
windows 7 slowed down, hangs a lot, especially browsers

Old 11-05-2015, 09:40 AM   #1
mavensophie (Registered Member)
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total

Windows 7 slowed down, hangs a lot, especially browsers. I am running Kaspersky Total Security, and it seems to be active all the time... I am not sure if it's a virus or worm or malware... but I want to make sure it isn't.


I do not have access to Windows disks; I bought the computer, I think, without disks...
Attached Files
File Type: txt Attach.txt (13.6 KB, 23 views)
Old 11-05-2015, 11:54 PM   #2
tekir06 (Security Team Analyst)
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)
Hello mavensophie,

The DDS tool creates two reports when scanning is finished: Attach.txt and DDS.txt. You've only added Attach.txt; you haven't added DDS.txt. Please add it and we'll move on.
Old 11-06-2015, 03:18 PM   #3
mavensophie (Registered Member)

Sorry, I must have misunderstood the instructions. I copied and pasted the DDS.txt into the body of the post.
Attached Files
File Type: txt Attach.txt (13.6 KB, 22 views)
File Type: txt DDS.txt (22.1 KB, 24 views)
Old 11-08-2015, 11:42 AM   #4
tekir06 (Security Team Analyst)
Hello mavensophie,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the following steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Do NOT click the green 'Download' button(if visible).
Click the blue 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Old 11-08-2015, 12:16 PM   #5
mavensophie (Registered Member)

Hello, and thank you.

One document pasted, two attached.

# AdwCleaner v5.019 - Logfile created 08/11/2015 at 14:56:48
# Updated 08/11/2015 by Xplode
# Database : 2015-11-08.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : user - USER-PC
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****

[-] Service Deleted : WinDivert64

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Innovative Solutions
[-] Folder Deleted : C:\Program Files (x86)\Common Files\Innovative Solutions
[-] Folder Deleted : C:\ProgramData\Ask
[-] Folder Deleted : C:\ProgramData\Innovative Solutions
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mipony
[-] Folder Deleted : C:\users\user\AppData\Local\Bundled software uninstaller
[-] Folder Deleted : C:\users\user\AppData\Local\Zoom_Downloader
[-] Folder Deleted : C:\users\user\AppData\Local\Innovative Solutions
[-] Folder Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd
[-] Folder Deleted : C:\users\user\AppData\Roaming\DigitalSites
[-] Folder Deleted : C:\users\user\AppData\Roaming\DSite
[-] Folder Deleted : C:\users\user\AppData\Roaming\OpenCandy
[-] Folder Deleted : C:\users\user\AppData\Roaming\RHEng
[-] Folder Deleted : C:\users\user\AppData\Roaming\mipony
[#] Folder Deleted : C:\Windows\SysNative\Tasks\DSite

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Windows\SysNative\drivers\WinDivert64.sys

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : DSite
[-] Task Deleted : LyricsPal Update
[-] Task Deleted : LyricsPal Update

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{A3DAEB01-4C15-4AC6-A689-6406FD954EE0}]
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
[-] Key Deleted : HKCU\Software\BI
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\dsiteproducts
[-] Key Deleted : HKCU\Software\InstallCore
[-] Key Deleted : HKCU\Software\SweetIM
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\SweetIM
[-] Key Deleted : HKLM\SOFTWARE\Updater By Sweetpacks
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Digital Sites
[-] Key Deleted : [x64] HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar
[-] Key Deleted : [x64] HKLM\SOFTWARE\Updater By Sweetpacks
[-] Key Deleted : HKU\.DEFAULT\Software\AskToolbar
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope]

***** [ Web browsers ] *****

[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : websearch.ask.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : aaaaojmikegpiepcfdkkjaplodkpfmlo
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : fcfenmboojpjinhpgggodefccipikbpd
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : mmiopbgcekanlhpjkonogoljpfmhpkhf

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4818 bytes] ##########
Attached Files
File Type: txt Addition.txt (46.7 KB, 16 views)
File Type: txt FRST.txt (41.1 KB, 14 views)
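An added example, not code from AdwCleaner or from anyone in this thread, of how a practitioner would machine-read the AdwCleaner log above rather than eyeball it: it splits the log into its '***** [ Section ] *****' blocks, pulls out the entries that were persistence mechanisms (the WinDivert64 service and its driver, the DSite and LyricsPal scheduled tasks, the COM GUIDs behind the toolbar BHO, the Chrome extension IDs and the hijacked search providers), and cross-checks the extension folders deleted on disk against the extension entries deleted from Chrome's Secure Preferences. The sample log is an excerpt of post #5. Reading '[#]' as "queued for the next reboot" (as against '[-]' for done) is an assumption about AdwCleaner's notation, not something the thread states.

```python
"""Summarise an AdwCleaner cleaning log and flag the persistence mechanisms it removed.

Added example for this thread; not part of AdwCleaner or of the original posts.
Format assumptions (read off the log in post #5): sections are delimited by
'***** [ Name ] *****'; entries are '[-] Action : target' or '[#] Action : target',
where '[#]' is assumed to mean the deletion was queued for the next reboot.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
# 'action' is everything between the marker and the first ' : ', so the 'C:\'
# inside a browser-profile path does not split the line; 'target' is the rest.
ENTRY_RE = re.compile(r"^\[(?P<mark>[-#])\] (?P<action>.+?) : (?P<target>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: an excerpt of the AdwCleaner[C1].txt posted in #5.
SAMPLE_LOG = r"""
***** [ Services ] *****

[-] Service Deleted : WinDivert64

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\Ask
[-] Folder Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd
[#] Folder Deleted : C:\Windows\SysNative\Tasks\DSite

***** [ Files ] *****

[-] File Deleted : C:\Windows\SysNative\drivers\WinDivert64.sys

***** [ Scheduled tasks ] *****

[-] Task Deleted : DSite
[-] Task Deleted : LyricsPal Update
[-] Task Deleted : LyricsPal Update

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [ Web browsers ] *****

[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : websearch.ask.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : aaaaojmikegpiepcfdkkjaplodkpfmlo
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : fcfenmboojpjinhpgggodefccipikbpd
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : mmiopbgcekanlhpjkonogoljpfmhpkhf
"""


def parse_adwcleaner_log(text):
    """Return {section name: [(mark, action, target), ...]} in log order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            continue
        ent = ENTRY_RE.match(line)
        if ent and current is not None:
            sections[current].append((ent.group("mark"), ent.group("action"), ent.group("target")))
    return dict(sections)


def pending_reboot(parsed):
    """Targets marked '[#]': assumed to be deletions queued for the next reboot."""
    return [t for entries in parsed.values() for mark, _, t in entries if mark == "#"]


def persistence_summary(parsed):
    """Pull out the entries that let adware survive a reboot or a browser restart."""
    browsers = parsed.get("Web browsers", [])
    return {
        "services": [t for _, _, t in parsed.get("Services", [])],
        "drivers": [t for _, _, t in parsed.get("Files", []) if t.lower().endswith(".sys")],
        "scheduled_tasks": sorted({t for _, _, t in parsed.get("Scheduled tasks", [])}),
        "com_guids": sorted({g for _, _, t in parsed.get("Registry", []) for g in GUID_RE.findall(t)}),
        "chrome_extensions": sorted({t for _, a, t in browsers if "[Extension]" in a}),
        "search_providers": sorted({t for _, a, t in browsers if "[Search Provider]" in a}),
    }


def cross_check_extensions(parsed):
    """Compare extension IDs removed from Chrome's Secure Preferences with the
    extension folders removed on disk. An ID in only one of the two lists is
    worth a manual look before declaring the browser clean."""
    folder_ids = {t.rsplit("\\", 1)[-1] for _, _, t in parsed.get("Folders", []) if "\\Extensions\\" in t}
    pref_ids = {t for _, a, t in parsed.get("Web browsers", []) if "[Extension]" in a}
    return {"folder_only": sorted(folder_ids - pref_ids), "prefs_only": sorted(pref_ids - folder_ids)}


if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    for name, items in persistence_summary(parsed).items():
        print(f"{name}: {items}")
    print("pending reboot:", pending_reboot(parsed))
    print("extension cross-check:", cross_check_extensions(parsed))
```

On the log in post #5 this reports two extension IDs removed from Secure Preferences with no matching on-disk folder deletion, plus the DSite task folder that was still queued for reboot; both are things to confirm on the next FRST scan rather than assume.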
Old 11-09-2015, 02:09 AM   #6
tekir06 (Security Team Analyst)
Hello mavensophie,

Thanks for the logs. Please do the following.

We need to uninstall some programs.

Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
Search there for each entry mentioned below, right-click the entry and click Uninstall, one at a time.

The list of programs to uninstall:

AK Booster >>>>>>>>>>>>> READ

========================================================

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={64932422-C1AA-11E2-9505-0021706F4CCC}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox => not found
FF HKLM-x32\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox => not found
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Old 11-09-2015, 04:50 AM   #7
mavensophie (Registered Member)

Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by user (2015-11-09 07:42:26) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user & UpdatusUser & Sophie)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={64932422-C1AA-11E2-9505-0021706F4CCC}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox => not found
FF HKLM-x32\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox => not found
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
HKLM\Software\Mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} => value removed successfully
EmptyTemp: => 515.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 07:43:47 ====
Old 11-09-2015, 06:52 AM   #8
tekir06 (Security Team Analyst)
Hello mavensophie,

Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:

  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

Click Finish.
At the end of the installation, a database update will be performed.
Click on Scan Now.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.
Old 11-09-2015, 08:32 AM   #9
mavensophie (Registered Member)

Malwarebytes scan log attached.
Attached Files
File Type: txt malwarebytes-scan-log.txt (1.0 KB, 15 views)
Old 11-09-2015, 10:24 AM   #10
mavensophie (Registered Member)

I just got an email from Kaspersky Total Security that any software that uses LavasoftTcpService.dll is incompatible with Kaspersky Total Security. All of that is software I paid for and use daily.

Is LavasoftTcpService.dll adware? Or should I just stop talking and let you do your work?
Old 11-09-2015, 12:41 PM   #11
mavensophie (Registered Member)

Quote:
Originally Posted by mavensophie View Post
malwarebytes scan log attached
You may have missed this post... from the log, Malwarebytes didn't find any threats.
Old 11-10-2015, 02:42 AM   #12
tekir06 (Security Team Analyst)
Hello mavensophie,

Quote:
is LavasoftTcpService.dll an adware? or should I just stop talking and let you do your work?
I do not think so. Please Read read read

Please do the following. Then please tell me: how is the machine behaving now? What problems do you still have?

Please go HERE, then click on Run ESET Online Scanner.
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on the icon to install.

All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

Select the option YES, I accept the Terms of Use, then click on the Start button.
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan Archives
  • Enable Anti-Stealth Technology
Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
Tick all the boxes that correspond to your external/inserted drives.
Click Start. The virus signature database will begin to download. This may take some time.
Wait for the scan to finish.
When completed, click on Finish.
When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
Save that text file to your desktop, and then copy/paste the contents in your next reply.
Old 11-10-2015, 12:52 PM   #13
mavensophie (Registered Member)

ESET results after 10 hours of scanning:

C:\Users\user\Desktop\applications loader\FreeYouTubeToMP3Converter.exe Win32/Toolbar.Conduit.S potentially unwanted application
C:\Users\user\Desktop\___software\UltimateCodec.exe a variant of Win32/InstallCore.MB potentially unwanted application
F:\___plr\web-world-25\web-world-25\footer.php PHP/Obfuscated.F potentially unwanted application
F:\___plr\web-world-25\web-world-25\functions.php PHP/Obfuscated.F potentially unwanted application
F:\___plr\competition-10\sidebar.php PHP/Obfuscated.F potentially unwanted application
F:\___plr\___to_upload\download\web-world-25.zip PHP/Obfuscated.F potentially unwanted application
F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-check.php PHP/Obfuscated.F potentially unwanted application
F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-keygen.php PHP/Obfuscated.F potentially unwanted application
F:\__Blogging\17Wordpress-Themes\competition-10.zip PHP/Obfuscated.F potentially unwanted application
F:\__Blogging\17Wordpress-Themes\web-world-25.zip PHP/Obfuscated.F potentially unwanted application
P:\backup-yourvib-2015-01-26.tar.gz PHP/Obfuscated.E potentially unwanted application
P:\ctimer.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application

actually there are lots more files on drive P, but I just could not take it any more...
Old 11-11-2015, 12:36 AM   #14
tekir06 (Security Team Analyst)
Hello mavensophie,

Most of the detections are coming from web-world-25, competition-10, Blog_Scripts_no password, 17Wordpress-Themes.

What can you tell me about them?
Old 11-11-2015, 02:14 AM   #15
mavensophie (Registered Member)

The P drive has all my backups, and the stuff you are asking about: I have never even opened it, so it is no problem to just delete it.
Old 11-11-2015, 05:04 AM   #16
tekir06 (Security Team Analyst)
Hello mavensophie,

You were infected when you made the backup; the backup is infected and needs to be removed.
When we're finished, I suggest you create a new restore point and then make a backup.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
C:\Users\user\Desktop\applications loader\FreeYouTubeToMP3Converter.exe
C:\Users\user\Desktop\___software\UltimateCodec.exe
F:\___plr\web-world-25\web-world-25\footer.php
F:\___plr\web-world-25\web-world-25\functions.php
F:\___plr\competition-10\sidebar.php
F:\___plr\___to_upload\download\web-world-25.zip
F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-check.php 
F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-keygen.php
F:\__Blogging\17Wordpress-Themes\competition-10.zip
F:\__Blogging\17Wordpress-Themes\web-world-25.zip
P:\backup-yourvib-2015-01-26.tar.gz
P:\ctimer.exe
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Old 11-11-2015, 06:02 AM   #17
mavensophie (Registered Member)

Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by user (2015-11-11 08:24:06) Run:3
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user & UpdatusUser & Sophie)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Users\user\Desktop\applications loader\FreeYouTubeToMP3Converter.exe
C:\Users\user\Desktop\___software\UltimateCodec.exe
F:\___plr\web-world-25\web-world-25\footer.php
F:\___plr\web-world-25\web-world-25\functions.php
F:\___plr\competition-10\sidebar.php
F:\___plr\___to_upload\download\web-world-25.zip
F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-check.php
F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-keygen.php
F:\__Blogging\17Wordpress-Themes\competition-10.zip
F:\__Blogging\17Wordpress-Themes\web-world-25.zip
P:\backup-yourvib-2015-01-26.tar.gz
P:\ctimer.exe
EmptyTemp:
*****************

Restore point was successfully created.
"C:\Users\user\Desktop\applications loader\FreeYouTubeToMP3Converter.exe" => not found.
"C:\Users\user\Desktop\___software\UltimateCodec.exe" => not found.
"F:\___plr\web-world-25\web-world-25\footer.php" => not found.
"F:\___plr\web-world-25\web-world-25\functions.php" => not found.
"F:\___plr\competition-10\sidebar.php" => not found.
"F:\___plr\___to_upload\download\web-world-25.zip" => not found.
"F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-check.php" => not found.
"F:\__Blogging\Blog_Scripts_no password\Blog Scripts\Blog Hosting\BlogHoster 2.1\bloghoster\sm-keygen.php" => not found.
"F:\__Blogging\17Wordpress-Themes\competition-10.zip" => not found.
"F:\__Blogging\17Wordpress-Themes\web-world-25.zip" => not found.
P:\backup-yourvib-2015-01-26.tar.gz => moved successfully
P:\ctimer.exe => moved successfully
EmptyTemp: => 268.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:41:47 ====
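An added example tying post #13 (the ESET export) to posts #16 and #17 (the fixlist and its Fixlog); it is not code from FRST, ESET or anyone in this thread. It parses ESET's "path threat category" lines, groups the hits per folder the way post #14 reasons about them, writes the paths into a fixlist in the layout of post #16, and then reconciles that fixlist with the Fixlog to list which entries FRST actually moved and which came back "not found". The line formats are assumptions read off those posts and the samples are excerpts of them. The "not found" outcome is the caveat worth automating: it can mean the file was already gone or that the drive was not mounted when FRST ran, and either way it is not the same as "removed".

```python
"""Build an FRST fixlist from ESET Online Scanner detections and reconcile it with the Fixlog.

Added example for this thread; not part of ESET, FRST or the original posts.
Format assumptions, read off posts #13 and #17:
  ESET export line : '<path> <threat name> potentially unwanted application'
                     (threat names may start with 'a variant of'; other ESET
                     categories would have to be added to ESET_RE)
  Fixlog result    : '"<path>" => not found.'  or  '<path> => moved successfully'
"""
import re

# path is everything up to the threat token; non-greedy so spaces in folder names survive
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:a variant of )?\S+) "
    r"(?P<category>potentially unwanted application)$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
FIXLOG_RESULT_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?)"? => (?P<result>.+?)\.?$')

# Constructed sample: six of the ESET lines from post #13.
SAMPLE_ESET = r"""
C:\Users\user\Desktop\applications loader\FreeYouTubeToMP3Converter.exe Win32/Toolbar.Conduit.S potentially unwanted application
C:\Users\user\Desktop\___software\UltimateCodec.exe a variant of Win32/InstallCore.MB potentially unwanted application
F:\___plr\web-world-25\web-world-25\footer.php PHP/Obfuscated.F potentially unwanted application
F:\___plr\web-world-25\web-world-25\functions.php PHP/Obfuscated.F potentially unwanted application
P:\backup-yourvib-2015-01-26.tar.gz PHP/Obfuscated.E potentially unwanted application
P:\ctimer.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
"""

# Constructed sample: the matching result lines from the Fixlog in post #17.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
"C:\Users\user\Desktop\applications loader\FreeYouTubeToMP3Converter.exe" => not found.
"C:\Users\user\Desktop\___software\UltimateCodec.exe" => not found.
"F:\___plr\web-world-25\web-world-25\footer.php" => not found.
"F:\___plr\web-world-25\web-world-25\functions.php" => not found.
P:\backup-yourvib-2015-01-26.tar.gz => moved successfully
P:\ctimer.exe => moved successfully
EmptyTemp: => 268.9 MB temporary data Removed.
"""


def parse_eset_lines(text):
    """Return [{'path', 'threat', 'category'}, ...] for every line that parses; skip the rest."""
    return [m.groupdict() for m in (ESET_RE.match(l.strip()) for l in text.splitlines()) if m]


def group_by_folder(hits, depth=2):
    """Count detections per drive plus the first `depth` folder levels, the way
    post #14 notices that most hits sit under a few theme/script folders."""
    counts = {}
    for h in hits:
        folders = h["path"].split("\\")[:-1]
        key = "\\".join(folders[: depth + 1])
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_fixlist(hits):
    """FRST fixlist in the layout of post #16: restore point first, one path per line, temp cleanup last."""
    return "\n".join(["CreateRestorePoint:", *(h["path"] for h in hits), "EmptyTemp:"])


def reconcile_fixlog(fixlist, fixlog):
    """Map every path in the fixlist to its Fixlog outcome, 'no result' if FRST never reported on it."""
    wanted = [l.strip() for l in fixlist.splitlines() if DRIVE_PATH_RE.match(l.strip())]
    results = {}
    for line in fixlog.splitlines():
        m = FIXLOG_RESULT_RE.match(line.strip())
        if m:
            results[m.group("path").lower()] = m.group("result")  # NTFS paths are case-insensitive
    return {p: results.get(p.lower(), "no result") for p in wanted}


def unresolved(reconciled):
    """Paths FRST did not report as '... successfully': already gone, on a drive
    that was not mounted, or never processed. These need a question, not a tick."""
    return [p for p, r in reconciled.items() if not r.endswith("successfully")]


if __name__ == "__main__":
    hits = parse_eset_lines(SAMPLE_ESET)
    print(group_by_folder(hits))
    fixlist = build_fixlist(hits)
    print(fixlist)
    reconciled = reconcile_fixlog(fixlist, SAMPLE_FIXLOG)
    for path, result in reconciled.items():
        print(f"{result:20} {path}")
    print("follow up on:", unresolved(reconciled))
```

Run against the two excerpts it lists the four C: and F: paths as unresolved and only the two P: files as moved, which is exactly the question an analyst would put back to the user at this point in the thread.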
Old 11-12-2015, 12:26 AM   #18
tekir06 (Security Team Analyst)
Hello mavensophie,

Please do the following.

Please download ComboFix and Save it to your Desktop.

Important! Please make sure you save ComboFix to your Desktop and do not run it from your browser.
Please make sure you disable your security applications before running ComboFix. Get help here
Double-click ComboFix.exe and follow the prompts to run it.
If a message window opens to install the Microsoft Windows Recovery Console, click the Yes button.
Once ComboFix has completed, it will produce and open a log file. Please be patient as it can take some time to load.
When finished, it will produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.
Please re-enable your antivirus before posting the ComboFix.txt log.
NOTE: If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please open Task Manager and 'End Process' on explorer.exe.
Next, go to File > New Task (Run...), type explorer and press 'Enter', or just reboot the computer.
Old 11-12-2015, 04:35 AM   #19
mavensophie (Registered Member)

ComboFix 15-11-09.01 - user 11/12/2015 7:13.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3966.1256 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: Kaspersky Total Security *Disabled/Updated* {B41C7598-35F6-4D89-7D0E-7ADE69B4047B}
FW: Kaspersky Total Security *Disabled* {8C27F4BD-7F99-4CD1-5651-D3EB97674300}
SP: Kaspersky Total Security *Disabled/Updated* {0F7D947C-13CC-4207-47BE-41AC12334EC6}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\AppData\Local\assembly\tmp
c:\users\user\AppData\Roaming\Temp\2B3FA4F243DF4E94A6E2517203CAF8B9\PlutoTVSetup0910.exe
c:\users\user\g2mdlhlpx.exe
F:\setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2015-10-12 to 2015-11-12 )))))))))))))))))))))))))))))))
.
.
2015-11-12 09:28 . 2015-11-12 09:28 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.7076.dll
2015-11-11 13:45 . 2015-11-11 13:45 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.1952.dll
2015-11-11 10:22 . 2015-11-11 10:22 -------- d-----w- c:\users\user\AppData\Local\CEF
2015-11-10 14:15 . 2015-11-10 14:15 192216 ----a-w- c:\windows\system32\drivers\208A7898.sys
2015-11-10 10:58 . 2015-11-10 10:58 -------- d-----w- c:\program files (x86)\ESET
2015-11-09 15:27 . 2015-11-12 09:53 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-11-09 15:27 . 2015-10-05 14:50 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-11-09 15:27 . 2015-10-05 14:50 109272 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-11-09 15:27 . 2015-10-05 14:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-11-09 15:26 . 2015-11-09 15:27 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-11-09 15:26 . 2015-11-09 15:26 -------- d-----w- c:\programdata\Malwarebytes
2015-11-08 20:05 . 2015-11-11 13:48 -------- d-----w- C:\FRST
2015-11-08 19:53 . 2015-11-08 19:56 -------- d-----w- C:\AdwCleaner
2015-11-08 07:34 . 2015-11-08 07:34 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.6396.dll
2015-11-07 08:34 . 2015-11-07 08:34 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.6688.dll
2015-11-06 08:12 . 2015-11-06 08:12 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.7052.dll
2015-11-05 09:49 . 2015-11-05 09:49 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.2436.dll
2015-11-05 00:25 . 2015-11-05 00:25 -------- d-----w- c:\program files (x86)\Glarysoft
2015-11-05 00:03 . 2015-11-05 00:19 -------- d-----w- c:\users\user\AppData\Local\PlutoTV
2015-11-05 00:02 . 2015-11-05 00:19 -------- d-----w- c:\program files (x86)\Pluto TV
2015-11-04 23:54 . 2015-11-04 23:53 425744 ----a-w- c:\windows\system32\LavasoftTcpService64.dll
2015-11-04 23:53 . 2015-11-04 23:53 345360 ----a-w- c:\windows\SysWow64\LavasoftTcpService.dll
2015-11-04 19:23 . 2015-11-07 20:36 7168 ----a-w- c:\windows\SysWow64\drivers\ute3otkw.sys
2015-11-03 10:39 . 2015-11-03 10:39 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.4588.dll
2015-11-01 19:34 . 2015-11-01 19:34 -------- d-----w- c:\programdata\LogiShrd
2015-11-01 19:32 . 2015-11-01 19:32 -------- d-----w- c:\users\user\AppData\Roaming\Leadertech
2015-11-01 19:30 . 2015-11-01 19:30 -------- d-----w- c:\program files (x86)\Logitech
2015-10-30 09:02 . 2015-10-30 09:02 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.4816.dll
2015-10-29 09:29 . 2015-10-29 09:29 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.5144.dll
2015-10-27 09:13 . 2015-10-27 09:13 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.780.dll
2015-10-25 08:15 . 2015-10-25 08:15 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.6040.dll
2015-10-22 08:47 . 2015-10-22 08:47 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.6596.dll
2015-10-19 02:43 . 2015-10-21 18:04 -------- d-----w- C:\documents
2015-10-18 22:06 . 2015-10-21 18:04 -------- d-----w- C:\documents-kindle
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-11-11 09:07 . 2012-10-04 18:07 780488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-11-11 09:07 . 2012-10-04 18:07 142536 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-10-21 18:50 . 2015-08-19 14:03 940936 ----a-w- c:\windows\system32\drivers\klif.sys
2015-10-21 18:50 . 2015-08-19 14:03 181640 ----a-w- c:\windows\system32\drivers\klflt.sys
2015-10-08 07:01 . 2015-10-08 07:01 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\offreg.4800.dll
2015-09-26 08:03 . 2015-06-08 23:43 41352 ----a-w- c:\windows\system32\drivers\klpd.sys
2015-09-17 19:06 . 2015-09-17 19:06 42152 ----a-w- c:\windows\system32\drivers\cnnctfy3.sys
2015-09-16 09:43 . 2015-09-22 13:26 11062400 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5014B8-FDDB-449E-8B8A-CA2B9976BA38}\mpengine.dll
2015-08-14 13:21 . 2012-12-04 22:48 132483416 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMeeting"="c:\program files (x86)\Citrix\GoToMeeting\3499\g2mstart.exe" [2015-09-20 41536]
"ClassicStartMenu"="c:\program files (x86)\Classic Start Menu\ClassicStartMenu.exe" [2011-04-29 4150688]
"pamela.exe"="c:\program files (x86)\Pamela\Pamela.exe" [2014-08-20 12116400]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2015-07-17 8418584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2015-09-28 57987712]
"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2015-09-17 110160]
"BLSyndicationSystem"="c:\users\user\Desktop\___shortcuts\SociSynd_Submitter\SociSynd_Submitter.exe" [2015-03-06 3478528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1282048]
"Live! Central 3"="c:\program files (x86)\Creative\Creative Live! Cam\Live! Central 3\CTLVCentral3.exe" [2010-10-18 503948]
"V0690Mon.exe"="c:\windows\V0690Mon.exe" [2010-08-18 28672]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-03-20 60712]
"Logitech H760"="c:\program files (x86)\Logitech\H760\H760.exe" [2010-07-09 275800]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2014-6-17 1109344]
Logitech H760 Product Registration.lnk - c:\program files (x86)\Logitech\H760\eReg.exe /remind /language=ENU /_WFM="H760" [2009-11-16 517384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-9-16 113664]
AntRapunzel.lnk - c:\program files (x86)\Antification\Ant Rapunzel\AntRapunzel.exe [2015-11-11 1305088]
Mediatek Wireless Utility.lnk - c:\program files (x86)\MediatekWiFi\Common\ApUI.exe -s [2015-9-18 9508496]
Snagit 10.lnk - c:\program files (x86)\TechSmith\Snagit 10\Snagit32.exe [2010-4-13 7046984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 Brpu3sapw;Brpu3sapw;c:\windows\system32\drivers\wimmount.sys;c:\windows\SYSNATIVE\drivers\wimmount.sys [x]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files (x86)\PCPitstop\PCPitstopScheduleService.exe;c:\program files (x86)\PCPitstop\PCPitstopScheduleService.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 ute3otkw;AVZ Kernel Driver;c:\windows\system32\Drivers\ute3otkw.sys;c:\windows\SYSNATIVE\Drivers\ute3otkw.sys [x]
R3 V0690Vid;Creative Live! Cam Socialize HD AF / ZiiCam Driver;c:\windows\system32\DRIVERS\V0690Vid.sys;c:\windows\SYSNATIVE\DRIVERS\V0690Vid.sys [x]
R3 vssbrigde64;vssbrigde64;c:\program files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x64\vssbridge64.exe;c:\program files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x64\vssbridge64.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 cm_km;Kaspersky Lab ZAO Cryptographic Module x64 (Weak);c:\windows\system32\DRIVERS\cm_km.sys;c:\windows\SYSNATIVE\DRIVERS\cm_km.sys [x]
S0 klbackupdisk;Kaspersky Lab klbackupdisk;c:\windows\system32\DRIVERS\klbackupdisk.sys;c:\windows\SYSNATIVE\DRIVERS\klbackupdisk.sys [x]
S1 klbackupflt;Kaspersky Lab klbackupflt;c:\windows\system32\DRIVERS\klbackupflt.sys;c:\windows\SYSNATIVE\DRIVERS\klbackupflt.sys [x]
S1 klhk;Kaspersky Lab service driver;c:\windows\system32\DRIVERS\klhk.sys;c:\windows\SYSNATIVE\DRIVERS\klhk.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]
S1 klpd;Kaspersky Lab format recognizer driver;c:\windows\system32\DRIVERS\klpd.sys;c:\windows\SYSNATIVE\DRIVERS\klpd.sys [x]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]
S1 Klwtp;Klwtp;c:\windows\system32\DRIVERS\klwtp.sys;c:\windows\SYSNATIVE\DRIVERS\klwtp.sys [x]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 AVP16.0.0;Kaspersky Anti-Virus Service 16.0.0;c:\program files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\avp.exe;c:\program files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\avp.exe [x]
S2 kldisk;kldisk;c:\windows\system32\DRIVERS\kldisk.sys;c:\windows\SYSNATIVE\DRIVERS\kldisk.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 MediatekRegistryWriter;MediatekRegistryWriter;c:\program files (x86)\MediatekWiFi\Common\RaRegistry.exe;c:\program files (x86)\MediatekWiFi\Common\RaRegistry.exe [x]
S2 MediatekRegistryWriter64;MediatekRegistryWriter64;c:\program files (x86)\MediatekWiFi\Common\RaRegistry64.exe;c:\program files (x86)\MediatekWiFi\Common\RaRegistry64.exe [x]
S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files (x86)\Intel\AMT\UNS.exe;c:\program files (x86)\Intel\AMT\UNS.exe [x]
S2 UsbClientService;UsbClientService;c:\program files (x86)\Synology\Assistant\UsbClientService.exe;c:\program files (x86)\Synology\Assistant\UsbClientService.exe [x]
S3 busenum;Synology Virtual USB Hub;c:\windows\system32\DRIVERS\busenum.sys;c:\windows\SYSNATIVE\DRIVERS\busenum.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 klflt;Kaspersky Lab Kernel DLL;c:\windows\system32\DRIVERS\klflt.sys;c:\windows\SYSNATIVE\DRIVERS\klflt.sys [x]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2015-09-30 20:47 285880 ----a-w- c:\program files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-04 09:07]
.
2015-11-12 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-4103537104-1711098450-1323067865-1000.job
- c:\program files (x86)\Citrix\GoToMeeting\3880\g2mupdate.exe [2015-11-06 05:31]
.
2015-11-12 c:\windows\Tasks\G2MUploadTask-S-1-5-21-4103537104-1711098450-1323067865-1000.job
- c:\program files (x86)\Citrix\GoToMeeting\3880\g2mupload.exe [2015-11-06 05:31]
.
2015-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4103537104-1711098450-1323067865-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-01 19:10]
.
2015-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4103537104-1711098450-1323067865-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-01 19:10]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atchk"="c:\program files (x86)\Intel\AMT\atchk.exe" [2009-12-01 401408]
"Everything"="c:\program files\Everything\Everything.exe" [2014-08-06 1441792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-04-07 169768]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aol.com\free
Trusted Zone: localhost
Trusted Zone: webcompanion.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\mz4cbpw5.default-1446683940283\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-iCloudServices - c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
Wow6432Node-HKCU-Run-ApplePhotoStreams - c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
Wow6432Node-HKCU-Run-AppleIEDAV - c:\program files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Lightning.lnk - c:\program files (x86)\Desktop Lightning\Desktop Lightning.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_245_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_245_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_245_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_245_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_245.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.19"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_245.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_245.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_245.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-11-12 07:29:21
ComboFix-quarantined-files.txt 2015-11-12 12:29
.
Pre-Run: 353,726,107,648 bytes free
Post-Run: 353,807,724,544 bytes free
.
- - End Of File - - 663A7EC46847B51FD1F9B46D05BEDF24
A36C5E4F47E84449FF07ED3517B43A31
Old 11-12-2015, 05:26 AM   #20
Security Team
Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello mavensophie,

Please do the following.

Please go to: VirusTotal

Click the Choose File button.
Please copy/paste the following bolded text into the 'File name:' box:

c:\windows\SysWow64\drivers\ute3otkw.sys

Click Open then click the Scan it! button just below.
This will scan the file. Please be patient.
If you get a message saying File already analyzed: click Reanalyse
Once scanned, copy and paste the URL from your browser address bar in your next reply.