Ransomware Malware need help with analyzing logs.. [Solved]


  • This topic is locked
19 replies to this topic

#1 RickSanchez (New Member, Authentic Member, 19 posts)

Posted 24 June 2016 - 11:06 PM

I'll try to make this straight and to the point: a friend has a Windows 7 Home Premium Gateway desktop. Back in 2012, he was the victim of the FBI ransomware trojan, freaked out, and his solution was to just turn off the desktop and unhook it from the internet. Fast forward to yesterday, and after I heard this story, I convinced him to let me bring the computer back from the dead, after assuring him the FBI virus was easily cured. I logged in and ran Malwarebytes 2x. It showed one trojan and about 250 PUP/PUMs, and I also manually deleted a bunch of outdated and questionable software. But that's it, almost too easy...

So I'm asking if one of you awesome experts will look at my logs please, to make sure I'm not missing something? Attached FRST, Addition, and aswMBR... if you need more info, please ask, and I'll respond right away, thanks!

FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by Brian (administrator) on BRIAN-PC (24-06-2016 22:20:31)
Running from C:\Users\Brian\Desktop
Loaded Profiles: Brian (Available Profiles: Brian & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Webroot Software, Inc. ) C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
(Acer) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Webroot Software, Inc. (www.webroot.com)) C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Apple Inc.) C:\Program Files (x86)\Safari\Safari.exe
(Apple Inc.) C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe
(AVAST Software) C:\Users\Brian\AppData\Local\Temp\l7y7otht.tmp\aswmbr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\msinfo32.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Run: [join.me.launcher] => C:\Users\Brian\AppData\Local\join.me.launcher\join.me.launcher.exe [176560 2015-10-27] (LogMeIn, Inc)
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{BBDAE6C1-A6CD-4212-A4AF-D8E7323B4EDF}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4831&r=17360411p106p0465v185k4411r39o
URLSearchHook: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm014YYus&ptnrS=XPxdm014YYus&ptb=C85FA07E-F22E-442D-AF50-7EF76F19EFE6&psa=&ind=2012101202&st=sb&n=77ee3a52&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = hxxp://supertoolbar.ask.com/redirect?client=ie&tb=WBR&o=13993&src=crm&q={searchTerms}&locale=en_US
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {4C3D2017-1104-495D-93EA-1901FBC8D222} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3244149
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm014YYus&ptnrS=XPxdm014YYus&ptb=C85FA07E-F22E-442D-AF50-7EF76F19EFE6&psa=&ind=2012101202&st=sb&n=77ee3a52&searchfor={searchTerms}
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-08-16] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-08-16] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-08-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-08-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2011-07-12] (Pando Networks)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-07] ()
FF Plugin HKU\S-1-5-21-1318367738-224961267-1809221802-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2011-07-12] (Pando Networks)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
R2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2314240 2009-09-30] (Intel Corporation) [File not signed]
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
R2 WebrootSpySweeperService; C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe [4048240 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WRConsumerService; C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe [1201640 2014-08-16] (Webroot Software, Inc. )
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-26] (NETGEAR Inc.)
R0 ssfs0bbc; C:\Windows\System32\DRIVERS\ssfs0bbc.sys [37488 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
R0 ssidrv; C:\Windows\System32\DRIVERS\ssidrv.sys [135280 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
U3 aswMBR; \??\C:\Users\Brian\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\Brian\AppData\Local\Temp\aswVmm.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-24 22:20 - 2016-06-24 22:20 - 00011768 _____ C:\Users\Brian\Desktop\FRST.txt
2016-06-24 22:19 - 2016-06-24 22:19 - 02387456 _____ (Farbar) C:\Users\Brian\Desktop\FRST64.exe
2016-06-24 22:16 - 2016-06-24 22:16 - 00000512 _____ C:\Users\Brian\Desktop\MBR.dat
2016-06-24 21:35 - 2016-06-24 22:16 - 00002818 _____ C:\Users\Brian\Desktop\aswMBR.txt
2016-06-24 16:12 - 2016-06-24 16:12 - 00000000 ____D C:\Users\Brian\AppData\Local\join.me.launcher
2016-06-24 15:00 - 2016-06-24 16:19 - 00000000 ____D C:\Users\Brian\AppData\Local\join.me
2016-06-24 15:00 - 2016-06-24 15:00 - 00000000 ____D C:\Users\Brian\AppData\Roaming\join.me
2016-06-24 14:59 - 2016-06-24 15:00 - 22125056 _____ C:\Users\Brian\Downloads\join.me.msi
2016-06-24 14:57 - 2016-06-24 14:57 - 00000000 ____H C:\Users\Brian\Documents\Default.rdp
2016-06-24 14:19 - 2016-06-24 14:19 - 00000000 ___RD C:\Users\Brian\Documents\Notes
2016-06-24 14:17 - 2016-06-24 22:20 - 00000000 ____D C:\FRST
2016-06-24 14:15 - 2016-06-24 14:15 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Malwarebytes
2016-06-24 14:15 - 2012-09-29 11:54 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\SysWOW64\Drivers\mbam.sys
2016-06-24 14:11 - 2016-06-24 14:32 - 00000000 ____D C:\Users\Brian\AppData\Local\Apple Computer
2016-06-24 11:47 - 2016-06-24 11:47 - 00038400 _____ (Sysinternals) C:\Windows\SysWOW64\Drivers\REGSYS701.SYS
2016-06-24 11:30 - 2016-06-24 11:30 - 00000000 ____D C:\!KillBox
2016-06-24 11:27 - 2016-06-24 11:27 - 00001262 _____ C:\CSDefault.cst
2016-06-24 11:23 - 2016-06-24 11:23 - 00000000 ___SD C:\32788R22FWJFW
2016-06-24 10:37 - 2016-06-24 10:38 - 00000000 ____D C:\Qoobox
2016-06-24 10:36 - 2016-06-24 10:36 - 00000000 ____D C:\Windows\erdnt
2016-06-24 10:30 - 2016-06-24 10:30 - 00000632 __RSH C:\Users\Brian\ntuser.pol
2016-06-24 10:13 - 2016-06-24 10:13 - 00000000 _____ C:\Users\Brian\AppData\Roaming\wklnhst.dat
2016-06-24 10:11 - 2016-06-24 10:11 - 00000000 ____D C:\TDSSKiller_Quarantine
2016-06-24 10:10 - 2016-06-24 10:12 - 00258916 _____ C:\TDSSKiller.2.8.15.0_24.06.2016_10.10.24_log.txt
2016-06-24 08:58 - 2016-06-24 08:58 - 00000000 ____D C:\Windows\pss
2016-06-24 08:31 - 2012-10-29 09:30 - 00027159 _____ C:\Windows\TempFileCleaner.cmd
2016-06-24 08:24 - 2016-06-24 08:24 - 00000000 __SHD C:\Users\Brian\AppData\Local\EmieUserList
2016-06-24 08:24 - 2016-06-24 08:24 - 00000000 __SHD C:\Users\Brian\AppData\Local\EmieSiteList
2016-06-24 07:53 - 2016-06-24 14:15 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-06-24 07:53 - 2012-09-29 11:54 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-24 16:32 - 2009-07-13 21:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-24 16:32 - 2009-07-13 21:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-24 16:29 - 2009-07-13 22:13 - 00812762 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-24 16:29 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-06-24 16:24 - 2011-04-19 20:19 - 00000000 ____D C:\ProgramData\NVIDIA
2016-06-24 16:24 - 2009-12-01 02:06 - 00000000 ____D C:\Program Files\Google
2016-06-24 16:24 - 2009-12-01 02:06 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-24 14:47 - 2011-04-19 21:05 - 00000000 ____D C:\Users\Brian\AppData\Local\Google
2016-06-24 14:47 - 2009-12-01 02:06 - 00000000 ____D C:\ProgramData\Google
2016-06-24 14:25 - 2012-10-11 23:12 - 00000000 ____D C:\Program Files (x86)\Conduit
2016-06-24 14:22 - 2012-10-11 23:13 - 00000000 ____D C:\ProgramData\Sendori
2016-06-24 14:11 - 2011-06-27 21:27 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Apple Computer
2016-06-24 13:57 - 2011-07-10 22:53 - 00000000 ____D C:\Users\Brian\AppData\Local\ElevatedDiagnostics
2016-06-24 12:57 - 2014-08-16 22:55 - 01762212 _____ C:\Windows\ntbtlog.txt
2016-06-24 12:46 - 2012-06-01 20:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-24 11:01 - 2009-07-13 21:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-06-24 10:57 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2016-06-24 10:30 - 2011-04-19 20:21 - 00000000 ____D C:\Users\Brian
2016-06-24 10:30 - 2009-07-13 20:20 - 00000000 ___HD C:\Windows\system32\GroupPolicyUsers
2016-06-24 10:30 - 2009-07-13 20:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-06-24 10:16 - 2009-07-13 22:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-06-24 08:37 - 2011-05-03 22:39 - 00000000 ____D C:\Users\Brian\Tracing
2016-06-24 08:37 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-13 19:31 - 2011-04-19 20:31 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2016-06-24 10:13 - 2016-06-24 10:13 - 0000000 _____ () C:\Users\Brian\AppData\Roaming\wklnhst.dat
2011-07-13 13:10 - 2011-07-13 13:10 - 0000093 _____ () C:\Users\Brian\AppData\Local\fusioncache.dat
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2016-06-14 22:40
 
==================== End of FRST.txt ============================
 
Addition.txt
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Brian (2016-06-24 22:21:13)
Running from C:\Users\Brian\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2011-04-20 03:20:56)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1318367738-224961267-1809221802-500 - Administrator - Disabled)
ASPNET (S-1-5-21-1318367738-224961267-1809221802-1002 - Limited - Disabled)
Brian (S-1-5-21-1318367738-224961267-1809221802-1000 - Administrator - Enabled) => C:\Users\Brian
Guest (S-1-5-21-1318367738-224961267-1809221802-501 - Limited - Disabled)
UpdatusUser (S-1-5-21-1318367738-224961267-1809221802-1003 - Limited - Disabled) => C:\Users\UpdatusUser
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Webroot AntiVirus with Spy Sweeper (Disabled - Up to date) {3A033352-45FD-579C-DF47-2D2DA7A56A3D}
AS: Webroot AntiVirus with Spy Sweeper (Disabled - Up to date) {8162D2B6-63C7-5812-E5F7-165FDC222080}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.5.0.880 - Adobe Systems Incorporated)
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader 9.1 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
Backup Manager Advance (x32 Version: 2.0.2.19 - NewTech Infosystems) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot (x32 Version: 2.2.0.98 - WildTangent) Hidden
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Diablo II (HKLM-x32\...\Diablo II) (Version:  - )
Diablo III (HKLM-x32\...\Diablo III) (Version: 1.0.3.10235 - Blizzard Entertainment)
DriverTuner 3.0.1.0 (HKLM-x32\...\{520C1D80-935C-42B9-9340-E883849D804F}_is1) (Version: 3.0.0.1 - LionSea SoftWare)
eBay Worldwide (HKLM-x32\...\{E0B19DF7-B1C7-4937-82C4-0E4B1E346965}) (Version: 2.1.0901 - OEM)
Fish Tycoon (x32 Version: 2.2.0.95 - WildTangent) Hidden
Gateway Games (HKLM-x32\...\WildTangent gateway Master Uninstall) (Version: 1.0.2.5 - WildTangent)
Gateway InfoCentre (HKLM-x32\...\Gateway InfoCentre) (Version: 3.02.3000 - Gateway Incorporated)
Gateway MyBackup (HKLM-x32\...\InstallShield_{30075A70-B5D2-440B-AFA3-FB2021740121}) (Version: 2.0.2.19 - NewTech Infosystems)
Gateway Photo Frame 4.2.3.10 (HKLM-x32\...\Gateway Photo Frame) (Version: 4.2.3.10 - I/O Interconnect)
Gateway Recovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3005 - Gateway Incorporated)
Gateway Registration (HKLM-x32\...\Gateway Registration) (Version: 1.02.3006 - Gateway Incorporated)
Gateway ScreenSaver (HKLM-x32\...\Gateway Screensaver) (Version: 1.1.0812 - Gateway Incorporated)
Gateway Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.01.3017 - Gateway Incorporated)
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
Guild Wars 2 (HKLM-x32\...\Guild Wars 2) (Version:  - NCsoft Corporation, Ltd.)
iCloud (HKLM\...\{704C0303-D20C-45AF-BD2B-556EAF31BE09}) (Version: 2.1.2.8 - Apple Inc.)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3002 - Gateway Incorporated)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iTunes (HKLM\...\{76FF0F03-B707-4332-B5D1-A56C8303514E}) (Version: 11.0.4.4 - Apple Inc.)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
JavaFX 2.1.0 (HKLM-x32\...\{1111706F-666A-4037-7777-210328764D10}) (Version: 2.1.0 - Oracle Corporation)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.00.0000 - JMicron Technology Corp.)
join.me (HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\JoinMe) (Version: 2.15.1.2637 - LogMeIn, Inc.)
join.me.launcher (x32 Version: 1.0.624.0 - LogMeIn, Inc.) Hidden
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Logitech Gaming Software 7.00 (HKLM\...\{690285C2-2481-44FB-8402-162EA970A6DD}) (Version: 7.00.291 - Logitech Inc.)
Microsoft .NET Framework 1.1 (HKLM-x32\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Suite Activation Assistant (HKLM-x32\...\{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}) (Version: 2.9 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{67E03279-F703-408F-B4BF-46B5FC8D70CD}) (Version: 9.7.0621 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (x32 Version: 1.0.0.0 - Webroot Software, Inc.) Hidden
Nero 9 Essentials (HKLM-x32\...\{f531dd03-45ef-45e9-ab97-2a0ab4f14907}) (Version:  - Nero AG)
NVIDIA 3D Vision Controller Driver 301.42 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 301.42 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.16.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.16.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
Pando Media Booster (HKLM-x32\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.3.5.4 - Pando Networks Inc.)
Prison Tycoon - Alcatraz (x32 Version: 2.2.0.95 - WildTangent) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5969 - Realtek Semiconductor Corp.)
Romopolis (x32 Version: 2.2.0.95 - WildTangent) Hidden
Safari (HKLM-x32\...\{FA4C2D53-205F-4245-9717-F3761154824D}) (Version: 5.34.57.2 - Apple Inc.)
SimCity™ Societies (HKLM-x32\...\{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}) (Version: 1.0.0.0 - Electronic Arts)
SMPlayer 0.6.9 (HKLM-x32\...\SMPlayer) (Version: 0.6.9 - RVM)
Spy Sweeper Core (x32 Version: 4.4.0.85 - Webroot Software) Hidden
The Lord of the Rings Online™ v03.03.00.8048 (HKLM-x32\...\12bbe590-c890-11d9-9669-0800200c9a66_is1) (Version: 03.03.00.8048 - Turbine, Inc.)
The Witcher 2 (HKLM-x32\...\{F0A209B7-7F85-4BDD-8F1F-B98EEAD9E04B}) (Version: 1.00.0000 - CD Projekt Red)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Mogul (x32 Version: 2.2.0.97 - WildTangent) Hidden
Ventrilo Client (HKLM-x32\...\{789289CA-F73A-4A16-A331-54D498CE069F}) (Version: 3.0.8 - Flagship Industries, Inc.)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Webroot AntiVirus with Spy Sweeper (HKLM-x32\...\{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1) (Version: 6.1 - Webroot Software, Inc.)
Welcome Center (HKLM-x32\...\Gateway Welcome Center) (Version: 1.00.3008 - Gateway Incorporated)
Westward (x32 Version: 2.2.0.95 - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.2.5 - WildTangent)
WildTangent Games App (Gateway Games) (x32 Version: 4.0.5.21 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version: 4.1.0.14007 - Blizzard Entertainment)
Youda Survivor 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0864ACE8-F4B1-46D6-8F93-F02A3E4D92E0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {08698D40-983E-4E95-8511-BEF953F37C8D} - System32\Tasks\wrSpySweeper_L48B9FE50FAE640DC8284E0939545902A => C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-11-06] (Webroot Software, Inc.)
Task: {6EE10206-13AB-4749-9636-E4A4E5E3C6E7} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {846AB774-34CC-433A-B063-9678D3B2FC62} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {8E12FE6A-39B6-40A5-8E27-087D6B1C7B0A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-08-16] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\wrSpySweeper_L48B9FE50FAE640DC8284E0939545902A.job => C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L48B9FE50FAE640DC8284E0939545902A C:\BrianԢ眇扥潲瑯ԒTaskName=wrSpySweeper_L48B9FE50FAE640DC8284E0939545902A
ApplicationName=C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\Public\Desktop\Netflix.lnk -> C:\ProgramData\OEM_E471269A730D\Netflix\StartURL.exe () -> hxxp://homepage.gateway.com/redirect.aspx?rid=09000002
 
==================== Loaded Modules (Whitelisted) ==============
 
2009-12-13 19:19 - 2009-12-09 02:24 - 00076320 _____ () C:\OEM\USBDECTION\USBS3S4Detection.exe
2012-05-20 16:18 - 2013-01-18 08:00 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2011-09-27 07:23 - 2011-09-27 07:23 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2011-09-27 07:22 - 2011-09-27 07:22 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2009-02-02 18:33 - 2009-02-02 18:33 - 00460199 _____ () C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\sqlite3.dll
2008-09-28 18:55 - 2008-09-28 18:55 - 01076224 _____ () C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\ACE.dll
2012-03-22 11:40 - 2012-03-22 11:40 - 00087912 _____ () C:\Program Files (x86)\Safari\Apple Application Support\zlib1.dll
2012-03-22 11:40 - 2012-03-22 11:40 - 01242472 _____ () C:\Program Files (x86)\Safari\Apple Application Support\libxml2.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebrootSpySweeperService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRConsumerService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 19:34 - 2014-08-16 23:07 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ZooskMessenger.lnk => C:\Windows\pss\ZooskMessenger.lnk.Startup
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: BackupManagerTray => "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
MSCONFIG\startupreg: Gateway Photo Frame => "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
MSCONFIG\startupreg: HotKeysCmds => "C:\Windows\system32\hkcmd.exe"
MSCONFIG\startupreg: IAAnotif => "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
MSCONFIG\startupreg: IgfxTray => "C:\Windows\system32\igfxtray.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: JMB36X IDE Setup => "C:\Windows\RaidTool\xInsIDE.exe"
MSCONFIG\startupreg: Launch LCore => "C:\Program Files\Logitech Gaming Software\LCore.exe" /minimized
MSCONFIG\startupreg: MobileDocuments => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
MSCONFIG\startupreg: msnmsgr => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
MSCONFIG\startupreg: OOTag => "C:\windows\oobeoffer\oobeoffer\ootag.exe"
MSCONFIG\startupreg: Persistence => "C:\Windows\system32\igfxpers.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RtHDVCpl => "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
MSCONFIG\startupreg: Sendori Tray => "C:\Program Files (x86)\Sendori\SendoriTray.exe"
MSCONFIG\startupreg: SpySweeper => "C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
20-08-2014 13:07:03 Windows Defender Checkpoint
21-08-2014 14:11:41 Windows Defender Checkpoint
21-08-2014 15:52:10 Windows Update
22-08-2014 02:25:13 Windows Update
22-08-2014 15:16:10 Windows Defender Checkpoint
26-08-2014 02:25:11 Windows Update
28-08-2014 03:00:11 Windows Update
17-01-2016 06:06:14 Scheduled Checkpoint
14-06-2016 22:47:51 Scheduled Checkpoint
24-06-2016 15:00:34 Installed join.me
24-06-2016 20:27:44 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: Logitech GamePanel Devices (Mono)
Description: Logitech GamePanel Devices (Mono)
Class Guid: {997b5d8d-c442-4f2e-baf3-9c8e671e9e21}
Manufacturer: Logitech Inc
Service: WUDFRd
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver
 
Name: Logitech GamePanel Devices (QVGA)
Description: Logitech GamePanel Devices (QVGA)
Class Guid: {997b5d8d-c442-4f2e-baf3-9c8e671e9e21}
Manufacturer: Logitech Inc
Service: WUDFRd
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver
 
Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/24/2016 04:20:49 PM) (Source: Wininit) (EventID: 1015) (User: )
Description: A critical system process, C:\Windows\system32\lsm.exe, failed with status code 1.  The machine must now be restarted.
 
Error: (06/24/2016 02:51:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0x1280
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3
 
Error: (06/24/2016 02:48:58 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (06/24/2016 02:48:58 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (06/24/2016 02:48:58 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (06/24/2016 02:48:58 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (06/24/2016 12:41:07 PM) (Source: SendoriService) (EventID: 99) (User: )
Description: In the enable methodObject reference not set to an instance of an object.
 
Error: (06/24/2016 11:00:52 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (06/24/2016 11:00:52 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (06/24/2016 11:00:52 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.
 
 
System errors:
=============
Error: (06/24/2016 10:16:10 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.
 
Error: (06/24/2016 10:16:10 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.
 
Error: (06/24/2016 04:27:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069 = The service did not start due to a logon failure.
 
 
Error: (06/24/2016 04:27:23 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: 
%%1331 = Logon failure: account currently disabled.
 
 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
 
Error: (06/24/2016 04:25:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The GRegService service failed to start due to the following error: 
%%2 = The system cannot find the file specified.
 
 
Error: (06/24/2016 04:24:56 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 4:23:38 PM on 6/24/2016 was unexpected.
 
Error: (06/24/2016 02:31:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069 = The service did not start due to a logon failure.
 
 
Error: (06/24/2016 02:31:05 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: 
%%1331 = Logon failure: account currently disabled.
 
 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
 
Error: (06/24/2016 02:28:48 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The GRegService service failed to start due to the following error: 
%%2 = The system cannot find the file specified.
 
 
Error: (06/24/2016 02:04:43 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068lltdsvc{5BF9AA75-D7FF-4AEE-AA2C-96810586456D}
 
 
CodeIntegrity:
===================================
  Date: 2016-06-24 11:47:40.186
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Users\Brian\AppData\Local\Temp\HBCD\REGSYS701.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2016-06-24 11:47:40.030
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Users\Brian\AppData\Local\Temp\HBCD\REGSYS701.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2016-06-24 11:47:39.890
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\drivers\REGSYS701.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2016-06-24 11:47:39.749
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\drivers\REGSYS701.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5 CPU 650 @ 3.20GHz
Percentage of memory in use: 57%
Total physical RAM: 8119.09 MB
Available physical RAM: 3424.63 MB
Total Virtual: 16236.37 MB
Available Virtual: 11073.92 MB
 
==================== Drives ================================
 
Drive c: (Gateway) (Fixed) (Total:914.41 GB) (Free:729.05 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: E7E9DEBE)
Partition 1: (Not Active) - (Size=17 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=914.4 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
AswMBR
 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-06-24 21:34:02
-----------------------------
21:34:02.818    OS Version: Windows x64 6.1.7601 Service Pack 1
21:34:02.818    Number of processors: 4 586 0x2502
21:34:02.819    ComputerName: BRIAN-PC  UserName: Brian
21:34:04.354    Initialize success
21:34:04.392    VM: initialized successfully
21:34:04.393    VM: Intel CPU supported 
21:34:08.517    VM: supported disk I/O iaStor.sys
21:35:32.010    The log file has been saved successfully to "C:\Users\Brian\Desktop\aswMBR.txt"
 
 
aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-06-24 21:34:02
-----------------------------
21:34:02.818    OS Version: Windows x64 6.1.7601 Service Pack 1
21:34:02.818    Number of processors: 4 586 0x2502
21:34:02.819    ComputerName: BRIAN-PC  UserName: Brian
21:34:04.354    Initialize success
21:34:04.392    VM: initialized successfully
21:34:04.393    VM: Intel CPU supported 
21:34:08.517    VM: supported disk I/O iaStor.sys
21:35:32.010    The log file has been saved successfully to "C:\Users\Brian\Desktop\aswMBR.txt"
21:35:35.442    AVAST engine defs: 16062401
21:35:55.301    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
21:35:55.301    Disk 0 Vendor: WDC_WD10 01.0 Size: 953869MB BusType: 3
21:35:55.862    VM: Disk 0 MBR read successfully
21:35:55.862    Disk 0 MBR scan
21:35:55.862    Disk 0 Windows 7 default MBR code
21:35:55.894    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        17408 MB offset 2048
21:35:55.925    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 35653632
21:35:55.987    Disk 0 default boot code
21:35:56.018    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS       936359 MB offset 35858432
21:35:57.266    Disk 0 scanning C:\Windows\system32\drivers
21:36:51.950    Service scanning
21:40:36.115    Modules scanning
21:40:36.115    Disk 0 trace - called modules:
21:40:36.302    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys 
21:40:36.302    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007e22060]
21:40:36.302    3 CLASSPNP.SYS[fffff88001add43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa8007b50050]
21:40:55.568    AVAST engine scan C:\Windows
21:41:47.282    AVAST engine scan C:\Windows\system32
21:47:46.746    AVAST engine scan C:\Windows\system32\drivers
21:47:55.966    AVAST engine scan C:\Users\Brian
21:51:49.170    AVAST engine scan C:\ProgramData
21:52:15.940    Disk 0 statistics 4127404/0/22 @ 3.29 MB/s
21:52:15.940    Scan finished successfully
22:16:08.145    Disk 0 MBR has been saved successfully to "C:\Users\Brian\Desktop\MBR.dat"
22:16:08.152    The log file has been saved successfully to "C:\Users\Brian\Desktop\aswMBR.txt"
 
 

 



#2 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 25 June 2016 - 01:44 AM

Hello RickSanchez and welcome to the WTT forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

You seem to have thrown everything at this computer including ComboFix, which is not advisable. ComboFix is a very powerful tool which, when improperly used, may render your machine a doorstop. That said, there is still some dubious stuff on this PC, so let's get started.

===================================================

You should consider removing Pando Media Booster as it could be causing the computer to slow down.

Pando Media Booster - Pando uses P2P (Peer-to-Peer) file swapping technology. Although they do say users' files and systems are not automatically included in the file swapping network, any file download using their services uses your bandwidth to share to speed up their file transfers. They do this so that they can benefit their paying customers at free customers’ expense.

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

When you’ve done that, please run FRST again and post the new log.
Logs to include with next post:

AdwCleaner log
JRT.txt
New Frst.txt


Thanks

Satchfan

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#3 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 25 June 2016 - 03:21 AM

Hi, thanks for your quick response. To be honest, I did try every program I could. I'm not too worried about further damage at this point; I went into this knowing I would most likely be formatting and reinstalling the OS. I wanted the experts' opinions to be sure first, though, so here I am. And when I ran ComboFix, it popped up in CMD and then just disappeared. A few other programs did the same too, actually... So how bad is it, really? I noticed the ZeroAccess warnings; that's not good, is it?

A few questions: how does the aswMBR log look? Is "21:35:55.894    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        17408 MB offset 2048" normal? And what would cause those code integrity errors?

 

Attached the asked for logs:

# AdwCleaner v5.200 - Logfile created 25/06/2016 at 02:02:07
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-25.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Brian - BRIAN-PC
# Running from : C:\Users\Brian\Desktop\adwcleaner_5.200.exe
# Option : Clean
# Support : https://toolslib.net/forum
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\ProgramData\Partner
[-] Folder Deleted : C:\ProgramData\Sendori
[#] Folder Deleted : C:\ProgramData\Application Data\Partner
[#] Folder Deleted : C:\ProgramData\Application Data\Sendori
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverTuner
[-] Folder Deleted : C:\Program Files (x86)\Conduit
[-] Folder Deleted : C:\Program Files (x86)\DriverTuner
 
***** [ Files ] *****
 
[-] File Deleted : C:\END
[-] File Deleted : C:\Users\Public\Desktop\eBay.lnk
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataContainer
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataContainer.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataController
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataController.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataStatistics
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataStatistics.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataTable
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataTable.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataTableFields
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataTableFields.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataTableHolder
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.DataTableHolder.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.LSPLogic
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.LSPLogic.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.ProxyChecks
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.ProxyChecks.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.ReadOnlyManager
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.ReadOnlyManager.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.WatchDog
[-] Key Deleted : HKLM\SOFTWARE\Classes\PCProxy.WatchDog.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9DC8FA51-B596-4F77-802C-5B295919C205}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3E28F712-0D6C-4EE3-AC8C-8F060F5D7C33}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EEBC7FF-67DA-4B90-9251-C2C5696E4B48}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{74137531-80F7-406F-9543-7D11385FA8C8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{832599B2-55BF-4437-8F3E-030CF5AEB262}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9B7B034B-944A-4261-B487-862F642F7615}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DD67706E-819E-4EBD-BF8D-6D6147CC7A49}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22511E2E-7970-414E-BC7C-28D16C4AF54D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C5311E-016D-4999-BCB1-499898429D6C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2C4B6DB8-6413-403B-A038-16A352CFE8B9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{46803190-228D-470E-90FE-F5E0CEA9C4F2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5180FE16-2E09-497B-9C8B-5A6F029ECECB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A4F6E1B3-469E-46EF-A936-FBA9D5EFD2B9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C97AF157-6A27-4F57-9D47-E2D3E4761B77}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED0D2C81-7DB5-4599-B7C0-1033418B5672}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B8445FED-900C-4137-AD15-DDD2F6306B62}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BB27DF2F-6F05-4A42-9FFD-14696D795750}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C00F4B2B-A33C-40FC-8E47-4D18DCD4B01E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4B8E39FD-ED07-4A41-9681-3D78DAFCEE66}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\DriverTuner
[-] Key Deleted : HKLM\SOFTWARE\DriverTuner_Init
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{520C1D80-935C-42B9-9340-E883849D804F}_is1
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{4C3D2017-1104-495D-93EA-1901FBC8D222}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\superfish.com
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
:: IE policies deleted
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [6252 bytes] - [25/06/2016 02:02:07]
C:\AdwCleaner\AdwCleaner[S1].txt - [6523 bytes] - [25/06/2016 02:00:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [6398 bytes] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Brian (Administrator) on Sat 06/25/2016 at  2:13:15.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 22 
 
Successfully deleted: C:\Program Files (x86)\Bucksbee Loyalty Plugin - 100815 (Folder)
Successfully deleted: C:\Windows\wininit.ini (File) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\067AUV3V (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKFX5Y67 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HI0AHU0V (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RVOVM57A (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARINSTALLER_UPDATE-58C72B7B.pf (File) 
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARMANAGER_F3B2E431-EA321F90.pf (File) 
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARNOTIFIER.EXE-969E73DB.pf (File) 
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARUSER_32.EXE-66EEE4D2.pf (File) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\067AUV3V (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKFX5Y67 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HI0AHU0V (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RVOVM57A (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/25/2016 at  2:16:48.95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by Brian (administrator) on BRIAN-PC (25-06-2016 02:47:22)
Running from C:\Users\Brian\Desktop
Loaded Profiles: Brian (Available Profiles: Brian & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Webroot Software, Inc. ) C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
(Acer) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Webroot Software, Inc. (www.webroot.com)) C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Apple Inc.) C:\Program Files (x86)\Safari\Safari.exe
(Apple Inc.) C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Run: [join.me.launcher] => C:\Users\Brian\AppData\Local\join.me.launcher\join.me.launcher.exe [176560 2015-10-27] (LogMeIn, Inc)
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{BBDAE6C1-A6CD-4212-A4AF-D8E7323B4EDF}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4831&r=17360411p106p0465v185k4411r39o
URLSearchHook: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-08-16] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-08-16] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-08-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-08-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2011-07-12] (Pando Networks)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-07] ()
FF Plugin HKU\S-1-5-21-1318367738-224961267-1809221802-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2011-07-12] (Pando Networks)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LMS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
R2 UNS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2314240 2009-09-30] (Intel Corporation) [File not signed]
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
R2 WebrootSpySweeperService; C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe [4048240 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WRConsumerService; C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe [1201640 2014-08-16] (Webroot Software, Inc. )
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-26] (NETGEAR Inc.)
R0 ssfs0bbc; C:\Windows\System32\DRIVERS\ssfs0bbc.sys [37488 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
R0 ssidrv; C:\Windows\System32\DRIVERS\ssidrv.sys [135280 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-25 02:16 - 2016-06-25 02:16 - 00003692 _____ C:\Users\Brian\Desktop\JRT.txt
2016-06-25 01:59 - 2016-06-25 02:02 - 00000000 ____D C:\AdwCleaner
2016-06-25 01:57 - 2016-06-25 01:57 - 03703360 _____ C:\Users\Brian\Desktop\adwcleaner_5.200.exe
2016-06-25 01:57 - 2016-06-25 01:57 - 01610816 _____ (Malwarebytes) C:\Users\Brian\Desktop\JRT.exe
2016-06-24 22:33 - 2016-06-24 22:37 - 00000345 _____ C:\Users\Brian\Desktop\Search.txt
2016-06-24 22:32 - 2016-06-24 22:32 - 00003665 _____ C:\Users\Brian\Desktop\aswMBR2.txt
2016-06-24 22:21 - 2016-06-24 22:21 - 00033470 _____ C:\Users\Brian\Desktop\Addition.txt
2016-06-24 22:20 - 2016-06-25 02:47 - 00010137 _____ C:\Users\Brian\Desktop\FRST.txt
2016-06-24 22:19 - 2016-06-24 22:19 - 02387456 _____ (Farbar) C:\Users\Brian\Desktop\FRST64.exe
2016-06-24 22:16 - 2016-06-24 22:32 - 00000512 _____ C:\Users\Brian\Desktop\MBR.dat
2016-06-24 21:35 - 2016-06-24 22:16 - 00002818 _____ C:\Users\Brian\Desktop\aswMBR.txt
2016-06-24 21:33 - 2016-06-24 21:34 - 05200384 _____ (AVAST Software) C:\Users\Brian\Desktop\aswmbr.exe
2016-06-24 16:12 - 2016-06-24 16:12 - 00000000 ____D C:\Users\Brian\AppData\Local\join.me.launcher
2016-06-24 15:00 - 2016-06-24 16:19 - 00000000 ____D C:\Users\Brian\AppData\Local\join.me
2016-06-24 15:00 - 2016-06-24 15:00 - 00000000 ____D C:\Users\Brian\AppData\Roaming\join.me
2016-06-24 14:59 - 2016-06-24 15:00 - 22125056 _____ C:\Users\Brian\Downloads\join.me.msi
2016-06-24 14:57 - 2016-06-24 14:57 - 00000000 ____H C:\Users\Brian\Documents\Default.rdp
2016-06-24 14:19 - 2016-06-24 14:19 - 00000000 ___RD C:\Users\Brian\Documents\Notes
2016-06-24 14:17 - 2016-06-25 02:47 - 00000000 ____D C:\FRST
2016-06-24 14:15 - 2016-06-24 14:15 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Malwarebytes
2016-06-24 14:15 - 2012-09-29 11:54 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\SysWOW64\Drivers\mbam.sys
2016-06-24 14:11 - 2016-06-24 14:32 - 00000000 ____D C:\Users\Brian\AppData\Local\Apple Computer
2016-06-24 11:47 - 2016-06-24 11:47 - 00038400 _____ (Sysinternals) C:\Windows\SysWOW64\Drivers\REGSYS701.SYS
2016-06-24 11:30 - 2016-06-24 11:30 - 00000000 ____D C:\!KillBox
2016-06-24 11:27 - 2016-06-24 11:27 - 00001262 _____ C:\CSDefault.cst
2016-06-24 11:23 - 2016-06-24 11:23 - 00000000 ___SD C:\32788R22FWJFW
2016-06-24 10:37 - 2016-06-24 10:38 - 00000000 ____D C:\Qoobox
2016-06-24 10:36 - 2016-06-24 10:36 - 00000000 ____D C:\Windows\erdnt
2016-06-24 10:30 - 2016-06-24 10:30 - 00000632 __RSH C:\Users\Brian\ntuser.pol
2016-06-24 10:13 - 2016-06-24 10:13 - 00000000 _____ C:\Users\Brian\AppData\Roaming\wklnhst.dat
2016-06-24 10:11 - 2016-06-24 10:11 - 00000000 ____D C:\TDSSKiller_Quarantine
2016-06-24 10:10 - 2016-06-24 10:12 - 00258916 _____ C:\TDSSKiller.2.8.15.0_24.06.2016_10.10.24_log.txt
2016-06-24 08:58 - 2016-06-24 08:58 - 00000000 ____D C:\Windows\pss
2016-06-24 08:31 - 2012-10-29 09:30 - 00027159 _____ C:\Windows\TempFileCleaner.cmd
2016-06-24 08:24 - 2016-06-24 08:24 - 00000000 __SHD C:\Users\Brian\AppData\Local\EmieUserList
2016-06-24 08:24 - 2016-06-24 08:24 - 00000000 __SHD C:\Users\Brian\AppData\Local\EmieSiteList
2016-06-24 07:53 - 2016-06-24 14:15 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-06-24 07:53 - 2012-09-29 11:54 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-25 02:13 - 2009-07-13 21:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-25 02:13 - 2009-07-13 21:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-25 02:10 - 2009-07-13 22:13 - 00812762 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-25 02:10 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-06-25 02:05 - 2011-04-19 20:19 - 00000000 ____D C:\ProgramData\NVIDIA
2016-06-24 16:24 - 2009-12-01 02:06 - 00000000 ____D C:\Program Files\Google
2016-06-24 16:24 - 2009-12-01 02:06 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-24 14:47 - 2011-04-19 21:05 - 00000000 ____D C:\Users\Brian\AppData\Local\Google
2016-06-24 14:47 - 2009-12-01 02:06 - 00000000 ____D C:\ProgramData\Google
2016-06-24 14:11 - 2011-06-27 21:27 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Apple Computer
2016-06-24 13:57 - 2011-07-10 22:53 - 00000000 ____D C:\Users\Brian\AppData\Local\ElevatedDiagnostics
2016-06-24 12:57 - 2014-08-16 22:55 - 01762212 _____ C:\Windows\ntbtlog.txt
2016-06-24 12:46 - 2012-06-01 20:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-24 11:01 - 2009-07-13 21:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-06-24 10:57 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2016-06-24 10:30 - 2011-04-19 20:21 - 00000000 ____D C:\Users\Brian
2016-06-24 10:30 - 2009-07-13 20:20 - 00000000 ___HD C:\Windows\system32\GroupPolicyUsers
2016-06-24 10:30 - 2009-07-13 20:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-06-24 10:16 - 2009-07-13 22:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-06-24 08:37 - 2011-05-03 22:39 - 00000000 ____D C:\Users\Brian\Tracing
2016-06-24 08:37 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-13 19:31 - 2011-04-19 20:31 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2016-06-24 10:13 - 2016-06-24 10:13 - 0000000 _____ () C:\Users\Brian\AppData\Roaming\wklnhst.dat
2011-07-13 13:10 - 2011-07-13 13:10 - 0000093 _____ () C:\Users\Brian\AppData\Local\fusioncache.dat
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
 
Some files in TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\libeay32.dll
C:\Users\Brian\AppData\Local\Temp\msvcr120.dll
C:\Users\Brian\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2016-06-14 22:40
 
==================== End of FRST.txt ============================


#4 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 25 June 2016 - 04:31 AM

Your aswMBR log was fine.
 

I noticed the ZeroAccess warnings, that's not good is it.

It’s not good but not as bad as some.

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"
C:\Program Files (x86)\Google\Desktop\Install
CMD: ipconfig /flushdns
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/7/8/10, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn't work (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next reply.

Logs to include with next post:

Fixlog.txt
RKreport.txt

 

Please just paste the results into the post without "code/quote" boxes.

Thanks

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.
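As an added example (not code from this thread, from FRST, or from its author), the following Python triage reads FRST.txt output and picks out the same kinds of entries the helper pulled into the fixlist above: lines FRST tags with "<======= ATTENTION", browser add-ons and toolbars pointing at "No File", services whose binary is missing ("[X]"), the ZeroAccess junction warning, plus unsigned services and publisher-less processes that deserve a manual look. The category names, the sample excerpt and the draft-fixlist helper are constructed for the demonstration; the draft is something to review by hand, not to run blind.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    category: str  # which triage rule matched (names are this example's own)
    line: str      # the FRST line (or the directive FRST recommends), whitespace-stripped
    fixlist: bool  # True if the line can be copied verbatim into fixlist.txt


# FRST section headers look like "==================== Services (Whitelisted) ======"
SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
# Service/driver rows: "R2 LMS; C:\...\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]"
SERVICE_RE = re.compile(r"^[RSU]\d\s+\S+;\s")


def triage_frst(text: str) -> List[Finding]:
    """Return the entries of an FRST.txt log that deserve a second look, in log order."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if "<======= ATTENTION" in line:
            # FRST's own flag (here: per-user Group Policy restrictions); copied as-is into the fixlist
            findings.append(Finding("frst-attention", line, True))
        elif line.startswith("ATTENTION: ====> ZeroAccess"):
            # FRST names the directive to use; everything after "Use " is the fixlist line
            directive = line.partition("Use ")[2] or line
            findings.append(Finding("zeroaccess-junction", directive, True))
        elif line.startswith(("BHO", "Toolbar:")) and line.endswith("No File"):
            # registry entry for a browser add-on whose DLL is gone: leftover of removed adware
            findings.append(Finding("orphaned-browser-object", line, True))
        elif SERVICE_RE.match(line) and line.endswith("[X]"):
            # service still registered but its binary is missing; FRST removes the registration
            findings.append(Finding("service-missing-binary", line, True))
        elif SERVICE_RE.match(line) and "[File not signed]" in line:
            # verify by hand (vendor, date, hash); not a fixlist line by itself
            findings.append(Finding("unsigned-service", line, False))
        elif section.startswith("Processes") and line.startswith("() "):
            # running process with an empty publisher string; verify, do not auto-remove
            findings.append(Finding("process-no-publisher", line, False))
    return findings


def draft_fixlist(findings: List[Finding]) -> str:
    """Assemble a fixlist.txt draft in the shape used above: close processes, entries, empty temp."""
    body = [f.line for f in findings if f.fixlist]
    return "\n".join(["CloseProcesses:", *body, "EmptyTemp:"])


# Constructed excerpt of the FRST.txt log posted in this thread, trimmed to the relevant lines.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe

==================== Registry (Whitelisted) ===========================
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION

Internet Explorer:
==================
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

==================== Services (Whitelisted) ========================
R2 LMS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]

==================== Bamital & volsnap =================
C:\Windows\system32\winlogon.exe => File is digitally signed
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
"""

if __name__ == "__main__":
    found = triage_frst(SAMPLE_FRST)
    for f in found:
        print(f"{f.category:25} fixlist={f.fixlist}  {f.line}")
    print("\n--- fixlist.txt draft ---")
    print(draft_fixlist(found))
```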

#5 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 25 June 2016 - 02:37 PM

RK Report

RogueKiller V12.3.5.0 [Jun 22 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...guekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Brian [Administrator]
Started from : C:\Users\Brian\Desktop\RogueKiller.exe
Mode : Scan -- Date : 06/25/2016 13:34:36

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 14 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Application Sendori (C:\Program Files (x86)\Sendori\SendoriSvc.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Service Sendori (C:\Program Files (x86)\Sendori\Sendori.Service.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sndappv2 (C:\Program Files (x86)\Sendori\sndappv2.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TelevisionFanaticService (C:\PROGRA~2\TELEVI~2\bar\1.bin\64barsvc.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.gate...65v185k4411r39o -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.gate...65v185k4411r39o -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EADS-22M2B0 +++++
--- User ---
[MBR] ef16c0e728d9575e145e0d8c5eeb1877
[BSP] 8574895f78e0bfa17ee0d280408a9ef2 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 17408 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 35653632 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 35858432 | Size: 936359 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic- MicroSD USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Farbar Report

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Brian (2016-06-25 04:45:08) Run:1
Running from C:\Users\Brian\Desktop
Loaded Profiles: Brian (Available Profiles: Brian & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"
C:\Program Files (x86)\Google\Desktop\Install
CMD: ipconfig /flushdns
EmptyTemp:
*****************

Processes closed successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => key removed successfully
HKCR\Wow6432Node\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key not found.
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1318367738-224961267-1809221802-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => key removed successfully
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
Greg_Service => service removed successfully
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started:
"C:\Program Files\Windows Defender\en-US" =>Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender" =>Deleting reparse point and unlocking completed.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sndappv2" => key removed successfully
C:\Program Files (x86)\Google\Desktop\Install => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========
BITS transfer queue => 4194304 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 81410582 B
Java, Flash, Steam htmlcache => 63224 B
Windows/system/drivers => 72328800 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 6184252734 B
systemprofile32 => 244984 B
LocalService => 132244 B
NetworkService => 1096192 B
Brian => 163616142 B
UpdatusUser => 66228 B
RecycleBin => 568466095 B
EmptyTemp: => 6.6 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 06:18:47 ====

#6 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 25 June 2016 - 02:38 PM

I ran Fixlist first, followed by RK

#7 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 26 June 2016 - 05:33 AM

Sorry, I seem to have missed that reply.

 

Those logs are unreadable as they are. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked then open the logs again and re-send the logs.

 

Note, If they still look the same then please attach them.

 

Thanks

 

Satchfan

 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#8 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 26 June 2016 - 06:34 AM

Lol, I thought it was just me who couldn't understand them! OK, one second.

#9 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 26 June 2016 - 06:37 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Brian (2016-06-25 04:45:08) Run:1
Running from C:\Users\Brian\Desktop
Loaded Profiles: Brian (Available Profiles: Brian & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"
C:\Program Files (x86)\Google\Desktop\Install
CMD: ipconfig /flushdns
EmptyTemp:
*****************

Processes closed successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => key removed successfully
HKCR\Wow6432Node\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key not found.
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1318367738-224961267-1809221802-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => key removed successfully
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
Greg_Service => service removed successfully
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started:
"C:\Program Files\Windows Defender\en-US" =>Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender" =>Deleting reparse point and unlocking completed.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sndappv2" => key removed successfully
C:\Program Files (x86)\Google\Desktop\Install => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 4194304 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 81410582 B
Java, Flash, Steam htmlcache => 63224 B
Windows/system/drivers => 72328800 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 6184252734 B
systemprofile32 => 244984 B
LocalService => 132244 B
NetworkService => 1096192 B
Brian => 163616142 B
UpdatusUser => 66228 B

RecycleBin => 568466095 B
EmptyTemp: => 6.6 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 06:18:47 ====


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by Brian (administrator) on BRIAN-PC (25-06-2016 02:47:22)
Running from C:\Users\Brian\Desktop
Loaded Profiles: Brian (Available Profiles: Brian & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Webroot Software, Inc. ) C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
(Acer) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Webroot Software, Inc. (www.webroot.com)) C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Apple Inc.) C:\Program Files (x86)\Safari\Safari.exe
(Apple Inc.) C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Run: [join.me.launcher] => C:\Users\Brian\AppData\Local\join.me.launcher\join.me.launcher.exe [176560 2015-10-27] (LogMeIn, Inc)
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1003\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1318367738-224961267-1809221802-1002\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{BBDAE6C1-A6CD-4212-A4AF-D8E7323B4EDF}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
HKU\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4831&r=17360411p106p0465v185k4411r39o
URLSearchHook: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
SearchScopes: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS428US428
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-08-16] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-08-16] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1318367738-224961267-1809221802-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-08-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-08-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-18] (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2011-07-12] (Pando Networks)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-07] ()
FF Plugin HKU\S-1-5-21-1318367738-224961267-1809221802-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2011-07-12] (Pando Networks)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
R2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2314240 2009-09-30] (Intel Corporation) [File not signed]
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
R2 WebrootSpySweeperService; C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe [4048240 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WRConsumerService; C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe [1201640 2014-08-16] (Webroot Software, Inc. )
S2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-26] (NETGEAR Inc.)
R0 ssfs0bbc; C:\Windows\System32\DRIVERS\ssfs0bbc.sys [37488 2009-11-06] (Webroot Software, Inc. (www.webroot.com))
R0 ssidrv; C:\Windows\System32\DRIVERS\ssidrv.sys [135280 2009-11-06] (Webroot Software, Inc. (www.webroot.com))

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-25 02:16 - 2016-06-25 02:16 - 00003692 _____ C:\Users\Brian\Desktop\JRT.txt
2016-06-25 01:59 - 2016-06-25 02:02 - 00000000 ____D C:\AdwCleaner
2016-06-25 01:57 - 2016-06-25 01:57 - 03703360 _____ C:\Users\Brian\Desktop\adwcleaner_5.200.exe
2016-06-25 01:57 - 2016-06-25 01:57 - 01610816 _____ (Malwarebytes) C:\Users\Brian\Desktop\JRT.exe
2016-06-24 22:33 - 2016-06-24 22:37 - 00000345 _____ C:\Users\Brian\Desktop\Search.txt
2016-06-24 22:32 - 2016-06-24 22:32 - 00003665 _____ C:\Users\Brian\Desktop\aswMBR2.txt
2016-06-24 22:21 - 2016-06-24 22:21 - 00033470 _____ C:\Users\Brian\Desktop\Addition.txt
2016-06-24 22:20 - 2016-06-25 02:47 - 00010137 _____ C:\Users\Brian\Desktop\FRST.txt
2016-06-24 22:19 - 2016-06-24 22:19 - 02387456 _____ (Farbar) C:\Users\Brian\Desktop\FRST64.exe
2016-06-24 22:16 - 2016-06-24 22:32 - 00000512 _____ C:\Users\Brian\Desktop\MBR.dat
2016-06-24 21:35 - 2016-06-24 22:16 - 00002818 _____ C:\Users\Brian\Desktop\aswMBR.txt
2016-06-24 21:33 - 2016-06-24 21:34 - 05200384 _____ (AVAST Software) C:\Users\Brian\Desktop\aswmbr.exe
2016-06-24 16:12 - 2016-06-24 16:12 - 00000000 ____D C:\Users\Brian\AppData\Local\join.me.launcher
2016-06-24 15:00 - 2016-06-24 16:19 - 00000000 ____D C:\Users\Brian\AppData\Local\join.me
2016-06-24 15:00 - 2016-06-24 15:00 - 00000000 ____D C:\Users\Brian\AppData\Roaming\join.me
2016-06-24 14:59 - 2016-06-24 15:00 - 22125056 _____ C:\Users\Brian\Downloads\join.me.msi
2016-06-24 14:57 - 2016-06-24 14:57 - 00000000 ____H C:\Users\Brian\Documents\Default.rdp
2016-06-24 14:19 - 2016-06-24 14:19 - 00000000 ___RD C:\Users\Brian\Documents\Notes
2016-06-24 14:17 - 2016-06-25 02:47 - 00000000 ____D C:\FRST
2016-06-24 14:15 - 2016-06-24 14:15 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Malwarebytes
2016-06-24 14:15 - 2012-09-29 11:54 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\SysWOW64\Drivers\mbam.sys
2016-06-24 14:11 - 2016-06-24 14:32 - 00000000 ____D C:\Users\Brian\AppData\Local\Apple Computer
2016-06-24 11:47 - 2016-06-24 11:47 - 00038400 _____ (Sysinternals) C:\Windows\SysWOW64\Drivers\REGSYS701.SYS
2016-06-24 11:30 - 2016-06-24 11:30 - 00000000 ____D C:\!KillBox
2016-06-24 11:27 - 2016-06-24 11:27 - 00001262 _____ C:\CSDefault.cst
2016-06-24 11:23 - 2016-06-24 11:23 - 00000000 ___SD C:\32788R22FWJFW
2016-06-24 10:37 - 2016-06-24 10:38 - 00000000 ____D C:\Qoobox
2016-06-24 10:36 - 2016-06-24 10:36 - 00000000 ____D C:\Windows\erdnt
2016-06-24 10:30 - 2016-06-24 10:30 - 00000632 __RSH C:\Users\Brian\ntuser.pol
2016-06-24 10:13 - 2016-06-24 10:13 - 00000000 _____ C:\Users\Brian\AppData\Roaming\wklnhst.dat
2016-06-24 10:11 - 2016-06-24 10:11 - 00000000 ____D C:\TDSSKiller_Quarantine
2016-06-24 10:10 - 2016-06-24 10:12 - 00258916 _____ C:\TDSSKiller.2.8.15.0_24.06.2016_10.10.24_log.txt
2016-06-24 08:58 - 2016-06-24 08:58 - 00000000 ____D C:\Windows\pss
2016-06-24 08:31 - 2012-10-29 09:30 - 00027159 _____ C:\Windows\TempFileCleaner.cmd
2016-06-24 08:24 - 2016-06-24 08:24 - 00000000 __SHD C:\Users\Brian\AppData\Local\EmieUserList
2016-06-24 08:24 - 2016-06-24 08:24 - 00000000 __SHD C:\Users\Brian\AppData\Local\EmieSiteList
2016-06-24 07:53 - 2016-06-24 14:15 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-06-24 07:53 - 2012-09-29 11:54 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-25 02:13 - 2009-07-13 21:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-25 02:13 - 2009-07-13 21:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-25 02:10 - 2009-07-13 22:13 - 00812762 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-25 02:10 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-06-25 02:05 - 2011-04-19 20:19 - 00000000 ____D C:\ProgramData\NVIDIA
2016-06-24 16:24 - 2009-12-01 02:06 - 00000000 ____D C:\Program Files\Google
2016-06-24 16:24 - 2009-12-01 02:06 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-24 14:47 - 2011-04-19 21:05 - 00000000 ____D C:\Users\Brian\AppData\Local\Google
2016-06-24 14:47 - 2009-12-01 02:06 - 00000000 ____D C:\ProgramData\Google
2016-06-24 14:11 - 2011-06-27 21:27 - 00000000 ____D C:\Users\Brian\AppData\Roaming\Apple Computer
2016-06-24 13:57 - 2011-07-10 22:53 - 00000000 ____D C:\Users\Brian\AppData\Local\ElevatedDiagnostics
2016-06-24 12:57 - 2014-08-16 22:55 - 01762212 _____ C:\Windows\ntbtlog.txt
2016-06-24 12:46 - 2012-06-01 20:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-24 11:01 - 2009-07-13 21:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-06-24 10:57 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2016-06-24 10:30 - 2011-04-19 20:21 - 00000000 ____D C:\Users\Brian
2016-06-24 10:30 - 2009-07-13 20:20 - 00000000 ___HD C:\Windows\system32\GroupPolicyUsers
2016-06-24 10:30 - 2009-07-13 20:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-06-24 10:16 - 2009-07-13 22:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-06-24 08:37 - 2011-05-03 22:39 - 00000000 ____D C:\Users\Brian\Tracing
2016-06-24 08:37 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-13 19:31 - 2011-04-19 20:31 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2016-06-24 10:13 - 2016-06-24 10:13 - 0000000 _____ () C:\Users\Brian\AppData\Roaming\wklnhst.dat
2011-07-13 13:10 - 2011-07-13 13:10 - 0000093 _____ () C:\Users\Brian\AppData\Local\fusioncache.dat

ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install

Some files in TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\libeay32.dll
C:\Users\Brian\AppData\Local\Temp\msvcr120.dll
C:\Users\Brian\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2016-06-14 22:40

==================== End of FRST.txt ============================
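The Fixlog above records FRST removing four distinct kinds of persistence from this machine: the reparse points that ZeroAccess planted on the Windows Defender folder (so the WinDefend service could not load), the Sendori entry under SafeBoot\Network (which keeps a service alive even in Safe Mode with Networking), a BHO and a toolbar whose CLSIDs pointed at no file, and the hijacked IE search scopes. The rescan shows Defender's mpsvc.dll loading again, but it is worth verifying independently after the reboot rather than trusting a single tool's "completed". The script below is an added example for this thread; it is not FRST, RogueKiller or anything the helper posted. It assumes Windows 7 x64 with PowerShell 3.0 or later and an elevated prompt. The paths and registry keys are the ones in the logs above; the "binary outside %SystemRoot%" rule for safe-boot services is a reviewer's heuristic, not a vendor whitelist, and the final check for svchost.exe outside the Windows folder anticipates the misplaced copy in the user's Temp folder that the RogueKiller delete log later in this thread removes.

```powershell
# Post-fix verification for the leftovers FRST reported in the log above.
# Added example for this thread, not code from FRST, RogueKiller or the forum.
# Assumes Windows 7 x64, PowerShell 3.0+, run from an elevated prompt.

$findings = New-Object System.Collections.Generic.List[string]
$reparse  = [IO.FileAttributes]::ReparsePoint

# 1. ZeroAccess converts the Windows Defender folder into a reparse point so the
#    service can never start. After the fix, nothing under it should be one, and
#    the service binary FRST listed (mpsvc.dll) must be present and Microsoft-signed.
$defender = Join-Path $env:ProgramFiles 'Windows Defender'
if (Test-Path -LiteralPath $defender) {
    $items = @(Get-Item -LiteralPath $defender -Force) +
             @(Get-ChildItem -LiteralPath $defender -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        if ($item.Attributes -band $reparse) {
            $findings.Add("Reparse point still present: $($item.FullName)")
        }
    }
    $mpsvc = Join-Path $defender 'mpsvc.dll'
    if (-not (Test-Path -LiteralPath $mpsvc)) {
        $findings.Add("WinDefend binary missing: $mpsvc")
    } elseif ((Get-AuthenticodeSignature -FilePath $mpsvc).Status -ne 'Valid') {
        $findings.Add("WinDefend binary has no valid signature: $mpsvc")
    }
}

# 2. Entries under SafeBoot\Network survive a boot into Safe Mode with Networking,
#    which is where most cleanup happens; Sendori's sndappv2 sat here. Report
#    service entries whose binary lives outside the Windows folder (heuristic).
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem -Path $safeBoot) {
    if ($key.GetValue('') -ne 'Service') { continue }   # driver-group GUID entries, skip
    $name   = $key.PSChildName
    $svcKey = Join-Path $services $name
    if (-not (Test-Path -LiteralPath $svcKey)) {
        $findings.Add("SafeBoot\Network\$name references a service that no longer exists")
        continue
    }
    $image = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
    if (-not $image) { continue }
    $image = [Environment]::ExpandEnvironmentVariables($image) -replace '^\\\?\?\\', '' -replace '"', ''
    $inWindows = ($image -like "$env:SystemRoot\*") -or ($image -match '(?i)^(\\SystemRoot|System32|SysWOW64)\\')
    if (-not $inWindows) {
        $findings.Add("SafeBoot\Network\$name -> $image (outside the Windows folder, review)")
    }
}

# 3. Browser leftovers: a BHO whose CLSID has no DLL behind it (FRST: "No File"),
#    plus every IE search scope URL so the owner can confirm each was chosen on purpose.
$bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($bho in Get-ChildItem -Path $root) {
        $clsid   = $bho.PSChildName
        $servers = @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                     "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32",
                     "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32") |
                   Where-Object { Test-Path -LiteralPath $_ }
        $dll = $null
        foreach ($s in @($servers)) { $dll = (Get-Item -LiteralPath $s).GetValue('') }
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll -replace '"', '') } else { $null }
        if (-not $dllPath -or -not (Test-Path -LiteralPath $dllPath)) {
            $findings.Add("Orphaned BHO $clsid under $root")
        }
    }
}
foreach ($scopes in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes') {
    if (-not (Test-Path -LiteralPath $scopes)) { continue }
    foreach ($scope in Get-ChildItem -Path $scopes) {
        $url = (Get-ItemProperty -LiteralPath $scope.PSPath).URL
        if ($url) { $findings.Add("Search scope $($scope.PSChildName) in $scopes -> $url") }
    }
}

# 4. svchost.exe belongs in System32 (and SysWOW64). A copy under a user's Temp
#    folder, or a running instance loaded from anywhere else, is a hijack marker.
foreach ($hit in Get-ChildItem -Path $env:TEMP, $env:ProgramData -Filter svchost.exe -Recurse -Force -ErrorAction SilentlyContinue) {
    $findings.Add("svchost.exe outside the Windows folder: $($hit.FullName)")
}
foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    if ($proc.Path -and ($proc.Path -notlike "$env:SystemRoot\*")) {
        $findings.Add("Running svchost.exe from $($proc.Path) (PID $($proc.Id))")
    }
}

if ($findings.Count -eq 0) { 'No leftovers found for the items FRST fixed.' } else { $findings }
```

Run it once right after the post-fix reboot and again a day later: ZeroAccess and Sendori both re-create their entries from a second component if one survives, so a clean first run followed by a reappearing reparse point or SafeBoot key is the signal that something was missed, which is exactly what the helper's follow-up RogueKiller pass is meant to catch. Everything under item 3 is a review list rather than a verdict; a search scope pointing at google.com with a vendor rlz tag, like the one in the log, is an OEM default rather than malware, and the owner is the only person who can say whether it was wanted.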

#10 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 26 June 2016 - 06:41 AM

Let me know if this works.

Attached Files




#11 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 26 June 2016 - 07:01 AM

Don't know what's happening.

 

Please attach Fixlog.txt and RKreport.txt



#12 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 26 June 2016 - 07:15 AM

Here it is again.

Attached Files

  • Fixlog.txt (4.89KB)
  • rk.txt (9.37KB)


#13 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 26 June 2016 - 07:30 AM

That’s better; I could read those. :yeah:

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible, otherwise the malware will reactivate and you will have to run RogueKiller again.

  • close all programs
  • double-click RogueKiller.exe - Windows 7: right-click the program and select 'Run as Administrator'
  • after it has completed its prescan, click on the “Registry” tab
  • make sure all entries there are checked, then click on Delete.

Please attach the Delete log in your next post.

Can you tell me if there are any outstanding problems?

Thanks

Satchfan

 



#14 RickSanchez

RickSanchez

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 26 June 2016 - 08:04 AM

Nothing outstanding that I've noticed thus far, but I've only been on it rarely. Is it possible that a virus deletes itself after a prolonged hibernation? The PC hadn't been turned on since 2012 before this.

The concerns I have are that this PC has the potential to infect other devices on the LAN, or corrupt the router. How could I check for a corrupted router? I have noticed a lot of strange network issues within the home...

 

Here's the deletion log:

 

 

RogueKiller V12.3.5.0 [Jun 22 2016] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Brian [Administrator]
Started from : C:\Users\Brian\Desktop\RogueKiller.exe
Mode : Delete -- Date : 06/26/2016 07:30:40
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 14 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Application Sendori (C:\Program Files (x86)\Sendori\SendoriSvc.exe) -> Deleted
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Service Sendori (C:\Program Files (x86)\Sendori\Sendori.Service.exe) -> Deleted
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sndappv2 (C:\Program Files (x86)\Sendori\sndappv2.exe) -> Deleted
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TelevisionFanaticService (C:\PROGRA~2\TELEVI~2\bar\1.bin\64barsvc.exe) -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.gate...65v185k4411r39o -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.gate...65v185k4411r39o -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1318367738-224961267-1809221802-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0  -> Replaced (1)
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] C:\Users\Brian\AppData\Local\Temp\3335641\svchost.exe -> Deleted
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EADS-22M2B0 +++++
--- User ---
[MBR] ef16c0e728d9575e145e0d8c5eeb1877
[BSP] 8574895f78e0bfa17ee0d280408a9ef2 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 17408 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 35653632 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 35858432 | Size: 936359 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive2: Generic- xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive4: Generic- MS/MS-Pro/HG USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive5: Generic- MicroSD USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 

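The RogueKiller report quoted above mixes three kinds of line: registry and file findings with an action (`-> Deleted`, `-> Replaced (...)`), per-drive MBR sections with two MD5 hashes, and read errors for card-reader slots with nothing inserted. As an added example for this thread (not part of the original post and not RogueKiller's own code), here is a small Python triage script that parses lines of that shape and pulls out what a helper reviews first: finding counts by class, the settings that were put back, any deleted file that borrows a Windows system binary's name outside the system directories (the `Temp\...\svchost.exe` pattern in the log), drives whose MBR could not be read, and drives whose bootstrap code the tool did not recognise. The line formats are inferred from the quoted report, the embedded sample report and its hashes are constructed, and the masquerading heuristic is this example's own rule.

```python
"""Triage helper for RogueKiller-style report text.

Added example for this thread; it is not RogueKiller's own code, and the
line shapes below are inferred from the report quoted in the post. The
sample report at the bottom is constructed, with placeholder hashes.
"""
import re
from collections import Counter

# "[PUM.HomePage] (X64) HKEY_USERS\...\Main | Default_Page_URL : http://x -> Replaced (http://y)"
# "[Hj.Name][File] C:\Users\u\AppData\Local\Temp\123\svchost.exe -> Deleted"
FINDING_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]"                 # PUP, PUM.HomePage, Hj.Name, ...
    r"(?:\[(?P<kind>[^\]]+)\])?"            # optional object kind, e.g. [File]
    r"\s*(?:\((?P<arch>X64|X86)\)\s*)?"     # optional registry view
    r"(?P<body>.+?)\s*->\s*"                # the object that was found
    r"(?P<action>\w+)"                      # Deleted, Replaced, ...
    r"(?:\s*\((?P<detail>[^)]*)\))?\s*$"    # replacement value, if any
)
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
HASH_RE = re.compile(r"^\[(?P<what>MBR|BSP)\] (?P<hash>[0-9a-f]{32})(?: : (?P<desc>.*))?$")
MBR_ERR_RE = re.compile(r"^Error reading (?P<which>User|LL1|LL2) MBR!")

# Heuristic of this example, not a rule from the thread: a file carrying the
# name of a core Windows binary but living outside the system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")


def is_masquerading_system_binary(path):
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not any(d in p for d in SYSTEM_DIRS)


def parse_report(text):
    """Return {'findings': [...], 'drives': {name: {...}}} for one report."""
    findings, drives, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVE_RE.match(line)
        if m:  # a new "+++++ PhysicalDriveN: model +++++" section
            current = drives.setdefault(m["drive"], {
                "model": m["model"], "mbr": None, "bsp": None, "bsp_desc": None, "errors": []})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:  # [MBR] / [BSP] hash lines inside a drive section
            current[m["what"].lower()] = m["hash"]
            if m["what"] == "BSP":
                current["bsp_desc"] = m["desc"]
            continue
        m = MBR_ERR_RE.match(line)
        if m and current is not None:
            current["errors"].append(m["which"])
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return {"findings": findings, "drives": drives}


def summarize(parsed):
    findings, drives = parsed["findings"], parsed["drives"]
    return {
        # PUP / PUM / Hj counts, keyed by the class before the dot
        "by_class": Counter(f["cat"].split(".")[0] for f in findings),
        # settings the tool put back; the new value is worth a glance
        "replaced": [(f["body"], f["detail"]) for f in findings if f["action"] == "Replaced"],
        # deleted files that borrow a system binary's name outside the system directories
        "masquerading": [f["body"] for f in findings
                         if f["kind"] == "File" and is_masquerading_system_binary(f["body"])],
        # drives whose MBR could not be read at all (empty card-reader slots, typically)
        "unreadable_drives": sorted(d for d, i in drives.items() if i["errors"]),
        # drives whose bootstrap code was not recognised; compare the hash with a known-good MBR
        "unrecognised_boot_code": sorted(d for d, i in drives.items()
                                         if i["bsp_desc"] and "Unknown" in i["bsp_desc"]),
    }


# Constructed sample in the quoted report's format; hashes and SID are placeholders.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 3 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ExampleSvc (C:\Program Files (x86)\Example\svc.exe) -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://homepage.example/?x=1 -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Replaced (1)

¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] C:\Users\user\AppData\Local\Temp\1234567\svchost.exe -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: EXAMPLE-DISK-MODEL +++++
[MBR] 00000000000000000000000000000000
[BSP] 11111111111111111111111111111111 : Windows Vista/7/8|VT.Unknown MBR Code
User = LL1 ... OK

+++++ PhysicalDrive1: Generic- Card Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it against a saved RogueKiller report by passing the file's text to `parse_report`. The "unrecognised boot code" flag only says the tool had no match for the bootstrap hash; on a vendor-imaged machine like the one in this thread that is usually an OEM bootloader, so the hash should be compared with a known-good MBR from the same model before drawing any conclusion.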
#15 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 26 June 2016 - 09:00 AM

Is it possible that a virus delete itself after a prolonged hibernation? The PC hadn't been turned on since 2012 before this.

Although it is possible for a script to be written to delete files, I have never heard of malware deleting itself. It's also very odd that this hasn't been turned on since 2012 and yet the version of Java on the machine was installed/updated in August 2014.
 

The concerns I have are that this PC has potential to infect other devices on the LAN.

The FBI Ransomware was not evident so it's possible that the original was either a mis-diagnosis or has been dealt with. All that was evident on this PC was a lot of adware/spyware which can cause extremely annoying popups and redirects. They should not have affected your network. You can reset the router if it makes you feel easier.

Reset the Router

Let’s try to reset the router to its default configuration.

  • this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labelled "reset" located on the back of the router.
  • press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • if you don’t know the router's default password, you can look it up here.
  • you also need to reconfigure any security settings you had in place prior to the reset.
  • you may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router.

================================================

Run Security Check

I'd like another scan to look at the security.

Download Security Check by screen317 from here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

I think if all still seems well, we'll run a final scan before tidying up.

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.
