Results 1 to 10 of 44

Thread: trojan

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Junior Member
    Join Date
    Jan 2016


    Thanks Ken - should I go to FRST & fix again & right now since spybot error I have not scanned since it can't update, not have I run Malware since last time you asked me to.

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Florida's SpaceCoast


    No, dont run another fix, just hang on for a bit. I'll be back as soon as I hear something
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Florida's SpaceCoast


    Lets do this while where waiting to rule out if Spybot is responsible for the hosts file backup

    Right click on the Windows Logo on the bottom left of your taskbar and select Programs and Features, look for Spybot and uninstall it. Its causing you problems right now and we can reinstall it when we are done
    After you uninstall it , reboot your system

    Then run this fix

    Open notepad , Go to Start --> All Programs --> Accessories --> Notepad.
    Please copy the entire contents Inside of the code box below beginning with START and ending with END
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
    Name the file Fixlist, Save it to your desktop where you have FRST/FRST64 or the fix wont work, . Then open up FRST/FRST64 by Right Clicking on it and select RUN AS ADMINISTRATOR, then click on FIX (Not Scan) It won't take long, after your computer reboots you will find a FIXLOG.TXT on your desktop, post it please

    2016-01-22 22:36 - 2016-01-20 00:17 - 00449968 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160122-223622.backup
    CMD: ipconfig /flushdns

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Then open up FRST by Right Clicking on it and select RUN AS ADMINISTRATOR, run a new scan and post the FRST log, I dont need Additions this time
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  4. #4
    Junior Member
    Join Date
    Jan 2016


    Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
    Ran by Corinne (2016-01-24 19:55:26) Run:3
    Running from C:\Users\Corinne\Desktop
    Loaded Profiles: Corinne (Available Profiles: Corinne)
    Boot Mode: Normal

    fixlist content:
    2016-01-22 22:36 - 2016-01-20 00:17 - 00449968 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160122-223622.backup
    CMD: ipconfig /flushdns

    Processes closed successfully.
    Restore point was successfully created.
    C:\WINDOWS\system32\Drivers\etc\hosts.20160122-223622.backup => moved successfully
    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= ipconfig /flushdns =========

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    EmptyTemp: => 21.4 MB temporary data Removed.

    The system needed a reboot.

    ==== End of Fixlog 19:56:02 ====

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
    Ran by Corinne (administrator) on CORINNE-PC (24-01-2016 20:01:06)
    Running from C:\Users\Corinne\Desktop
    Loaded Profiles: Corinne (Available Profiles: Corinne)
    Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Opera)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool:

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera_crashreporter.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.50\opera.exe
    (Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8492800 2015-06-24] (Realtek Semiconductor)
    HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-12-22] (Oracle Corporation)
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
    HKU\S-1-5-21-3611819408-1750479240-3027513373-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    HKU\S-1-5-21-3611819408-1750479240-3027513373-1000\...\RunOnce: [Uninstall C:\Users\Corinne\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Corinne\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer]
    Tcpip\..\Interfaces\{b0bd7e33-ea32-450a-9299-30cc53ef45df}: [DhcpNameServer]

    Internet Explorer:
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\ssv.dll [2016-01-23] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\jp2ssv.dll [2016-01-23] (Oracle Corporation)

    FF Plugin-x32:,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\dtplugin\npDeployJava1.dll [2016-01-23] (Oracle Corporation)
    FF Plugin-x32:,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\plugin2\npjp2.dll [2016-01-23] (Oracle Corporation)

    CHR HomePage: Default -> hxxp://
    CHR StartupUrls: Default -> "hxxp://"
    CHR Profile: C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Docs) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-09-18]
    CHR Extension: (Google Drive) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-18]
    CHR Extension: (YouTube) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-18]
    CHR Extension: (Google Search) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-09-18]
    CHR Extension: (Gmail) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-18]

    OPR StartupUrls: "hxxp://"
    OPR Session Restore: -> is enabled.
    OPR Extension: (Adblock Fast) - C:\Users\Corinne\AppData\Roaming\Opera Software\Opera Stable\Extensions\klhobddcbiabdfjmomildokiglpmdicc [2015-11-23]
    OPR Extension: (Adblock Plus) - C:\Users\Corinne\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2016-01-07]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
    S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-24] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
    R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek )
    R1 SDHookDriver; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [65576 2015-06-16] (Safer-Networking Ltd.)
    S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
    R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-01-24 19:49 - 2016-01-24 19:49 - 00000085 _____ C:\WINDOWS\wininit.ini
    2016-01-19 21:27 - 2016-01-19 21:30 - 00000556 _____ C:\Users\Corinne\Desktop\JRT.txt
    2016-01-19 21:06 - 2016-01-20 19:00 - 00000000 ____D C:\AdwCleaner
    2016-01-19 21:01 - 2016-01-24 19:56 - 00001069 _____ C:\Users\Corinne\Desktop\Fixlog.txt
    2016-01-19 20:57 - 2016-01-19 21:25 - 01600184 _____ (Malwarebytes) C:\Users\Corinne\Downloads\JRT.exe
    2016-01-19 20:56 - 2016-01-19 21:06 - 01505280 _____ C:\Users\Corinne\Downloads\AdwCleaner.exe
    2016-01-16 17:17 - 2016-01-16 17:17 - 00002431 _____ C:\Users\Corinne\Desktop\aswMBR.txt
    2016-01-16 16:52 - 2016-01-24 20:01 - 00007170 _____ C:\Users\Corinne\Desktop\FRST.txt
    2016-01-16 16:51 - 2016-01-23 20:40 - 00023426 _____ C:\Users\Corinne\Desktop\Addition.txt
    2016-01-16 16:44 - 2016-01-16 16:45 - 00023679 _____ C:\Users\Corinne\Downloads\Addition.txt
    2016-01-16 16:43 - 2016-01-24 20:00 - 00000000 ____D C:\FRST
    2016-01-16 16:43 - 2016-01-16 16:45 - 00026341 _____ C:\Users\Corinne\Downloads\FRST.txt
    2016-01-16 16:40 - 2016-01-16 16:40 - 00000207 _____ C:\WINDOWS\
    2016-01-16 16:40 - 2016-01-16 16:40 - 00000000 ____D C:\RegBackup
    2016-01-16 16:39 - 2016-01-16 16:39 - 00002312 _____ C:\Users\Public\Desktop\ - Registry Backup.lnk
    2016-01-16 16:39 - 2016-01-16 16:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
    2016-01-16 16:39 - 2016-01-16 16:39 - 00000000 ____D C:\Program Files (x86)\
    2016-01-16 16:38 - 2016-01-16 16:39 - 00016401 _____ C:\WINDOWS\ - Registry Backup Setup Log.txt
    2016-01-16 16:34 - 2016-01-16 16:38 - 04777232 _____ ( C:\Users\Corinne\Downloads\tweaking.com_registry_backup_setup.exe
    2016-01-16 16:33 - 2016-01-16 16:42 - 02370560 _____ (Farbar) C:\Users\Corinne\Desktop\FRST64.exe
    2016-01-16 16:32 - 2016-01-16 16:53 - 05198336 _____ (AVAST Software) C:\Users\Corinne\Downloads\aswMBR.exe
    2016-01-16 03:02 - 2016-01-04 21:51 - 07477600 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
    2016-01-16 03:02 - 2016-01-04 21:51 - 01317640 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
    2016-01-16 03:02 - 2016-01-04 21:51 - 01141496 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
    2016-01-16 03:02 - 2016-01-04 21:50 - 01173344 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
    2016-01-16 03:02 - 2016-01-04 21:50 - 00713568 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
    2016-01-16 03:02 - 2016-01-04 21:50 - 00671472 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
    2016-01-16 03:02 - 2016-01-04 21:49 - 00513888 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
    2016-01-16 03:02 - 2016-01-04 21:48 - 00499432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
    2016-01-16 03:02 - 2016-01-04 21:45 - 02587696 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml6.dll
    2016-01-16 03:02 - 2016-01-04 21:42 - 02026736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml6.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 02544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 01299504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 00858952 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 00848160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 00785088 _____ (Microsoft Corporation) C:\WINDOWS\system32\evr.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 00245840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
    2016-01-16 03:02 - 2016-01-04 21:37 - 00234504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mftranscode.dll
    2016-01-16 03:02 - 2016-01-04 21:36 - 00808800 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
    2016-01-16 03:02 - 2016-01-04 21:33 - 02180128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
    2016-01-16 03:02 - 2016-01-04 21:33 - 01118208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
    2016-01-16 03:02 - 2016-01-04 21:33 - 00709688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
    2016-01-16 03:02 - 2016-01-04 21:33 - 00701384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
    2016-01-16 03:02 - 2016-01-04 21:33 - 00652312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\evr.dll
    2016-01-16 03:02 - 2016-01-04 21:33 - 00208176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mftranscode.dll
    2016-01-16 03:02 - 2016-01-04 21:33 - 00116728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfps.dll
    2016-01-16 03:02 - 2016-01-04 21:31 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
    2016-01-16 03:02 - 2016-01-04 21:27 - 01594408 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
    2016-01-16 03:02 - 2016-01-04 21:24 - 00796352 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
    2016-01-16 03:02 - 2016-01-04 21:23 - 01804664 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMALFXGFXDSP.dll
    2016-01-16 03:02 - 2016-01-04 21:23 - 01309376 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
    2016-01-16 03:02 - 2016-01-04 21:23 - 00786696 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOD.DLL
    2016-01-16 03:02 - 2016-01-04 21:23 - 00119320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP3DMOD.DLL
    2016-01-16 03:02 - 2016-01-04 21:21 - 01371792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
    2016-01-16 03:02 - 2016-01-04 21:17 - 00695752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOD.DLL
    2016-01-16 03:02 - 2016-01-04 21:16 - 00100160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP3DMOD.DLL
    2016-01-16 03:02 - 2016-01-04 20:59 - 22393856 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
    2016-01-16 03:02 - 2016-01-04 20:57 - 16986112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
    2016-01-16 03:02 - 2016-01-04 20:57 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\system32\RMSRoamingSecurity.dll
    2016-01-16 03:02 - 2016-01-04 20:57 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgrcli.dll
    2016-01-16 03:02 - 2016-01-04 20:56 - 00145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\omadmclient.exe
    2016-01-16 03:02 - 2016-01-04 20:54 - 00162816 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
    2016-01-16 03:02 - 2016-01-04 20:53 - 00148992 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshom.ocx
    2016-01-16 03:02 - 2016-01-04 20:52 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
    2016-01-16 03:02 - 2016-01-04 20:51 - 00472576 _____ (Microsoft Corporation) C:\WINDOWS\system32\DscCore.dll
    2016-01-16 03:02 - 2016-01-04 20:51 - 00248832 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserMgrProxy.dll
    2016-01-16 03:02 - 2016-01-04 20:50 - 00644096 _____ (Microsoft Corporation) C:\WINDOWS\system32\uReFS.dll
    2016-01-16 03:02 - 2016-01-04 20:50 - 00638464 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
    2016-01-16 03:02 - 2016-01-04 20:50 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
    2016-01-16 03:02 - 2016-01-04 20:49 - 13018624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
    2016-01-16 03:02 - 2016-01-04 20:49 - 01582080 _____ (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
    2016-01-16 03:02 - 2016-01-04 20:49 - 01255936 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOE.DLL
    2016-01-16 03:02 - 2016-01-04 20:49 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
    2016-01-16 03:02 - 2016-01-04 20:49 - 00749056 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhoneService.dll
    2016-01-16 03:02 - 2016-01-04 20:49 - 00167936 _____ (Microsoft Corporation) C:\WINDOWS\system32\ProximityCommon.dll
    2016-01-16 03:02 - 2016-01-04 20:48 - 01009152 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOD.DLL
    2016-01-16 03:02 - 2016-01-04 20:48 - 00387072 _____ (Microsoft Corporation) C:\WINDOWS\system32\qdvd.dll
    2016-01-16 03:02 - 2016-01-04 20:48 - 00034816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\usermgrcli.dll
    2016-01-16 03:02 - 2016-01-04 20:47 - 00628736 _____ (Microsoft Corporation) C:\WINDOWS\system32\MessagingDataModel2.dll
    2016-01-16 03:02 - 2016-01-04 20:47 - 00479232 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
    2016-01-16 03:02 - 2016-01-04 20:47 - 00305664 _____ (Microsoft Corporation) C:\WINDOWS\system32\
    2016-01-16 03:02 - 2016-01-04 20:45 - 00678912 _____ (Microsoft Corporation) C:\WINDOWS\system32\qedit.dll
    2016-01-16 03:02 - 2016-01-04 20:45 - 00275968 _____ (Microsoft Corporation) C:\WINDOWS\system32\facecredentialprovider.dll
    2016-01-16 03:02 - 2016-01-04 20:44 - 00125440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshom.ocx
    2016-01-16 03:02 - 2016-01-04 20:43 - 00912384 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgr.dll
    2016-01-16 03:02 - 2016-01-04 20:43 - 00604672 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
    2016-01-16 03:02 - 2016-01-04 20:43 - 00584704 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
    2016-01-16 03:02 - 2016-01-04 20:42 - 00166912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserMgrProxy.dll
    2016-01-16 03:02 - 2016-01-04 20:41 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
    2016-01-16 03:02 - 2016-01-04 20:41 - 01070080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOE.DLL
    2016-01-16 03:02 - 2016-01-04 20:41 - 00558592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\uReFS.dll
    2016-01-16 03:02 - 2016-01-04 20:40 - 00890880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOD.DLL
    2016-01-16 03:02 - 2016-01-04 20:40 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ProximityCommon.dll
    2016-01-16 03:02 - 2016-01-04 20:39 - 03428864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
    2016-01-16 03:02 - 2016-01-04 20:39 - 00569856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qdvd.dll
    2016-01-16 03:02 - 2016-01-04 20:39 - 00498176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MessagingDataModel2.dll
    2016-01-16 03:02 - 2016-01-04 20:39 - 00235008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\
    2016-01-16 03:02 - 2016-01-04 20:38 - 00389120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
    2016-01-16 03:02 - 2016-01-04 20:36 - 00573440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qedit.dll
    2016-01-16 03:02 - 2016-01-04 20:36 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
    2016-01-16 03:02 - 2016-01-04 20:33 - 01674240 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
    2016-01-16 03:02 - 2016-01-04 20:30 - 02796032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
    2016-01-16 03:02 - 2016-01-04 20:30 - 02280448 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
    2016-01-16 03:02 - 2016-01-04 20:29 - 03667456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
    2016-01-16 03:02 - 2016-01-04 20:28 - 07826432 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
    2016-01-16 03:02 - 2016-01-04 20:28 - 04894720 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
    2016-01-16 03:02 - 2016-01-04 20:28 - 01542656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
    2016-01-16 03:02 - 2016-01-04 20:25 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
    2016-01-16 01:01 - 2016-01-16 01:02 - 00062360 _____ C:\TDSSKiller.
    2016-01-16 01:00 - 2016-01-16 01:01 - 04633146 _____ C:\Users\Corinne\Downloads\tdsskiller (1).zip
    2016-01-16 01:00 - 2016-01-16 01:00 - 00000366 _____ C:\TDSSKiller.
    2016-01-09 13:00 - 2016-01-09 13:00 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
    2015-12-29 02:26 - 2015-12-29 02:26 - 02560144 _____ (Microsoft Corporation) C:\Users\Corinne\Downloads\DefaultPack (2).EXE
    2015-12-28 22:03 - 2015-12-28 22:03 - 00000000 ___HD C:\WINDOWS\msdownld.tmp
    2015-12-28 22:00 - 2015-12-28 22:02 - 58082952 _____ (Microsoft Corporation) C:\Users\Corinne\Downloads\EIE11_EN-US_MCM_WIN764 (1).EXE
    2015-12-28 21:40 - 2015-12-28 21:40 - 00584288 _____ (Oracle Corporation) C:\Users\Corinne\Downloads\JavaSetup8u66 (2).exe
    2015-12-28 21:39 - 2015-12-28 21:40 - 00584288 _____ (Oracle Corporation) C:\Users\Corinne\Downloads\JavaSetup8u66 (1).exe
    2015-12-28 18:38 - 2016-01-19 19:38 - 19604160 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-01-24 19:57 - 2015-12-11 05:06 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2016-01-24 19:56 - 2015-10-30 01:28 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
    2016-01-24 19:50 - 2015-09-27 18:54 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-01-24 19:49 - 2015-10-30 01:28 - 00000000 ____D C:\Windows
    2016-01-24 19:38 - 2015-10-03 15:29 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2016-01-24 18:33 - 2015-10-03 15:30 - 00004162 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8884C0D3-6CBD-4E47-9640-E7E1C4272A96}
    2016-01-24 15:01 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
    2016-01-24 15:01 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
    2016-01-24 13:48 - 2015-10-25 20:12 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2016-01-23 19:06 - 2015-10-03 15:29 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
    2016-01-23 17:24 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
    2016-01-23 17:24 - 2015-09-18 21:28 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2016-01-23 14:51 - 2015-09-20 20:05 - 00000000 ____D C:\ProgramData\Oracle
    2016-01-23 14:51 - 2015-09-20 20:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    2016-01-23 14:50 - 2015-10-03 15:39 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
    2016-01-23 14:50 - 2015-09-20 20:05 - 00000000 ____D C:\Program Files (x86)\Java
    2016-01-23 14:50 - 2015-09-17 19:37 - 00000000 ____D C:\Users\Corinne\.oracle_jre_usage
    2016-01-22 00:57 - 2015-11-07 12:19 - 00003960 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1446916789
    2016-01-22 00:57 - 2015-11-07 12:19 - 00001120 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
    2016-01-22 00:57 - 2015-09-18 23:07 - 00000000 ____D C:\Program Files (x86)\Opera
    2016-01-19 21:18 - 2015-09-27 18:55 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-01-19 21:02 - 2015-12-11 04:59 - 00000000 ____D C:\Users\Corinne
    2016-01-19 21:02 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
    2016-01-19 21:01 - 2012-04-06 21:14 - 00000000 ____D C:\Users\Corinne\AppData\LocalLow\Temp
    2016-01-19 19:38 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
    2016-01-19 19:38 - 2015-10-03 15:29 - 00004032 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
    2016-01-19 19:38 - 2015-09-19 01:32 - 00000000 ____D C:\WINDOWS\system32\MRT
    2016-01-19 19:37 - 2015-10-03 16:25 - 143671360 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2016-01-16 01:00 - 2015-07-21 19:55 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Corinne\Downloads\tdsskiller (1).exe
    2016-01-15 23:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\LiveKernelReports
    2016-01-10 14:41 - 2015-09-18 21:25 - 00000000 ____D C:\Users\Corinne\AppData\Local\Packages
    2016-01-10 14:27 - 2015-10-03 21:11 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2016-01-02 20:40 - 2015-10-30 02:26 - 00826872 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
    2016-01-02 20:40 - 2015-10-30 02:26 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
    2015-12-29 20:53 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\NDF
    2015-12-29 20:50 - 2011-08-16 13:34 - 60296312 _____ C:\Users\Corinne\Downloads\eppx-win-4_0_0-en.exe
    2015-12-28 18:38 - 2015-10-03 15:29 - 00003816 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater

    ==================== Files in the root of some directories =======

    2015-12-11 04:56 - 2015-12-11 04:56 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2016-01-22 21:51

    ==================== End of FRST.txt ============================

  5. #5
    Junior Member
    Join Date
    Jan 2016


    hope this helps - installed spybot first then did scans already posted, Thanks do you ever get a day off?? Not that I'm complaining - so do appreciate the help!

  6. #6
    Junior Member
    Join Date
    Jan 2016


    sorry UNinstalled spybot

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Florida's SpaceCoast


    I have been at this since the days of Windows 98. All us helpers are just volunteers, we dont work for Spybot. I am a member of about dozen or so Malware Removal forums but just active on this one and two others, not enough time in the day. Its just a hobby, do this when I have the time.

    Looks like uninstalling Spybot did the trick, that host file entry did not come back

    You can go ahead and reinstall Spybot, but do not use there hosts file tool, your host file is fine just the way it is with the Microsoft default host file.

    How is your system behaving now, any issues you feel maybe malware related ??
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts