
Thread: zlob.zip trojan

  1. #1
    Junior Member
    Join Date
    Jan 2016
    Posts
    27

    zlob.zip trojan

    Have read about this & followed (I hope correctly) many steps & directions to be sure Spybot has removed this from my system, but the ASWMBR log shows I have 2 infected files from Zygna.com and I did not fix them, but I have logs to attach. Hope I'm in the right place to get some help, since I have Windows 10 (hate it) and paid Spybot Pro. Please advise what I should do & thanks in advance.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
    Ran by Corinne (administrator) on CORINNE-PC (16-01-2016 16:43:31)
    Running from C:\Users\Corinne\Downloads
    Loaded Profiles: Corinne (Available Profiles: Corinne)
    Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Opera)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDOnAccess.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera_crashreporter.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera.exe
    (Opera Software) C:\Program Files (x86)\Opera\34.0.2036.47\opera_autoupdate.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8492800 2015-06-24] (Realtek Semiconductor)
    HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4127488 2015-06-16] (Safer-Networking Ltd.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-3611819408-1750479240-3027513373-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    HKU\S-1-5-21-3611819408-1750479240-3027513373-1000\...\RunOnce: [Uninstall C:\Users\Corinne\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Corinne\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
    Tcpip\..\Interfaces\{b0bd7e33-ea32-450a-9299-30cc53ef45df}: [DhcpNameServer] 192.168.1.1 192.168.1.1

    Internet Explorer:
    ==================
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-11-22] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-11-22] (Oracle Corporation)

    FireFox:
    ========
    FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-11-22] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-11-22] (Oracle Corporation)

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.google.com/
    CHR StartupUrls: Default -> "hxxp://www.google.com/"
    CHR Profile: C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Docs) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-09-18]
    CHR Extension: (Google Drive) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-18]
    CHR Extension: (YouTube) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-18]
    CHR Extension: (Google Search) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-09-18]
    CHR Extension: (Gmail) - C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-18]

    Opera:
    =======
    OPR StartupUrls: "hxxp://msn.com/"
    OPR Session Restore: -> is enabled.
    OPR Extension: (Adblock Fast) - C:\Users\Corinne\AppData\Roaming\Opera Software\Opera Stable\Extensions\klhobddcbiabdfjmomildokiglpmdicc [2015-11-23]
    OPR Extension: (Adblock Plus) - C:\Users\Corinne\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2016-01-07]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1750712 2015-06-16] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2102496 2015-06-16] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [224712 2015-07-24] (Safer-Networking Ltd.)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
    R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-16] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
    R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek )
    R1 SDHookDriver; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [65576 2015-06-16] (Safer-Networking Ltd.)
    S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
    R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-01-16 16:43 - 2016-01-16 16:43 - 00008374 _____ C:\Users\Corinne\Downloads\FRST.txt
    2016-01-16 16:43 - 2016-01-16 16:43 - 00000000 ____D C:\FRST
    2016-01-16 16:40 - 2016-01-16 16:40 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-CORINNE-PC-Windows-10-Pro-(64-bit).dat
    2016-01-16 16:40 - 2016-01-16 16:40 - 00000000 ____D C:\RegBackup
    2016-01-16 16:39 - 2016-01-16 16:39 - 00002312 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
    2016-01-16 16:39 - 2016-01-16 16:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2016-01-16 16:39 - 2016-01-16 16:39 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
    2016-01-16 16:38 - 2016-01-16 16:39 - 00016401 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
    2016-01-16 16:34 - 2016-01-16 16:38 - 04777232 _____ (Tweaking.com) C:\Users\Corinne\Downloads\tweaking.com_registry_backup_setup.exe
    2016-01-16 16:33 - 2016-01-16 16:42 - 02370560 _____ (Farbar) C:\Users\Corinne\Downloads\FRST64.exe
    2016-01-16 16:32 - 2016-01-16 16:32 - 05198336 _____ (AVAST Software) C:\Users\Corinne\Downloads\aswMBR.exe
    2016-01-16 01:01 - 2016-01-16 01:02 - 00062360 _____ C:\TDSSKiller.3.1.0.9_16.01.2016_01.01.39_log.txt
    2016-01-16 01:00 - 2016-01-16 01:01 - 04633146 _____ C:\Users\Corinne\Downloads\tdsskiller (1).zip
    2016-01-16 01:00 - 2016-01-16 01:00 - 00000366 _____ C:\TDSSKiller.3.0.0.44_16.01.2016_01.00.28_log.txt
    2016-01-09 13:00 - 2016-01-09 13:00 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
    2016-01-01 04:42 - 2015-11-22 18:35 - 00450771 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160101-044255.backup
    2015-12-29 02:26 - 2015-12-29 02:26 - 02560144 _____ (Microsoft Corporation) C:\Users\Corinne\Downloads\DefaultPack (2).EXE
    2015-12-28 22:03 - 2015-12-28 22:03 - 00000000 ___HD C:\WINDOWS\msdownld.tmp
    2015-12-28 22:00 - 2015-12-28 22:02 - 58082952 _____ (Microsoft Corporation) C:\Users\Corinne\Downloads\EIE11_EN-US_MCM_WIN764 (1).EXE
    2015-12-28 21:40 - 2015-12-28 21:40 - 00584288 _____ (Oracle Corporation) C:\Users\Corinne\Downloads\JavaSetup8u66 (2).exe
    2015-12-28 21:39 - 2015-12-28 21:40 - 00584288 _____ (Oracle Corporation) C:\Users\Corinne\Downloads\JavaSetup8u66 (1).exe
    2015-12-28 18:38 - 2015-12-28 18:38 - 19607232 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe
    2015-12-17 22:56 - 2015-12-06 23:57 - 00973664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LicenseManager.dll
    2015-12-17 22:56 - 2015-12-06 23:55 - 01281376 _____ (Microsoft Corporation) C:\WINDOWS\system32\LicenseManager.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 02544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 02180136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 01299504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 01155944 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfasfsrcsnk.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 01118208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 00983464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfasfsrcsnk.dll
    2015-12-17 22:56 - 2015-12-06 23:48 - 00823264 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmpeg2srcsnk.dll
    2015-12-17 22:56 - 2015-12-06 23:47 - 00716928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmpeg2srcsnk.dll
    2015-12-17 22:56 - 2015-12-06 23:46 - 03671888 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2015-12-17 22:56 - 2015-12-06 23:46 - 02919320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
    2015-12-17 22:56 - 2015-12-06 23:10 - 00824320 _____ (Microsoft Corporation) C:\WINDOWS\system32\WpcWebFilter.dll
    2015-12-17 22:56 - 2015-12-06 23:07 - 16984064 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
    2015-12-17 22:56 - 2015-12-06 23:03 - 13017600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
    2015-12-17 22:56 - 2015-12-06 22:58 - 24601600 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2015-12-17 22:56 - 2015-12-06 22:53 - 19339264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
    2015-12-17 22:56 - 2015-12-06 22:45 - 02582016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFMediaEngine.dll
    2015-12-17 22:56 - 2015-12-06 22:43 - 02598400 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkMobileSettings.dll
    2015-12-17 22:56 - 2015-12-06 22:40 - 01995776 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll
    2015-12-17 22:56 - 2015-12-06 22:40 - 01706496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll
    2015-12-17 22:55 - 2015-12-06 23:49 - 00412512 _____ (Microsoft Corporation) C:\WINDOWS\system32\wifitask.exe
    2015-12-17 22:55 - 2015-12-06 23:48 - 01092456 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfplat.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 01065080 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmp4srcsnk.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 01020096 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsrcsnk.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00884256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmp4srcsnk.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00794888 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfds.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00696160 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00670928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfds.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00526856 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfreadwrite.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00502112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00498448 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFCaptureEngine.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00462760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfreadwrite.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00450904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFCaptureEngine.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00337840 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFPlay.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00289248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFPlay.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00245848 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
    2015-12-17 22:55 - 2015-12-06 23:48 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
    2015-12-17 22:55 - 2015-12-06 23:47 - 00925064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfplat.dll
    2015-12-17 22:55 - 2015-12-06 23:47 - 00898184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsrcsnk.dll
    2015-12-17 22:55 - 2015-12-06 23:47 - 00116720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfps.dll
    2015-12-17 22:55 - 2015-12-06 23:45 - 00264544 _____ (Microsoft Corporation) C:\WINDOWS\system32\ContentDeliveryManager.Utilities.dll
    2015-12-17 22:55 - 2015-12-06 23:15 - 01035776 _____ (Microsoft Corporation) C:\WINDOWS\system32\XboxNetApiSvc.dll
    2015-12-17 22:55 - 2015-12-06 23:15 - 00075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Networking.XboxLive.ProxyStub.dll
    2015-12-17 22:55 - 2015-12-06 23:09 - 00133120 _____ (Microsoft Corporation) C:\WINDOWS\system32\flvprophandler.dll
    2015-12-17 22:55 - 2015-12-06 23:09 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\policymanagerprecheck.dll
    2015-12-17 22:55 - 2015-12-06 23:09 - 00030208 _____ (Microsoft Corporation) C:\WINDOWS\system32\StorageUsage.dll
    2015-12-17 22:55 - 2015-12-06 23:07 - 00134656 _____ (Microsoft Corporation) C:\WINDOWS\system32\wificonnapi.dll
    2015-12-17 22:55 - 2015-12-06 23:07 - 00077312 _____ (Microsoft Corporation) C:\WINDOWS\system32\ProvPluginEng.dll
    2015-12-17 22:55 - 2015-12-06 23:06 - 00572928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WpcWebFilter.dll
    2015-12-17 22:55 - 2015-12-06 23:06 - 00231936 _____ (Microsoft Corporation) C:\WINDOWS\system32\KnobsCore.dll
    2015-12-17 22:55 - 2015-12-06 23:06 - 00199168 _____ (Microsoft Corporation) C:\WINDOWS\system32\InstallAgent.exe
    2015-12-17 22:55 - 2015-12-06 23:05 - 00192000 _____ (Microsoft Corporation) C:\WINDOWS\system32\provisioningcsp.dll
    2015-12-17 22:55 - 2015-12-06 23:05 - 00036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\BackgroundTransferHost.exe
    2015-12-17 22:55 - 2015-12-06 23:04 - 00066560 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshost.dll
    2015-12-17 22:55 - 2015-12-06 23:04 - 00056320 _____ (Microsoft Corporation) C:\WINDOWS\system32\provtool.exe
    2015-12-17 22:55 - 2015-12-06 23:02 - 00269824 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshostcore.dll
    2015-12-17 22:55 - 2015-12-06 23:02 - 00161280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InstallAgent.exe
    2015-12-17 22:55 - 2015-12-06 23:01 - 00543232 _____ (Microsoft Corporation) C:\WINDOWS\system32\StoreAgent.dll
    2015-12-17 22:55 - 2015-12-06 23:01 - 00034304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BackgroundTransferHost.exe
    2015-12-17 22:55 - 2015-12-06 23:00 - 00618496 _____ (Microsoft Corporation) C:\WINDOWS\system32\StorSvc.dll
    2015-12-17 22:55 - 2015-12-06 23:00 - 00323072 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSFlacDecoder.dll
    2015-12-17 22:55 - 2015-12-06 23:00 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\wcmcsp.dll
    2015-12-17 22:55 - 2015-12-06 23:00 - 00203776 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
    2015-12-17 22:55 - 2015-12-06 22:59 - 00558080 _____ (Microsoft Corporation) C:\WINDOWS\system32\MBMediaManager.dll
    2015-12-17 22:55 - 2015-12-06 22:59 - 00292352 _____ (Microsoft Corporation) C:\WINDOWS\system32\provengine.dll
    2015-12-17 22:55 - 2015-12-06 22:59 - 00286208 _____ (Microsoft Corporation) C:\WINDOWS\system32\provhandlers.dll
    2015-12-17 22:55 - 2015-12-06 22:59 - 00165376 _____ (Microsoft Corporation) C:\WINDOWS\system32\provdatastore.dll
    2015-12-17 22:55 - 2015-12-06 22:58 - 00459776 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapConfiguration.dll
    2015-12-17 22:55 - 2015-12-06 22:57 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StoreAgent.dll
    2015-12-17 22:55 - 2015-12-06 22:57 - 00387072 _____ (Microsoft Corporation) C:\WINDOWS\system32\qdvd.dll
    2015-12-17 22:55 - 2015-12-06 22:57 - 00270848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSFlacDecoder.dll
    2015-12-17 22:55 - 2015-12-06 22:56 - 00607232 _____ (Microsoft Corporation) C:\WINDOWS\system32\wcmsvc.dll
    2015-12-17 22:55 - 2015-12-06 22:56 - 00497152 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmkvsrcsnk.dll
    2015-12-17 22:55 - 2015-12-06 22:55 - 07979008 _____ (Microsoft Corporation) C:\WINDOWS\system32\mos.dll
    2015-12-17 22:55 - 2015-12-06 22:55 - 00346112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapConfiguration.dll
    2015-12-17 22:55 - 2015-12-06 22:54 - 00850432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsStore.dll
    2015-12-17 22:55 - 2015-12-06 22:54 - 00569856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qdvd.dll
    2015-12-17 22:55 - 2015-12-06 22:53 - 00381952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmkvsrcsnk.dll
    2015-12-17 22:55 - 2015-12-06 22:51 - 01318912 _____ (Microsoft Corporation) C:\WINDOWS\system32\wifinetworkmanager.dll
    2015-12-17 22:55 - 2015-12-06 22:51 - 00223232 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapibase.dll
    2015-12-17 22:55 - 2015-12-06 22:50 - 01131520 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Audio.dll
    2015-12-17 22:55 - 2015-12-06 22:49 - 01105920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Audio.dll
    2015-12-17 22:55 - 2015-12-06 22:48 - 06297088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mos.dll
    2015-12-17 22:55 - 2015-12-06 22:47 - 03428864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
    2015-12-17 22:55 - 2015-12-06 22:45 - 00900608 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Networking.BackgroundTransfer.dll
    2015-12-17 22:55 - 2015-12-06 22:45 - 00683008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Networking.BackgroundTransfer.dll
    2015-12-17 22:55 - 2015-12-06 22:44 - 02796032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
    2015-12-17 22:55 - 2015-12-06 22:43 - 00931328 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSMPEG2ENC.DLL
    2015-12-17 22:55 - 2015-12-06 22:41 - 02061824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFMediaEngine.dll
    2015-12-17 22:55 - 2015-12-06 22:40 - 03593216 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
    2015-12-17 22:55 - 2015-12-06 22:39 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
    2015-12-17 22:55 - 2015-12-06 22:38 - 00871936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSMPEG2ENC.DLL
    2015-12-17 22:55 - 2015-12-06 22:33 - 00375296 _____ (Microsoft Corporation) C:\WINDOWS\system32\MDEServer.exe
    2015-12-17 22:55 - 2015-12-06 22:32 - 00126464 _____ (Microsoft Corporation) C:\WINDOWS\system32\dialserver.dll

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-01-16 16:43 - 2015-10-30 01:28 - 00000000 ____D C:\Windows
    2016-01-16 16:38 - 2015-10-03 15:29 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2016-01-16 16:06 - 2015-10-03 15:29 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
    2016-01-16 14:32 - 2015-10-03 15:30 - 00004162 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8884C0D3-6CBD-4E47-9640-E7E1C4272A96}
    2016-01-16 14:29 - 2015-10-25 20:12 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2016-01-16 06:45 - 2015-12-11 04:59 - 00000000 ____D C:\Users\Corinne
    2016-01-16 02:55 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
    2016-01-16 01:56 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
    2016-01-16 01:00 - 2015-07-21 19:55 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Corinne\Downloads\tdsskiller (1).exe
    2016-01-16 00:59 - 2015-09-18 21:28 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2016-01-16 00:57 - 2015-11-07 12:19 - 00003960 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1446916789
    2016-01-16 00:57 - 2015-11-07 12:19 - 00001120 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
    2016-01-16 00:57 - 2015-09-18 23:07 - 00000000 ____D C:\Program Files (x86)\Opera
    2016-01-16 00:52 - 2015-12-11 05:06 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2016-01-15 23:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\LiveKernelReports
    2016-01-14 19:19 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
    2016-01-12 19:46 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
    2016-01-10 14:41 - 2015-09-18 21:25 - 00000000 ____D C:\Users\Corinne\AppData\Local\Packages
    2016-01-10 14:27 - 2015-10-03 21:11 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2016-01-10 14:26 - 2015-10-30 01:28 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
    2016-01-02 20:40 - 2015-10-30 02:26 - 00826872 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
    2016-01-02 20:40 - 2015-10-30 02:26 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
    2016-01-02 01:03 - 2015-09-20 20:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    2016-01-02 01:03 - 2015-09-20 20:05 - 00000000 ____D C:\Program Files (x86)\Java
    2015-12-29 20:53 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\NDF
    2015-12-29 20:50 - 2011-08-16 13:34 - 60296312 _____ C:\Users\Corinne\Downloads\eppx-win-4_0_0-en.exe
    2015-12-28 18:38 - 2015-10-03 15:29 - 00004032 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
    2015-12-28 18:38 - 2015-10-03 15:29 - 00003816 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
    2015-12-18 03:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
    2015-12-18 03:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\Provisioning
    2015-12-18 03:15 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\bcastdvr

    ==================== Files in the root of some directories =======

    2015-12-11 04:56 - 2015-12-11 04:56 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-01-12 19:48

    ==================== End of FRST.txt ============================


    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2016-01-16 16:53:10
    -----------------------------
    16:53:10.176 OS Version: Windows x64 6.2.9200
    16:53:10.176 Number of processors: 4 586 0x2A07
    16:53:10.176 ComputerName: CORINNE-PC UserName: Corinne
    16:53:11.072 Initialize success
    16:53:11.087 VM: initialized successfully
    16:53:11.103 VM: Intel CPU BiosDisabled
    17:00:03.424 AVAST engine defs: 16011603
    17:00:39.711 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
    17:00:39.711 Disk 0 Vendor: WDC_WD5002AALX-00J37A0 15.01H15 Size: 476940MB BusType: 3
    17:00:39.836 Disk 0 MBR read successfully
    17:00:39.836 Disk 0 MBR scan
    17:00:39.836 Disk 0 Windows 7 default MBR code
    17:00:39.836 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    17:00:39.836 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476388 MB offset 206848
    17:00:39.867 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 450 MB offset 975849472
    17:00:39.914 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:00:44.430 Service scanning
    17:00:51.308 Modules scanning
    17:00:51.808 Disk 0 trace - called modules:
    17:00:51.808 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys hal.dll PCIIDEX.SYS atapi.sys
    17:00:51.824 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0008b0f4060]
    17:00:51.824 3 CLASSPNP.SYS[fffff800fcd37d95] -> nt!IofCallDriver -> [0xffffe0008af07e40]
    17:00:51.824 5 ACPI.sys[fffff800fc281361] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0xffffe0008af0f060]
    17:00:52.427 AVAST engine scan C:\WINDOWS
    17:00:53.599 AVAST engine scan C:\WINDOWS\system32
    17:01:51.090 AVAST engine scan C:\WINDOWS\system32\drivers
    17:01:57.700 AVAST engine scan C:\Users\Corinne
    17:04:15.255 File: C:\Users\Corinne\AppData\LocalLow\Zynga\hk64tbZyn2.dll **INFECTED** Win32:SearchProtect-DU [Adw]
    17:04:16.050 File: C:\Users\Corinne\AppData\LocalLow\Zynga\tbZyn1.dll **INFECTED** Win32:BHO-APX [Adw]
    17:04:53.317 AVAST engine scan C:\ProgramData
    17:05:33.662 Disk 0 statistics 920412/0/0 @ 1.72 MB/s
    17:05:33.678 Scan finished successfully
    17:17:06.015 Disk 0 MBR has been saved successfully to "C:\Users\Corinne\Desktop\MBR.dat"
    17:17:06.018 The log file has been saved successfully to "C:\Users\Corinne\Desktop\aswMBR.txt"
    Last edited by tashi; 2016-01-18 at 07:11. Reason: Copy pasted 2 logs into topic

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    You have a bit going on. All our tools and scanners work best when downloaded and run from the desktop, so let's do this.

    You're running FRST64 from your Downloads folder; our tools and scanners work more efficiently when run from the Desktop in lieu of being buried in some folder. So go to your Downloads folder and look for FRST64, right click on it and select CUT, then come back to your Desktop, right click on a blank space and select PASTE. Then we will have FRST64 exactly where we want it to be.

    You ran TDSSKiller; did it find and remove anything? If you can, post that log please.

    Open Notepad: go to Start --> All Programs --> Accessories --> Notepad.
    Please copy the entire contents inside of the code box below, beginning with START and ending with END
    (to do this, highlight the contents of the box, right click on it and select Copy. Right-click in the open Notepad and select Paste).
    Name the file Fixlist and save it to your desktop where you have FRST/FRST64, or the fix won't work. Then open up FRST/FRST64 and click on FIX (not Scan). It won't take long; after your computer reboots you will find a FIXLOG.TXT on your desktop. Post it please.


    Code:
    Start
    CloseProcesses:
    CreateRestorePoint: 
    2016-01-01 04:42 - 2015-11-22 18:35 - 00450771 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160101-044255.backup
    Hosts:
    CMD: ipconfig /flushdns
    EmptyTemp:
    End

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    -AdwCleaner-by Xplode


    Click on this link to download: ADWCleaner TO YOUR DESKTOP
    Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.
    Use my link only; do not do a search for AdwCleaner, as there is a bogus copy going around by scammers.




    Do not click on any links in the top Advertisment.






    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Scan.
    • After the scan is complete click on "Clean".
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    ===============================================================================

    Please download Junkware Removal Tool TO YOUR DESKTOP

    • Download the one from Bleeping Computer
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Jan 2016
    Posts
    27

    Default Sorry did downloads wrong

    Will attempt to re-do them & other instructions - I am on another computer now @ work & will do tonight when I get home, if I can. TDSSKiller did not find anything, but 1 of the others that are in Spybot's instructions to run did find 2 corrupt Zygna files & I did not fix them as directed to - can I rerun that & fix them now? My system last night started acting weird again: freezing up, black page, would not load & would not shut off, I found out this am - I powered off & it was on this am still with a black unresponsive screen.
    You are asking for 2 new logs from AdwCleaner & Junkware Removal Tool that I am to run tonight hopefully. If I can't get on my system tonight what should I do (besides throw it out the window!) Many thanks for your help,
    Corinne

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    The fix I posted using FRST is to remove a corrupted backup of the hosts file that is causing problems. I know games are fun but a lot of game sites are a hotbed of infections....just saying

    Sometimes you may have to boot your computer a few times until it boots up; let's see how it goes this evening and go from there.
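    The FRST fix above resets the hosts file and moves a stray 450 KB backup copy of it out of the way. As an added example (not code from the thread, FRST or Spybot), here is how a responder can triage what FRST's "more than one entry in Hosts" actually contains before deciding whether a reset is needed: sinkhole entries (127.0.0.1, 0.0.0.0, ::1) only block a name and are what a hosts-based blocklist looks like, while a well-known domain pointed at a routable address is the classic hosts-hijack indicator. The hosts content, the domain list and the directory listing below are constructed.

```python
"""Triage a Windows hosts file before (or after) an FRST "Hosts:" reset.

Added example, not code from the thread, FRST or Spybot. All inputs below
are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: stock header, blocklist lines, two hijack lines,
# one redirect to an unknown name, one LAN entry and one malformed line
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example-tracker.test      # blocklist-style entry
0.0.0.0    banner.example-adnet.test
203.0.113.7   www.facebook.com facebook.com
203.0.113.7   update.microsoft.com
203.0.113.9   login.example-bank.test
192.168.1.50  printer.lan
not-an-ip     broken.entry.test
"""

# Constructed listing of the drivers/etc folder, modelled on the stray
# timestamped backup the FRST fix in this thread moved out of the way
SAMPLE_ETC_LISTING = [
    "hosts", "lmhosts.sam", "networks", "protocol", "services",
    "hosts.20160101-044255.backup",
]

# Names whose redirection almost always means a hijack (constructed list;
# extend it with the vendor and update domains you care about)
HIGH_VALUE_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "google.com", "facebook.com",
    "paypal.com", "malwarebytes.com", "safer-networking.org",
)

# RFC 1918 / link-local ranges: a LAN address is usually an admin's own entry
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


def classify_line(line):
    """Return (category, target, names) for one hosts line, None for comments."""
    body = line.split("#", 1)[0].strip()          # drop trailing comments
    if not body:
        return None
    target, *names = body.split()
    names = [n.lower() for n in names]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return ("malformed", target, names)
    if not names:
        return ("malformed", target, names)
    if ip.is_loopback or ip.is_unspecified:
        # loopback -> localhost is stock content; any other sinkhole is a blocklist entry
        return ("default" if names == ["localhost"] else "blocklist", target, names)
    if any(n == d or n.endswith("." + d) for n in names for d in HIGH_VALUE_DOMAINS):
        return ("hijack", target, names)
    if any(ip in net for net in LOCAL_NETS):
        return ("local", target, names)
    return ("redirect", target, names)


def triage_hosts(text):
    """Count entries per category and collect the ones a responder should read."""
    counts = Counter()
    review = {"hijack": [], "redirect": [], "malformed": []}
    for line in text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        category, target, names = result
        counts[category] += 1
        if category in review:
            review[category].append((target, names))
    return {"counts": dict(counts), "review": review}


# Timestamped copies such as hosts.20160101-044255.backup sit next to the
# real file; only "hosts" itself is ever read by the resolver
_STRAY_HOSTS = re.compile(r"^hosts\..+$", re.IGNORECASE)


def stray_hosts_files(listing):
    """Return files in the etc listing that look like copies of the hosts file."""
    return sorted(f for f in listing if _STRAY_HOSTS.match(f))


if __name__ == "__main__":
    report = triage_hosts(SAMPLE_HOSTS)
    print("entries per category:", report["counts"])
    for category, entries in report["review"].items():
        for target, names in entries:
            print(f"{category:>9}: {target} -> {' '.join(names)}")
    print("stray hosts copies:", stray_hosts_files(SAMPLE_ETC_LISTING))
```

Thousands of sinkhole entries are what a hosts-based blocklist produces and are not by themselves a sign of infection; the lines worth reading are the hijack and redirect ones.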

  5. #5
    Junior Member
    Join Date
    Jan 2016
    Posts
    27

    Default Got new downloaded files for your reading pleasure!

    Hi, think I have done all you need to see if everything is good. I did neglect to say in one of the files that I first downloaded (FRST I think) I saw files that were porn or sex themed. Let me say as a female I have never visited any sex or porn sites, so can I assume these came from the zlob trojan? How can I be sure these are deleted from my computer? Yes, I do play a lot of FarmVille & think I picked up this virus from clicking on links people post - "movie" clips, so I won't do that anymore, hope they don't come from just playing the game.

    Anyway, have attached new copies (made on the desktop) of FRST64, fixlog.txt, AdwCleaner & JRT (which shows zero, yay!). Only comment I can make is on the instructions for AdwCleaner: there were no blue download buttons, rather just 1 that was a green box saying Download Now, which is the 1 I used. I did not use the download @ top of their page, but the green 1 inside their dialogue box, & I did get a page that looked like the one you attached.

    Let me say I personally do so appreciate all of your help & I will be making a donation - can't be as much as I would like, since I'm @ low end of "middle class" but something to show my appreciation. Will await your reply if I passed all these logs. Thanks again,
    Corinne

    Attachments: JRT.txt, Fixlog.txt, TDSSKiller.3.0.0.44_16.01.2016_01.00.28_log.txt, AdwCleaner[S1].txt, FRST.txt

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Thanks for the heads up on the AdwCleaner link; I haven't downloaded it myself in a while so was unaware it had changed. Time to redo my instructions.

    It's easier for me to evaluate logs if you just copy and paste them into the thread in lieu of attaching them. All the logs from the tools we run will open in Notepad; just open it and on the top left click Edit > Select All, then Edit > Copy, and paste them into the thread.

    The log from AdwCleaner is showing the Scan log; after it scanned, did you run it again to CLEAN?

    Let's run Malwarebytes and see if it finds any leftovers or anything that the other scans may have missed. Read through the instructions for setting it up so that everything it finds is automatically quarantined.

    Download Malwarebytes' Anti-Malware TO YOUR DESKTOP

    • Windows XP: Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8: Right click and select "Run as Administrator"

    • On the Dashboard click on Update Now
    • Go to the Settings tab
    • Under Settings go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • When the scan is finished on the bottom right click on SAVE RESULTS then select Copy to Clipboard
    • Please paste the log back into this thread for review
    • Exit Malwarebytes

  7. #7
    Junior Member
    Join Date
    Jan 2016
    Posts
    27

    Default downloads copies from notepads

    Ok will go back & copy my logs & paste here, then run Malwarebytes & post. I believe I did clean from Adwcleaner, but reran scan & clean & have that to copy first:
    # AdwCleaner v5.030 - Logfile created 20/01/2016 at 19:00:36
    # Updated 17/01/2016 by Xplode
    # Database : 2016-01-19.2 [Server]
    # Operating system : Windows 10 Pro (x64)
    # Username : Corinne - CORINNE-PC
    # Running from : C:\Users\Corinne\Downloads\AdwCleaner.exe
    # Option : Cleaning
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****



    ***** [ Files ] *****


    ***** [ DLLs ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****


    ***** [ Web browsers ] *****


    *************************

    :: "Tracing" keys removed
    :: Winsock settings cleared

    ########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [660 bytes] ##########

    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-01-12 19:48

    ==================== End of FRST.txt ============================

    Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
    Ran by Corinne (2016-01-19 21:01:05) Run:1
    Running from C:\Users\Corinne\Desktop
    Loaded Profiles: Corinne (Available Profiles: Corinne)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start
    CloseProcesses:
    CreateRestorePoint:
    2016-01-01 04:42 - 2015-11-22 18:35 - 00450771 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160101-044255.backup
    Hosts:
    CMD: ipconfig /flushdns
    EmptyTemp:
    End
    *****************

    Processes closed successfully.
    Restore point was successfully created.
    C:\WINDOWS\system32\Drivers\etc\hosts.20160101-044255.backup => moved successfully
    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    EmptyTemp: => 349.7 MB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 21:01:29 ====

    # AdwCleaner v5.030 - Logfile created 19/01/2016 at 21:06:38
    # Updated 17/01/2016 by Xplode
    # Database : 2016-01-19.2 [Server]
    # Operating system : Windows 10 Pro (x64)
    # Username : Corinne - CORINNE-PC
    # Running from : C:\Users\Corinne\Downloads\AdwCleaner.exe
    # Option : Scan
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****

    Folder Found : C:\Users\Corinne\AppData\LocalLow\Conduit
    Folder Found : C:\Users\Corinne\AppData\LocalLow\Zynga

    ***** [ Files ] *****


    ***** [ DLL ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\internet-explorer-11-windows-7.en.softonic.com
    Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
    Key Found : HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\internet-explorer-11-windows-7.en.softonic.com
    Key Found : HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com

    ***** [ Web browsers ] *****

    [C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
    [C:\Users\Corinne\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1798 bytes] ##########

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.2 (01.06.2016)
    Operating System: Windows 10 Pro x64
    Ran by Corinne (Administrator) on Tue 01/19/2016 at 21:28:52.46
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    File System: 0

    Registry: 0

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Tue 01/19/2016 at 21:30:03.94
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Ran Malware; don't have clipboard w/MS10, have to "buy" as free app - tried setting that up, but it's looking for a password associated w/my email & not sure what that is - bottom line is Malware said NO threats discovered. I have not re-run whichever scan showed those porn sites, & wondering if those came from this Zlob trojan?? Please let me know if you feel all is good. Did Spybot scan last night after going online & it did find & fix files low level.
    Also, when I turned off Spybot & then turned it back on after running last night, I cannot get update files automatically to turn back on - would appreciate knowing how to get that done also.

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    No need to post previous logs, just the current ones will do. Not sure if Spybot removed those files, let's do this:


    Open up FRST64 by right clicking on it and selecting Run as Administrator. MAKE SURE THERE IS A CHECK MARK IN ADDITIONS, leave everything else as is, run a new scan and post both the FRST64 and Additions logs and let's see if there is anything else to do.

    When we're done, if you still have problems with Spybot I will link you to one of the techs that are more in tune with the inner workings of Spybot.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #9
    Junior Member
    Join Date
    Jan 2016
    Posts
    27

    Default

    Quote Originally Posted by ken545 View Post
    No need to post previous logs, just the current ones will do. Not sure if Spybot removed those files, let's do this:


    Open up FRST64 by right clicking on it and selecting Run as Administrator. MAKE SURE THERE IS A CHECK MARK IN ADDITIONS, leave everything else as is, run a new scan and post both the FRST64 and Additions logs and let's see if there is anything else to do.

    When we're done, if you still have problems with Spybot I will link you to one of the techs that are more in tune with the inner workings of Spybot.
    Hit reply with quote by mistake. Hi Ken!
    Here is FRST.txt & Addition.txt copied - I did NOT click fix when it was done, as you did not direct me to & not sure if I should.
    Other note I meant to mention yesterday when you had me re-run Malware - I usually run it a few times a week & Malware never alerted me that I had a trojan, & the settings you wanted me to be sure were checked already were. Only difference is yesterday I ran as admin & I usually don't. Same happened with Spybot - it hung up on this trojan until I ran as admin, so guessing I should always run these programs that way.
    I went to the Spybot home/main page where I usually scan & it did say it was being updated - clicked on help & it says Spybot sets up a Windows scheduled task to automatically update, & I did see in the FRST file it said there was an error with that, so wondering if that "turned" it back on.
    Will await your reply & many thanks,
    Corinne

    Additional scan result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
    Ran by Corinne (2016-01-21 20:05:09)
    Running from C:\Users\Corinne\Desktop
    Windows 10 Pro (X64) (2015-12-11 10:09:26)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-3611819408-1750479240-3027513373-500 - Administrator - Disabled)
    Corinne (S-1-5-21-3611819408-1750479240-3027513373-1000 - Administrator - Enabled) => C:\Users\Corinne
    DefaultAccount (S-1-5-21-3611819408-1750479240-3027513373-503 - Limited - Disabled)
    Guest (S-1-5-21-3611819408-1750479240-3027513373-501 - Limited - Disabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AV: Spybot - Search and Destroy (Enabled - Out of date) {1A0DDE8C-B4BA-EFDD-22A8-0F557C7985F0}
    AS: Spybot - Search and Destroy (Enabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}
    AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 20 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 20.0.0.286 - Adobe Systems Incorporated)
    Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
    Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 38.3.0 - Mozilla)
    Mozilla Thunderbird 38.5.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 38.5.0 (x86 en-US)) (Version: 38.5.0 - Mozilla)
    Mozilla Thunderbird 38.5.1 (x86 en-US) (HKU\S-1-5-21-3611819408-1750479240-3027513373-1000\...\Mozilla Thunderbird 38.5.1 (x86 en-US)) (Version: 38.5.1 - Mozilla)
    Opera Stable 34.0.2036.47 (HKLM-x32\...\Opera 34.0.2036.47) (Version: 34.0.2036.47 - Opera Software)
    Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.5.43 - Safer-Networking Ltd.)
    Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 3.3.1 - Tweaking.com)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    CustomCLSID: HKU\S-1-5-21-3611819408-1750479240-3027513373-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Corinne\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\FileCoAuth.exe (Microsoft Corporation)

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {0CFE2E40-6A97-48C5-9F38-DE82315CF1B0} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
    Task: {9526477D-1FA2-44D1-876B-49FCCAB3F606} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2015-06-16] (Safer-Networking Ltd.)
    Task: {95E78B6A-CD02-4A66-A90B-8BFE559D1A6C} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_20_0_0_286_pepper.exe [2016-01-19] (Adobe Systems Incorporated)
    Task: {A13B2A34-ED8B-48CC-92A2-12855582C95A} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-01-19] (Microsoft Corporation)
    Task: {ADF2A0F0-28D4-4044-A9A4-B5022F30E16B} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan most recently used file in the background => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDOnAccess.exe [2015-06-16] (Safer-Networking Ltd.)
    Task: {B8A541D8-126D-43D0-A242-8A3AD16C255D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2015-06-16] (Safer-Networking Ltd.)
    Task: {C55C14AB-2F0F-4CD3-9315-5B15A833484B} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-01-19] (Adobe Systems Incorporated)
    Task: {E7D58741-BC92-46C5-B91F-0CF0F1D77E87} - System32\Tasks\Opera scheduled Autoupdate 1446916789 => C:\Program Files (x86)\Opera\launcher.exe [2016-01-08] (Opera Software)
    Task: {F47F2896-5E71-4A90-98D6-A8D53894270D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2015-06-16] (Safer-Networking Ltd.)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_20_0_0_286_pepper.exe
    Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2015-10-30 02:18 - 2015-10-30 02:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
    2015-12-11 07:48 - 2015-12-11 07:48 - 02653816 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
    2015-12-11 07:48 - 2015-12-11 07:48 - 02653816 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
    2015-12-17 22:55 - 2015-12-06 23:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
    2015-12-17 22:55 - 2015-12-06 23:00 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
    2016-01-16 03:02 - 2016-01-04 20:29 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
    2016-01-16 03:02 - 2016-01-04 20:23 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
    2016-01-16 03:02 - 2016-01-04 20:24 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
    2016-01-16 03:02 - 2016-01-04 20:26 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
    2015-06-01 20:00 - 2015-06-01 20:00 - 00102912 _____ () C:\Windows\System32\IccLibDll_x64.dll
    2015-09-27 18:55 - 2014-05-13 11:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2015-09-27 18:55 - 2014-05-13 11:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2015-09-27 18:55 - 2014-05-13 11:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    There are 7866 more sites.

    There are 7866 more sites.


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2015-09-19 01:02 - 2016-01-20 00:17 - 00449968 ____R C:\WINDOWS\system32\Drivers\etc\hosts

    There are 15463 more lines.


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-3611819408-1750479240-3027513373-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Corinne\AppData\Local\Microsoft\Windows\Themes\img19.jpg
    DNS Servers: 192.168.1.1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    ==================== Restore Points =========================

    05-01-2016 23:04:23 Windows Update
    19-01-2016 19:36:36 Windows Update
    19-01-2016 21:26:24 JRT Pre-Junkware Removal
    19-01-2016 21:28:52 JRT Pre-Junkware Removal

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (01/20/2016 11:12:27 PM) (Source: Perflib) (EventID: 1008) (User: )
    Description: BITSC:\Windows\System32\bitsperf.dll8

    Error: (01/19/2016 09:28:52 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

    System Error:
    Access is denied.
    .

    Error: (01/19/2016 09:26:35 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

    System Error:
    Access is denied.
    .

    Error: (01/19/2016 07:56:06 PM) (Source: Perflib) (EventID: 1008) (User: )
    Description: BITSC:\Windows\System32\bitsperf.dll8

    Error: (01/19/2016 07:36:49 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

    System Error:
    Access is denied.
    .

    Error: (01/19/2016 10:18:00 AM) (Source: ESENT) (EventID: 412) (User: )
    Description: %1 (%2) %3Unable to read the header of logfile %4. Error %5.

    Error: (01/19/2016 10:18:00 AM) (Source: ESENT) (EventID: 481) (User: )
    Description: %1 (%2) %3An attempt to read from the file "%4" at offset %5 for %6 bytes failed after %10 seconds with system error %8: "%9". The read operation will fail with error %7. If this error persists then the file may be damaged and may need to be restored from a previous backup.

    Error: (01/19/2016 10:18:00 AM) (Source: ESENT) (EventID: 412) (User: )
    Description: %1 (%2) %3Unable to read the header of logfile %4. Error %5.

    Error: (01/19/2016 10:18:00 AM) (Source: ESENT) (EventID: 481) (User: )
    Description: %1 (%2) %3An attempt to read from the file "%4" at offset %5 for %6 bytes failed after %10 seconds with system error %8: "%9". The read operation will fail with error %7. If this error persists then the file may be damaged and may need to be restored from a previous backup.

    Error: (01/19/2016 10:18:00 AM) (Source: ESENT) (EventID: 412) (User: )
    Description: %1 (%2) %3Unable to read the header of logfile %4. Error %5.


    System errors:
    =============
    Error: (01/21/2016 07:20:30 PM) (Source: DCOM) (EventID: 10016) (User: Corinne-PC)
    Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}Corinne-PCCorinneS-1-5-21-3611819408-1750479240-3027513373-1000LocalHost (Using LRPC)Microsoft.WindowsStore_2015.25.15.0_x64__8wekyb3d8bbweS-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157

    Error: (01/21/2016 03:09:29 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 5

    Error: (01/21/2016 03:09:25 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The User Data Access_23f3f service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (01/21/2016 03:09:25 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The User Data Storage_23f3f service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (01/21/2016 03:09:25 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Contact Data_23f3f service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (01/21/2016 03:09:25 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Sync Host_23f3f service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (01/21/2016 02:27:52 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4

    Error: (01/20/2016 07:00:51 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Sync Host_7c8e96 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    Error: (01/20/2016 07:00:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Spybot-S&D 2 Updating Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    Error: (01/20/2016 07:00:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.


    CodeIntegrity:
    ===================================
    Date: 2016-01-19 21:28:58.202
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:26:43.214
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:21:05.762
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:17:28.435
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:13:54.626
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:11:47.952
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:06:10.502
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:06:05.858
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:05:04.917
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

    Date: 2016-01-19 21:04:48.901
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDHook32.dll that did not meet the Microsoft signing level requirements.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
    Percentage of memory in use: 14%
    Total physical RAM: 8103.23 MB
    Available physical RAM: 6945.82 MB
    Total Virtual: 9383.23 MB
    Available Virtual: 8253.91 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:465.22 GB) (Free:443.31 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: E85AD74F)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=465.2 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

    ==================== End of Addition.txt ============================

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi Corrine,

    You posted the Additions log but not the main FRST log; I need to see that.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
