 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

Files to move or delete:
====================
C:\ProgramData\RefreshReg.vbs
C:\ProgramData\SetStretch.VBS


Some files in TEMP:
====================
C:\Users\al123_000\AppData\Local\Temp\{09092FC0-909C-4845-B39B-597989454A63}.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-23 09:18

==================== End of log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:20-07-2015
Ran by al123_000 at 2015-07-23 09:33:40
Running from C:\Users\al123_000\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-401314101-946683506-2006832327-500 - Administrator - Disabled)
al123_000 (S-1-5-21-401314101-946683506-2006832327-1001 - Administrator - Enabled) => C:\Users\al123_000
Guest (S-1-5-21-401314101-946683506-2006832327-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Alcor Micro USB Card Reader Driver  (HKLM-x32\...\InstallShield_{5CA55DFC-2008-460F-B7A7-FB92100C4494}) (Version: 20.4.10117.43857 - Alcor Micro Corp.)
Alcor Micro USB Card Reader Driver  (x32 Version: 20.4.10117.43857 - Alcor Micro Corp.) Hidden
ASUS FlipLock (HKLM\...\{9BF8EF7C-4AA1-4CA7-93DB-8F543EB35F4E}) (Version: 1.0.3 - ASUS)
ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.2.8 - ASUS)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 2.2.14 - ASUS)
ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 3.01.0003 - ASUS)
ASUS USB Charger Plus (HKLM-x32\...\{A859E3E5-C62F-4BFA-AF1D-2B95E03166AF}) (Version: 3.1.9 - ASUS)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0034 - ASUS)
Dragon Assistant Application en-US version 1.5.7 (HKLM-x32\...\{1CCBE73F-4948-4711-8D12-22E2FD65D706}_is1) (Version: 1.5.7 - Nuance Communications, Inc.)
Dragon Assistant Core Recognition Service version 1.1.10 (HKLM-x32\...\{E97BA7A6-46FC-4EBF-B24A-B8362948C696}_is1) (Version: 1.1.10 - Nuance Communications, Inc.)
Dragon Assistant Language Data en-US version 1.1.3 (HKLM-x32\...\{4C0C1E4E-D3B1-4496-98EC-DA14D45EC855}_is1) (Version: 1.1.3 - Nuance Communications, Inc.)
Dragon Assistant version 1.5.7 (HKLM-x32\...\{D57A8269-3BE5-4D10-B882-64D0F2D448BF}_is1) (Version: 1.5.7 - Nuance Communications, Inc.)
Game Explorer Categories - casual (HKLM-x32\...\WildTangentGameProvider-asus-casual) (Version: 3.2.0.6 - WildTangent, Inc.)
Game Explorer Categories - enthusiast (HKLM-x32\...\WildTangentGameProvider-asus-enthusiast) (Version: 3.2.0.6 - WildTangent, Inc.)
Game Explorer Categories - family (HKLM-x32\...\WildTangentGameProvider-asus-family) (Version: 3.2.0.6 - WildTangent, Inc.)
Game Explorer Categories - kids (HKLM-x32\...\WildTangentGameProvider-asus-kids) (Version: 3.2.0.6 - WildTangent, Inc.)
Game Explorer Categories - touch (HKLM-x32\...\WildTangentGameProvider-asus-touch) (Version: 3.2.0.6 - WildTangent, Inc.)
Intel® Dynamic Platform and Thermal Framework (HKLM-x32\...\FFD10ECE-F715-4a86-9BD8-F6F47DA5DA1C) (Version: 7.1.0.2105 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.6.0.1038 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3496 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 1.1.165.0 - Intel Corporation)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Mediatek Bluetooth (HKLM\...\{878D7C14-18BD-7A70-9292-C0B3CE374125}) (Version: 11.0.754.0 - Mediatek)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Ralink RT2860 Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}) (Version: 5.0.47.0 - Ralink)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7266 - Realtek Semiconductor Corp.)
ST Microelectronics 3 Axis Digital Accelerometer Solution (HKLM-x32\...\{9C24F411-9CA7-4A8A-91F3-F08A4A38EB31}) (Version: 4.07.0054 - ST Microelectronics)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
WebStorage (HKLM-x32\...\WebStorage) (Version: 2.1.2.301 - ASUS Cloud Corporation)
WildTangent Games App (HKLM-x32\...\{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-asus) (Version: 4.0.11.2 - WildTangent)
Windows Driver Package - ASUS (ATP) Mouse  (03/17/2014 1.0.0.207) (HKLM\...\AA2CC56D4BBEE037DC99871F5F6551133D2A0CC3) (Version: 03/17/2014 1.0.0.207 - ASUS)
WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.42.0 - ASUS)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-401314101-946683506-2006832327-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

23-07-2015 08:27:48 Windows Modules Installer

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {001BB766-6DA0-41A3-99E4-1664D2817727} - System32\Tasks\Update Checker => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe [2014-03-11] ()
Task: {0FFDDC0C-549B-4CC4-9721-EBBBCF6A3DF5} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2014-03-31] (AsusTek)
Task: {3ABD43C8-56AB-403D-9B8D-DA59FC6679A7} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2014-05-26] (Realtek Semiconductor)
Task: {4595F95B-A9E5-4060-A7F4-E491554E0916} - System32\Tasks\ASUS Splendid ACMON => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [2014-04-02] (ASUS)
Task: {516B07E3-96D7-45E5-98EB-966B8F5295D2} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2014-06-04] (Realtek Semiconductor)
Task: {70FDE9A1-0F80-41CC-9E5C-AE34F502A7C1} - System32\Tasks\ATK Package 36D18D69AFC3 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [2014-01-14] (ASUSTek Computer Inc.)
Task: {7279527C-EC73-4C08-A802-47284E8354A2} - System32\Tasks\ASUS Patch for Touch Panel => C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe [2013-01-09] (ASUSTek Computer INC.)
Task: {876C85D5-B8AA-4D01-BFD1-ACC54599764A} - System32\Tasks\ASUS Live Update2 => C:\Program Files (x86) [2015-07-23] ()
Task: {A7DB30D1-E065-4F88-AF93-6B80914BEA7E} - System32\Tasks\ASUS Live Update1 => C:\Program Files (x86) [2015-07-23] ()
Task: {BC2169AB-DF8F-47BE-B3B3-DE2BFF08D0B5} - System32\Tasks\ASUS USB Charger Plus => C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe [2014-03-27] (ASUSTek Computer Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (Whitelisted) ==============

2014-10-25 08:57 - 2012-03-09 21:51 - 00243200 _____ () C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_DT.dll
2014-10-25 09:00 - 2013-05-02 11:26 - 00387984 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\fl_core.dll
2014-10-25 09:00 - 2013-05-02 11:26 - 01165712 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\vocon3200_asr.dll
2014-10-25 09:00 - 2013-05-02 11:26 - 00199056 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\vocon3200_base.dll
2014-10-25 09:00 - 2013-05-02 11:26 - 01132944 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\vocon3200_pron.dll
2014-10-25 09:00 - 2013-05-02 11:26 - 00035216 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\vocon3200_platform.dll
2014-10-25 09:00 - 2013-05-02 11:26 - 00229264 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\sdxg.dll
2014-10-25 09:00 - 2013-05-02 11:25 - 00027648 _____ () C:\Program Files (x86)\Nuance\Dragon Assistant\Core\WASAPIResamplingStreamCOMServer.dll
2014-04-30 14:33 - 2014-04-30 14:33 - 00009216 _____ () C:\Program Files\ASUS\ASUS FlipLock\WMIProc.dll
2014-04-02 14:46 - 2014-04-02 14:46 - 00117248 _____ () C:\Program Files (x86)\ASUS\Splendid\CCTAdjust.dll
2014-04-02 14:46 - 2014-04-02 14:46 - 00037936 _____ () C:\Program Files (x86)\ASUS\Splendid\DetectDisplayDC.dll
2014-04-02 14:46 - 2014-04-02 14:46 - 00018992 _____ () C:\Program Files (x86)\ASUS\Splendid\AMDColorEnhance.dll
2014-04-02 14:46 - 2014-04-02 14:46 - 00020528 _____ () C:\Program Files (x86)\ASUS\Splendid\AMDRegammaAndGamut.dll
2014-10-25 08:45 - 2013-10-23 13:44 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\al123_000\OneDrive:ms-properties

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\20840607.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\20840607.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-401314101-946683506-2006832327-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\al123_000\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\windows photo viewer wallpaper.jpg
DNS Servers: 200.94.160.248
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/23/2015 08:23:07 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program msoobe.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 39c

Start Time: 01d0c5633b1b115a

Termination Time: 16

Application Path: C:\WINDOWS\system32\oobe\msoobe.exe

Report Id: ac4f348c-314e-11e5-825e-ec0ec4292244

Faulting package full name:

Faulting package-relative application ID:

Error: (07/23/2015 09:22:05 AM) (Source: Windows Search Service Profile Notification) (EventID: 2) (User: )
Description: Unable to remove Windows Search Service indexed data for user '<Event xmlns='http://schemas.micro...ystem><ProviderName='Microsoft-Windows-Search-ProfileNotify' Guid='{FC6F77DD-769A-470E-BCF9-1B6555A118BE}' EventSourceName='Windows Search Service Profile Notification'/><EventID Qualifiers='49152'>2</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2015-07-23T16:22:05.000000000Z'/><EventRecordID>9</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>Samuel</Computer><Security/></System><ProcessingErrorData><ErrorCode>15005</ErrorCode><DataItemName>__binLength</DataItemName><EventPayload>530061006D00750065006C005C00410064006D0069006E006900730074007200610074006F00720000003000780038003000300034003200310030003300000000000000</EventPayload></ProcessingErrorData></Event>' in response to user profile deletion.  Error code %2.

%3.


System errors:
=============
Error: (07/23/2015 09:17:57 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!


Microsoft Office:
=========================
Error: (07/23/2015 08:23:07 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: msoobe.exe6.3.9600.1638439c01d0c5633b1b115a16C:\WINDOWS\system32\oobe\msoobe.exeac4f348c-314e-11e5-825e-ec0ec4292244

Error: (07/23/2015 09:22:05 AM) (Source: Windows Search Service Profile Notification) (EventID: 2) (User: )
Description: <Event xmlns='http://schemas.micro...ystem><ProviderName='Microsoft-Windows-Search-ProfileNotify' Guid='{FC6F77DD-769A-470E-BCF9-1B6555A118BE}' EventSourceName='Windows Search Service Profile Notification'/><EventID Qualifiers='49152'>2</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2015-07-23T16:22:05.000000000Z'/><EventRecordID>9</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>Samuel</Computer><Security/></System><ProcessingErrorData><ErrorCode>15005</ErrorCode><DataItemName>__binLength</DataItemName><EventPayload>530061006D00750065006C005C00410064006D0069006E006900730074007200610074006F00720000003000780038003000300034003200310030003300000000000000</EventPayload></ProcessingErrorData></Event>


==================== Memory info ===========================

Processor: Intel® Core™ i3-4030U CPU @ 1.90GHz
Percentage of memory in use: 41%
Total physical RAM: 5579.43 MB
Available physical RAM: 3257.22 MB
Total Virtual: 7179.43 MB
Available Virtual: 4683.08 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:444.65 GB) (Free:416.5 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: B4FA98D2)

Partition: GPT Partition Type.

==================== End of log ============================

Attached Files


  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi sorry for the delay

Do you still require assistance ?
If so could you run a fresh FRST scan please
  • 0

#3
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

no problem thanks, because now Im totally sure that im infected

 

I have format my computer again, because it were getting worse, after every restart, so my computer only have now malware scanners, and I realize after 3 formats, that in every new format computer, the malware scanner found the same things, EEK found this always:

 

Scan start: 7/24/2015 9:42:33 PM
Value: HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Scanned 66089
Found 2

 

And junkware removal tool found this:

 

~~~ Files

Successfully deleted: [File] C:\Users\samuel\AppData\Roaming\sp_data.sys

 

panda also detect some malware, but I didn't record that, and Kaspersky found one rootkit, two times, (in the same number of "format computer"), but I didn't record that two,  

and the others scanners found nothing.

 

And I think my computer get infected by a usb, because in my famly we have a computer that its infected, and that usb that infected me, were used on that infected machine, in the moment I use the usb I forgot that :upset:, and now the two computers have the same symptoms: 

 

-Slow machine

-slow start up

- freezes,

-forced resets

- very slow opening of browsers,etc

 

my computer now recently formatted, don't have some of these symptoms (but still I have slow start up, some freezes, and detect the scanners detect the same stuff, after every new format) , but the thing is that In the past formatting, I thought "now my computer its okey" , and download everything I need but with every download, every reset, the pc were getting slower, after 2 formats, so now I will leave my computer, until Its totally clean,

 

thanks for the help   


Edited by samidelcueva, 25 July 2015 - 10:49 AM.

  • 0

#4
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

Last minute symptom: I cant download malware scanners until I run rkill

 

this is the FRST logs, of my recently formatted computer

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-07-2015
Ran by samuel (administrator) on LOL (25-07-2015 09:26:18)
Running from C:\Users\samuel\Desktop
Loaded Profiles: samuel (Available Profiles: samuel)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSWinService.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
(ASUS) C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUSTek Computer INC.) C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(STMicroelectronics) C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_Manager.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSPanel.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ASUS HDD Protection Tray Application] => C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_Manager.exe [54272 2013-12-03] (STMicroelectronics)
HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\Windows\system32\DptfPolicyLpmServiceHelper.exe [114048 2013-10-17] (Intel Corporation)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12312432 2015-07-23] (Zemana Ltd.)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [1080992 2014-05-14] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\ASUSWSLoader.exe [63296 2014-02-24] ()
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus13.msn.com/?pc=ASJB
HKU\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus13.msn.com/?pc=ASJB
SearchScopes: HKU\S-1-5-21-401314101-946683506-2006832327-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-401314101-946683506-2006832327-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2012-06-01] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 200.94.160.248
Tcpip\..\Interfaces\{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D}: [DhcpNameServer] 200.94.160.248

FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-10-23] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-10-23] (Intel Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-05] ()

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSWinService.exe [71680 2014-02-24] (ASUS Cloud Corporation) [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe [432528 2013-05-02] (Nuance Communications, Inc.)
R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-10-17] (Intel Corporation)
R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [116680 2013-10-17] (Intel Corporation)
R2 DptfPolicyLpmService; C:\Windows\system32\DptfPolicyLpmService.exe [126952 2013-10-17] (Intel Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-27] (WildTangent)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-07-24] (SurfRight B.V.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282072 2014-03-17] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [827392 2013-09-02] (Intel® Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-10-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-10-23] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 TransformService; C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe [69776 2014-04-30] (ASUS)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2014-05-14] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-05-14] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12312432 2015-07-23] (Zemana Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [71952 2014-03-31] (ASUS Corporation)
S3 AX88772; C:\Windows\system32\DRIVERS\ax88772.sys [113864 2013-07-18] (ASIX Electronics Corp.)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [289744 2013-10-17] (Intel Corporation)
R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [494296 2013-10-17] (Intel Corporation)
R1 epp64; C:\EEK\bin\epp64.sys [136456 2015-07-25] (Emsisoft GmbH)
R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-08] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-08-08] (Intel Corporation)
R3 INVN_MotionApps; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-05] ( )
S3 m76usb; C:\Windows\System32\drivers\m76usb.sys [539336 2014-04-28] (Ralink Technology Corp.)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-10-23] (Intel Corporation)
R3 SensorsAlsDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 ST_ACCEL; C:\Windows\system32\DRIVERS\ST_Accel.sys [83456 2013-09-14] (STMicroelectronics)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2014-05-14] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [109432 2015-07-24] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [109432 2015-07-24] (Zemana Ltd.)
U0 msahci; system32\drivers\msahci.sys

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-25 09:26 - 2015-07-25 09:26 - 00011515 _____ C:\Users\samuel\Desktop\FRST.txt
2015-07-25 09:25 - 2015-07-25 09:26 - 00000000 ____D C:\FRST
2015-07-25 09:25 - 2015-07-25 09:25 - 02146816 _____ (Farbar) C:\Users\samuel\Desktop\FRST64.exe
2015-07-25 08:59 - 2015-07-25 08:59 - 00000000 ____D C:\ProgramData\dbg
2015-07-25 08:57 - 2015-07-25 08:57 - 00000093 _____ C:\Users\samuel\AppData\Roaming\sp_data.sys
2015-07-24 21:32 - 2015-07-24 21:32 - 00000000 ____D C:\Users\samuel\Doctor Web
2015-07-24 21:31 - 2015-07-24 21:31 - 00000679 _____ C:\Users\samuel\Desktop\JRT.txt
2015-07-24 21:27 - 2015-07-24 21:27 - 00028672 ___SH C:\WINDOWS\system32\config\BCD-Template.LOG
2015-07-24 21:25 - 2015-07-24 21:26 - 00000000 ____D C:\ProgramData\HitmanPro
2015-07-24 21:25 - 2015-07-24 21:25 - 00001907 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-07-24 21:25 - 2015-07-24 21:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-07-24 21:25 - 2015-07-24 21:25 - 00000000 ____D C:\Program Files\HitmanPro
2015-07-24 21:25 - 2015-07-24 21:25 - 00000000 ____D C:\KVRT_Data
2015-07-24 21:23 - 2015-07-24 21:32 - 00109432 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2015-07-24 21:23 - 2015-07-24 21:32 - 00109432 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2015-07-24 21:23 - 2015-07-24 21:23 - 00001162 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2015-07-24 21:23 - 2015-07-24 21:23 - 00000000 ____D C:\Users\samuel\AppData\Local\Zemana
2015-07-24 21:23 - 2015-07-24 21:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2015-07-24 21:23 - 2015-07-24 21:23 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-07-24 21:21 - 2015-07-24 21:21 - 00001135 _____ C:\Users\Public\Desktop\herdProtect.lnk
2015-07-24 21:21 - 2015-07-24 21:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\herdProtect
2015-07-24 21:21 - 2015-07-24 21:21 - 00000000 ____D C:\Program Files\Reason
2015-07-24 21:19 - 2015-07-24 21:22 - 100992160 _____ (Kaspersky Lab ZAO) C:\Users\samuel\Desktop\KVRT.exe
2015-07-24 21:18 - 2015-07-25 09:10 - 00000000 ____D C:\EEK
2015-07-24 21:18 - 2015-07-24 21:18 - 00000757 _____ C:\Users\samuel\Desktop\Start Emsisoft Emergency Kit.lnk
2015-07-24 21:12 - 2015-07-24 21:15 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-24 21:12 - 2015-07-24 21:12 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-24 21:12 - 2015-07-24 21:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-24 21:12 - 2015-07-24 21:12 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-24 21:12 - 2015-07-24 21:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-24 21:12 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-24 21:12 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-24 21:12 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-24 21:03 - 2015-07-24 21:03 - 00000000 ____D C:\Belkin
2015-07-24 20:59 - 2015-07-24 21:09 - 168135896 _____ C:\Users\samuel\Desktop\sj34l0jj.exe
2015-07-24 20:54 - 2015-07-24 20:54 - 01798288 _____ (Malwarebytes Corporation) C:\Users\samuel\Desktop\JRT.exe
2015-07-24 20:50 - 2015-07-24 20:50 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\samuel\Desktop\TDSSKiller.exe
2015-07-24 20:50 - 2015-07-24 20:50 - 00000000 ____D C:\Users\samuel\Desktop\tdsskiller
2015-07-24 20:49 - 2015-07-24 20:49 - 04383777 _____ C:\Users\samuel\Desktop\tdsskiller.zip
2015-07-24 20:47 - 2015-07-25 09:02 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-401314101-946683506-2006832327-1001
2015-07-24 20:45 - 2015-07-24 21:29 - 00002342 _____ C:\Users\samuel\Desktop\Rkill.txt
2015-07-24 20:45 - 2015-07-24 20:45 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\samuel\Desktop\rkill.exe
2015-07-24 20:44 - 2015-07-25 09:04 - 00003910 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{5AE1F404-CFE1-4EA2-AAAF-FEC3889C8BBF}
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieUserList
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieSiteList
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 ____D C:\Users\samuel\AppData\Roaming\Macromedia
2015-07-24 20:39 - 2015-07-24 20:39 - 00000000 ____D C:\Users\samuel\AppData\Roaming\WebStorage
2015-07-24 20:37 - 2015-07-24 20:37 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2015-07-24 20:37 - 2015-07-24 20:37 - 00000000 ____D C:\WINDOWS\pss
2015-07-24 20:35 - 2015-07-24 20:42 - 00000000 ____D C:\ProgramData\USBChargerPlus
2015-07-24 20:33 - 2015-07-24 20:33 - 00000000 ____D C:\WINDOWS\System32\Tasks\WPD
2015-07-24 20:32 - 2015-07-24 20:35 - 00000000 ____D C:\Users\samuel\AppData\Local\Packages
2015-07-24 20:32 - 2015-07-24 20:32 - 00001444 _____ C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-24 20:32 - 2015-07-24 20:32 - 00000196 _____ C:\WINDOWS\FixPatch.log
2015-07-24 20:32 - 2015-07-24 20:32 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-07-24 20:32 - 2015-07-24 20:32 - 00000000 ____D C:\Users\samuel\AppData\Roaming\ASUS Flip
2015-07-24 20:32 - 2015-07-24 20:32 - 00000000 ____D C:\Users\samuel\AppData\Roaming\Adobe
2015-07-24 20:32 - 2015-07-24 20:32 - 00000000 ____D C:\Users\samuel\AppData\Local\VirtualStore
2015-07-24 20:31 - 2015-07-25 08:54 - 00000000 ____D C:\Users\samuel
2015-07-24 20:31 - 2015-07-24 20:31 - 00000020 ___SH C:\Users\samuel\ntuser.ini
2015-07-24 20:31 - 2014-05-14 22:36 - 00000000 ___RD C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-07-24 20:31 - 2014-03-18 03:33 - 00000000 ___RD C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-07-24 20:31 - 2014-03-18 03:13 - 00000369 _____ C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2015-07-24 20:31 - 2014-03-18 03:13 - 00000369 _____ C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2015-07-24 20:31 - 2013-08-22 08:36 - 00000000 ___RD C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-07-24 20:31 - 2013-08-22 08:36 - 00000000 ____D C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-25 09:14 - 2014-10-25 08:36 - 00299707 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-25 09:02 - 2014-10-25 08:57 - 00003400 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update1
2015-07-25 09:02 - 2014-10-25 08:57 - 00003390 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update2
2015-07-25 09:02 - 2014-03-18 03:03 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-25 09:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-25 08:56 - 2013-08-22 07:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-25 08:54 - 2014-03-18 02:54 - 00082526 _____ C:\WINDOWS\PFRO.log
2015-07-24 21:43 - 2013-08-22 06:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-07-24 21:27 - 2013-08-22 08:36 - 00262144 _____ C:\WINDOWS\system32\config\BCD-Template
2015-07-24 20:37 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-07-24 20:37 - 2013-08-22 07:46 - 00021599 _____ C:\WINDOWS\setupact.log
2015-07-24 20:32 - 2014-05-14 22:37 - 00000000 ____D C:\WINDOWS\Panther
2015-07-24 20:32 - 2014-05-14 21:58 - 00000000 ____D C:\WINDOWS\Log
2015-07-24 20:29 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\rescache
2015-07-24 20:28 - 2013-08-22 07:44 - 00335784 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-24 20:28 - 2013-08-22 06:36 - 00000000 __RHD C:\Users\Default

==================== Files in the root of some directories =======

2015-07-25 08:57 - 2015-07-25 08:57 - 0000093 _____ () C:\Users\samuel\AppData\Roaming\sp_data.sys
2014-10-25 08:48 - 2014-10-25 08:48 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-10-25 09:00 - 2014-03-25 18:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-14 21:43 - 2014-03-26 13:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-14 21:43 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-14 21:43 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

Files to move or delete:
====================
C:\ProgramData\RefreshReg.vbs
C:\ProgramData\SetStretch.VBS

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-07-24 20:28

==================== End of log ============================

 

 

and the addition:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-07-2015
Ran by samuel (administrator) on LOL (25-07-2015 09:26:18)
Running from C:\Users\samuel\Desktop
Loaded Profiles: samuel (Available Profiles: samuel)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSWinService.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
(ASUS) C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUSTek Computer INC.) C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(STMicroelectronics) C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_Manager.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSPanel.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ASUS HDD Protection Tray Application] => C:\Program Files (x86)\ST Microelectronics\ST_ACCEL\FFP_Manager.exe [54272 2013-12-03] (STMicroelectronics)
HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\Windows\system32\DptfPolicyLpmServiceHelper.exe [114048 2013-10-17] (Intel Corporation)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12312432 2015-07-23] (Zemana Ltd.)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [1080992 2014-05-14] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\ASUSWSLoader.exe [63296 2014-02-24] ()
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.1.2.301\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus13.msn.com/?pc=ASJB
HKU\S-1-5-21-401314101-946683506-2006832327-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus13.msn.com/?pc=ASJB
SearchScopes: HKU\S-1-5-21-401314101-946683506-2006832327-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-401314101-946683506-2006832327-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2012-06-01] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 200.94.160.248
Tcpip\..\Interfaces\{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D}: [DhcpNameServer] 200.94.160.248

FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-10-23] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-10-23] (Intel Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-05] ()

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.1.2.301\AsusWSWinService.exe [71680 2014-02-24] (ASUS Cloud Corporation) [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe [432528 2013-05-02] (Nuance Communications, Inc.)
R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-10-17] (Intel Corporation)
R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [116680 2013-10-17] (Intel Corporation)
R2 DptfPolicyLpmService; C:\Windows\system32\DptfPolicyLpmService.exe [126952 2013-10-17] (Intel Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-27] (WildTangent)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-07-24] (SurfRight B.V.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282072 2014-03-17] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [827392 2013-09-02] (Intel® Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-10-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-10-23] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 TransformService; C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe [69776 2014-04-30] (ASUS)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2014-05-14] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-05-14] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12312432 2015-07-23] (Zemana Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [71952 2014-03-31] (ASUS Corporation)
S3 AX88772; C:\Windows\system32\DRIVERS\ax88772.sys [113864 2013-07-18] (ASIX Electronics Corp.)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [289744 2013-10-17] (Intel Corporation)
R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [494296 2013-10-17] (Intel Corporation)
R1 epp64; C:\EEK\bin\epp64.sys [136456 2015-07-25] (Emsisoft GmbH)
R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-08] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-08-08] (Intel Corporation)
R3 INVN_MotionApps; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-05] ( )
S3 m76usb; C:\Windows\System32\drivers\m76usb.sys [539336 2014-04-28] (Ralink Technology Corp.)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-10-23] (Intel Corporation)
R3 SensorsAlsDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
R3 ST_ACCEL; C:\Windows\system32\DRIVERS\ST_Accel.sys [83456 2013-09-14] (STMicroelectronics)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2014-05-14] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [109432 2015-07-24] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [109432 2015-07-24] (Zemana Ltd.)
U0 msahci; system32\drivers\msahci.sys

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-25 09:26 - 2015-07-25 09:26 - 00011515 _____ C:\Users\samuel\Desktop\FRST.txt
2015-07-25 09:25 - 2015-07-25 09:26 - 00000000 ____D C:\FRST
2015-07-25 09:25 - 2015-07-25 09:25 - 02146816 _____ (Farbar) C:\Users\samuel\Desktop\FRST64.exe
2015-07-25 08:59 - 2015-07-25 08:59 - 00000000 ____D C:\ProgramData\dbg
2015-07-25 08:57 - 2015-07-25 08:57 - 00000093 _____ C:\Users\samuel\AppData\Roaming\sp_data.sys
2015-07-24 21:32 - 2015-07-24 21:32 - 00000000 ____D C:\Users\samuel\Doctor Web
2015-07-24 21:31 - 2015-07-24 21:31 - 00000679 _____ C:\Users\samuel\Desktop\JRT.txt
2015-07-24 21:27 - 2015-07-24 21:27 - 00028672 ___SH C:\WINDOWS\system32\config\BCD-Template.LOG
2015-07-24 21:25 - 2015-07-24 21:26 - 00000000 ____D C:\ProgramData\HitmanPro
2015-07-24 21:25 - 2015-07-24 21:25 - 00001907 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-07-24 21:25 - 2015-07-24 21:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-07-24 21:25 - 2015-07-24 21:25 - 00000000 ____D C:\Program Files\HitmanPro
2015-07-24 21:25 - 2015-07-24 21:25 - 00000000 ____D C:\KVRT_Data
2015-07-24 21:23 - 2015-07-24 21:32 - 00109432 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2015-07-24 21:23 - 2015-07-24 21:32 - 00109432 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2015-07-24 21:23 - 2015-07-24 21:23 - 00001162 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2015-07-24 21:23 - 2015-07-24 21:23 - 00000000 ____D C:\Users\samuel\AppData\Local\Zemana
2015-07-24 21:23 - 2015-07-24 21:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2015-07-24 21:23 - 2015-07-24 21:23 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-07-24 21:21 - 2015-07-24 21:21 - 00001135 _____ C:\Users\Public\Desktop\herdProtect.lnk
2015-07-24 21:21 - 2015-07-24 21:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\herdProtect
2015-07-24 21:21 - 2015-07-24 21:21 - 00000000 ____D C:\Program Files\Reason
2015-07-24 21:19 - 2015-07-24 21:22 - 100992160 _____ (Kaspersky Lab ZAO) C:\Users\samuel\Desktop\KVRT.exe
2015-07-24 21:18 - 2015-07-25 09:10 - 00000000 ____D C:\EEK
2015-07-24 21:18 - 2015-07-24 21:18 - 00000757 _____ C:\Users\samuel\Desktop\Start Emsisoft Emergency Kit.lnk
2015-07-24 21:12 - 2015-07-24 21:15 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-24 21:12 - 2015-07-24 21:12 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-24 21:12 - 2015-07-24 21:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-24 21:12 - 2015-07-24 21:12 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-24 21:12 - 2015-07-24 21:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-24 21:12 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-24 21:12 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-24 21:12 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-24 21:03 - 2015-07-24 21:03 - 00000000 ____D C:\Belkin
2015-07-24 20:59 - 2015-07-24 21:09 - 168135896 _____ C:\Users\samuel\Desktop\sj34l0jj.exe
2015-07-24 20:54 - 2015-07-24 20:54 - 01798288 _____ (Malwarebytes Corporation) C:\Users\samuel\Desktop\JRT.exe
2015-07-24 20:50 - 2015-07-24 20:50 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\samuel\Desktop\TDSSKiller.exe
2015-07-24 20:50 - 2015-07-24 20:50 - 00000000 ____D C:\Users\samuel\Desktop\tdsskiller
2015-07-24 20:49 - 2015-07-24 20:49 - 04383777 _____ C:\Users\samuel\Desktop\tdsskiller.zip
2015-07-24 20:47 - 2015-07-25 09:02 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-401314101-946683506-2006832327-1001
2015-07-24 20:45 - 2015-07-24 21:29 - 00002342 _____ C:\Users\samuel\Desktop\Rkill.txt
2015-07-24 20:45 - 2015-07-24 20:45 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\samuel\Desktop\rkill.exe
2015-07-24 20:44 - 2015-07-25 09:04 - 00003910 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{5AE1F404-CFE1-4EA2-AAAF-FEC3889C8BBF}
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieUserList
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieSiteList
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 ____D C:\Users\samuel\AppData\Roaming\Macromedia
2015-07-24 20:39 - 2015-07-24 20:39 - 00000000 ____D C:\Users\samuel\AppData\Roaming\WebStorage
2015-07-24 20:37 - 2015-07-24 20:37 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2015-07-24 20:37 - 2015-07-24 20:37 - 00000000 ____D C:\WINDOWS\pss
2015-07-24 20:35 - 2015-07-24 20:42 - 00000000 ____D C:\ProgramData\USBChargerPlus
2015-07-24 20:33 - 2015-07-24 20:33 - 00000000 ____D C:\WINDOWS\System32\Tasks\WPD
2015-07-24 20:32 - 2015-07-24 20:35 - 00000000 ____D C:\Users\samuel\AppData\Local\Packages
2015-07-24 20:32 - 2015-07-24 20:32 - 00001444 _____ C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-24 20:32 - 2015-07-24 20:32 - 00000196 _____ C:\WINDOWS\FixPatch.log
2015-07-24 20:32 - 2015-07-24 20:32 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-07-24 20:32 - 2015-07-24 20:32 - 00000000 ____D C:\Users\samuel\AppData\Roaming\ASUS Flip
2015-07-24 20:32 - 2015-07-24 20:32 - 00000000 ____D C:\Users\samuel\AppData\Roaming\Adobe
2015-07-24 20:32 - 2015-07-24 20:32 - 00000000 ____D C:\Users\samuel\AppData\Local\VirtualStore
2015-07-24 20:31 - 2015-07-25 08:54 - 00000000 ____D C:\Users\samuel
2015-07-24 20:31 - 2015-07-24 20:31 - 00000020 ___SH C:\Users\samuel\ntuser.ini
2015-07-24 20:31 - 2014-05-14 22:36 - 00000000 ___RD C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-07-24 20:31 - 2014-03-18 03:33 - 00000000 ___RD C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-07-24 20:31 - 2014-03-18 03:13 - 00000369 _____ C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2015-07-24 20:31 - 2014-03-18 03:13 - 00000369 _____ C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2015-07-24 20:31 - 2013-08-22 08:36 - 00000000 ___RD C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-07-24 20:31 - 2013-08-22 08:36 - 00000000 ____D C:\Users\samuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-25 09:14 - 2014-10-25 08:36 - 00299707 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-25 09:02 - 2014-10-25 08:57 - 00003400 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update1
2015-07-25 09:02 - 2014-10-25 08:57 - 00003390 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update2
2015-07-25 09:02 - 2014-03-18 03:03 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-25 09:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-25 08:56 - 2013-08-22 07:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-25 08:54 - 2014-03-18 02:54 - 00082526 _____ C:\WINDOWS\PFRO.log
2015-07-24 21:43 - 2013-08-22 06:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-07-24 21:27 - 2013-08-22 08:36 - 00262144 _____ C:\WINDOWS\system32\config\BCD-Template
2015-07-24 20:37 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-07-24 20:37 - 2013-08-22 07:46 - 00021599 _____ C:\WINDOWS\setupact.log
2015-07-24 20:32 - 2014-05-14 22:37 - 00000000 ____D C:\WINDOWS\Panther
2015-07-24 20:32 - 2014-05-14 21:58 - 00000000 ____D C:\WINDOWS\Log
2015-07-24 20:29 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\rescache
2015-07-24 20:28 - 2013-08-22 07:44 - 00335784 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-24 20:28 - 2013-08-22 06:36 - 00000000 __RHD C:\Users\Default

==================== Files in the root of some directories =======

2015-07-25 08:57 - 2015-07-25 08:57 - 0000093 _____ () C:\Users\samuel\AppData\Roaming\sp_data.sys
2014-10-25 08:48 - 2014-10-25 08:48 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-10-25 09:00 - 2014-03-25 18:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-14 21:43 - 2014-03-26 13:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-14 21:43 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-14 21:43 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

Files to move or delete:
====================
C:\ProgramData\RefreshReg.vbs
C:\ProgramData\SetStretch.VBS

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-07-24 20:28

==================== End of log ============================


Edited by samidelcueva, 25 July 2015 - 10:57 AM.

  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets do this a stage at a time

FIRST

Clear the USB

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
mcshield%20unhide.JPG
Plug in the drive and McShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

NEXT

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
2015-07-25 08:57 - 2015-07-25 08:57 - 00000093 _____ C:\Users\samuel\AppData\Roaming\sp_data.sys
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieUserList
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieSiteList
2015-07-24 20:32 - 2015-07-24 20:32 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-10-25 09:00 - 2014-03-25 18:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-14 21:43 - 2014-03-26 13:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-14 21:43 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-14 21:43 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that

FINALLY

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the "Scan" button to start scan

AswMBR%20scan.JPG


On completion of the scan click save log, save it to your desktop and post in your next reply
  • 0

#6
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

MC Shield log:

note: I have to say, that I used 3 usb because I were doing some rescue cd, and so I format the usb several times

 

aswMBR, is still scanning, as soon it ends I will post the log

 

>>> MCShield AllScans.txt <<<

-----------------------------

 

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

7/25/2015 10:08:21 AM > Unidad C: - análisis comenzó (OS ~445 GB, NTFS HDD )...

 

=> El disco está limpio.

 

 

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

7/25/2015 10:10:52 AM > Unidad D: - análisis comenzó (Ninguna designación ~7437 MB, FAT32 memoria flash )...

 

=> El disco está limpio.

 

 

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

7/25/2015 10:11:24 AM > Unidad D: - análisis comenzó (Ninguna designación ~3828 MB, FAT32 memoria flash )...

 

=> El disco está limpio.

 

 

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

7/25/2015 10:16:58 AM > Unidad C: - análisis comenzó (OS ~445 GB, NTFS HDD )...

 

=> El disco está limpio.

7/25/2015 10:16:58 AM > Unidad D: - análisis comenzó (Ninguna designación ~3828 MB, FAT32 memoria flash )...

 

=> El disco está limpio.

 

 

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

7/25/2015 10:21:27 AM > Unidad E: - análisis comenzó (HITMANPRO ~3812 MB, FAT32 memoria flash )...

 

=> El disco está limpio.

 

 

and the FRST fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:25-07-2015
Ran by samuel at 2015-07-25 10:13:47 Run:1
Running from C:\Users\samuel\Desktop
Loaded Profiles: samuel (Available Profiles: samuel)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
2015-07-25 08:57 - 2015-07-25 08:57 - 00000093 _____ C:\Users\samuel\AppData\Roaming\sp_data.sys
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieUserList
2015-07-24 20:44 - 2015-07-24 20:44 - 00000000 __SHD C:\Users\samuel\AppData\Local\EmieSiteList
2015-07-24 20:32 - 2015-07-24 20:32 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-10-25 09:00 - 2014-03-25 18:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-14 21:43 - 2014-03-26 13:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-14 21:43 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-14 21:43 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

*****************

Restore point was successfully created.
C:\Users\samuel\AppData\Roaming\sp_data.sys => moved successfully.
C:\Users\samuel\AppData\Local\EmieUserList => moved successfully.
C:\Users\samuel\AppData\Local\EmieSiteList => moved successfully.
C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat => moved successfully.
C:\ProgramData\RefreshReg.vbs => moved successfully.
C:\ProgramData\SetStretch.cmd => moved successfully.
C:\ProgramData\SetStretch.exe => moved successfully.
C:\ProgramData\SetStretch.VBS => moved successfully.

=========  netsh advfirewall reset =========

Ok.

========= End of CMD: =========

=========  netsh advfirewall set allprofiles state ON =========

Ok.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  netsh int ip reset c:\resetlog.txt =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.

========= End of CMD: =========

=========  ipconfig /release =========

Windows IP Configuration

No operation can be performed on Local Area Connection* 2 while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::cd32:5781:adb4:ec1e%4
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:103c:3582:3f57:fffb
   Link-local IPv6 Address . . . . . : fe80::103c:3582:3f57:fffb%10
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========

=========  ipconfig /renew =========

Windows IP Configuration

No operation can be performed on Local Area Connection* 2 while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::cd32:5781:adb4:ec1e%4
   IPv4 Address. . . . . . . . . . . : 192.168.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Tunnel adapter isatap.{EEF98F8E-5F9D-4000-8E8A-75D19401AA9D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:1039:f3c:3f57:fffb
   Link-local IPv6 Address . . . . . : fe80::1039:f3c:3f57:fffb%10
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========

=========  netsh int ipv4 reset =========

Resetting Interface, OK!
Resetting , failed.
Access is denied.

Restart the computer to complete this action.

========= End of CMD: =========

=========  netsh int ipv6 reset =========

Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-401314101-946683506-2006832327-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-401314101-946683506-2006832327-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {7410E4DE-0E68-49E0-9433-D310E97AACEC}.
Unable to cancel {D67FE499-7F83-4915-B03A-97CC9397D60A}.
Unable to cancel {C9687A76-0B88-4604-8EF4-300C3DCD8615}.
Unable to cancel {4537A04B-A51E-4473-A97A-D27835ACA52A}.
Unable to cancel {817F96AD-4622-4D7A-9606-30B2305B8BE4}.
Unable to cancel {5F1F1A28-6830-458F-8C90-4E1D0E060CE0}.
Unable to cancel {DF9BFA9A-51D9-4171-8229-397C3C4C65CB}.
Unable to cancel {E020F2A3-4F3E-4DBF-A4FD-8A38D33CE6EB}.
Unable to cancel {81F9D81B-9DBF-4AB3-A526-E5716C3F5528}.
Unable to cancel {6B2A872B-D6E7-4F98-AF85-DB3618F12C3D}.
Unable to cancel {AE554679-11DC-4016-89FC-EE85F014071C}.
Unable to cancel {28FB4F44-B418-4292-B386-497660DC5C0C}.
Unable to cancel {D6664A68-BF0F-4210-A769-D42888234001}.
Unable to cancel {A9F4663D-4170-42A1-888A-FE891D1E299B}.
Unable to cancel {1D92B013-CF12-4872-A5A2-C97DDEBBD79D}.
Unable to cancel {AD23E7D8-B124-4A2F-8F99-68EDE6A82677}.
Unable to cancel {89F48310-DBEE-4241-8799-07C150ABFE96}.
Unable to cancel {DCD89DCA-E0F3-4AAC-A683-98E3FE72ED8C}.
Unable to cancel {F2548588-EF03-435D-A1AD-E72FC11A11A8}.
Unable to cancel {70DE5FBA-1EC3-4BDD-B645-A65387503C66}.
Unable to cancel {C6887D88-27A8-48DE-836A-C7377B846EB0}.
Unable to cancel {E19AA8DC-857B-47D3-B732-949EB86C7D2F}.
Unable to cancel {6D078784-618B-45BC-BB50-0DAC72AB4FAD}.
Unable to cancel {80F5596B-D12F-44AC-998E-F07F81252387}.
Unable to cancel {79236FB7-470C-402D-97B6-579EAE13F725}.
Unable to cancel {20A14258-5651-4A77-9BDC-D6CCC13265F0}.
Unable to cancel {01BE2EFD-7070-4760-9B20-602511C14700}.
Unable to cancel {3FDCE06C-BBC2-4B53-BC5E-8F5C3965789B}.
Unable to cancel {CC919644-2EF4-4492-8E37-5861AED41F7E}.
Unable to cancel {1FD6C3BD-F302-4BF2-BFBF-DEA4090EC525}.
Unable to cancel {8E747808-38B6-4CA0-AFA4-6EDF57B59BC2}.
Unable to cancel {AAAC205C-E5B1-45F2-A176-068E35DCCBE8}.
Unable to cancel {EEB476AF-8CD7-4F6B-B9F6-E024AF63F66F}.
Unable to cancel {6AE2B063-6FCD-4629-953A-E99B710159A7}.
Unable to cancel {0A634F17-4A2D-49B2-AB85-C4D71D82B3C0}.
Unable to cancel {AAF2E258-F892-48D8-A194-219F5F58320F}.
0 out of 36 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 385.5 MB temporary data Removed.

The system needed a reboot..

==== End of Fixlog 10:14:22 ====


  • 0

#7
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

aswMBR log:

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2015-07-25 10:19:13
-----------------------------
10:19:13.383    OS Version: Windows x64 6.2.9200
10:19:13.383    Number of processors: 4 586 0x4501
10:19:13.383    ComputerName: LOL  UserName:
10:19:17.571    Initialize success
10:19:17.680    VM: initialized successfully
10:19:17.680    VM: Intel CPU supported
10:19:19.973    VM: disk I/O iaStorA.sys
10:22:39.430    AVAST engine defs: 15072500
10:23:17.212    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000035
10:23:17.212    Disk 0 Vendor: TOSHIBA_MQ01ABF050 AM0B1J Size: 476940MB BusType: 11
10:23:17.368    Disk 0 MBR read successfully
10:23:17.368    Disk 0 MBR scan
10:23:17.384    Disk 0 unknown MBR code
10:23:17.384    Disk 0 Partition 1 00     EE            GPT           2097151 MB offset 1
10:23:17.571    Disk 0 scanning C:\WINDOWS\system32\drivers
10:23:30.978    Service scanning
10:24:47.026    Modules scanning
10:24:47.026    Disk 0 trace - called modules:
10:24:47.057    ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys storport.sys hal.dll iaStorA.sys
10:24:47.057    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0011e2ee770]
10:24:47.072    3 CLASSPNP.SYS[fffff8008fb6aabb] -> nt!IofCallDriver -> [0xffffe0011e2ee040]
10:24:47.072    5 stdcfltn.sys[fffff800901a8d12] -> nt!IofCallDriver -> [0xffffe0011c4c8040]
10:24:47.072    7 ACPI.sys[fffff8008f0077aa] -> nt!IofCallDriver -> [0xffffe0011c4caa00]
10:24:47.072    9 ACPI.sys[fffff8008f0077aa] -> nt!IofCallDriver -> \Device\00000035[0xffffe0011c4ca060]
10:24:47.791    AVAST engine scan C:\WINDOWS
10:24:50.369    AVAST engine scan C:\WINDOWS\system32
10:27:47.575    AVAST engine scan C:\WINDOWS\system32\drivers
10:28:12.091    AVAST engine scan C:\Users\samuel
10:28:48.888    AVAST engine scan C:\ProgramData
10:29:10.482    Disk 0 statistics 2795128/0/0 @ 11.82 MB/s
10:29:10.498    Scan finished successfully
10:34:33.385    Disk 0 MBR has been saved successfully to "C:\Users\samuel\Desktop\MBR.dat"
10:34:33.385    The log file has been saved successfully to "C:\Users\samuel\Desktop\aswMBR.txt"

 


  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you now post the log that TDSSKiller generated showing the rootkit
  • 0

#9
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

:upset:  I will have a problem with that because I didn't save the log file, or the name of the rootkit, because I formatted my computer and now, did not find nothing except this


  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
As it stands I can see nothing untoward

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application
    tdss%20start.JPG
  • Then click on Change parameters.

    tdss%20Change%20param.JPG
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    tdss%20threat.JPG
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports

    tdss%20report.JPG
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
  • 0

Advertisements


#11
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

Here is the tdss killer log,

 

before I run tdss killer, I had to restart my computer because a update, it was to slow to restart, and when finally restart I notice that my computer was more slow, so I run rkill, and I attach the results too

Attached Files


  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
So the main problem at the moment then is speed is that correct

Download and run farbar service scanner

fssscan.JPG

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
  • 0

#13
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

yeap its slowness the main problem, and the  * C:\Users\samuel\AppData\Local\Temp\{8C1DA5C2-2D99-4E33-9868-3E6D4532CD23}.exe (PID: 3544) [T-HEUR], that rkill found
 

 

Farbar Service Scanner Version: 25-07-2015
Ran by samuel (administrator) on 25-07-2015 at 12:02:44
Running from "C:\Users\samuel\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****


  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That should have gone when I emptied the temps, but lets just make sure


CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
C:\Users\samuel\AppData\Local\Temp\{8C1DA5C2-2D99-4E33-9868-3E6D4532CD23}.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
  • 0

#15
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

here is the log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:25-07-2015
Ran by samuel at 2015-07-25 12:46:08 Run:2
Running from C:\Users\samuel\Desktop
Loaded Profiles: samuel (Available Profiles: samuel)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Users\samuel\AppData\Local\Temp\{8C1DA5C2-2D99-4E33-9868-3E6D4532CD23}.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

*****************

Restore point was successfully created.
C:\Users\samuel\AppData\Local\Temp\{8C1DA5C2-2D99-4E33-9868-3E6D4532CD23}.exe => moved successfully.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 407.3 MB temporary data Removed.

The system needed a reboot..

==== End of Fixlog 12:46:24 ====


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP