Try What the Tech -- It's free!



LAMZAP - What is this Demon? [Solved]

Malware Virus Lamzap

  • This topic is locked
101 replies to this topic

#31 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 28 July 2016 - 03:29 PM

Still don't see it.

 

When you go to More Reply Options > Choose File, wait until it loads, then Attach this File.

 

But go ahead and run RogueKiller.



 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.



#32 Top

    Authentic Member

  • 73 posts

Posted 28 July 2016 - 04:58 PM

RogueKiller V12.4.1.0 (x64) [Jul 28 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bud Parker [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 07/28/2016 17:19:15

¤¤¤ Processes : 3 ¤¤¤
[Suspicious.Path|Proc.Injected|VT.Unknown] Lamzap.exe(4712) -- C:\ProgramData\Lamzap\Lamzap.exe[-] -> Found
[Proc.Injected] firefox.exe(5652) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[PUP|VT.Dropper.Generic9.AILM] (SVC) Lamzap -- C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a[x] -> Found

¤¤¤ Registry : 19 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\mtLamzap -> Found
[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cad59fc9af939f2528d349888eab9565 -> Found
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Found
[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cad59fc9af939f2528d349888eab9565 -> Found
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Foobquf ("C:\Users\Bud Parker\AppData\Roaming\FudropHhset\Pumei.exe" -cms) -> Found
[PUP|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Partner Service ("C:\ProgramData\Partner\Partner.exe") -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9MlTM_8ZcX8IN4Qoi_tSRqk6-2J1dDO_JHaLMVOS-w--CGZIVWyy3ULudU-fYP5nBQp2vqq_LS4XumQStFDqrSWsU-x  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9MlTM_8ZcX8IN4Qoi_tSRqk6-2J1dDO_JHaLMVOS-w--CGZIVWyy3ULudU-fYP5nBQp2vqq_LS4XumQStFDqrSWsU-x  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv78&r=273603164505l03g4z125a4872v290 -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv78&r=273603164505l03g4z125a4872v290 -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[Suspicious.Path|VT.PUP.Optional.Linkury] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Lamzap\Hayfan.dll [-] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 6 ¤¤¤
[Hj.Shortcut][File] C:\Users\Bud Parker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe %SNP% -> Found
[Hj.Shortcut][File] C:\Users\Bud Parker\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe %SNP% -> Found
[Hj.Shortcut][File] C:\Users\Bud Parker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe %SNP% -> Found
[PUP][Folder] C:\ProgramData\Lamzap -> Found
[PUP][Folder] C:\ProgramData\Lamzaps -> Found
[Hj.Shortcut][File] C:\Users\Bud Parker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe %SNP% -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kjqunreh.default : user_pref("browser.startup.homepage", "C:\ProgramData\Lamzaps\ff.HP"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD7500BPKX-00HPJT0 ATA Device +++++
--- User ---
[MBR] 6a3f25c3d70cdc74d14f1b347b7090d1
[BSP] 1de81a45c15919a65b80ee5e5dac114a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Disk drive +++++
--- User ---
[MBR] 1dbfae835883833d641466db3bbadbd3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 38208 | Size: 31183 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 


Top

 

US Army, Retired
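Added editorial example, not part of Top's post and not RogueKiller's own code. The scan log above reads best as a list of persistence mechanisms rather than a list of files: a service whose ImagePath points into C:\ProgramData, an AppInit_DLLs value that makes every process loading user32.dll also load C:\ProgramData\Lamzap\Hayfan.dll (while LoadAppInit_DLLs is enabled), a service key RogueKiller reports as hidden from the Service Control Manager, and IE Start Page / Search Page values whose hostnames are percent-encoded so they do not read as domains (http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D decodes to feed.snapdo.com, the Search Page host to feed.sonic-search.com). The Python below parses lines in this V12 format, decodes those hostnames, and groups findings by mechanism so the loaders get attention before the cosmetic browser settings. The sample log is constructed from a subset of the lines above with the long tracking parameters shortened; the mechanism labels and the triage order are this example's own assumptions, not RogueKiller categories.

```python
"""Triage a RogueKiller V12 scan log (added example; not code from the forum post
or from RogueKiller): decode %XX domains in hijacked IE settings, group by mechanism."""
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the log above (tracking parameters shortened).
SAMPLE_LOG = r"""
¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path|Proc.Injected|VT.Unknown] Lamzap.exe(4712) -- C:\ProgramData\Lamzap\Lamzap.exe[-] -> Found
[PUP|VT.Dropper.Generic9.AILM] (SVC) Lamzap -- C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a[x] -> Found
¤¤¤ Registry : 6 ¤¤¤
[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cad59fc9af939f2528d349888eab9565 -> Found
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpY  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpY&q={searchTerms}  -> Found
[Suspicious.Path|VT.PUP.Optional.Linkury] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Lamzap\Hayfan.dll [-] -> Found
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kjqunreh.default : user_pref("browser.startup.homepage", "C:\ProgramData\Lamzaps\ff.HP"); -> Found
"""

FINDING_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\](?:\[[^\]]+\])?"   # [PUP|...] plus optional [File]/[FIREFX:Config]
    r"\s*(?:\((?P<scope>X64|X86|SVC)\))?"     # registry view, or SVC for a running service
    r"\s*(?P<body>.*?)\s*->\s*(?P<status>.+?)\s*$")
URL_RE = re.compile(r"https?://\S+")
# Triage order (labels are this example's own): boot-time loaders first, cosmetics last.
ORDER = ("hidden service entry", "AppInit_DLLs injection", "service / driver",
         "injected process", "shortcut hijack", "browser setting", "other")


@dataclass
class Finding:
    tags: list
    scope: str
    body: str
    status: str
    key: str = ""         # registry key, when the finding is a registry entry
    value_name: str = ""  # e.g. "Start Page", "AppInit_DLLs"
    data: str = ""        # value data, or the service's ImagePath

    @property
    def hosts(self):
        # Decode %XX before splitting, so http://%66%65%65%64... yields its real domain.
        urls = URL_RE.findall(self.data or self.body)
        return [h for h in (urlsplit(unquote(u)).hostname for u in urls) if h]

    @property
    def mechanism(self):
        if "Hidden.From.SCM" in self.tags:
            return "hidden service entry"
        if self.value_name == "AppInit_DLLs":    # loaded into every user32-linked process
            return "AppInit_DLLs injection"
        if "\\Services\\" in self.key or self.scope == "SVC":
            return "service / driver"
        if "Proc.Injected" in self.tags:
            return "injected process"
        if "Hj.Shortcut" in self.tags:
            return "shortcut hijack"
        if any(t.startswith("PUM.") for t in self.tags):
            return "browser setting"
        return "other"


def parse_log(text):
    """One Finding per '... -> <status>' line; registry lines are split further."""
    findings = []
    for m in filter(None, (FINDING_RE.match(ln.strip()) for ln in text.splitlines())):
        f = Finding(m["tags"].split("|"), m["scope"] or "", m["body"], m["status"])
        if f.body.startswith("HKEY_"):
            # "KEY | ValueName : data" for values; service keys carry the ImagePath
            # in trailing parentheses instead.
            f.key, _, rest = f.body.partition(" | ")
            if rest:
                f.value_name, _, f.data = rest.partition(" : ")
                f.data = f.data.replace("[-]", "").strip()
            else:
                paren = re.search(r"\((.*)\)$", f.key)
                if paren:
                    f.key, f.data = f.key[:paren.start()].strip(), paren.group(1)
        findings.append(f)
    return findings


def hijacked_hosts(findings):
    """Decoded domains behind every PUM.HomePage / PUM.SearchPage value."""
    return sorted({h for f in findings if f.mechanism == "browser setting" for h in f.hosts})


def triage(findings):
    """Findings grouped by mechanism in ORDER; empty groups omitted."""
    groups = {m: [f for f in findings if f.mechanism == m] for m in ORDER}
    return {m: fs for m, fs in groups.items() if fs}


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("redirect domains:", hijacked_hosts(found))
    print({m: [f.key or f.body for f in g] for m, g in triage(found).items()})
```

Run it as a script for the grouped report, or call parse_log() on a saved RogueKiller .txt. The same parser keeps the status column, so on the Delete log later in the thread it also records which entries came back as Deleted, Replaced, Removed at reboot or ERROR, which is where to look first when something survives the cleanup.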


#33 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 28 July 2016 - 05:23 PM

Close all programs
Right-click RogueKiller and select "Run as Administrator"
After it has completed its prescan, click on Scan
 
Click on the “Process” tab
Make sure the following entries there are checked:
 
[Suspicious.Path|Proc.Injected|VT.Unknown] Lamzap.exe(4712) -- C:\ProgramData\Lamzap\Lamzap.exe[-] -> Found
[PUP|VT.Dropper.Generic9.AILM] (SVC) Lamzap -- C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a[x] -> Found
 
 
Click on the “Web Browsers” tab and place a checkmark next to these:
 
[PUM.HomePage][FIREFX:Config] kjqunreh.default : user_pref("browser.startup.homepage", "C:\ProgramData\Lamzaps\ff.HP"); -> Found
 
 
 
Click on the “Registry” tab and place a checkmark next to these:
 
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\mtLamzap -> Found
 
[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cad59fc9af939f2528d349888eab9565 -> Found
 
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Found
 
[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cad59fc9af939f2528d349888eab9565 -> Found
 
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Found
 
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9MlTM_8ZcX8IN4Qoi_tSRqk6-2J1dDO_JHaLMVOS-w--CGZIVWyy3ULudU-fYP5nBQp2vqq_LS4XumQStFDqrSWsU-x  -> Found
 
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9MlTM_8ZcX8IN4Qoi_tSRqk6-2J1dDO_JHaLMVOS-w--CGZIVWyy3ULudU-fYP5nBQp2vqq_LS4XumQStFDqrSWsU-x  -> Found
 
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
 
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
 
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
 
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Found
 
[Suspicious.Path|VT.PUP.Optional.Linkury] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Lamzap\Hayfan.dll [-] -> Found
 
 
 
Then press the Delete button and post the log it produces


 
 

#34 Top

    Authentic Member

  • 73 posts

Posted 28 July 2016 - 10:19 PM

Here is the RogueKiller report after the deletion process. . .

 

RogueKiller V12.4.1.0 (x64) [Jul 28 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bud Parker [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 07/28/2016 23:10:13

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path|Proc.Injected|VT.Dropper.Generic9.AILM] Lamzap.exe(5424) -- C:\ProgramData\Lamzap\Lamzap.exe[-] -> Killed [TermProc]
[PUP|VT.Dropper.Generic9.AILM] (SVC) Lamzap -- C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a[-] -> ERROR [6d]

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\mtLamzap -> Deleted
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Deleted
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Deleted
[PUP|Suspicious.Path|VT.Dropper.Generic9.AILM] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lamzap (C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a) -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9MlTM_8ZcX8IN4Qoi_tSRqk6-2J1dDO_JHaLMVOS-w--CGZIVWyy3ULudU-fYP5nBQp2vqq_LS4XumQStFDqrSWsU-x  -> Replaced (http://go.microsoft..../?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9MlTM_8ZcX8IN4Qoi_tSRqk6-2J1dDO_JHaLMVOS-w--CGZIVWyy3ULudU-fYP5nBQp2vqq_LS4XumQStFDqrSWsU-x  -> Replaced (http://go.microsoft..../?LinkId=255141)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Replaced (http://go.microsoft....k/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Replaced (http://go.microsoft....k/?LinkId=54896)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPhuTaZ17vJ3frYn59HrL-X3ClkPrJO7VoWVZ3t7tPNQGvKjF72C367JmhiWsudzFrQPH9hVxOGkdTp9-MDd2zs5uzDEDtGzS4DPOrAODx9rEDelr3silyCuq64nA6VLMHJFa_etccP_CjtghLSPL2CdCJFMetLM5Ci4qvNkbi&q={searchTerms}  -> Replaced (http://search.msn.com/spbasic.htm)
[Suspicious.Path|VT.PUP.Optional.Linkury] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Lamzap\Redfan.dll [-] -> Replaced ()

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Hj.Shortcut][File] C:\Users\Bud Parker\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe %SNP% -> No replacement found
[PUP][Folder] C:\ProgramData\Lamzap -> Removed at reboot [91]
[PUP][File] C:\ProgramData\Lamzap\CofTam.bin -> Deleted
[PUP][File] C:\ProgramData\Lamzap\conf.config -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Config.xml -> Deleted
[PUP][File] C:\ProgramData\Lamzap\DripFan.dll -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Fixkix.exe -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Fixkix.exe.config -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Fixtouch.dat -> Deleted
[PUP][File] C:\ProgramData\Lamzap\GeoDamtop.dat -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Lamdax.bin -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Lamzap.d.dat -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Lamzap.dat -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Lamzap.exe -> Deleted
[PUP][File] C:\ProgramData\Lamzap\md.xml -> Deleted
[PUP][Folder] C:\ProgramData\Lamzap\ondemand -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Redfan.dll -> Removed at reboot [5]
[PUP][File] C:\ProgramData\Lamzap\Ronlex.bin -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Singlehome.bin -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Solorandax.exe -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Solorandax.exe.config -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Sonflex.bin -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Tinremstock.dat -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Trio-Nix.bin -> Deleted
[PUP][File] C:\ProgramData\Lamzap\uninstall.dat -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Voyalex.exe -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Voyalex.exe.config -> Deleted
[PUP][File] C:\ProgramData\Lamzap\Zonity.bin -> Deleted
[PUP][Folder] C:\ProgramData\Lamzaps -> Deleted
[PUP][File] C:\ProgramData\Lamzaps\ff.HP -> Deleted
[PUP][File] C:\ProgramData\Lamzaps\ff.NT -> Deleted
[PUP][File] C:\ProgramData\Lamzaps\snp.sc -> Deleted

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kjqunreh.default : user_pref("browser.startup.homepage", "C:\ProgramData\Lamzaps\ff.HP"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD7500BPKX-00HPJT0 ATA Device +++++
--- User ---
[MBR] 6a3f25c3d70cdc74d14f1b347b7090d1
[BSP] 1de81a45c15919a65b80ee5e5dac114a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715402 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Disk drive +++++
--- User ---
[MBR] 1dbfae835883833d641466db3bbadbd3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 38208 | Size: 31183 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 


Top

 

US Army, Retired


#35 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 29 July 2016 - 04:01 AM

Good Morning

 

Looking good.  

 

Open Malwarebytes and on the dashboard go to History > Quarantine and Delete All

 

Then let's remove all that AdwCleaner found; if we need this program again I will provide a link.

 

Double click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked if you are sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.
 
 
 
 

Download Avast-browser-cleanup to your desktop
 
  • There is nothing to install, just right click on it and Run As Administrator
  • When it's finished scanning it will list Browser Add-Ons
  • If it finds Lamzap or any other bogus toolbars
  • Just highlight them and select REMOVE
  • Close out the program
  • Reboot your system and test your browsers
 
 
 
====================================================================
Let's set your three browsers back to defaults
 
  • Open IE
  • Go to Tools > Internet Options > Advanced Tab
  • Reset Internet Explorer Settings
  • Reset
  • This will take a few seconds
  • Close IE and then reopen it and see if it helped
 
  • Click the Chrome menu on the browser toolbar.
  • Select Settings.
  • Scroll down to Show advanced settings...
  • Down on the bottom you will see an option for RESET BROWSER SETTINGS
  • Click on it and it will set Chrome back to defaults
 
  • Open Firefox
  • Click on Help > Troubleshooting Information > Refresh Firefox
 
Let me know if you're still seeing traces of Lamzap.

 



 
 

#36 Top

    Authentic Member

  • 73 posts

Posted 29 July 2016 - 08:41 AM

I see you're up early!  Of course, I don't know what time zone you're in!

 

I did as you suggested in the previous post.  I don't have Chrome so I suppose it is in pristine condition, somewhere. . .

 

When I started Firefox after the browser cleaning it actually loaded without the search.safefinder.  Hooray!

 

I looked in the directory ProgramData and the Lamzap & Lamzaps folders are still there along with the files...


Top

 

US Army, Retired


#37 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 29 July 2016 - 09:11 AM

I'm in the Eastern time zone

 

We're making some progress, but it seems that as the programs we run remove entries, some of them return. Let's run ComboFix and see if it can pick up the culprit.

 

 
Download ComboFix to your DESKTOP <<< Important
 
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  • You can get help on disabling your protection programs HERE
  • Right Click on ComboFix.exe and select "RUN AS ADMINISTRATOR" & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. 
  • Combofix may need to reboot your computer more than once to do its job this is normal.
  • Do not mouseclick combofix's window whilst it's running, this may cause Combofix to stall.
  • When finished, it shall produce a log for you. Post that log in your next reply.
  • If you lose your internet connection after running Combofix, just reboot your computer.
 


 
 

#38 Top

    Authentic Member

  • 73 posts

Posted 29 July 2016 - 01:01 PM

 
 

ComboFix 16-07-25.01 - Bud Parker 07/29/2016  13:05:53.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4026.2353 [GMT -5:00]
Running from: c:\users\Bud Parker\Downloads\ComboFix.exe
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
c:\users\Bud Parker\AppData\Local\assembly\tmp
c:\users\Bud Parker\AppData\Roaming\.#
c:\windows\146286.dll
c:\windows\security\logs\scecomp.log
c:\windows\SysWow64\DEBUG.log
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NEWDRIVER
-------\Service_NEWDRIVER
.
.
(((((((((((((((((((((((((   Files Created from 2016-06-28 to 2016-07-29  )))))))))))))))))))))))))))))))
.
.
2016-07-29 14:19 . 2016-07-29 14:19    --------    d-----w-    C:\AdwCleaner
2016-07-29 14:07 . 2016-07-29 14:07    --------    d-----w-    c:\users\Bud Parker\O-techno
2016-07-29 14:07 . 2016-07-29 14:07    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Lotzumbam
2016-07-29 14:07 . 2016-07-29 14:07    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Fasedom
2016-07-29 14:04 . 2016-07-29 14:04    --------    d-----w-    c:\program files\Funlam
2016-07-29 04:15 . 2016-07-29 04:15    --------    d-----w-    c:\program files\Strongcon
2016-07-29 04:15 . 2016-07-29 04:15    --------    d-----w-    c:\users\Bud Parker\lineholdings
2016-07-29 04:15 . 2016-07-29 04:15    --------    d-----w-    c:\program files\Common Files\zotelectronics
2016-07-29 04:15 . 2016-07-29 18:19    --------    d-----w-    c:\programdata\LAMZAP.del
2016-07-29 04:14 . 2016-07-29 04:14    --------    d-----w-    c:\users\Bud Parker\Vialux
2016-07-29 02:59 . 2016-07-29 02:59    --------    d-----w-    c:\program files\Faxlane
2016-07-29 02:58 . 2016-07-29 02:58    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Resontaxon
2016-07-29 02:58 . 2016-07-29 02:58    --------    d-----w-    c:\program files\Runron
2016-07-29 02:57 . 2016-07-29 02:57    --------    d-----w-    c:\windows\Cone-plus
2016-07-28 23:06 . 2016-07-28 23:06    --------    d-----w-    c:\program files\Common Files\Zamnix
2016-07-28 23:04 . 2016-07-28 23:04    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Donelectrics
2016-07-28 21:03 . 2016-07-29 14:43    28272    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2016-07-28 21:02 . 2016-07-28 21:02    --------    d-----w-    c:\program files\RogueKiller
2016-07-28 21:02 . 2016-07-28 21:02    --------    d-----w-    c:\programdata\RogueKiller
2016-07-28 19:41 . 2016-07-28 19:41    --------    d-----w-    c:\program files\Common Files\Tamcan
2016-07-28 19:41 . 2016-07-28 19:41    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\zunfind
2016-07-28 19:39 . 2016-07-28 19:39    --------    d-----w-    c:\program files\Quocane
2016-07-28 19:30 . 2016-07-28 19:30    --------    d-----w-    c:\users\Bud Parker\kongreen
2016-07-28 19:30 . 2016-07-28 19:30    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\unaelectrics
2016-07-28 19:29 . 2016-07-28 19:29    --------    d-----w-    c:\program files\Vaiatech
2016-07-28 19:03 . 2016-07-28 19:03    --------    d-----w-    c:\programdata\Runron
2016-07-28 19:03 . 2016-07-28 19:03    --------    d-----w-    c:\windows\Geocode
2016-07-28 19:03 . 2016-07-28 19:03    --------    d-----w-    c:\programdata\Zerron
2016-07-28 19:02 . 2016-07-28 19:02    --------    d-----w-    c:\programdata\Zaamphase
2016-07-28 17:42 . 2016-07-28 17:42    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Donice
2016-07-28 17:41 . 2016-07-28 17:41    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Dongphase
2016-07-28 17:41 . 2016-07-28 17:41    --------    d-----w-    c:\users\Bud Parker\Vaiatech
2016-07-28 15:44 . 2016-07-28 15:44    --------    d-----w-    c:\program files (x86)\Greatis
2016-07-28 15:38 . 2016-07-28 15:38    --------    d-----w-    c:\programdata\Indigo-code
2016-07-28 15:35 . 2016-07-28 17:37    --------    d-----w-    c:\users\TEMP
2016-07-28 15:27 . 2016-07-28 15:27    --------    d-----w-    c:\windows\Flextouch
2016-07-28 15:26 . 2016-07-28 15:26    --------    d-----w-    c:\users\Bud Parker\Technotouch
2016-07-28 15:26 . 2016-07-28 19:30    --------    d-----w-    c:\users\Bud Parker\Stantexon
2016-07-28 15:24 . 2016-07-28 15:24    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Funlam
2016-07-28 14:16 . 2016-07-28 14:16    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Zumhow
2016-07-28 14:16 . 2016-07-28 14:16    --------    d-----w-    c:\programdata\Donice
2016-07-28 00:30 . 2016-07-28 00:30    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Iceit
2016-07-28 00:30 . 2016-07-28 00:30    --------    d-----w-    c:\program files\Stripcity
2016-07-27 23:54 . 2016-07-29 18:20    59776    ----a-w-    c:\windows\system32\drivers\farflt.sys
2016-07-27 23:54 . 2016-07-27 23:54    --------    d-----w-    c:\program files\Malwarebytes
2016-07-27 22:43 . 2016-07-28 19:38    --------    d-----w-    C:\FRST
2016-07-27 18:43 . 2016-07-27 18:43    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Hexice
2016-07-27 18:43 . 2016-07-28 14:10    --------    d-----w-    c:\windows\kongreen
2016-07-27 18:43 . 2016-07-27 18:43    --------    d-----w-    c:\users\Bud Parker\Lamdex
2016-07-27 18:42 . 2016-07-27 18:42    --------    d-----w-    c:\program files\Common Files\Quotom
2016-07-27 18:30 . 2016-07-27 18:30    --------    d-----w-    c:\program files\Common Files\Dongphase
2016-07-27 18:30 . 2016-07-27 18:30    --------    d-----w-    c:\program files\Canesolozap
2016-07-27 18:30 . 2016-07-27 18:30    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Zathplanet
2016-07-27 18:29 . 2016-07-27 18:29    --------    d-----w-    c:\programdata\Quotezoom
2016-07-27 18:21 . 2016-07-27 18:21    --------    d-----w-    c:\programdata\Overtechi
2016-07-27 18:21 . 2016-07-27 18:21    --------    d-----w-    c:\program files\Common Files\O-techno
2016-07-27 18:21 . 2016-07-27 18:21    --------    d-----w-    c:\users\Bud Parker\Kon-bam
2016-07-27 18:20 . 2016-07-27 18:20    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Codelane
2016-07-27 16:05 . 2016-07-28 17:40    --------    d-----w-    c:\programdata\Bluetex
2016-07-27 16:05 . 2016-07-27 16:05    --------    d-----w-    c:\users\Bud Parker\Donquote
2016-07-27 16:05 . 2016-07-27 16:05    --------    d-----w-    c:\users\Bud Parker\Quocane
2016-07-27 16:03 . 2016-07-27 16:03    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\E-zoplex
2016-07-27 14:04 . 2016-07-27 14:04    --------    d-----w-    c:\users\Bud Parker\doubleholding
2016-07-27 14:04 . 2016-07-27 14:04    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Vivacon
2016-07-27 14:04 . 2016-07-27 14:04    --------    d-----w-    c:\program files\Sumdrill
2016-07-27 14:03 . 2016-07-27 14:03    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Subcorporation
2016-07-27 13:04 . 2016-07-27 13:04    --------    d-----w-    c:\windows\unolab
2016-07-27 13:02 . 2016-07-27 13:02    --------    d-----w-    c:\users\Bud Parker\Tranzone
2016-07-27 12:33 . 2016-07-27 12:33    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Zerron
2016-07-27 12:33 . 2016-07-27 12:33    --------    d-----w-    c:\users\Bud Parker\Bigholding
2016-07-27 12:32 . 2016-07-27 15:49    --------    d-----w-    c:\windows\Saocore
2016-07-27 12:30 . 2016-07-27 12:30    --------    d-----w-    c:\program files\Common Files\Joymedbase
2016-07-27 12:25 . 2016-07-06 03:23    49608    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2016-07-27 12:25 . 2016-07-06 03:23    892976    ----a-w-    c:\program files (x86)\Mozilla Firefox\uninstall\helper.exe
2016-07-27 12:25 . 2016-07-06 03:23    191432    ----a-w-    c:\program files (x86)\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll
2016-07-27 12:25 . 2016-07-06 03:22    392136    ----a-w-    c:\program files (x86)\Mozilla Firefox\firefox.exe
2016-07-27 03:07 . 2016-07-29 17:02    --------    d-----w-    C:\@RestoreQuarantine
2016-07-27 03:02 . 2016-07-27 03:02    --------    d-----w-    c:\programdata\Mathkix
2016-07-27 03:02 . 2016-07-27 03:02    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Zerzim
2016-07-27 03:01 . 2016-07-27 03:01    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Zaamcom
2016-07-26 22:50 . 2016-07-26 22:50    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Refind
2016-07-26 22:50 . 2016-07-26 22:50    --------    d-----w-    c:\program files\Common Files\Kondrill
2016-07-26 22:49 . 2016-07-26 22:49    --------    d-----w-    c:\users\Bud Parker\AppData\Local\J-bela
2016-07-26 22:15 . 2016-07-26 22:15    --------    d-----w-    c:\program files\Flexplex
2016-07-26 22:14 . 2016-07-26 22:14    --------    d-----w-    c:\programdata\Freetaway
2016-07-26 22:11 . 2016-07-26 22:11    --------    d-----w-    c:\users\Bud Parker\Overtechi
2016-07-26 21:36 . 2016-07-28 17:10    --------    d-----w-    c:\programdata\RegRun
2016-07-26 21:34 . 2016-07-26 21:34    40304    ----a-w-    c:\windows\SysWow64\drivers\Partizan.sys
2016-07-26 21:33 . 2016-07-07 18:06    15016    ----a-w-    c:\windows\SysWow64\drivers\UnHackMeDrv.sys
2016-07-26 21:33 . 2015-12-28 16:32    49968    ----a-w-    c:\windows\system32\partizan.exe
2016-07-26 21:33 . 2016-07-28 15:44    --------    d-----w-    c:\program files (x86)\UnHackMe
2016-07-26 21:11 . 2016-07-26 21:11    --------    d-----w-    c:\windows\howtrans
2016-07-26 21:11 . 2016-07-26 21:11    --------    d-----w-    c:\users\Bud Parker\Medialam
2016-07-26 21:10 . 2016-07-26 21:10    --------    d-----w-    c:\programdata\Techijob
2016-07-26 21:07 . 2016-07-26 21:07    --------    d-----w-    c:\windows\Kon-bam
2016-07-26 20:39 . 2016-07-26 20:39    --------    d-----w-    c:\program files\Solo-job
2016-07-26 20:39 . 2016-07-26 20:39    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Ronlux
2016-07-26 20:39 . 2016-07-26 20:39    --------    d-----w-    c:\program files\Common Files\Ronlux
2016-07-26 20:38 . 2016-07-26 20:45    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Canunoing
2016-07-26 20:38 . 2016-07-26 20:38    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Roundtouch
2016-07-26 18:18 . 2016-07-26 18:18    --------    d-----w-    c:\programdata\Stantexon
2016-07-26 18:17 . 2016-07-28 14:16    --------    d-----w-    c:\users\Bud Parker\zunfind
2016-07-26 18:15 . 2016-07-28 19:30    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Toughstreet
2016-07-26 18:15 . 2016-07-28 19:30    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Sumdrill
2016-07-26 18:14 . 2016-07-28 19:30    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\Ronzafind
2016-07-26 15:58 . 2016-07-26 15:58    31232    ----a-w-    c:\windows\system32\drivers\tap0901.sys
2016-07-26 14:47 . 2016-07-26 17:33    --------    d-----w-    c:\windows\SysWow64\databases-incognito
2016-07-26 14:06 . 2016-07-26 14:06    --------    d-----w-    c:\users\Bud Parker\AppData\Local\Apps
2016-07-26 13:51 . 2016-07-26 13:51    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\c
2016-07-26 13:50 . 2016-07-29 13:28    --------    d--h--w-    c:\program files (x86)\tai
2016-07-24 13:21 . 2016-07-24 13:21    --------    d-----w-    c:\program files\McAfee Security Scan
2016-07-24 03:14 . 2016-07-24 03:14    --------    d-----w-    c:\programdata\McAfee Security Scan
2016-07-19 17:26 . 2016-07-19 17:27    --------    d-----w-    c:\program files\iTunes
2016-07-18 02:40 . 2016-07-18 02:40    --------    d-----w-    c:\users\Bud Parker\AppData\Roaming\DiskAid
2016-07-15 03:19 . 2016-07-26 21:33    2    --shatr-    c:\windows\winstart.bat
2016-07-14 14:08 . 2016-06-26 00:27    756736    ----a-w-    c:\windows\system32\win32spl.dll
2016-07-14 14:07 . 2016-06-26 00:27    1208320    ----a-w-    c:\windows\system32\aeinv.dll
2016-07-14 14:07 . 2016-06-17 18:24    544256    ----a-w-    c:\windows\system32\devinv.dll
2016-07-14 14:07 . 2016-06-17 18:24    219136    ----a-w-    c:\windows\system32\aepic.dll
2016-07-14 14:07 . 2016-06-17 18:24    1490432    ----a-w-    c:\windows\system32\appraiser.dll
2016-07-14 14:07 . 2016-06-26 00:35    41704    ----a-w-    c:\windows\system32\CompatTelRunner.exe
2016-07-14 14:07 . 2016-06-22 13:06    268800    ----a-w-    c:\windows\system32\centel.dll
2016-07-14 14:07 . 2016-06-17 18:24    571904    ----a-w-    c:\windows\system32\generaltel.dll
2016-07-14 14:07 . 2016-06-17 18:24    294912    ----a-w-    c:\windows\system32\invagent.dll
2016-07-14 14:07 . 2016-06-17 18:24    76800    ----a-w-    c:\windows\system32\acmigration.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-07-29 18:20 . 2016-06-10 15:34    217328    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-07-27 03:15 . 2016-03-23 00:27    144749672    ----a-w-    c:\windows\system32\MRT.exe
2016-07-24 03:14 . 2016-03-30 01:18    796352    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2016-07-24 03:14 . 2016-03-30 01:18    142528    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-07-21 18:23 . 2016-03-27 02:35    18960    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2016-06-14 23:27 . 2016-06-14 23:27    15202040    ----a-w-    c:\windows\system32\YamahaAE3.dll
2016-06-14 23:27 . 2016-06-14 23:27    3299824    ----a-w-    c:\windows\system32\YamahaAE2.dll
2016-06-14 23:27 . 2016-06-14 23:27    2190992    ----a-w-    c:\windows\system32\YamahaAE.dll
2016-06-14 23:27 . 2016-06-14 23:27    962056    ----a-w-    c:\windows\system32\tosasfapo64.dll
2016-06-14 23:27 . 2016-06-14 23:27    873472    ----a-w-    c:\windows\system32\tadefxapo264.dll
2016-06-14 23:27 . 2016-06-14 23:27    75544    ----a-w-    c:\windows\system32\tepeqapo64.dll
2016-06-14 23:27 . 2016-06-14 23:27    582016    ----a-w-    c:\windows\system32\tossaemaxapo64.dll
2016-06-14 23:27 . 2016-06-14 23:27    570096    ----a-w-    c:\windows\system32\tbb_waves.dll
2016-06-14 23:27 . 2016-06-14 23:27    532384    ----a-w-    c:\windows\system32\SRSTSX64.dll
2016-06-14 23:27 . 2016-06-14 23:27    447104    ----a-w-    c:\windows\system32\toseaeapo64.dll
2016-06-14 23:27 . 2016-06-14 23:27    221976    ----a-w-    c:\windows\system32\SRSTSH64.dll
2016-06-14 23:27 . 2016-06-14 23:27    2110600    ----a-w-    c:\windows\system32\WavesGUILib64.dll
2016-06-14 23:27 . 2016-06-14 23:27    209544    ----a-w-    c:\windows\system32\SRSHP64.dll
2016-06-14 23:27 . 2016-06-14 23:27    166208    ----a-w-    c:\windows\system32\SRSWOW64.dll
2016-06-14 23:27 . 2016-06-14 23:27    158704    ----a-w-    c:\windows\system32\tadefxapo.dll
2016-06-14 23:27 . 2016-06-14 23:27    1435152    ----a-w-    c:\windows\system32\SRRPTR64.dll
2016-06-14 23:27 . 2016-06-14 23:27    1382240    ----a-w-    c:\windows\system32\tosade.dll
2016-06-14 23:27 . 2016-06-14 23:27    1336544    ----a-w-    c:\windows\system32\tossaeapo64.dll
2016-06-14 23:27 . 2016-06-14 23:27    381416    ----a-w-    c:\windows\system32\SRCOM64.dll
2016-06-14 23:27 . 2016-06-14 23:27    467168    ----a-w-    c:\windows\system32\SRAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    341152    ----a-w-    c:\windows\SysWow64\SRCOM.dll
2016-06-14 23:27 . 2016-06-14 23:27    341152    ----a-w-    c:\windows\system32\SRCOM.dll
2016-06-14 23:27 . 2016-06-14 23:27    258864    ----a-w-    c:\windows\system32\slprp64.dll
2016-06-14 23:27 . 2016-06-14 23:27    2477520    ----a-w-    c:\windows\system32\sltech64.dll
2016-06-14 23:27 . 2016-06-14 23:27    1847888    ----a-w-    c:\windows\system32\slcnt64.dll
2016-06-14 23:27 . 2016-06-14 23:27    1023240    ----a-w-    c:\windows\system32\sl3apo64.dll
2016-06-14 23:27 . 2016-06-14 23:27    965032    ----a-w-    c:\windows\system32\SFSS_APO.dll
2016-06-14 23:27 . 2016-06-14 23:27    927424    ----a-w-    c:\windows\system32\SEHDRA64.dll
2016-06-14 23:27 . 2016-06-14 23:27    90920    ----a-w-    c:\windows\system32\SFCOM64.dll
2016-06-14 23:27 . 2016-06-14 23:27    88328    ----a-w-    c:\windows\system32\SFAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    83632    ----a-w-    c:\windows\SysWow64\SFCOM.dll
2016-06-14 23:27 . 2016-06-14 23:27    716112    ----a-w-    c:\windows\system32\SECOMN64.dll
2016-06-14 23:27 . 2016-06-14 23:27    589072    ----a-w-    c:\windows\SysWow64\SECOMN32.DLL
2016-06-14 23:27 . 2016-06-14 23:27    5085952    ----a-w-    c:\windows\system32\drivers\RTKVHD64.sys
2016-06-14 23:27 . 2016-06-14 23:27    450128    ----a-w-    c:\windows\system32\SEAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    343712    ----a-w-    c:\windows\system32\RtlCPAPI64.dll
2016-06-14 23:27 . 2016-06-14 23:27    3199232    ----a-w-    c:\windows\system32\RtPgEx64.dll
2016-06-14 23:27 . 2016-06-14 23:27    2895104    ----a-w-    c:\windows\system32\RTSnMg64.cpl
2016-06-14 23:27 . 2016-06-14 23:27    231920    ----a-w-    c:\windows\system32\SFNHK64.dll
2016-06-14 23:27 . 2016-06-14 23:27    88352    ----a-w-    c:\windows\system32\RTEEG64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    689888    ----a-w-    c:\windows\system32\RtDataProc64.dll
2016-06-14 23:27 . 2016-06-14 23:27    387320    ----a-w-    c:\windows\system32\RTEEP64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    3283248    ----a-w-    c:\windows\system32\RtkApi64.dll
2016-06-14 23:27 . 2016-06-14 23:27    23696    ----a-w-    c:\windows\system32\RtkCoLDR64.dll
2016-06-14 23:27 . 2016-06-14 23:27    214832    ----a-w-    c:\windows\system32\RTEED64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    192984    ----a-w-    c:\windows\system32\RtkCfg64.dll
2016-06-14 23:27 . 2016-06-14 23:27    1355616    ----a-w-    c:\windows\system32\RTCOM64.dll
2016-06-14 23:27 . 2016-06-14 23:27    110984    ----a-w-    c:\windows\system32\RTEEL64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    321720    ----a-w-    c:\windows\system32\RP3DHT64.dll
2016-06-14 23:27 . 2016-06-14 23:27    321720    ----a-w-    c:\windows\system32\RP3DAA64.dll
2016-06-14 23:27 . 2016-06-14 23:27    3094704    ----a-w-    c:\windows\system32\RltkAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    2725392    ----a-w-    c:\windows\SysWow64\RltkAPO.dll
2016-06-14 23:27 . 2016-06-14 23:27    72520720    ----a-w-    c:\windows\system32\RCoRes64.dat
2016-06-14 23:27 . 2016-06-14 23:27    2060032    ----a-w-    c:\windows\system32\RCoInstII64.dll
2016-06-14 23:27 . 2016-06-14 23:27    84624    ----a-w-    c:\windows\system32\R4EEG64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    7172920    ----a-w-    c:\windows\system32\R4EEP64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    447728    ----a-w-    c:\windows\system32\R4EED64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    151792    ----a-w-    c:\windows\system32\R4EEL64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    134208    ----a-w-    c:\windows\system32\R4EEA64A.dll
2016-06-14 23:27 . 2016-06-14 23:27    6402440    ----a-w-    c:\windows\system32\NAHIMICV3apo.dll
2016-06-14 23:27 . 2016-06-14 23:27    5776968    ----a-w-    c:\windows\system32\NAHIMICV2apo.dll
2016-06-14 23:27 . 2016-06-14 23:27    1003864    ----a-w-    c:\windows\system32\NahimicAPONSControl.dll
2016-06-14 23:27 . 2016-06-14 23:27    5593616    ----a-w-    c:\windows\system32\NAHIMICAPOlfx.dll
2016-06-14 23:27 . 2016-06-14 23:27    923744    ----a-w-    c:\windows\system32\MISS_APO.dll
2016-06-14 23:27 . 2016-06-14 23:27    677672    ----a-w-    c:\windows\system32\MaxxVolumeSDAPO.dll
2016-06-14 23:27 . 2016-06-14 23:27    12988344    ----a-w-    c:\windows\system32\MaxxVoiceAPO4064.dll
2016-06-14 23:27 . 2016-06-14 23:27    13122584    ----a-w-    c:\windows\system32\MaxxVoiceAPO3064.dll
2016-06-14 23:27 . 2016-06-14 23:27    999864    ----a-w-    c:\windows\system32\MaxxVoiceAPO2064.dll
2016-06-14 23:27 . 2016-06-14 23:27    1334384    ----a-w-    c:\windows\system32\MaxxSpeechAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    24399536    ----a-w-    c:\windows\system32\MaxxAudioRenderAVX64.dll
2016-06-14 23:27 . 2016-06-14 23:27    24310136    ----a-w-    c:\windows\system32\MaxxAudioRender64.dll
2016-06-14 23:27 . 2016-06-14 23:27    14057256    ----a-w-    c:\windows\system32\MaxxAudioRealtek64.dll
2016-06-14 23:27 . 2016-06-14 23:27    2050176    ----a-w-    c:\windows\system32\MaxxAudioEQ64.dll
2016-06-14 23:27 . 2016-06-14 23:27    17359672    ----a-w-    c:\windows\system32\MaxxAudioCapture64.dll
2016-06-14 23:27 . 2016-06-14 23:27    931624    ----a-w-    c:\windows\system32\MaxxAudioAPOShell64.dll
2016-06-14 23:27 . 2016-06-14 23:27    2825112    ----a-w-    c:\windows\system32\MaxxAudioAPO7064.dll
2016-06-14 23:27 . 2016-06-14 23:27    678192    ----a-w-    c:\windows\system32\MaxxAudioAPO30.dll
2016-06-14 23:27 . 2016-06-14 23:27    618184    ----a-w-    c:\windows\system32\KAAPORT64.dll
2016-06-14 23:27 . 2016-06-14 23:27    330568    ----a-w-    c:\windows\system32\MaxxAudioAPO20.dll
2016-06-14 23:27 . 2016-06-14 23:27    1422928    ----a-w-    c:\windows\system32\MaxxAudioAPO6064.dll
2016-06-14 23:27 . 2016-06-14 23:27    1213664    ----a-w-    c:\windows\system32\MaxxAudioAPO5064.dll
2016-06-14 23:27 . 2016-06-14 23:27    1166160    ----a-w-    c:\windows\system32\MaxxAudioAPO4064.dll
2016-06-14 23:27 . 2016-06-14 23:27    1186824    ----a-w-    c:\windows\system32\IntelSstCApoPropPage.dll
2016-06-14 23:27 . 2016-06-14 23:27    472312    ----a-w-    c:\windows\system32\ICEsoundAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    416512    ----a-w-    c:\windows\system32\HMUI.dll
2016-06-14 23:27 . 2016-06-14 23:27    371456    ----a-w-    c:\windows\system32\HiFiDAX2API.dll
2016-06-14 23:27 . 2016-06-14 23:27    366128    ----a-w-    c:\windows\system32\HMAPO.dll
2016-06-14 23:27 . 2016-06-14 23:27    360352    ----a-w-    c:\windows\system32\HMClariFi.dll
2016-06-14 23:27 . 2016-06-14 23:27    203848    ----a-w-    c:\windows\system32\HMHVS.dll
2016-06-14 23:27 . 2016-06-14 23:27    190936    ----a-w-    c:\windows\system32\HMEQ_Voice.dll
2016-06-14 23:27 . 2016-06-14 23:27    190936    ----a-w-    c:\windows\system32\HMEQ.dll
2016-06-14 23:27 . 2016-06-14 23:27    179600    ----a-w-    c:\windows\system32\HMLimiter.dll
2016-06-14 23:27 . 2016-06-14 23:27    10512448    ----a-w-    c:\windows\system32\IntelSSTAPO.dll
2016-06-14 23:27 . 2016-06-14 23:27    3282544    ----a-w-    c:\windows\system32\FMAPO64.dll
2016-06-14 23:27 . 2016-06-14 23:27    154368    ----a-w-    c:\windows\system32\HarmanAudioInterface.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-04-09 21:27    158224    ----a-w-    c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtomicAlarmClock6"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2014-06-10 1609728]
"uTorrent"="c:\users\Bud Parker\AppData\Roaming\uTorrent\uTorrent.exe" [2016-07-21 1988096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-18 1157640]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-21 244480]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2016-06-02 2623456]
.
c:\users\Bud Parker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\
TurboLaunch.lnk - c:\program files (x86)\TurboLaunch\TurboLaunch.exe [2016-3-18 2032360]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
Malwarebytes Anti-Ransomware.lnk - c:\program files\Malwarebytes\Anti-Ransomware\mbarw.exe [2016-7-27 653280]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.11.334\SSScheduler.exe [2016-5-31 334088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler^Registry: HKCU:RUN
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Exploit^32*Registry: HKLM:RUN]
2016-06-02 11:19    2623456    ----a-w-    c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut^32*Registry: HKLM:RUN]
2009-04-16 04:54    50472    ----a-w-    c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8^32*Registry: HKLM:RUN]
2009-04-16 06:52    91432    ----a-w-    c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoWebCamera^32*Registry: HKLM:RUN]
2009-07-28 18:29    1507448    ----a-w-    c:\program files (x86)\VideoWebCamera\VideoWebCamera.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Wondershare Helper Compact.exe"=c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
"HP Software Update"=c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
R1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [x]
R3 AvgAMPS;AvgAMPS;c:\program files (x86)\AVG\Av\avgamps.exe;c:\program files (x86)\AVG\Av\avgamps.exe [x]
R3 avgsvc;AVG Service;c:\program files (x86)\AVG\Framework\Common\avgsvca.exe;c:\program files (x86)\AVG\Framework\Common\avgsvca.exe [x]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys;c:\windows\SYSNATIVE\DRIVERS\EsgScanner.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.11.334\McCHSvc.exe;c:\program files\McAfee Security Scan\3.11.334\McCHSvc.exe [x]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 rp24msdrv;2.4g Device;c:\windows\system32\drivers\rp24msdrv.sys;c:\windows\SYSNATIVE\drivers\rp24msdrv.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64_prewin8.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64_prewin8.sys [x]
R4 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmpfd.sys [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 avguniva;AVG Universal Driver;c:\windows\system32\DRIVERS\avguniva.sys;c:\windows\SYSNATIVE\DRIVERS\avguniva.sys [x]
S0 FlashBoot;System Reflection Flash Boot;c:\windows\system32\DRIVERS\FlashBoot.sys;c:\windows\SYSNATIVE\DRIVERS\FlashBoot.sys [x]
S0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\SysWOW64\drivers\HWiNFO64A.SYS;c:\windows\SysWOW64\drivers\HWiNFO64A.SYS [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe;c:\program files\Atomic Alarm Clock\timeserv.exe [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 MB3Service;MB3Service;c:\program files\Malwarebytes\Anti-Ransomware\MBAMService.exe;c:\program files\Malwarebytes\Anti-Ransomware\MBAMService.exe [x]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
S2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe;c:\program files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
S2 Ronzafind;Ronzafind Service;c:\users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe olbXgpnzyP/q/cJaoSzH4ks20/gtM/4xfwvL8jEEDT8=;c:\users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe olbXgpnzyP/q/cJaoSzH4ks20/gtM/4xfwvL8jEEDT8= [x]
S2 Sumdrill;Sumdrill Service;c:\users\Bud Parker\AppData\Roaming\Sumdrill\Sumdrill.exe 2D7J7GL7YcIv6Wi2u2YycCJjp+008c6PgFehEJzfJryBtRyvWIcHWH6vyAtkhE90;c:\users\Bud Parker\AppData\Roaming\Sumdrill\Sumdrill.exe 2D7J7GL7YcIv6Wi2u2YycCJjp+008c6PgFehEJzfJryBtRyvWIcHWH6vyAtkhE90 [x]
S2 Toughstreet;Toughstreet Service;c:\users\Bud Parker\AppData\Roaming\Toughstreet\Toughstreet.exe 2D7J7GL7YcIv6Wi2u2YycPBEedruPYQ9cAb+bYKLl0SFx9O/4ANIvM4J8erRPP+J;c:\users\Bud Parker\AppData\Roaming\Toughstreet\Toughstreet.exe 2D7J7GL7YcIv6Wi2u2YycPBEedruPYQ9cAb+bYKLl0SFx9O/4ANIvM4J8erRPP+J [x]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWAZL.sys [x]
S3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\DRIVERS\cbfs3.sys;c:\windows\SYSNATIVE\DRIVERS\cbfs3.sys [x]
S3 ETDSMBus;ETDSMBus;c:\windows\system32\DRIVERS\ETDSMBus.sys;c:\windows\SYSNATIVE\DRIVERS\ETDSMBus.sys [x]
S3 farflt;farflt;c:\windows\system32\drivers\farflt.sys;c:\windows\SYSNATIVE\drivers\farflt.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 JmUsbCcgp;JMicron USB Composite Device Lower Filter Driver;c:\windows\system32\DRIVERS\jmccgp.sys;c:\windows\SYSNATIVE\DRIVERS\jmccgp.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logicool SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr QWAVE wcncsvc
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2016-06-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-03-30 03:14]
.
2016-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-06-11 15:24]
.
2016-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-06-11 15:24]
.
2016-07-28 c:\windows\Tasks\Windows 7 Manager - Free Memory.job
- c:\program files\Yamicsoft\Windows 7 Manager\FreeMemory.exe [2013-08-27 21:26]
.
2016-06-28 c:\windows\Tasks\Windows 7 Manager - Logon Background Changer.job
- c:\program files\Yamicsoft\Windows 7 Manager\LogonBackgroundChanger.exe [2014-02-16 23:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-04-09 21:27    190480    ----a-w-    c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2016-06-14 16475392]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-08-06 828960]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-02-14 2868496]
"PLFSetL"="c:\windows\PLFSetL.exe" [2010-02-12 99712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2016-03-14 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2016-03-14 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2016-03-14 415256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2016-07-06 176952]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mDefault_Search_URL = hxxp://go.microsoft.com
mDefault_Page_URL = about:blank
mStart Page = about:blank
mSearch Page = hxxp://go.microsoft.com
Trusted Zone: driversupport.com\apps
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{00BC4D36-12D6-4016-8BC0-DB5C01069066}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{00BC4D36-12D6-4016-8BC0-DB5C01069066}\051627B656270284F6573756: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{00BC4D36-12D6-4016-8BC0-DB5C01069066}\2375942554430323: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Bud Parker\AppData\Roaming\Mozilla\Firefox\Profiles\214rc45p.default-1469802536457\
FF - prefs.js: browser.startup.homepage - hxxps://www.startpage.com/
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-SpeedConnectStartUp - c:\program files (x86)\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
c:\users\Bud Parker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\SpeedConnect Internet Accelerator.lnk - c:\program files (x86)\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
SafeBoot-AppXSvc
SafeBoot-ClipSvc
SafeBoot-TweakingRemoveSafeBoot
SafeBoot-WSService
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.7.0.30\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_22_0_0_192_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_22_0_0_192_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_22_0_0_192_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_22_0_0_192_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_192.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.22"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_192.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_192.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_192.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0\Alias]
@=""
"0"="ActionsPane Schema for Add-Ins"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@DACL=(02 0014)
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\UnHackMe\hackmon.exe
.
**************************************************************************
.
Completion time: 2016-07-29  13:27:37 - machine was rebooted
ComboFix-quarantined-files.txt  2016-07-29 18:27
.
Pre-Run: 207,624,204,288 bytes free
Post-Run: 206,619,492,352 bytes free
.
- - End Of File - - 6CD899A733918A8B0AAE949177D3C3A5
A36C5E4F47E84449FF07ED3517B43A31
 



 

US Army, Retired


#39 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 29 July 2016 - 01:54 PM

This file has been bugging me all along, let's check it

 

 

You need to Enable Windows to Show all Files and Folders, you can find the instructions Here
 
Go to Jotti's Malware Scan and submit this file for analysis. Just Choose file and then Submit file, when done and the report loads just copy and paste the URL back into this thread for me to see
 
 
c:\users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe <--This file


 
 

#40 Top

Top

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 29 July 2016 - 02:23 PM

Jotti found "Nothing" on all of the DBs listed after I uploaded Ronzafind.  It has bugged me, too.

 

Boy, ComboFix hammered lots of items on my hard drive. Some of them sort of surprised me, but I suppose they had been infected. It also "Locked" and renamed Lamzap.del. But, guess what is back? LAMZAP & LAMZAPS!



 

US Army, Retired



#41 Top

Top

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 29 July 2016 - 03:01 PM

 
 

This LAMZAP writes many directories under C:\Windows. Look at what ComboFix found had been written to C:\Windows today...

 

(((((((((((((((((((((((((   Files Created from 2016-06-28 to 2016-07-29  )))))))))))))))))))))))))))))))


2016-07-29 20:42:32 . 2016-07-29 20:42:32    --------    d-----w-    C:\Users\Default\AppData\Local\temp
2016-07-29 20:42:32 . 2016-07-29 20:42:32    --------    d-----w-    C:\Users\Bud\AppData\Local\temp
2016-07-29 20:42:32 . 2016-07-29 20:42:32    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\temp
2016-07-29 19:31:56 . 2016-07-29 19:31:56    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Plexway
2016-07-29 19:31:52 . 2016-07-29 19:31:52    --------    d-----w-    C:\Program Files\Common Files\zencare
2016-07-29 19:31:48 . 2016-07-29 19:31:48    --------    d-----w-    C:\Windows\Ganja-lane
2016-07-29 19:31:34 . 2016-07-29 19:31:36    --------    d-----w-    C:\ProgramData\Lamzaps
2016-07-29 19:31:23 . 2016-07-29 20:40:40    --------    d-----w-    C:\ProgramData\Lamzap
2016-07-29 19:30:51 . 2016-07-29 19:30:51    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Tamcan
2016-07-29 14:19:34 . 2016-07-29 14:19:34    --------    d-----w-    C:\AdwCleaner
2016-07-29 14:07:58 . 2016-07-29 14:07:58    --------    d-----w-    C:\Users\Bud Parker\O-techno
2016-07-29 14:07:39 . 2016-07-29 14:07:39    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Lotzumbam
2016-07-29 14:07:14 . 2016-07-29 14:07:15    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Fasedom
2016-07-29 04:15:40 . 2016-07-29 04:15:40    --------    d-----w-    C:\Users\Bud Parker\lineholdings
2016-07-29 04:15:38 . 2016-07-29 04:15:38    --------    d-----w-    C:\Program Files\Common Files\zotelectronics
2016-07-29 04:15:07 . 2016-07-29 18:19:37    --------    d-----w-    C:\ProgramData\LAMZAP.del
2016-07-29 04:14:33 . 2016-07-29 04:14:33    --------    d-----w-    C:\Users\Bud Parker\Vialux
2016-07-29 02:58:53 . 2016-07-29 02:58:53    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Resontaxon
2016-07-29 02:57:20 . 2016-07-29 02:57:20    --------    d-----w-    C:\Windows\Cone-plus
2016-07-28 23:06:58 . 2016-07-28 23:06:58    --------    d-----w-    C:\Program Files\Common Files\Zamnix
2016-07-28 23:04:49 . 2016-07-28 23:04:49    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Donelectrics
2016-07-28 21:03:42 . 2016-07-29 14:43:02    28272    ----a-w-    C:\Windows\system32\drivers\TrueSight.sys
2016-07-28 21:02:41 . 2016-07-28 21:02:58    --------    d-----w-    C:\Program Files\RogueKiller
2016-07-28 21:02:34 . 2016-07-28 21:02:34    --------    d-----w-    C:\ProgramData\RogueKiller
2016-07-28 19:41:32 . 2016-07-28 19:41:33    --------    d-----w-    C:\Program Files\Common Files\Tamcan
2016-07-28 19:41:24 . 2016-07-28 19:41:25    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\zunfind
2016-07-28 19:30:39 . 2016-07-28 19:30:39    --------    d-----w-    C:\Users\Bud Parker\kongreen
2016-07-28 19:30:31 . 2016-07-28 19:30:31    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\unaelectrics
2016-07-28 19:03:13 . 2016-07-28 19:03:13    --------    d-----w-    C:\ProgramData\Runron
2016-07-28 19:03:11 . 2016-07-28 19:03:11    --------    d-----w-    C:\Windows\Geocode
2016-07-28 19:03:08 . 2016-07-28 19:03:08    --------    d-----w-    C:\ProgramData\Zerron
2016-07-28 19:02:04 . 2016-07-28 19:02:04    --------    d-----w-    C:\ProgramData\Zaamphase
2016-07-28 17:42:03 . 2016-07-28 17:42:03    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Donice
2016-07-28 17:41:51 . 2016-07-28 17:41:52    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Dongphase
2016-07-28 17:41:47 . 2016-07-28 17:41:47    --------    d-----w-    C:\Users\Bud Parker\Vaiatech
2016-07-28 15:44:40 . 2016-07-28 15:44:40    --------    d-----w-    C:\Program Files (x86)\Greatis
2016-07-28 15:38:15 . 2016-07-28 15:38:15    --------    d-----w-    C:\ProgramData\Indigo-code
2016-07-28 15:35:47 . 2016-07-28 17:37:48    --------    d-----w-    C:\Users\TEMP
2016-07-28 15:27:04 . 2016-07-28 15:27:04    --------    d-----w-    C:\Windows\Flextouch
2016-07-28 15:26:54 . 2016-07-28 15:26:55    --------    d-----w-    C:\Users\Bud Parker\Technotouch
2016-07-28 15:26:40 . 2016-07-28 19:30:21    --------    d-----w-    C:\Users\Bud Parker\Stantexon
2016-07-28 15:24:14 . 2016-07-28 15:24:14    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Funlam
2016-07-28 14:16:27 . 2016-07-28 14:16:27    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Zumhow
2016-07-28 14:16:14 . 2016-07-28 14:16:16    --------    d-----w-    C:\ProgramData\Donice
2016-07-28 00:30:50 . 2016-07-28 00:30:51    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Iceit
2016-07-27 23:54:51 . 2016-07-29 19:03:58    59776    ----a-w-    C:\Windows\system32\drivers\farflt.sys
2016-07-27 23:54:26 . 2016-07-27 23:54:26    --------    d-----w-    C:\Program Files\Malwarebytes
2016-07-27 22:43:02 . 2016-07-28 19:38:12    --------    d-----w-    C:\FRST
2016-07-27 18:43:35 . 2016-07-27 18:43:35    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Hexice
2016-07-27 18:43:33 . 2016-07-28 14:10:07    --------    d-----w-    C:\Windows\kongreen
2016-07-27 18:43:30 . 2016-07-27 18:43:30    --------    d-----w-    C:\Users\Bud Parker\Lamdex
2016-07-27 18:42:12 . 2016-07-27 18:42:12    --------    d-----w-    C:\Program Files\Common Files\Quotom
2016-07-27 18:30:24 . 2016-07-27 18:30:24    --------    d-----w-    C:\Program Files\Common Files\Dongphase
2016-07-27 18:30:21 . 2016-07-27 18:30:21    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Zathplanet
2016-07-27 18:29:21 . 2016-07-27 18:29:21    --------    d-----w-    C:\ProgramData\Quotezoom
2016-07-27 18:21:18 . 2016-07-27 18:21:18    --------    d-----w-    C:\ProgramData\Overtechi
2016-07-27 18:21:17 . 2016-07-27 18:21:17    --------    d-----w-    C:\Program Files\Common Files\O-techno
2016-07-27 18:21:15 . 2016-07-27 18:21:15    --------    d-----w-    C:\Users\Bud Parker\Kon-bam
2016-07-27 18:20:16 . 2016-07-27 18:20:16    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Codelane
2016-07-27 16:05:13 . 2016-07-28 17:40:40    --------    d-----w-    C:\ProgramData\Bluetex
2016-07-27 16:05:11 . 2016-07-27 16:05:11    --------    d-----w-    C:\Users\Bud Parker\Donquote
2016-07-27 16:05:09 . 2016-07-27 16:05:09    --------    d-----w-    C:\Users\Bud Parker\Quocane
2016-07-27 16:03:56 . 2016-07-27 16:03:56    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\E-zoplex
2016-07-27 14:04:27 . 2016-07-27 14:04:27    --------    d-----w-    C:\Users\Bud Parker\doubleholding
2016-07-27 14:04:25 . 2016-07-27 14:04:25    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Vivacon
2016-07-27 14:03:00 . 2016-07-27 14:03:00    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Subcorporation
2016-07-27 13:04:10 . 2016-07-27 13:04:11    --------    d-----w-    C:\Windows\unolab
2016-07-27 13:02:43 . 2016-07-27 13:02:43    --------    d-----w-    C:\Users\Bud Parker\Tranzone
2016-07-27 12:33:10 . 2016-07-27 12:33:10    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Zerron
2016-07-27 12:33:02 . 2016-07-27 12:33:02    --------    d-----w-    C:\Users\Bud Parker\Bigholding
2016-07-27 12:32:53 . 2016-07-27 15:49:29    --------    d-----w-    C:\Windows\Saocore
2016-07-27 12:30:02 . 2016-07-27 12:30:02    --------    d-----w-    C:\Program Files\Common Files\Joymedbase
2016-07-27 12:25:14 . 2016-07-06 03:23:34    49608    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2016-07-27 12:25:08 . 2016-07-06 03:23:38    892976    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
2016-07-27 12:25:08 . 2016-07-06 03:23:35    191432    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll
2016-07-27 12:25:07 . 2016-07-06 03:22:13    392136    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2016-07-27 03:07:55 . 2016-07-29 17:02:54    --------    d-----w-    C:\@RestoreQuarantine
2016-07-27 03:02:53 . 2016-07-27 03:02:53    --------    d-----w-    C:\ProgramData\Mathkix
2016-07-27 03:02:36 . 2016-07-27 03:02:36    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Zerzim
2016-07-27 03:01:02 . 2016-07-27 03:01:02    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Zaamcom
2016-07-26 22:50:10 . 2016-07-26 22:50:10    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Refind
2016-07-26 22:50:06 . 2016-07-26 22:50:06    --------    d-----w-    C:\Program Files\Common Files\Kondrill
2016-07-26 22:49:08 . 2016-07-26 22:49:08    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\J-bela
2016-07-26 22:14:31 . 2016-07-26 22:14:32    --------    d-----w-    C:\ProgramData\Freetaway
2016-07-26 22:11:45 . 2016-07-26 22:11:45    --------    d-----w-    C:\Users\Bud Parker\Overtechi
2016-07-26 21:36:11 . 2016-07-28 17:10:36    --------    d-----w-    C:\ProgramData\RegRun
2016-07-26 21:34:42 . 2016-07-26 21:34:42    40304    ----a-w-    C:\Windows\SysWow64\drivers\Partizan.sys
2016-07-26 21:33:17 . 2016-07-07 18:06:34    15016    ----a-w-    C:\Windows\SysWow64\drivers\UnHackMeDrv.sys
2016-07-26 21:33:17 . 2015-12-28 16:32:00    49968    ----a-w-    C:\Windows\system32\partizan.exe
2016-07-26 21:33:02 . 2016-07-28 15:44:30    --------    d-----w-    C:\Program Files (x86)\UnHackMe
2016-07-26 21:11:49 . 2016-07-26 21:11:49    --------    d-----w-    C:\Windows\howtrans
2016-07-26 21:11:26 . 2016-07-26 21:11:26    --------    d-----w-    C:\Users\Bud Parker\Medialam
2016-07-26 21:10:54 . 2016-07-26 21:10:54    --------    d-----w-    C:\ProgramData\Techijob
2016-07-26 21:07:42 . 2016-07-26 21:07:42    --------    d-----w-    C:\Windows\Kon-bam
2016-07-26 20:39:24 . 2016-07-26 20:39:24    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Ronlux
2016-07-26 20:39:18 . 2016-07-26 20:39:18    --------    d-----w-    C:\Program Files\Common Files\Ronlux
2016-07-26 20:38:09 . 2016-07-26 20:45:35    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Canunoing
2016-07-26 20:38:08 . 2016-07-26 20:38:08    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Roundtouch
2016-07-26 18:18:08 . 2016-07-26 18:18:09    --------    d-----w-    C:\ProgramData\Stantexon
2016-07-26 18:17:01 . 2016-07-28 14:16:31    --------    d-----w-    C:\Users\Bud Parker\zunfind
2016-07-26 18:15:25 . 2016-07-28 19:30:18    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Toughstreet
2016-07-26 18:15:03 . 2016-07-28 19:30:16    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Sumdrill
2016-07-26 18:14:18 . 2016-07-28 19:30:12    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Ronzafind
2016-07-26 15:58:20 . 2016-07-26 15:58:20    31232    ----a-w-    C:\Windows\system32\drivers\tap0901.sys
2016-07-26 14:47:36 . 2016-07-26 17:33:00    --------    d-----w-    C:\Windows\SysWow64\databases-incognito
2016-07-26 14:06:18 . 2016-07-26 14:06:18    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Apps
2016-07-26 13:51:43 . 2016-07-26 13:51:43    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\c
2016-07-26 13:50:10 . 2016-07-29 13:28:11    --------    d--h--w-    C:\Program Files (x86)\tai
2016-07-24 13:21:38 . 2016-07-24 13:21:42    --------    d-----w-    C:\Program Files\McAfee Security Scan
2016-07-24 03:14:56 . 2016-07-24 03:14:56    --------    d-----w-    C:\ProgramData\McAfee Security Scan
2016-07-19 17:26:07 . 2016-07-19 17:27:08    --------    d-----w-    C:\Program Files\iTunes
2016-07-18 02:40:12 . 2016-07-18 02:40:12    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\DiskAid
2016-07-15 03:19:46 . 2016-07-26 21:33:48    2    --shatr-    C:\Windows\winstart.bat
2016-07-14 14:08:26 . 2016-06-26 00:27:39    756736    ----a-w-    C:\Windows\system32\win32spl.dll
2016-07-14 14:07:59 . 2016-06-26 00:27:07    1208320    ----a-w-    C:\Windows\system32\aeinv.dll
2016-07-14 14:07:59 . 2016-06-17 18:24:29    544256    ----a-w-    C:\Windows\system32\devinv.dll
2016-07-14 14:07:59 . 2016-06-17 18:24:28    219136    ----a-w-    C:\Windows\system32\aepic.dll
2016-07-14 14:07:59 . 2016-06-17 18:24:28    1490432    ----a-w-    C:\Windows\system32\appraiser.dll
2016-07-14 14:07:58 . 2016-06-26 00:35:09    41704    ----a-w-    C:\Windows\system32\CompatTelRunner.exe
2016-07-14 14:07:58 . 2016-06-22 13:06:29    268800    ----a-w-    C:\Windows\system32\centel.dll
2016-07-14 14:07:58 . 2016-06-17 18:24:29    571904    ----a-w-    C:\Windows\system32\generaltel.dll
2016-07-14 14:07:58 . 2016-06-17 18:24:29    294912    ----a-w-    C:\Windows\system32\invagent.dll
2016-07-14 14:07:58 . 2016-06-17 18:24:28    76800    ----a-w-    C:\Windows\system32\acmigration.dll
2016-07-14 14:00:10 . 2016-06-14 15:03:37    3217408    ----a-w-    C:\Windows\system32\win32k.sys
2016-07-10 01:33:49 . 2016-07-10 01:33:49    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\HP
 



 

US Army, Retired
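The batches of new folders in the listing above (several created within the same minute, spread across C:\Windows, C:\ProgramData, Common Files and the user profile) are the kind of pattern a small triage script can pull out of a ComboFix log. The following Python is an added example written for this thread; it is not code from ComboFix or from anyone posting here. It parses the "Files Created" lines, sets aside the directories of the cleanup tools the thread mentions (an assumed allowlist), and groups the remaining newly created directories into creation-time bursts. The 90-second window and the three-directory threshold are assumptions chosen for the example; the sample lines are copied from the listing in the post.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.

Added example for this thread, not code from ComboFix or from anyone
posting here. The time window, the burst threshold and the allowlist of
cleanup-tool paths are assumptions made for the example.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "created modified size attrs path")
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# One ComboFix line: <created> . <last write> <size or --------> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(-{8}|\d+)\s+"      # size in bytes, or eight dashes for a directory
    r"([-a-z]{8})\s+"     # attribute flags such as d-----w- or ----a-w-
    r"(\S.*?)\s*$"        # the path
)

# Directories of the cleanup tools mentioned in the thread; treated as
# expected noise, not as suspects (assumed allowlist for this example).
KNOWN_TOOL_DIRS = (
    r"C:\Program Files\RogueKiller",
    r"C:\ProgramData\RogueKiller",
    r"C:\AdwCleaner",
    r"C:\FRST",
    r"C:\Program Files\Malwarebytes",
    r"C:\Program Files (x86)\UnHackMe",
)

# Sample lines copied from the listing posted in the thread.
SAMPLE_LOG = r"""
2016-07-29 19:31:56 . 2016-07-29 19:31:56    --------    d-----w-    C:\Users\Bud Parker\AppData\Local\Plexway
2016-07-29 19:31:52 . 2016-07-29 19:31:52    --------    d-----w-    C:\Program Files\Common Files\zencare
2016-07-29 19:31:48 . 2016-07-29 19:31:48    --------    d-----w-    C:\Windows\Ganja-lane
2016-07-29 19:31:34 . 2016-07-29 19:31:36    --------    d-----w-    C:\ProgramData\Lamzaps
2016-07-29 19:31:23 . 2016-07-29 20:40:40    --------    d-----w-    C:\ProgramData\Lamzap
2016-07-29 19:30:51 . 2016-07-29 19:30:51    --------    d-----w-    C:\Users\Bud Parker\AppData\Roaming\Tamcan
2016-07-29 14:19:34 . 2016-07-29 14:19:34    --------    d-----w-    C:\AdwCleaner
2016-07-28 21:03:42 . 2016-07-29 14:43:02    28272    ----a-w-    C:\Windows\system32\drivers\TrueSight.sys
2016-07-28 21:02:41 . 2016-07-28 21:02:58    --------    d-----w-    C:\Program Files\RogueKiller
2016-07-28 21:02:34 . 2016-07-28 21:02:34    --------    d-----w-    C:\ProgramData\RogueKiller
2016-07-19 17:26:07 . 2016-07-19 17:27:08    --------    d-----w-    C:\Program Files\iTunes
"""


def parse_line(line):
    """Return an Entry for one listing line, or None for headers and blanks."""
    m = LINE_RE.match(line)
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return Entry(datetime.strptime(created, TIME_FMT),
                 datetime.strptime(modified, TIME_FMT),
                 None if size.startswith("-") else int(size),
                 attrs, path)


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def is_known_tool(path):
    p = path.lower()
    return any(p.startswith(d.lower()) for d in KNOWN_TOOL_DIRS)


def top_level(path):
    """'C:\\Windows\\Ganja-lane' -> 'C:\\Windows' (drive plus first folder)."""
    return "\\".join(path.split("\\")[:2])


def directory_bursts(entries, window=timedelta(seconds=90), min_size=3):
    """Group newly created directories (known tools excluded) by creation
    time. Returns the groups of at least min_size entries whose consecutive
    creation times are no more than `window` apart, oldest entry first."""
    dirs = sorted((e for e in entries
                   if e.attrs.startswith("d") and not is_known_tool(e.path)),
                  key=lambda e: e.created)
    bursts, current = [], []
    for e in dirs:
        if current and e.created - current[-1].created > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def describe(burst):
    """One-line summary of a burst: how many folders, when, and which roots."""
    roots = sorted({top_level(e.path) for e in burst})
    return "%d directories created %s..%s across %s" % (
        len(burst), burst[0].created.time(), burst[-1].created.time(),
        ", ".join(roots))


if __name__ == "__main__":
    for burst in directory_bursts(parse_log(SAMPLE_LOG)):
        print(describe(burst))
        for e in burst:
            print("   ", e.created, e.path)
```

Run against the sample, the six folders created between 19:30:51 and 19:31:56 come out as one burst touching four different roots, while the RogueKiller, AdwCleaner and iTunes entries are left alone. On a full log the same grouping separates the dropper's batches from the scanner installs and Windows updates that are mixed in with them.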


#42 Top

Top

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 29 July 2016 - 03:03 PM

Some of those written files may be legitimate but the vast majority are not.  Also, I can't find any info on the net about Lamzap, can you?



 

US Army, Retired


#43 Top

Top

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 29 July 2016 - 03:10 PM

 

This file has been bugging me all along, let's check it

 

 

You need to Enable Windows to Show all Files and Folders, you can find the instructions Here
 
Go to Jotti's Malware Scan and submit this file for analysis. Just Choose file and then Submit file, when done and the report loads just copy and paste the URL back into this thread for me to see
 
 
c:\users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe <--This file

 

Here is what Jotti found on Lamzap.exe (Hope this tif file uploads)



 

US Army, Retired


#44 Top

Top

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 29 July 2016 - 03:14 PM

Here is the upload file.

Attached Thumbnails

  • Lamzap findings2.jpg


 

US Army, Retired


#45 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 29 July 2016 - 03:58 PM

It gets confusing, but all those files that CF found have been on your system for some time; it's possible they're related to Lamzap, but I'm not sure. It would be impossible to check them all.

 

Please download Malwarebytes Anti-Rootkit from Here
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
 

 

 

 

 

 



 
 
