
Thread: Please Help: Trojan - Artemis! A9D9670AA481

  1. #1
    Member (Join Date: Oct 2009, Posts: 87)

    Please Help: Trojan - Artemis! A9D9670AA481

    Hi,

    I went onto freethemesandtemplates.blogspot.com yesterday looking at Wordpress themes. The page tried to download but McAfee blocked and quarantined the file showing it had the following virus: Trojan - Artemis! A9D9670AA481.

    Today: Internet Explorer is doing weird things like changing my homepage to one called about:blank.

    Help would be really appreciated.

    Thanks,

    Dan.

    NB.

    Because I have been asked to attach the logs and not include them across two posts, I have had to add the rest of FRST.txt over four attachments because of the forum upload limits. Also, the maximum number of attachments is 5, so I have had to include the asw.MBR in the next post anyway.

    _______________________

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-11-2014 01
    Ran by Daniel (administrator) on DANIELS-LAPTOP on 28-11-2014 12:56:26
    Running from C:\Users\Daniel\Desktop
    Loaded Profile: Daniel (Available profiles: Daniel & Administrator & Classic .NET AppPool & .NET v4.5 & DefaultAppPool & .NET v2.0 & .NET v4.5 Classic & .NET v2.0 Classic)
    Platform: Windows 8.1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
    (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
    (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe
    (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
    (Microsoft Corporation) C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    () C:\Program Files\MySQL\MySQL Server 5.6\bin\mysqld.exe
    (Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
    (Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
    () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    (Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
    (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    () C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe
    (Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
    (McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
    (McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
    (McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    (Microsoft Corporation) C:\Windows\System32\dasHost.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
    () C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Intel Corporation) C:\Windows\System32\igfxsrvc.exe
    (Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
    (Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppService.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
    (CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppService.exe
    (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\StartMenuIndexer.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    (McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\saUI.exe
    (Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
    (McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
    (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
    (Microsoft Corporation) C:\Windows\splwow64.exe
    (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
    (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_239.exe
    (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_239.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-31] (Intel Corporation)
    HKLM\...\Run: [RtsFT] => C:\WINDOWS\RTFTrack.exe [6340312 2013-07-19] (Realtek semiconductor)
    HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [903384 2013-07-25] (Conexant Systems, Inc.)
    HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1647616 2012-06-13] (Conexant Systems, Inc.)
    HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [15813616 2013-11-29] (Lenovo(beijing) Limited)
    HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [80880 2013-11-29] (Lenovo(beijing) Limited)
    HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
    HKLM-x32\...\Run: [Lenovo App Shop] => C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\ismagent.exe [156000 2013-07-18] (Intel Corporation)
    HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-07] (CyberLink Corp.)
    HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
    HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [132736 2013-09-07] ( (Qualcomm®Atheros®))
    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [22065760 2014-10-01] (Skype Technologies S.A.)
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [BrowserChoice] => C:\Windows\BrowserChoice\browserchoice.exe [86816 2013-08-22] (Microsoft Corporation)
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [MySQL Notifier] => C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySqlNotifier.exe [773120 2014-09-03] (Oracle Corporation)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
    SearchScopes: HKLM -> DefaultScope {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM-x32 -> DefaultScope {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKU\S-1-5-21-2228433086-130700982-1473003571-1001 -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL =
    BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
    BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
    Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
    Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    Handler-x32: http - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    Handler-x32: http - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    Handler-x32: https - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    Handler-x32: https - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    Handler-x32: msdaipp - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    Handler-x32: msdaipp - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
    Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
    Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    FireFox:
    ========
    FF ProfilePath: C:\Users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\2wept432.default
    FF Homepage: hxxp://www.sky.com
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
    FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
    FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin HKU\S-1-5-21-2228433086-130700982-1473003571-1001: intel.com/AppUp -> C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\npAppUp.dll (Intel)
    FF Plugin HKU\S-1-5-21-2228433086-130700982-1473003571-1001: intel.com/AppUpx64 -> C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\npAppUp_x64.dll (Intel)
    FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
    FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2014-11-18]
    FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
    FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2014-11-18]
    FF Extension: No Name - {4ED1F68A-5463-4931-9384-8FFF5ED91D92} [Not Found]

    Chrome:
    =======
    CHR HomePage: Default -> https://www.google.com/
    CHR StartupUrls: Default -> "https://www.google.com/"
    CHR Profile: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Slides) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-19]
    CHR Extension: (Google Docs) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-19]
    CHR Extension: (Google Drive) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-19]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-19]
    CHR Extension: (YouTube) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-19]
    CHR Extension: (Google Search) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-19]
    CHR Extension: (Google Sheets) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-19]
    CHR Extension: (SiteAdvisor) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2014-11-19]
    CHR Extension: (Google Wallet) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-19]
    CHR Extension: (Gmail) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-19]
    CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2014-11-19]

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [312448 2013-09-07] (Windows (R) Win 7 DDK provider)
    S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2014-02-20] (Microsoft Corporation) [File not signed]
    R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-31] (Intel Corporation)
    R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-12] (Intel(R) Corporation) [File not signed]
    S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-12] (Intel(R) Corporation)
    R2 IpOverUsbSvc; C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe [22744 2014-10-15] (Microsoft Corporation)
    R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
    S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272776 2014-10-16] ()
    R2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
    R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [603424 2014-09-04] (McAfee, Inc.)
    R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
    R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
    R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
    R2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [88720 2014-05-05] (Microsoft Corporation)
    R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
    R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [62379184 2014-07-10] (Microsoft Corporation)
    R2 MySQL56; C:\Program Files\MySQL\MySQL Server 5.6\bin\mysqld.exe [13031424 2014-09-11] () [File not signed]
    R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-07-24] (Nitro PDF Software)
    R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
    S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [442536 2014-07-10] (Microsoft Corporation)
    S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation) [File not signed]
    R2 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe [68368 2013-11-29] ()
    S3 VsEtwService120; C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [89232 2014-07-22] (Microsoft Corporation)
    S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-11-19] (Microsoft Corporation)
    R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [546304 2014-11-19] (Microsoft Corporation)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
    R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2013-09-07] (Atheros) [File not signed]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-16] (Qualcomm Atheros Communications, Inc.)
    R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-09-07] (Qualcomm Atheros)
    R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
    R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-08-08] (Intel Corporation)
    R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
    R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
    S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70600 2014-06-20] (McAfee, Inc.)
    R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
    R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
    R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
    S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
    R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
    S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3344352 2013-07-08] (Intel Corporation)
    S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [322736 2014-07-10] (Microsoft Corporation)
    S3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8247640 2013-07-19] (Realtek Semiconductor Corp.)
    R3 SensorsSimulatorDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
    R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-09-13] (Synaptics Incorporated)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
    S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-14] ("CyberLink)
    S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
    S3 MFE_RR; \??\C:\Users\Daniel\AppData\Local\Temp\mfe_rr.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-28 12:56 - 2014-11-28 12:57 - 00024151 _____ () C:\Users\Daniel\Desktop\FRST.txt
    2014-11-28 12:55 - 2014-11-28 12:56 - 00000000 ____D () C:\FRST
    2014-11-28 12:54 - 2014-11-28 12:54 - 00000207 _____ () C:\WINDOWS\tweaking.com-regbackup-DANIELS-LAPTOP-Microsoft-Windows-8.1-(64-bit).dat
    2014-11-28 12:53 - 2014-11-28 12:53 - 02117632 _____ (Farbar) C:\Users\Daniel\Desktop\FRST64.exe
    2014-11-28 12:52 - 2014-11-28 12:52 - 00002262 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
    2014-11-28 12:52 - 2014-11-28 12:52 - 00000000 ____D () C:\RegBackup
    2014-11-28 12:52 - 2014-11-28 12:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2014-11-28 12:52 - 2014-11-28 12:52 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
    2014-11-28 12:51 - 2014-11-28 12:51 - 04215584 _____ () C:\Users\Daniel\Desktop\tweaking.com_registry_backup_setup.exe
    2014-11-28 11:10 - 2014-11-28 11:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
    2014-11-27 20:29 - 2014-11-27 20:29 - 00003134 _____ () C:\WINDOWS\System32\Tasks\{269C8AD7-1979-4457-A275-86612F3AC068}
    2014-11-27 19:53 - 2014-11-27 19:53 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2014-11-27 16:03 - 2014-11-27 16:03 - 00094896 _____ () C:\Users\Daniel\AppData\Local\GDIPFONTCACHEV1.DAT
    2014-11-24 21:30 - 2014-11-24 21:30 - 12173312 _____ () C:\Users\Daniel\Downloads\mysql-connector-net-6.9.5(1).msi
    2014-11-24 18:30 - 2014-11-24 18:30 - 00003672 _____ () C:\WINDOWS\System32\Tasks\MySQLNotifierTask
    2014-11-24 18:21 - 2014-11-24 21:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL
    2014-11-24 15:04 - 2014-11-24 15:06 - 12173312 _____ () C:\Users\Daniel\Downloads\mysql-connector-net-6.9.5.msi
    2014-11-23 11:41 - 2014-11-25 14:27 - 00000000 ____D () C:\Users\Daniel\AppData\Local\CrashDumps
    2014-11-23 11:02 - 2014-11-23 11:02 - 00000000 ____D () C:\Users\Daniel\SkyDrive
    2014-11-22 13:19 - 2014-11-22 13:19 - 00001158 _____ () C:\Users\Daniel\Desktop\My Computer.lnk
    2014-11-21 17:27 - 2014-11-21 17:27 - 00000678 _____ () C:\Users\Daniel\Desktop\OneDrive.lnk
    2014-11-21 16:57 - 2014-11-23 10:42 - 00003110 _____ () C:\WINDOWS\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2228433086-130700982-1473003571-1001
    2014-11-21 16:14 - 2014-11-21 16:15 - 00000000 ____D () C:\ProgramData\Oracle
    2014-11-21 16:14 - 2014-11-21 16:14 - 00098216 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
    2014-11-21 16:14 - 2014-11-21 16:14 - 00000000 ____D () C:\ProgramData\Sun
    2014-11-21 16:14 - 2014-11-21 16:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    2014-11-21 16:14 - 2014-11-21 16:14 - 00000000 ____D () C:\Program Files (x86)\Java
    2014-11-21 15:49 - 2014-07-24 15:28 - 00419648 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbhub.sys
    2014-11-21 15:49 - 2014-07-24 15:28 - 00412992 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\spaceport.sys
    2014-11-21 15:49 - 2014-07-24 15:28 - 00280384 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
    2014-11-21 15:49 - 2014-07-24 15:28 - 00143680 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbccgp.sys
    2014-11-21 15:49 - 2014-07-24 15:23 - 00125472 _____ (Microsoft Corporation) C:\WINDOWS\system32\dwmapi.dll
    2014-11-21 15:49 - 2014-07-24 15:20 - 00645592 _____ (Microsoft Corporation) C:\WINDOWS\system32\SHCore.dll
    2014-11-21 15:49 - 2014-07-24 15:20 - 00263400 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemSettingsAdminFlows.exe
    2014-11-21 15:49 - 2014-07-24 15:16 - 02574208 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVDECOD.DLL
    2014-11-21 15:49 - 2014-07-24 15:16 - 00211216 _____ (Microsoft Corporation) C:\WINDOWS\system32\SndVol.exe
    2014-11-21 15:49 - 2014-07-24 15:07 - 02009920 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
    2014-11-21 15:49 - 2014-07-24 15:05 - 01660048 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi

    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2014-11-28 12:59:35
    -----------------------------
    12:59:35.997 OS Version: Windows x64 6.2.9200
    12:59:35.997 Number of processors: 8 586 0x3C03
    12:59:35.997 ComputerName: DANIELS-LAPTOP UserName: Daniel
    12:59:38.040 Initialize success
    12:59:38.198 VM: initialized successfully
    12:59:38.199 VM: Intel CPU BiosDisabled
    13:03:00.101 AVAST engine defs: 14112800
    13:04:58.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000033
    13:04:58.798 Disk 0 Vendor: ST1000LM024_HN-M101MBB 2BA30001 Size: 953869MB BusType: 11
    13:04:58.996 Disk 0 MBR read successfully
    13:04:58.998 Disk 0 MBR scan
    13:04:59.009 Disk 0 unknown MBR code
    13:04:59.012 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
    13:04:59.048 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:05:16.915 Service scanning
    13:05:54.987 Modules scanning
    13:05:55.001 Disk 0 trace - called modules:
    13:05:55.023 ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll iaStorA.sys
    13:05:55.048 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe001584e3640]
    13:05:55.064 3 CLASSPNP.SYS[fffff800216ba27b] -> nt!IofCallDriver -> \Device\00000033[0xffffe00155dbe060]
    13:05:55.989 AVAST engine scan C:\WINDOWS
    13:05:58.540 AVAST engine scan C:\WINDOWS\system32
    13:15:36.787 AVAST engine scan C:\WINDOWS\system32\drivers
    13:16:18.901 AVAST engine scan C:\Users\Daniel
    13:20:23.060 Disk 0 MBR has been saved successfully to "C:\Users\Daniel\Desktop\MBR.dat"
    13:20:23.079 The log file has been saved successfully to "C:\Users\Daniel\Desktop\aswMBR.txt"
    Last edited by tashi; 2014-11-28 at 19:27. Reason: Merged two posts, please don't add posts

  2. #2
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    McAfee blocked and quarantined the file showing it had the following virus: Trojan - Artemis! A9D9670AA481.
    Can you open McAfee and find what file it's showing as infected?

    Pokki from SweetLabs has been found to be bundled with 3rd party software <--need to remove/uninstall this

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppService.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\StartMenuIndexer.exe
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
    SearchScopes: HKLM -> DefaultScope {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM-x32 -> DefaultScope {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKU\S-1-5-21-2228433086-130700982-1473003571-1001 -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL =
    FF Extension: No Name - {4ED1F68A-5463-4931-9384-8FFF5ED91D92} [Not Found]
    Task: {04E97A79-B502-42E8-BB60-B2FB53FBC605} - System32\Tasks\MySQL\Installer\ManifestUpdate => C:\Program Files (x86)\MySQL\MySQL Installer for Windows\MySQLInstallerConsole.exe [2014-09-18] (Oracle Corporation) <==== ATTENTION
    2014-11-19 18:05 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\DefaultAppPool\AppData\Local\Pokki
    2014-11-19 17:23 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\Classic .NET AppPool\AppData\Local\Pokki
    2014-11-19 17:23 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v2.0\AppData\Local\Pokki
    2014-11-19 17:23 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v2.0 Classic\AppData\Local\Pokki
    2014-11-19 17:13 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v4.5\AppData\Local\Pokki
    2014-11-19 17:13 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v4.5 Classic\AppData\Local\Pokki
    C:\Users\Daniel\AppData\Local\Temp\oct8AE9.tmp.exe
    C:\Users\Daniel\AppData\Local\Temp\SkypeSetup.exe
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~~~~

    The next 2 tools may not run; try each one, and if it does not run, move on to the next.

    -AdwCleaner-by Xplode

    Click on this link to download : ADWCleaner
    Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

    Do not click on any links in the top advertisement.



    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Scan.
    • After the scan is complete click on "Clean"
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
    • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ~~~~~~~~~~~~~~
    Please post:
    Fixlog.txt
    C:\AdwCleaner.txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
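One defender-side way to triage log lines in the FRST formats quoted in this thread (file/folder entries and Run-key entries), written as an added example that is not from the thread or from FRST itself; the sample lines, the service-profile markers and the heuristics are constructed assumptions, not anything the tool does:

```python
"""Triage FRST-style log lines for entries worth a closer look.

Constructed example, not part of the thread or of FRST. It parses the two
line shapes seen in the logs above (file/folder entries and Run-key entries)
and applies a few simple defender-side heuristics to them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# File/folder entry:  <modified> - <created> - <size> <attrs> (<company>) <path>
FILE_LINE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>\S.*?)\s*$"
)
# Autostart entry:  HKLM\...\Run: [Name] => <command>   or   HKU\<SID>\...\Run: [Name] => <command>
RUN_LINE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+?)\s*$"
)
# C:\Users\<profile>\AppData\...  (lower-cased before matching)
PROFILE_APPDATA = re.compile(r"^c:\\users\\(?P<profile>[^\\]+)\\appdata\\")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Locations an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Profile names of service identities (IIS app pools in this thread). Assumption:
# such profiles should not accumulate interactive user software.
SERVICE_PROFILE_MARKERS = ("apppool", ".net v")


@dataclass
class Finding:
    reason: str
    target: str   # file path or autostart command
    line: str     # the original log line


def _file_reason(attrs: str, company: str, path: str) -> Optional[str]:
    """Heuristics for a file/folder entry; None means nothing notable."""
    low = path.lower()
    if "D" in attrs:                      # directory entry
        pm = PROFILE_APPDATA.match(low)
        if pm and any(m in pm["profile"] for m in SERVICE_PROFILE_MARKERS):
            return "user-mode app directory under a service account profile"
        return None
    if low.endswith(EXEC_EXT):
        if "\\appdata\\local\\temp\\" in low:
            return "executable in user Temp"
        if not company.strip():
            return "executable with no publisher information"
    return None


def _run_reason(cmd: str) -> Optional[str]:
    """Heuristic for an autostart command; None means nothing notable."""
    low = cmd.lower()
    if any(marker in low for marker in USER_WRITABLE):
        return "autostart from a user-writable location"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips a heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FILE_LINE.match(line):
            reason = _file_reason(m["attrs"], m["company"], m["path"])
            if reason:
                findings.append(Finding(reason, m["path"], line))
        elif m := RUN_LINE.match(line):
            reason = _run_reason(m["cmd"])
            if reason:
                findings.append(Finding(reason, m["cmd"], line))
    return findings


# Constructed sample: formats follow the thread's logs; dates, sizes and the
# HKLM entry are made up for the example.
SAMPLE_LOG = r"""
2014-11-21 15:49 - 2014-07-24 15:05 - 01519560 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2014-11-21 15:49 - 2014-07-24 04:11 - 00513544 _____ () C:\WINDOWS\system32\locale.nls
2014-11-21 15:46 - 2014-11-21 15:46 - 00000000 __SHD () C:\Users\Daniel\AppData\Local\EmieBrowserModeList
2014-11-19 18:05 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\DefaultAppPool\AppData\Local\Pokki
2014-11-27 10:02 - 2014-11-27 10:02 - 00094208 _____ () C:\Users\Daniel\AppData\Local\Temp\oct8AE9.tmp.exe
HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKLM\...\Run: [ExampleVendorTray] => C:\Program Files\ExampleVendor\tray.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.target}")
```

Everything the heuristics skip (signed Microsoft binaries in system32, data files such as locale.nls, the logged-in user's own AppData directories) is left out of the findings, so the output is a short review list rather than the whole log.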

  3. #3
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Please Help: Trojan - Artemis! A9D9670AA481

    Hi Juliet,

    Thank you for your support.

    In response to your comments:

    1/. Can you open McAfee and find what file it's showing as infected?

    C:\Users\Daniel\AppData\LocalTemp\wf2Be71i.exe.part (please see attached image)

    2/. Pokki from SweetLabs has been found to be bundled with 3rd party software <--need to remove/uninstall this

    I was going to reply saying that the Pokki Start Menu came preinstalled by Lenovo and I haven't had any issues with it or the PC. Therefore, I want to keep this because I will not be able to cope with Windows 8.1 without it. But, it's gone so I will try to get used to Windows 8 without it - it was slow anyway!

    Everything ran OK; Windows security and McAfee didn't like the JRT though. Please find the logs below.

    I really appreciate your help. Thanks again.

    ______________________________

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-11-2014 01
    Ran by Daniel at 2014-11-29 17:45:08 Run:1
    Running from C:\Users\Daniel\Desktop
    Loaded Profile: Daniel (Available profiles: Daniel & Administrator & Classic .NET AppPool & .NET v4.5 & DefaultAppPool & .NET v2.0 & .NET v4.5 Classic & .NET v2.0 Classic)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppService.exe
    (Pokki) C:\Users\Daniel\AppData\Local\Pokki\Engine\StartMenuIndexer.exe
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
    SearchScopes: HKLM -> DefaultScope {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM-x32 -> DefaultScope {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL = http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=LCJB
    SearchScopes: HKU\S-1-5-21-2228433086-130700982-1473003571-1001 -> {1BFEC185-0D04-40DF-ACF3-5057D4300A85} URL =
    FF Extension: No Name - {4ED1F68A-5463-4931-9384-8FFF5ED91D92} [Not Found]
    Task: {04E97A79-B502-42E8-BB60-B2FB53FBC605} - System32\Tasks\MySQL\Installer\ManifestUpdate => C:\Program Files (x86)\MySQL\MySQL Installer for Windows\MySQLInstallerConsole.exe [2014-09-18] (Oracle Corporation) <==== ATTENTION
    2014-11-19 18:05 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\DefaultAppPool\AppData\Local\Pokki
    2014-11-19 17:23 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\Classic .NET AppPool\AppData\Local\Pokki
    2014-11-19 17:23 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v2.0\AppData\Local\Pokki
    2014-11-19 17:23 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v2.0 Classic\AppData\Local\Pokki
    2014-11-19 17:13 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v4.5\AppData\Local\Pokki
    2014-11-19 17:13 - 2013-11-29 15:54 - 00000000 ____D () C:\Users\.NET v4.5 Classic\AppData\Local\Pokki
    C:\Users\Daniel\AppData\Local\Temp\oct8AE9.tmp.exe
    C:\Users\Daniel\AppData\Local\Temp\SkypeSetup.exe
    EmptyTemp:
    Hosts:
    End
    *****************

    Processes closed successfully.
    C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe => No running process found
    C:\Users\Daniel\AppData\Local\Pokki\Engine\HostAppService.exe => No running process found
    C:\Users\Daniel\AppData\Local\Pokki\Engine\StartMenuIndexer.exe => No running process found
    HKU\S-1-5-21-2228433086-130700982-1473003571-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Pokki => value deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
    "HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1BFEC185-0D04-40DF-ACF3-5057D4300A85}" => Key deleted successfully.
    "HKCR\CLSID\{1BFEC185-0D04-40DF-ACF3-5057D4300A85}" => Key not found.
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{1BFEC185-0D04-40DF-ACF3-5057D4300A85}" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{1BFEC185-0D04-40DF-ACF3-5057D4300A85}" => Key not found.
    "HKU\S-1-5-21-2228433086-130700982-1473003571-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1BFEC185-0D04-40DF-ACF3-5057D4300A85}" => Key deleted successfully.
    "HKCR\CLSID\{1BFEC185-0D04-40DF-ACF3-5057D4300A85}" => Key not found.
    FF Extension: No Name - {4ED1F68A-5463-4931-9384-8FFF5ED91D92} [Not Found] not found.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{04E97A79-B502-42E8-BB60-B2FB53FBC605}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04E97A79-B502-42E8-BB60-B2FB53FBC605}" => Key deleted successfully.
    C:\Windows\System32\Tasks\MySQL\Installer\ManifestUpdate => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySQL\Installer\ManifestUpdate" => Key deleted successfully.
    C:\Users\DefaultAppPool\AppData\Local\Pokki => Moved successfully.
    C:\Users\Classic .NET AppPool\AppData\Local\Pokki => Moved successfully.
    C:\Users\.NET v2.0\AppData\Local\Pokki => Moved successfully.
    C:\Users\.NET v2.0 Classic\AppData\Local\Pokki => Moved successfully.
    C:\Users\.NET v4.5\AppData\Local\Pokki => Moved successfully.
    C:\Users\.NET v4.5 Classic\AppData\Local\Pokki => Moved successfully.
    C:\Users\Daniel\AppData\Local\Temp\oct8AE9.tmp.exe => Moved successfully.
    C:\Users\Daniel\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
    C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
    Hosts was reset successfully.
    EmptyTemp: => Removed 917.9 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog ====
    _______________________________

    # AdwCleaner v4.102 - Report created 29/11/2014 at 18:00:32
    # Updated 23/11/2014 by Xplode
    # Database : 2014-11-27.1 [Live]
    # Operating System : Windows 8.1 (64 bits)
    # Username : Daniel - DANIELS-LAPTOP
    # Running from : C:\Users\Daniel\Desktop\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\Users\Daniel\AppData\Local\Pokki
    Folder Deleted : C:\Users\Public\Pokki

    ***** [ Scheduled Tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKCU\Software\Classes\pokki
    Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
    Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
    Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
    Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
    Key Deleted : HKCU\Software\Pokki
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17416


    -\\ Mozilla Firefox v33.1.1 (x86 en-GB)


    -\\ Google Chrome v39.0.2171.71

    [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}

    *************************

    AdwCleaner[R0].txt - [1512 octets] - [29/11/2014 17:56:41]
    AdwCleaner[S0].txt - [1412 octets] - [29/11/2014 18:00:32]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1472 octets] ##########
    ____________________________

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.4.0 (11.29.2014:1)
    OS: Windows 8.1 x64
    Ran by Daniel on 29/11/2014 at 18:27:13.12
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 29/11/2014 at 18:29:40.38
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  4. #4
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Windows security and McAfee didn't like the JRT though
    You're using Windows 8.1; some tools won't run well on it, and that's one of them.

    C:\Users\Daniel\AppData\LocalTemp\wf2Be71i.exe.part

    Can you search for wf2Be71i.exe on your computer to see what application it might be attached to? Have you recently downloaded something?
    The good thing about it is that it was located in a temp file directory.

    Download Malwarebytes' Anti-Malware to your desktop.

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"

    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • When the scan is finished and the log pops up...select Copy to Clipboard
    • Please paste the log back into this thread for review
    • Exit Malwarebytes


    ~~~~~~~~~~~~~~~~~

    What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course on how full your computer is.


    Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
    • Note:
      For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
    • Click the blue Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button
    • Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications
    • Click on Advanced Settings
    • Make sure that the option Remove found threats is unticked.
    • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    • Click Start
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan.



    Please post
    Malwarebytes log
    Eset log

    How's your computer now?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #5
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Please Help: Trojan - Artemis! A9D9670AA481

    Hi Juliet,

    Apologies for the lengthy reply.

    Re: Can you search for wf2Be71i.exe on your computer to see what application it might be attached to?

    I have attached two screenshots of the temp folder contents.

    Re: have you recently downloaded something?

    When this happened, I wanted to download a Wordpress theme at freethemesandtemplates.blogspot.com, but when I was checking the download page to see if the site was safe the download began automatically.

    McAfee detailed that it had caught and quarantined the download; so, I presume the application it was attached to got stopped by McAfee. Then again, something must have got through because Internet Explorer started changing the homepage and doing weird things. I can't understand how this happened if McAfee had supposedly caught the virus?

    When I researched Internet Explorer changing the homepage to about:blank on Google, lots of posts about the Artemis virus were listed.

    Does ESET always produce a log, because one wasn't produced when the scan finished?

    The summary, shown in the attached screenshot detailed that no threats were found. Although, I'm now wondering if ESET ran OK because although McAfee real time protection was turned off during the ESET scan, McAfee began a scheduled weekly scan before ESET had finished.

    This didn't appear to affect the ESET scan; however, following the scan my PC would not return to the desktop. It was really weird; the PC's purple start screen background appeared while on desktop view; there were no desktop icons visible, but the open apps showed on the taskbar, however not as icons but as little window menu bars with the X to close them at the right.

    It seemed as though the PC had slipped into a cross between safe mode where everything is bigger and out of focus and the start menu. This has never happened before.

    Please find the Malwarebytes log below; no ESET log seemed to be produced.

    Thanks.
    ____________________________________

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 30/11/2014
    Scan Time: 11:05:44
    Logfile:
    Administrator: Yes

    Version: 2.00.3.1025
    Malware Database: v2014.11.30.04
    Rootkit Database: v2014.11.29.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 8.1
    CPU: x64
    File System: NTFS
    User: Daniel

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 660727
    Time Elapsed: 38 min, 52 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

  6. #6
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Update

    Hi Juliet,

    Update:

    I have just noticed that all my desktop icons/shortcuts have been rearranged. This also happened when the PC went weird after the ESET scan.

    This definitely just happened because prior to or during the scan I created new shortcuts to the control panel and a few other services following the removal of the start menu app.

    Do you think this behaviour could be the virus or Windows? I've never seen it before.

    Before all this happened, I was going to say the PC seems fine.

    Thanks

  7. #7
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    From the screenshots, those temp files can be deleted, and the other highlighted one was a WordPad file? Not sure why.

    Good to know ESET found nothing.

    windows-7-desktop-icons-rearrange <-- this is a long read through but had several tips on adjusting the system for the issue.

    When this happened, I wanted to download a Wordpress theme at freethemesandtemplates.blogspot.com, but when I was checking the download page to see if the site was safe the download began automatically.
    Look for this theme and see if it made its way onto the computer, and delete it if found.


    ~~~~~~~~~~~~~~~~~~

    Malwarebytes Anti-Rootkit
    • Download Malwarebytes Anti-Rootkit
    • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
    • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
    • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
    • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
    • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message asking if you are sure you wish to allow the program to run. Please allow it, so that Malwarebytes Anti-Rootkit can start correctly.
    • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
    • If you receive a DDA driver message like "could not load DDA driver", click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.

    • On the introduction screen, please click on the Next button to continue.

    • Next you will see the Update Database screen.
    • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.

    • When the update has finished, click on the Next button.

    • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
    • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.

    • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
    • Make sure everything is selected and that the option to create a restore point is checked.
    • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
    • Click on Yes button to restart your computer.

    • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
    • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
      • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.

    • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  8. #8
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Please Help: Trojan - Artemis! A9D9670AA481

    Hi Juliet,

    Explorer is still doing weird things. After I downloaded Malwarebytes Anti-Rootkit I couldn't get it to run initially because another Malwarebytes programme was running. In the end, I exited the other Malwarebytes program through the system tray, but that was after restarting my PC to try to close the program.

    Following the reboot I couldn't restart the previous Internet Explorer session because everything in Explorer's recent history had been deleted - on its own. Another weird behaviour?

    So you think the desktop icons moving are a coincidence? I have tried some of the ideas in the post you directed me to; fingers crossed they work.

    I can't find the Wordpress theme on my computer. Malwarebytes Anti-Rootkit didn't find anything either; I have attached an image of the scan results.

    Thanks for the help and info.

  9. #9
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    We can try a few things for IE

    http://java.com/en/download/help/disable_browser.xml
    How do I disable Java in my web browser?

    a. Do you have any registry cleaner, cc cleaner, or auto delete temp files software installed on your computer?
    b. Are you using Desktop or Modern UI Internet Explorer 10?
    I would suggest you try these troubleshooting steps:
    a. Open Internet Explorer browser.
    b. Press Windows key + R.
    c. Type “inetcpl.cpl”.
    d. Click OK.
    e. Select the General tab.
    f. Under set up select “start with tabs from the last session”.
    g. Under browsing history uncheck “delete browsing history on exit”.
    The restore previous tabs option can also be selected. Under Settings in that section, make sure "Temporary Internet Files" is set to "Automatically" with an adequate size.
    h. Click on Apply and OK.



    Press Ctrl+Alt+Del
    Open Task manager
    While IE is open with tabs, under Processes, find iexplore.exe (not iexplore.exe *32)
    Right click and end process
    On the next start of IE, at the bottom, you should see an option to restore the last session

    ~~~~~~~~~~~~~

    Also please download Windows Repair (all in one) from here


    Install the program then go to step 4 and create a new system restore point and new registry backup.

    Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:

    NEXT
    On the Start Repairs tab => Click Start

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    Click on box next to the Restart System when Finished. Then click on Start.

  10. #10
    Member
    Join Date
    Oct 2009
    Posts
    87

    Default Please Help: Trojan - Artemis! A9D9670AA481

    Hi Juliet,

    Re: Do you have any registry cleaner, cc cleaner, or auto delete temp files software installed on your computer?

    No, I try to stay well clear of software like this.

    Re: Are you using Desktop or Modern UI Internet Explorer 10?

    I have the desktop version of Internet Explorer 11 installed.

    The desktop icons seem OK now; fingers crossed.

    Regarding the internet explorer troubleshooting steps, I had those settings in place already; but, thanks anyway.

    Finally, regarding the All in One Windows repair tool: I ran CheckDisk and sure enough errors were found. I run this tool regularly and I haven't found errors before on this PC; it's only a few months old.

    So, I followed the instructions in your post. Afterwards, I ran the sfc /scannow tool from the elevated command prompt and all was fine. However, I ran the All in One Windows repair tool CheckDisk pre-scan again and errors were found.

    That said, I noted the comments about false errors being reported when running the tool in read only mode, and that if the Windows check doesn't report any errors all should be OK; therefore, as Windows now reports all is OK, I presume that all is indeed well again.

    I have attached a few images that I took during the process for reference.

    Thank you, so much. We are looking good here again (I think).

    Daniel.