I have ochelper.exe and I don’t know what other malware


crossword

About 10 days ago I downloaded CutePDF and it also installed the Comodo Dragon browser, though I had unticked that option. Afterwards I saw people on the net complaining that CutePDF also automatically downloaded Comodo Dragon and the Ask.com installer for them too.

 

A couple of days ago I tried to download Kindle for PC from Amazon but was taken to some page where I was asked to open a Microsoft account.

 

I complained to Amazon. They told me the download is simple and does not require such a thing. So I suspected I have a virus or malware that is redirecting my pages. So I ran a check with Quick Heal, which told me no virus or malware was found. But in the quarantine files I found ochelper.exe.

 

I deleted it but again today I found ochelper.exe in the quarantine files.

 

I also downloaded two other PDF creators: Bullzip and PDF24.

 

I installed both. I don’t know if they too have installed any malware. I installed all these programs only because I saw them recommended on the net.

 

Can you please tell me what to do to scan my computer and find any malware that may have been installed and help me delete it? Thank you.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-10-2014

Ran by Vidya Samson (administrator) on VIDYA on 06-10-2014 13:09:25

Running from C:\Users\Vidya Samson\Desktop

Loaded Profile: Vidya Samson (Available profiles: Vidya Samson)

Platform: Microsoft Windows 8 Enterprise (X86) OS Language: English (United States)

Internet Explorer Version 10

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE

(Aladdin Knowledge Systems, Ltd.) C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe

(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\OPSSVC.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\QUHLPSVC.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\SCANWSCS.EXE

(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\ONLINENT.EXE

(Aladdin Knowledge Systems, Ltd.) C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe

(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

(Microsoft Corporation) C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

(CANON INC.) C:\Windows\System32\CNAB4RPK.EXE

(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

(Microsoft Corporation) C:\Windows\splwow64.exe

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe

(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe

(Geek Software GmbH) C:\Program Files\PDF24\pdf24.exe

() C:\Program Files\WinRAR\WinRAR.exe

() C:\Users\Vidya Samson\AppData\Local\temp\Rar$EX00.872\Everything-1.2.1.371.exe

() C:\Program Files\WinRAR\WinRAR.exe

() C:\Program Files\WinRAR\WinRAR.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

(Farbar) C:\Users\Vidya Samson\Desktop\FRST 2.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [Quick Heal Core UI] => C:\Program Files\Quick Heal\Quick Heal Total Security\strtupap.exe [161264 2012-08-04] (Quick Heal Technologies (P) Ltd.)

HKLM\...\Run: [eTMonitor] => C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe [230752 2009-11-15] (Aladdin Knowledge Systems, Ltd.)

HKLM\...\Run: [] => [X]

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM\...\Run: [PDFPrint] => C:\Program Files\PDF24\pdf24.exe [191528 2014-07-04] (Geek Software GmbH)

HKU\S-1-5-21-2261785502-2541491869-2394418403-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1

Startup: C:\Users\Vidya Samson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

ShellIconOverlayIdentifiers: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

BootExecute: autocheck autochk * C:\PROGRA~1\QUICKH~1\QUICKH~1\PCTuner\ntdefrag.exe

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

SearchScopes: HKLM - DefaultScope value is missing.

BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll (IvoSoft)

Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL (Microsoft Corporation)

Hosts: 127.0.0.1 localhost

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

 

FireFox:

========

FF ProfilePath: C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default

FF Homepage: hxxp://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()

FF Plugin: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF Plugin: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin: @videolan.org/vlc,version=2.0.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Extension: EPUBReader - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2014-08-22]

FF Extension: ImageBlock - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\imageblock@hemantvats.com.xpi [2014-02-17]

FF Extension: Lightbeam - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2014-02-23]

FF Extension: NoScript - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-03-30]

FF Extension: Adblock Plus - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-03-30]

 

Chrome:

=======

 

========================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 Core Mail Protection; C:\Program Files\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE [29680 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 Core Scanning Server; C:\Program Files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [206320 2012-07-28] (Quick Heal Technologies (P) Ltd.)

S2 Core Scanning ServerEx; C:\Program Files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [206320 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 eTSrv; C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe [12640 2009-11-15] (Aladdin Knowledge Systems, Ltd.)

R2 Online Protection System; C:\Program Files\Quick Heal\Quick Heal Total Security\opssvc.exe [25584 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 Quick Update Service; C:\Program Files\Quick Heal\Quick Heal Total Security\quhlpsvc.exe [91120 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 ScanWscS; C:\Program Files\Quick Heal\Quick Heal Total Security\SCANWSCS.EXE [243320 2012-08-09] (Quick Heal Technologies (P) Ltd.)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13344 2013-01-29] (Microsoft Corporation)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R3 AKSIFDH; C:\Windows\system32\DRIVERS\aksifdh.sys [48296 2008-07-29] (Aladdin Knowledge Systems, Ltd.)

R1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)

R2 catflt; C:\Windows\System32\DRIVERS\catflt.sys [45672 2014-03-05] (Quick Heal Technologies (P) Ltd.)

R2 EMLSS; C:\Windows\System32\drivers\emltdi.sys [29424 2012-08-04] (Quick Heal Technologies (P) Ltd.)

R1 ggc; C:\Windows\System32\DRIVERS\ggc.sys [49904 2012-07-28] (Quick Heal Technologies (P) Ltd.)

S3 llio; C:\Windows\system32\DRIVERS\llio.sys [58728 2014-03-27] (Quick Heal Technologies (P) Ltd.)

S0 mscank; C:\Windows\System32\DRIVERS\mscank.sys [33136 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [16256 2013-05-17] ()

R1 wsnf; C:\Windows\system32\DRIVERS\wsnf.sys [38856 2012-07-10] (Quick Heal Technologies (P) Ltd.)

R1 wstif; C:\Windows\System32\drivers\wstif.sys [68448 2012-08-06] (Quick Heal Technologies (P) Ltd.)

 

==================== NetSvcs (Whitelisted) ===================

 

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-06 13:09 - 2014-10-06 13:09 - 00011169 _____ () C:\Users\Vidya Samson\Desktop\FRST.txt

2014-10-06 11:38 - 2014-10-06 11:38 - 01101312 _____ (Farbar) C:\Users\Vidya Samson\Desktop\FRST 2.exe

2014-10-06 10:44 - 2014-10-06 10:44 - 00001823 _____ () C:\Users\Public\Desktop\PDF24 Creator.lnk

2014-10-06 10:44 - 2014-10-06 10:44 - 00001803 _____ () C:\Users\Public\Desktop\PDF24 Fax.lnk

2014-10-06 10:44 - 2014-10-06 10:44 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\PDF24

2014-10-06 10:44 - 2014-10-06 10:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF24

2014-10-06 10:43 - 2014-10-06 10:44 - 00000000 ____D () C:\Program Files\PDF24

2014-10-06 10:42 - 2014-10-06 10:43 - 16319576 _____ (Geek Software GmbH ) C:\Users\Vidya Samson\Desktop\pdf24-creator-6.7.0.exe

2014-10-05 15:27 - 2014-10-05 15:27 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\PDF Writer

2014-10-05 15:27 - 2014-10-05 15:27 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\PDF Writer

2014-10-05 15:23 - 2014-10-05 15:26 - 00000000 ____D () C:\ProgramData\PDF Writer

2014-10-05 15:23 - 2014-10-05 15:23 - 00001081 _____ () C:\Users\Vidya Samson\Desktop\Bullzip PDF Printer.lnk

2014-10-05 15:23 - 2014-10-05 15:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bullzip

2014-10-05 15:23 - 2014-10-05 15:23 - 00000000 ____D () C:\Program Files\Common Files\Bullzip

2014-10-05 15:23 - 2014-10-05 15:23 - 00000000 ____D () C:\Program Files\Bullzip

2014-10-05 15:23 - 2014-09-03 14:16 - 00147456 _____ (Bullzip) C:\Windows\system32\bzpdfc.dll

2014-10-05 15:23 - 2013-09-01 16:29 - 01103872 _____ () C:\Windows\system32\CBLCtlsU.ocx

2014-10-05 15:23 - 2013-07-13 15:45 - 00805376 _____ () C:\Windows\system32\EditCtlsU.ocx

2014-10-05 15:23 - 2013-07-13 02:27 - 00539648 _____ () C:\Windows\system32\LblCtlsU.ocx

2014-10-05 15:23 - 2013-04-05 17:25 - 00476160 _____ () C:\Windows\system32\TabStripCtlU.ocx

2014-10-05 15:23 - 2013-03-29 02:43 - 00645632 _____ () C:\Windows\system32\BtnCtlsU.ocx

2014-10-05 15:23 - 2013-03-03 18:07 - 01061888 _____ () C:\Windows\system32\ExLvwU.ocx

2014-10-05 15:23 - 2008-10-30 14:16 - 00227840 _____ (Bullzip) C:\Windows\system32\bzFlRdr.dll

2014-10-05 15:23 - 2008-07-09 14:16 - 00103424 _____ (Bullzip) C:\Windows\system32\bzDCT.dll

2014-10-05 15:23 - 1999-05-07 03:30 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\comdlg32.OCX

2014-10-05 15:21 - 2014-10-05 15:22 - 07012872 _____ (Bullzip ) C:\Users\Vidya Samson\Desktop\Setup_BullzipPDFPrinter_10_8_0_2282_FREE.exe

2014-09-28 15:15 - 2014-09-28 15:15 - 01060864 _____ (Microsoft Corporation) C:\Windows\system32\mfc71.dll

2014-09-28 15:15 - 2014-09-28 15:15 - 00348160 _____ (Microsoft Corporation) C:\Windows\system32\msvcr71.dll

2014-09-24 19:04 - 2014-09-24 20:33 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CutePDF Writer

2014-09-24 18:47 - 2014-09-24 20:24 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CustomStamp

2014-09-24 18:33 - 2014-09-28 15:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo

2014-09-24 18:33 - 2014-09-24 18:33 - 00000000 ____D () C:\Program Files\GPLGS

2014-09-24 18:32 - 2014-09-24 18:32 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\Comodo

2014-09-24 18:28 - 2013-10-23 14:23 - 00089136 _____ () C:\Windows\system32\cpwmon2k.dll

2014-09-24 18:27 - 2014-09-24 18:27 - 02003352 _____ (Acro Software Inc. ) C:\Users\Vidya Samson\Desktop\CuteWriter.exe

2014-09-24 17:18 - 2014-09-24 21:44 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CutePDF_Pro

2014-09-24 17:18 - 2014-09-24 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CutePDF

2014-09-24 17:18 - 2014-09-24 18:28 - 00000000 ____D () C:\Program Files\Acro Software

2014-09-24 17:18 - 2014-09-24 17:18 - 00001239 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\CutePDF Pro (Evaluation).lnk

2014-09-24 17:18 - 2014-09-24 17:18 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CutePDF

2014-09-24 17:17 - 2014-09-24 17:18 - 04073784 _____ (Acro Software Inc. ) C:\Users\Vidya Samson\Desktop\CutePDFEvl.exe

2014-09-17 14:57 - 2014-10-01 07:35 - 00043258 _____ () C:\Windows\PFRO.log

2014-09-17 05:53 - 2014-09-17 05:53 - 00460312 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-09-16 19:43 - 2014-10-06 11:51 - 00970361 _____ () C:\Windows\WindowsUpdate.log

2014-09-10 07:09 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-09-10 06:53 - 2014-09-16 19:44 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-09-09 21:03 - 2014-09-09 21:03 - 00056533 _____ () C:\Users\Vidya Samson\Desktop\INCOME TAX.zip

2014-09-08 23:02 - 2014-09-08 23:03 - 00000861 _____ () C:\AdwCleaner[s9].txt

2014-09-08 23:01 - 2014-09-08 23:01 - 00000681 _____ () C:\AdwCleaner[R11].txt

2014-09-07 08:36 - 2014-09-07 08:36 - 00000499 _____ () C:\Users\Vidya Samson\Desktop\Kindle Checklist.htm

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-06 13:09 - 2014-02-15 14:50 - 00000000 ____D () C:\FRST

2014-10-06 13:05 - 2013-08-02 15:50 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\ClassicShell

2014-10-06 13:05 - 2013-07-31 22:59 - 00000000 ____D () C:\Users\Vidya Samson\Desktop\files to save on CD 2

2014-10-06 12:30 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\system32\sru

2014-10-06 12:16 - 2013-07-30 14:46 - 00000468 _____ () C:\Windows\Tasks\Resume Quickup Download.job

2014-10-06 11:13 - 2013-10-21 21:41 - 00000000 ____D () C:\Users\Vidya Samson\Desktop\SAMSON 2

2014-10-06 10:44 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\system32\FxsTmp

2014-10-06 10:16 - 2013-07-30 14:46 - 00000492 _____ () C:\Windows\Tasks\Quick Heal AntiMalware Scan.job

2014-10-06 08:23 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\Microsoft.NET

2014-10-06 07:18 - 2013-07-30 14:32 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-10-06 07:11 - 2012-07-26 11:34 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-10-01 07:35 - 2013-07-30 14:33 - 00000000 ____D () C:\Windows\system32\gprodat

2014-09-30 22:27 - 2012-07-26 09:47 - 00262144 ___SH () C:\Windows\system32\config\BBI

2014-09-30 21:12 - 2014-02-19 09:01 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CrashDumps

2014-09-30 15:25 - 2014-01-16 13:25 - 00815240 _____ () C:\Users\Vidya Samson\Desktop\imbl and bbb.zip

2014-09-28 15:33 - 2013-11-08 11:04 - 00002228 _____ () C:\Users\Vidya Samson\Desktop\Kindle.lnk

2014-09-28 15:25 - 2014-02-14 22:08 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\Wise Care 365

2014-09-28 15:25 - 2014-02-14 21:55 - 00000000 ____D () C:\Program Files\Wise

2014-09-19 16:31 - 2014-08-01 15:38 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-09-17 05:53 - 2012-07-26 12:19 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents

2014-09-16 18:36 - 2013-08-02 12:39 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\vlc

2014-09-16 12:15 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\AUInstallAgent

2014-09-10 15:08 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\Web

2014-09-10 07:09 - 2014-03-29 06:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-09-10 07:09 - 2014-03-29 06:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware

2014-09-08 23:00 - 2013-07-30 14:23 - 00000000 ____D () C:\Users\Vidya Samson

2014-09-08 22:57 - 2014-02-12 09:30 - 00000000 ____D () C:\Program Files\AdwareRemovalToolv3.7

2014-09-08 22:45 - 2014-02-17 12:12 - 00000000 ____D () C:\Program Files\Mozilla Firefox

 

Some content of TEMP:

====================

C:\Users\Vidya Samson\AppData\Local\temp\converter.exe

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.dll

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.exe

 

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-10-06 08:23

 

==================== End Of Log ============================


What did Malwarebytes Anti-Malware and AdwCleaner find?

 

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.

Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

 

start

CloseProcesses:

C:\Users\Vidya Samson\AppData\Local\temp\converter.exe

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.dll

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.exe

 

EmptyTemp:

Hosts:

End

Open FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Can you please post these logs when finished?

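The FRST log in the first post and the fixlist the helper wrote from it are the whole workflow of this thread: read FRST.txt, pick out what does not belong, script it, and read Fixlog.txt back. The Python below is an added example written for this edit; it is not code from FRST, from Farbar, or from anyone posting in the thread. It parses a constructed sample in the shape of the posted log, flags the three kinds of entry a reviewer looks at first (executables under a temp folder, entries whose publisher field is the empty "()", and a nameless Run value that FRST marks [X]), drafts a fixlist.txt in the directive format used above, and checks Fixlog.txt result lines for any listed path not reported as moved. The sample log and sample fixlog are constructed from lines in this thread; the regular expressions and the `Finding` record are my own and assume the line shapes this 2014 version of FRST produced.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log and draft a fixlist.

Added example, not code from FRST or from anyone in this thread: pull loose
executables under the user's temp folder out of FRST.txt, flag empty-publisher
entries, draft fixlist.txt in FRST's directive format, read Fixlog.txt back.
"""
import re
from collections import namedtuple

# Constructed sample in the shape of the FRST.txt posted in the thread (a few of its lines).
SAMPLE_FRST_LOG = """\
==================== Processes (Whitelisted) =================
(Mozilla Corporation) C:\\Program Files\\Mozilla Firefox\\firefox.exe
() C:\\Program Files\\WinRAR\\WinRAR.exe
() C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\Rar$EX00.872\\Everything-1.2.1.371.exe

==================== Registry (Whitelisted) ==================
HKLM\\...\\Run: [PDFPrint] => C:\\Program Files\\PDF24\\pdf24.exe [191528 2014-07-04] (Geek Software GmbH)
HKLM\\...\\Run: [] => [X]

==================== Drivers (Whitelisted) ====================
R3 MTsensor; C:\\Windows\\system32\\DRIVERS\\ASACPI.sys [16256 2013-05-17] ()

Some content of TEMP:
====================
C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\converter.exe
C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\ochelper.dll
C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\ochelper.exe
"""

# Constructed sample of the Fixlog.txt result lines shown later in the thread.
SAMPLE_FIXLOG = """\
C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\converter.exe => Moved successfully.
C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\ochelper.dll => Moved successfully.
C:\\Users\\Vidya Samson\\AppData\\Local\\temp\\ochelper.exe => Moved successfully.
EmptyTemp: => Removed 180.9 MB temporary data.
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                  # "==== Name ===="
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\r\n]+?\.(?:exe|dll|sys|ocx|scr)(?=\s|$)", re.I)
LEADING_PUB_RE = re.compile(r"^\((.*?)\)\s+(?=[A-Za-z]:\\)")   # "(Vendor) C:\..." process lines
TRAILING_PUB_RE = re.compile(r"\((.*?)\)\s*$")                # "... [size date] (Vendor)" entries
DANGLING_RUN_RE = re.compile(r"Run: \[\] => \[X\]")           # nameless Run value, marked [X] by FRST
FIXLOG_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<result>.+)$")
Finding = namedtuple("Finding", "section path publisher reasons")  # publisher None: no field on the line

def parse_sections(text):
    """Split an FRST log into {section name: [non-empty body lines]}."""
    sections, current, lines = {}, None, text.splitlines()
    for i, line in enumerate(lines):
        if line and set(line) == {"="}:              # bare underline, nothing to keep
            continue
        m = HEADER_RE.match(line)
        underlined = (line.strip() and i + 1 < len(lines)
                      and lines[i + 1] and set(lines[i + 1]) == {"="})
        if m or underlined:                           # "==== X ====" or "X:" over "===="
            current = m.group(1) if m else line.rstrip(":")
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def publisher_of(line):
    """Text inside FRST's publisher parentheses; "" when FRST printed "()"."""
    m = LEADING_PUB_RE.search(line) or TRAILING_PUB_RE.search(line)
    return m.group(1) if m else None

def triage(text):
    """Entries to look at first: code under temp, empty publisher, dangling Run value."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            if DANGLING_RUN_RE.search(line):
                findings.append(Finding(section, None, None, ("nameless Run value marked [X]",)))
                continue
            m = PATH_RE.search(line)
            if not m:
                continue
            path, publisher, reasons = m.group(0), publisher_of(line), []
            if "\\temp\\" in path.lower():
                reasons.append("executable code under a temp folder")
            if publisher == "":
                reasons.append("empty publisher field")
            if reasons:
                findings.append(Finding(section, path, publisher, tuple(reasons)))
    return findings

def build_fixlist(paths):
    """Draft fixlist.txt: files after CloseProcesses: are closed if running and moved to
    C:\\FRST\\Quarantine by Fix; EmptyTemp: clears temp folders; Hosts: resets the hosts file."""
    return "\n".join(["start", "CloseProcesses:", *paths, "", "EmptyTemp:", "Hosts:", "End"]) + "\n"

def unresolved(fixlog_text, paths):
    """Fixlist paths that Fixlog.txt does not report as 'Moved successfully.'"""
    results = {m["path"]: m["result"]
               for m in map(FIXLOG_RE.match, fixlog_text.splitlines()) if m}
    return [p for p in paths if results.get(p) != "Moved successfully."]

if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LOG)
    temp_paths = [f.path for f in found if f.section == "Some content of TEMP"]
    print(*found, build_fixlist(temp_paths), "unresolved:", unresolved(SAMPLE_FIXLOG, temp_paths), sep="\n")
```

Only the TEMP section is copied into the fixlist, as the helper did; the flagged process entries (here WinRAR and the archive the user extracted with it) are listed for a human to judge, not scripted. "Moved successfully" means exactly that: FRST moves the file into C:\FRST\Quarantine rather than deleting it, so it can be restored or submitted for analysis, and nothing in this fixlist removes whatever wrote the file to the temp folder in the first place.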

Thanks. I ran Farbar and the log says ochelper.exe Moved successfully. What does that mean? Is it gone forever or will it return the next time I use CutePDF? I don’t think I pressed any fix-it or delete button for Farbar; I just saw the log. Should I uninstall CutePDF?

 

Then I ran Malwarebytes and it found:

 

Files: 2

Trojan.Agent, c:\Users\Default\AppData\Roaming\skype.dat, , [b7cef5fa59229f97786b0a30e81c0af6],

Trojan.Agent, c:\Users\Vidya Samson\AppData\Roaming\skype.dat, , [ef96727dadcec274944ff7437a8a7d83],

 

 

I quarantined it. Can you please help me get rid of this once and for all? I downloaded Skype YEARS ago. Never used it. And since Malwarebytes showed a result like this some time ago too, I'm pretty sure I uninstalled Skype. I did a search with the program Everything and I can't find Skype anywhere on my computer, so why does Malwarebytes keep finding it every time I run Malwarebytes?

 

The logs:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-10-2014

Ran by Vidya Samson at 2014-10-06 20:37:30 Run:2

Running from C:\Users\Vidya Samson\Desktop

Loaded Profile: Vidya Samson (Available profiles: Vidya Samson)

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

start

CloseProcesses:

C:\Users\Vidya Samson\AppData\Local\temp\converter.exe

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.dll

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.exe

 

EmptyTemp:

Hosts:

End

*****************

 

Processes closed successfully.

C:\Users\Vidya Samson\AppData\Local\temp\converter.exe => Moved successfully.

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.dll => Moved successfully.

C:\Users\Vidya Samson\AppData\Local\temp\ochelper.exe => Moved successfully.

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.

Hosts was reset successfully.

EmptyTemp: => Removed 180.9 MB temporary data.

 

 

The system needed a reboot.

 

==== End of Fixlog ====

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 10/6/2014

Scan Time: 9:17:46 PM

Logfile: malware.txt

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.10.06.06

Rootkit Database: v2014.09.19.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 8

CPU: x86

File System: NTFS

User: Vidya Samson

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 300722

Time Elapsed: 9 min, 27 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 2

Trojan.Agent, c:\Users\Default\AppData\Roaming\skype.dat, , [b7cef5fa59229f97786b0a30e81c0af6],

Trojan.Agent, c:\Users\Vidya Samson\AppData\Roaming\skype.dat, , [ef96727dadcec274944ff7437a8a7d83],

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

# AdwCleaner v2.303 - Logfile created 10/06/2014 at 21:33:46

# Updated 08/06/2013 by Xplode

# Operating system : Windows 8 Enterprise (32 bits)

# User : Vidya Samson - VIDYA

# Boot Mode : Normal

# Running from : C:\Users\Vidya Samson\Desktop\AdwCleaner.exe

# Option [search]

 

 

***** [services] *****

 

 

***** [Files / Folders] *****

 

 

***** [Registry] *****

 

 

***** [internet Browsers] *****

 

-\\ Internet Explorer v10.0.9200.16537

 

[OK] Registry is clean.

 

-\\ Mozilla Firefox v31.0 (x86 en-US)

 

*************************

 

AdwCleaner[R11].txt - [681 octets] - [08/09/2014 23:01:18]

AdwCleaner[R12].txt - [612 octets] - [06/10/2014 21:33:46]

AdwCleaner[s9].txt - [861 octets] - [08/09/2014 23:02:48]

 

########## EOF - C:\AdwCleaner[R12].txt - [731 octets] ##########


Malwarebytes should have been able to quarantine what it found. We can scan again using FRST to try to locate other files.

I ran Farbar and the log says ochelper.exe Moved successfully. What does that mean?

I scripted out a bad file, C:\Users\Vidya Samson\AppData\Local\temp\ochelper.exe.

As you can see, it was located in your temp folder.

 

Let's do this. Since your first Farbar Recovery Scan Tool log was incomplete, I want you to run another log.

 

Drag the fixlist.txt I had you create earlier to the recycle bin.

 

~~~~~~~~~~~~~~~~~~~~~~

  • Run FRST
  • Don't change the checkboxes, just click on Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt
  • Please make sure there is a check mark next to Addition.txt. Please also paste that along with the FRST.txt into your reply.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-10-2014

Ran by Vidya Samson (administrator) on VIDYA on 07-10-2014 17:11:22

Running from C:\Users\Vidya Samson\Desktop

Loaded Profile: Vidya Samson (Available profiles: Vidya Samson)

Platform: Microsoft Windows 8 Enterprise (X86) OS Language: English (United States)

Internet Explorer Version 10

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE

(Aladdin Knowledge Systems, Ltd.) C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe

(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\OPSSVC.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\QUHLPSVC.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\SCANWSCS.EXE

(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\ONLINENT.EXE

(Aladdin Knowledge Systems, Ltd.) C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe

(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Geek Software GmbH) C:\Program Files\PDF24\pdf24.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

(CANON INC.) C:\Windows\System32\CNAB4RPK.EXE

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe

(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe

(Quick Heal Technologies (P) Ltd.) C:\Program Files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE

(Microsoft Corporation) C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE

(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

(Microsoft Corporation) C:\Windows\splwow64.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe

(Farbar) C:\Users\Vidya Samson\Desktop\FRST 2.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [Quick Heal Core UI] => C:\Program Files\Quick Heal\Quick Heal Total Security\strtupap.exe [161264 2012-08-04] (Quick Heal Technologies (P) Ltd.)

HKLM\...\Run: [eTMonitor] => C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe [230752 2009-11-15] (Aladdin Knowledge Systems, Ltd.)

HKLM\...\Run: [] => [X]

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)

HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM\...\Run: [PDFPrint] => C:\Program Files\PDF24\pdf24.exe [191528 2014-07-04] (Geek Software GmbH)

HKU\S-1-5-21-2261785502-2541491869-2394418403-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1

Startup: C:\Users\Vidya Samson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

ShellIconOverlayIdentifiers: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

BootExecute: autocheck autochk * C:\PROGRA~1\QUICKH~1\QUICKH~1\PCTuner\ntdefrag.exe

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

SearchScopes: HKLM - DefaultScope value is missing.

BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll (IvoSoft)

Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

 

FireFox:

========

FF ProfilePath: C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default

FF Homepage: hxxp://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()

FF Plugin: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF Plugin: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin: @videolan.org/vlc,version=2.0.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Extension: EPUBReader - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2014-08-22]

FF Extension: ImageBlock - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\imageblock@hemantvats.com.xpi [2014-02-17]

FF Extension: Lightbeam - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2014-02-23]

FF Extension: NoScript - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-03-30]

FF Extension: Adblock Plus - C:\Users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-03-30]

 

Chrome:

=======

 

========================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 Core Mail Protection; C:\Program Files\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE [29680 2012-07-28] (Quick Heal Technologies (P) Ltd.)

S2 Core Scanning Server; C:\Program Files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [206320 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 Core Scanning ServerEx; C:\Program Files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [206320 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 eTSrv; C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe [12640 2009-11-15] (Aladdin Knowledge Systems, Ltd.)

R2 Online Protection System; C:\Program Files\Quick Heal\Quick Heal Total Security\opssvc.exe [25584 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 Quick Update Service; C:\Program Files\Quick Heal\Quick Heal Total Security\quhlpsvc.exe [91120 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R2 ScanWscS; C:\Program Files\Quick Heal\Quick Heal Total Security\SCANWSCS.EXE [243320 2012-08-09] (Quick Heal Technologies (P) Ltd.)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13344 2013-01-29] (Microsoft Corporation)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R3 AKSIFDH; C:\Windows\system32\DRIVERS\aksifdh.sys [48296 2008-07-29] (Aladdin Knowledge Systems, Ltd.)

R1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-26] (Microsoft Corporation)

R2 catflt; C:\Windows\System32\DRIVERS\catflt.sys [45672 2014-03-05] (Quick Heal Technologies (P) Ltd.)

R2 EMLSS; C:\Windows\System32\drivers\emltdi.sys [29424 2012-08-04] (Quick Heal Technologies (P) Ltd.)

R1 ggc; C:\Windows\System32\DRIVERS\ggc.sys [49904 2012-07-28] (Quick Heal Technologies (P) Ltd.)

S3 llio; C:\Windows\system32\DRIVERS\llio.sys [58728 2014-03-27] (Quick Heal Technologies (P) Ltd.)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-07] (Malwarebytes Corporation)

S0 mscank; C:\Windows\System32\DRIVERS\mscank.sys [33136 2012-07-28] (Quick Heal Technologies (P) Ltd.)

R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [16256 2013-05-17] ()

R1 wsnf; C:\Windows\system32\DRIVERS\wsnf.sys [38856 2012-07-10] (Quick Heal Technologies (P) Ltd.)

R1 wstif; C:\Windows\System32\drivers\wstif.sys [68448 2012-08-06] (Quick Heal Technologies (P) Ltd.)

 

==================== NetSvcs (Whitelisted) ===================

 

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-07 17:11 - 2014-10-07 17:11 - 00011076 _____ () C:\Users\Vidya Samson\Desktop\FRST.txt

2014-10-07 07:11 - 2014-10-07 07:11 - 00000350 _____ () C:\Windows\PFRO.log

2014-10-06 21:36 - 2014-10-07 12:30 - 00087121 _____ () C:\Windows\WindowsUpdate.log

2014-10-06 21:36 - 2014-10-06 21:36 - 00460312 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-10-06 21:34 - 2014-10-06 21:35 - 00000860 _____ () C:\AdwCleaner[s10].txt

2014-10-06 21:33 - 2014-10-06 21:33 - 00000800 _____ () C:\AdwCleaner[R12].txt

2014-10-06 21:29 - 2014-10-06 21:29 - 00001220 _____ () C:\Users\Vidya Samson\Desktop\malware.txt

2014-10-06 21:27 - 2014-10-06 21:27 - 00001220 _____ () C:\malware.txt

2014-10-06 11:38 - 2014-10-06 11:38 - 01101312 _____ (Farbar) C:\Users\Vidya Samson\Desktop\FRST 2.exe

2014-10-06 10:44 - 2014-10-06 10:44 - 00001823 _____ () C:\Users\Public\Desktop\PDF24 Creator.lnk

2014-10-06 10:44 - 2014-10-06 10:44 - 00001803 _____ () C:\Users\Public\Desktop\PDF24 Fax.lnk

2014-10-06 10:44 - 2014-10-06 10:44 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\PDF24

2014-10-06 10:44 - 2014-10-06 10:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF24

2014-10-06 10:43 - 2014-10-06 10:44 - 00000000 ____D () C:\Program Files\PDF24

2014-10-06 10:42 - 2014-10-06 10:43 - 16319576 _____ (Geek Software GmbH ) C:\Users\Vidya Samson\Desktop\pdf24-creator-6.7.0.exe

2014-10-05 15:27 - 2014-10-05 15:27 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\PDF Writer

2014-10-05 15:27 - 2014-10-05 15:27 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\PDF Writer

2014-10-05 15:23 - 2014-10-05 15:26 - 00000000 ____D () C:\ProgramData\PDF Writer

2014-10-05 15:23 - 2014-10-05 15:23 - 00001081 _____ () C:\Users\Vidya Samson\Desktop\Bullzip PDF Printer.lnk

2014-10-05 15:23 - 2014-10-05 15:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bullzip

2014-10-05 15:23 - 2014-10-05 15:23 - 00000000 ____D () C:\Program Files\Common Files\Bullzip

2014-10-05 15:23 - 2014-10-05 15:23 - 00000000 ____D () C:\Program Files\Bullzip

2014-10-05 15:23 - 2014-09-03 14:16 - 00147456 _____ (Bullzip) C:\Windows\system32\bzpdfc.dll

2014-10-05 15:23 - 2013-09-01 16:29 - 01103872 _____ () C:\Windows\system32\CBLCtlsU.ocx

2014-10-05 15:23 - 2013-07-13 15:45 - 00805376 _____ () C:\Windows\system32\EditCtlsU.ocx

2014-10-05 15:23 - 2013-07-13 02:27 - 00539648 _____ () C:\Windows\system32\LblCtlsU.ocx

2014-10-05 15:23 - 2013-04-05 17:25 - 00476160 _____ () C:\Windows\system32\TabStripCtlU.ocx

2014-10-05 15:23 - 2013-03-29 02:43 - 00645632 _____ () C:\Windows\system32\BtnCtlsU.ocx

2014-10-05 15:23 - 2013-03-03 18:07 - 01061888 _____ () C:\Windows\system32\ExLvwU.ocx

2014-10-05 15:23 - 2008-10-30 14:16 - 00227840 _____ (Bullzip) C:\Windows\system32\bzFlRdr.dll

2014-10-05 15:23 - 2008-07-09 14:16 - 00103424 _____ (Bullzip) C:\Windows\system32\bzDCT.dll

2014-10-05 15:23 - 1999-05-07 03:30 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\comdlg32.OCX

2014-10-05 15:21 - 2014-10-05 15:22 - 07012872 _____ (Bullzip ) C:\Users\Vidya Samson\Desktop\Setup_BullzipPDFPrinter_10_8_0_2282_FREE.exe

2014-09-28 15:15 - 2014-09-28 15:15 - 01060864 _____ (Microsoft Corporation) C:\Windows\system32\mfc71.dll

2014-09-28 15:15 - 2014-09-28 15:15 - 00348160 _____ (Microsoft Corporation) C:\Windows\system32\msvcr71.dll

2014-09-24 19:04 - 2014-09-24 20:33 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CutePDF Writer

2014-09-24 18:47 - 2014-09-24 20:24 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CustomStamp

2014-09-24 18:33 - 2014-09-28 15:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo

2014-09-24 18:33 - 2014-09-24 18:33 - 00000000 ____D () C:\Program Files\GPLGS

2014-09-24 18:32 - 2014-09-24 18:32 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\Comodo

2014-09-24 18:28 - 2013-10-23 14:23 - 00089136 _____ () C:\Windows\system32\cpwmon2k.dll

2014-09-24 18:27 - 2014-09-24 18:27 - 02003352 _____ (Acro Software Inc. ) C:\Users\Vidya Samson\Desktop\CuteWriter.exe

2014-09-24 17:18 - 2014-09-24 21:44 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CutePDF_Pro

2014-09-24 17:18 - 2014-09-24 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CutePDF

2014-09-24 17:18 - 2014-09-24 18:28 - 00000000 ____D () C:\Program Files\Acro Software

2014-09-24 17:18 - 2014-09-24 17:18 - 00001239 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\CutePDF Pro (Evaluation).lnk

2014-09-24 17:18 - 2014-09-24 17:18 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CutePDF

2014-09-24 17:17 - 2014-09-24 17:18 - 04073784 _____ (Acro Software Inc. ) C:\Users\Vidya Samson\Desktop\CutePDFEvl.exe

2014-09-10 07:09 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-09-10 06:53 - 2014-10-07 16:57 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-09-09 21:03 - 2014-09-09 21:03 - 00056533 _____ () C:\Users\Vidya Samson\Desktop\INCOME TAX.zip

2014-09-08 23:02 - 2014-09-08 23:03 - 00000861 _____ () C:\AdwCleaner[s9].txt

2014-09-08 23:01 - 2014-09-08 23:01 - 00000681 _____ () C:\AdwCleaner[R11].txt

2014-09-07 08:36 - 2014-09-07 08:36 - 00000499 _____ () C:\Users\Vidya Samson\Desktop\Kindle Checklist.htm

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-07 17:11 - 2014-02-15 14:50 - 00000000 ____D () C:\FRST

2014-10-07 16:57 - 2013-08-02 15:50 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\ClassicShell

2014-10-07 16:52 - 2013-07-31 22:59 - 00000000 ____D () C:\Users\Vidya Samson\Desktop\files to save on CD 2

2014-10-07 16:30 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\system32\sru

2014-10-07 16:16 - 2013-07-30 14:46 - 00000468 _____ () C:\Windows\Tasks\Resume Quickup Download.job

2014-10-07 15:12 - 2013-10-21 21:41 - 00000000 ____D () C:\Users\Vidya Samson\Desktop\SAMSON 2

2014-10-07 14:16 - 2013-07-30 14:46 - 00000492 _____ () C:\Windows\Tasks\Quick Heal AntiMalware Scan.job

2014-10-07 10:07 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\Microsoft.NET

2014-10-07 07:22 - 2013-07-30 14:32 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-10-07 07:17 - 2012-07-26 11:34 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-10-06 21:31 - 2014-02-12 09:30 - 00000000 ____D () C:\Program Files\AdwareRemovalToolv3.7

2014-10-06 21:21 - 2014-02-19 09:01 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\CrashDumps

2014-10-06 10:44 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\system32\FxsTmp

2014-10-01 07:35 - 2013-07-30 14:33 - 00000000 ____D () C:\Windows\system32\gprodat

2014-09-30 22:27 - 2012-07-26 09:47 - 00262144 ___SH () C:\Windows\system32\config\BBI

2014-09-30 15:25 - 2014-01-16 13:25 - 00815240 _____ () C:\Users\Vidya Samson\Desktop\imbl and bbb.zip

2014-09-28 15:33 - 2013-11-08 11:04 - 00002228 _____ () C:\Users\Vidya Samson\Desktop\Kindle.lnk

2014-09-28 15:25 - 2014-02-14 22:08 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\Wise Care 365

2014-09-28 15:25 - 2014-02-14 21:55 - 00000000 ____D () C:\Program Files\Wise

2014-09-19 16:31 - 2014-08-01 15:38 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-09-17 05:53 - 2012-07-26 12:19 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents

2014-09-16 18:36 - 2013-08-02 12:39 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Roaming\vlc

2014-09-16 12:15 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\AUInstallAgent

2014-09-10 15:08 - 2012-07-26 12:23 - 00000000 ____D () C:\Windows\Web

2014-09-10 07:09 - 2014-03-29 06:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-09-10 07:09 - 2014-03-29 06:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware

2014-09-08 23:00 - 2013-07-30 14:23 - 00000000 ____D () C:\Users\Vidya Samson

2014-09-08 22:45 - 2014-02-17 12:12 - 00000000 ____D () C:\Program Files\Mozilla Firefox

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-10-06 08:23

 

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 06-10-2014

Ran by Vidya Samson at 2014-10-07 17:12:28

Running from C:\Users\Vidya Samson\Desktop

Boot Mode: Normal

==========================================================

 

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AV: Quick Heal Total Security 2013 (Enabled - Up to date) {D8418B0E-EE80-1320-B172-3D5DEB3CE14F}

AS: Quick Heal Total Security 2013 (Enabled - Up to date) {63206AEA-C8BA-1CAE-8BC2-062F90BBABF2}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Quick Heal Firewall (Enabled) {E07A0A2B-A4EF-1278-9A2D-946815EFA634}

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)

Amazon Kindle (HKCU\...\Amazon Kindle) (Version: - Amazon)

Bullzip PDF Printer 10.8.0.2282 (HKLM\...\Bullzip PDF Printer_is1) (Version: 10.8.0.2282 - Bullzip)

Canon LBP2900 (HKLM\...\Canon LBP2900) (Version: - )

CCleaner (HKLM\...\CCleaner) (Version: 4.10 - Piriform)

Classic Shell (HKLM\...\{0E050520-CE46-49C7-B34F-089D06D69E93}) (Version: 3.9.0 - IvoSoft)

CutePDF Professional 3.71 (Evaluation) (HKLM\...\CutePDF Professional (Evaluation)_is1) (Version: - Acro Software Inc.)

CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - Acro Software Inc.)

eToken PKI Client 5.1 SP1 (HKLM\...\{3909BE71-2D8F-42D2-BA46-3831B60CFD0F}) (Version: 5.1.57.0 - Aladdin Knowledge Systems Ltd.)

Final Draft 5 (HKLM\...\Final Draft 5) (Version: - )

Java Auto Updater (Version: 2.0.6.1 - Sun Microsystems, Inc.) Hidden

Java 6 Update 30 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216030FF}) (Version: 6.0.300 - Oracle)

Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)

Microsoft Encarta Reference Library 2003 (HKLM\...\{034100E1-3975-4267-9F39-1DC4745090B7}) (Version: 2003 - Microsoft Corporation)

Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)

Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000 - Microsoft Corporation) Hidden

Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version: - )

Mozilla Firefox 31.0 (x86 en-US) (HKLM\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)

Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)

Nero 7 Essentials (HKLM\...\{9B4E6CB9-E54D-47F7-A414-E2D5740E1033}) (Version: 7.02.8507 - Nero AG)

neroxml (Version: 1.0.0 - Nero AG) Hidden

OpenOffice.org 3.1 (HKLM\...\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}) (Version: 3.1.9399 - OpenOffice.org)

PDF24 Creator 6.7.0 (HKLM\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org)

Quick Heal Total Security (HKLM\...\Quick Heal Total Security) (Version: 14.00 - Quick Heal Technologies Pvt. Ltd.)

Quick Heal Total Security (Version: 14.00 - Quick Heal) Hidden

Scriptware for Windows (HKLM\...\Scriptware for Windows) (Version: - )

Shockwave (HKLM\...\Shockwave) (Version: - )

UBitMenu UK (HKLM\...\{C8748FFB-1713-4e95-B3DF-4F1622D96F93}_is1) (Version: 01.04 - UBit Schweiz AG)

VLC media player 2.0.3 (HKLM\...\VLC media player) (Version: 2.0.3 - VideoLAN)

WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )

 

==================== Custom CLSID (selected items): ==========================

 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{5100FEC1-212B-4BF5-9BF8-3E650FD794A3}\localserver32 -> C:\Program Files\Mozilla Firefox\CommandExecuteHandler.exe No File

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\Windows\system32\msxml4.dll (Microsoft Corporation)

 

==================== Restore Points =========================

 

19-09-2014 23:31:00 Scheduled Checkpoint

28-09-2014 00:47:54 Scheduled Checkpoint

06-10-2014 02:54:49 Scheduled Checkpoint

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2012-07-26 09:47 - 2014-10-07 16:57 - 00000035 ____A C:\Windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

 

Task: {1925A6D0-594B-4651-9F38-3E897FBB3AD7} - System32\Tasks\Resume Quickup Download => C:\Program Files\Quick Heal\Quick Heal Total Security\ACAPPAA.EXE [2014-02-05] (Quick Heal Technologies (P) Ltd.)

Task: {1E84DCB8-8C84-4436-A108-209A65086823} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList

Task: {1E892F61-E935-4D8E-919C-5ADD78DBF028} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2014-08-01] ()

Task: {40D8EB14-DD52-4C82-B0EC-62002AD333BA} - System32\Tasks\v => C:\Program Files\Quick Heal\Quick Heal Total Security\fbsch.exe [2012-07-28] (Quick Heal Technologies (P) Ltd.)

Task: {545C008C-4471-44F8-AD15-96CB8BB2BB0C} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState

Task: {56F59500-C4D1-4720-859F-13B4998AA792} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask

Task: {99768757-32DC-4E02-BE1E-2FE4783695EE} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing

Task: {9E226DCD-D634-4B29-A509-6A98CF3CCD06} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-01-21] (Piriform Ltd)

Task: {DEE9BD39-3CE6-43B5-8F58-474F9095BBA1} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => C:\Windows Activation Technologies\wat.exe [2006-04-21] ()

Task: {EF439AFE-12AD-457D-9E8E-BA44A01718C4} - System32\Tasks\Quick Heal AntiMalware Scan => C:\Program Files\Quick Heal\Quick Heal Total Security\ASMAIN.EXE [2012-07-28] (Quick Heal Technologies (P) Ltd.)

Task: {EF9592CE-7796-47A6-9CD5-8630640D45BB} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

Task: C:\Windows\Tasks\Quick Heal AntiMalware Scan.job => C:\Program Files\Quick Heal\Quick Heal Total Security\ASMAIN.EXE

Task: C:\Windows\Tasks\Resume Quickup Download.job => C:\Program Files\Quick Heal\Quick Heal Total Security\ACAPPAA.EXE

 

==================== Loaded Modules (whitelisted) =============

 

2014-09-24 18:28 - 2013-10-23 14:23 - 00089136 _____ () C:\Windows\System32\cpwmon2k.dll

2011-08-06 06:58 - 2011-08-06 06:58 - 00036864 _____ () C:\Program Files\Quick Heal\Quick Heal Total Security\SCANAPI.DLL

2012-08-23 02:50 - 2014-10-07 07:22 - 00573528 _____ () C:\Program Files\Quick Heal\Quick Heal Total Security\scansdk.dll

2012-08-25 09:27 - 2014-10-07 07:22 - 00323674 _____ () C:\Program Files\Quick Heal\Quick Heal Total Security\platform.dll

2012-01-07 00:32 - 2014-10-07 07:22 - 00036952 _____ () C:\Program Files\Quick Heal\Quick Heal Total Security\filesdk.dll

2009-09-22 11:13 - 2009-09-22 11:13 - 00020480 _____ () C:\Program Files\Quick Heal\Quick Heal Total Security\DRVCOMM.DLL

2010-01-09 20:18 - 2010-01-09 20:18 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

2010-01-21 01:34 - 2010-01-21 01:34 - 08793952 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

2013-07-29 23:56 - 2006-09-14 12:50 - 00126464 _____ () C:\Program Files\WinRAR\rarext.dll

2007-03-27 20:04 - 2007-03-27 20:04 - 01466368 ____R () C:\Program Files\Aladdin\eToken\PKIClient\x32\QtCore4.dll

2007-03-27 20:04 - 2007-03-27 20:04 - 05529600 ____R () C:\Program Files\Aladdin\eToken\PKIClient\x32\QtGui4.dll

2007-03-29 15:11 - 2007-03-29 15:11 - 00217088 _____ () C:\Program Files\Aladdin\eToken\PKIClient\x32\QtXml4.dll

2007-03-27 20:06 - 2007-03-27 20:06 - 00131072 ____R () C:\Program Files\Aladdin\eToken\PKIClient\x32\plugins\imageformats\qjpeg1.dll

2014-02-17 12:12 - 2014-07-30 15:55 - 03800688 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

2014-03-06 13:30 - 2014-03-06

Link to comment
Share on other sites

Have you had Comodo Security on the computer before? These could be old files, but before I have you remove them I need to know they are not needed.

 

2014-09-24 18:33 - 2014-09-28 15:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo

2014-09-24 18:32 - 2014-09-24 18:32 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\Comodo

 

The dates show this has been recent.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~

 

C:\Windows\AutoKMS\AutoKMS.exe <-- this is concerning.

AutoKMS.exe was a keygen created to activate illegal copies of Microsoft Office. It itself probably isn't a virus or security threat, but many antivirus companies flag such cracks/keygens as "potentially unwanted software" or "hacktools".

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner, the most reliable and thorough.

The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.

This scanner can take quite a bit of time to run, depending, of course, on how full your computer is.

 

 

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: for browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button.
  • Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications.
  • Click on Advanced Settings.
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start.
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file...".
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan.
*************************************
Link to comment
Share on other sites
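A small triage script, added here and not part of FRST or of this thread, that automates the check the reply above did by eye: it walks FRST entries and flags binaries whose trailing publisher field is empty `()` (as with AutoKMS.exe and the ASACPI.sys driver) or whose target is reported `No File`. The sample lines are copied from the log posted in this thread; the two line-shape regexes and the list of extensions worth a second look are my assumptions about the FRST output format, not FRST's own parser.

```python
"""Triage of Farbar Recovery Scan Tool (FRST) log lines.

Added illustration, not part of FRST or of this thread. FRST prints the file's
publisher in parentheses next to most paths; an empty "()" means FRST found no
publisher/signature data, which is what made AutoKMS.exe stand out above.
The regexes below are an assumption about the FRST line layout, not FRST's code.
"""
import ntpath
import re

# A publisher field, allowing one level of nested parentheses such as
# "(Quick Heal Technologies (P) Ltd.)".
PUBLISHER = r"(?P<publisher>(?:[^()]|\([^()]*\))*)"

# Entry shapes where the publisher trails the path, e.g.
#   ... => C:\dir\file.exe [2014-08-01] ()
#   R3 name; C:\dir\driver.sys [16256 2013-05-17] (Vendor)
TAIL_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\[^\[\]]+?)"        # Windows path, may contain spaces
    r"(?:\s+\[(?P<meta>[^\]]*)\])?"           # optional [size date] / [date]
    r"(?:\s+\(" + PUBLISHER + r"\))?"         # optional trailing (Publisher)
    r"\s*$"
)
# Entry shapes where the publisher precedes the path (process and file lists), e.g.
#   (Farbar) C:\Users\...\FRST.exe
#   2014-09-24 18:28 - ... - 00089136 _____ () C:\Windows\system32\cpwmon2k.dll
LEAD_RE = re.compile(r"\(" + PUBLISHER + r"\)\s+(?P<path>[A-Za-z]:\\.+?)\s*$")

NO_FILE = " No File"
# Extensions worth a second look when they carry no publisher; .log/.txt/.lnk
# files also show "()" in the file lists and are just noise for this check.
BINARY_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".com"}

UNSIGNED = "no publisher field: unsigned binary, verify by hand"
MISSING_TARGET = "target file missing: dangling registry or task reference"


def parse_entry(line):
    """Return {'path', 'publisher', 'no_file'} for an FRST line, or None.

    publisher is None when the line carries no publisher field at all and ''
    when FRST printed an empty "()".
    """
    text = line.strip()
    no_file = text.endswith(NO_FILE)
    if no_file:
        text = text[: -len(NO_FILE)].rstrip()
    tail = TAIL_RE.search(text)
    lead = LEAD_RE.search(text)
    if tail is None and lead is None:
        return None            # no drive-letter path, e.g. Rundll32 tasks or [X]
    # Prefer whichever shape actually yielded a publisher field.
    if lead is not None and (tail is None or tail.group("publisher") is None):
        match = lead
    else:
        match = tail
    return {"path": match.group("path"),
            "publisher": match.group("publisher"),
            "no_file": no_file}


def triage(lines):
    """Return [(path, reason)] for entries a helper would want to look at."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        ext = ntpath.splitext(entry["path"])[1].lower()
        if entry["no_file"]:
            findings.append((entry["path"], MISSING_TARGET))
        elif entry["publisher"] == "" and ext in BINARY_EXT:
            findings.append((entry["path"], UNSIGNED))
    return findings


# Sample lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
Task: {1E892F61-E935-4D8E-919C-5ADD78DBF028} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2014-08-01] ()
Task: {9E226DCD-D634-4B29-A509-6A98CF3CCD06} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-01-21] (Piriform Ltd)
Task: {1E84DCB8-8C84-4436-A108-209A65086823} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
HKLM\...\Run: [PDFPrint] => C:\Program Files\PDF24\pdf24.exe [191528 2014-07-04] (Geek Software GmbH)
HKLM\...\Run: [] => [X]
R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [16256 2013-05-17] ()
CustomCLSID: HKU\S-1-5-21-2261785502-2541491869-2394418403-1001_Classes\CLSID\{5100FEC1-212B-4BF5-9BF8-3E650FD794A3}\localserver32 -> C:\Program Files\Mozilla Firefox\CommandExecuteHandler.exe No File
(Farbar) C:\Users\Vidya Samson\Desktop\FRST 2.exe
2014-10-07 07:11 - 2014-10-07 07:11 - 00000350 _____ () C:\Windows\PFRO.log
2014-09-24 18:28 - 2013-10-23 14:23 - 00089136 _____ () C:\Windows\system32\cpwmon2k.dll
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{reason:60s} {path}")
```

The flags are a reading list, not verdicts: an empty publisher field only says the binary carries no embedded publisher data, which is why the reply above still asks for an ESET scan before anything is removed.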

No, as I said, about 10 days ago I downloaded CutePDF and it also installed the Comodo Dragon browser though I had unticked the option.

 

So is Comodo some malware? I'm sure I uninstalled it. But has it left traces?

 

SHOULD I UNINSTALL CUTE PDF?

 

Before I download anything further, is there no way to remove this Comodo with the tools I already have, like Quick Heal AV or Malwarebytes etc.?

 

In a hurry now; will read properly what you said about Eset etc.


Yes, please uninstall CutePDF.

 

"If" the files related to Comodo are malicious, I don't know why Quick Heal AV didn't find them. As far as those files being related to a Comodo Dragon browser hijacker goes, scans you ran before asking for help might have removed them; I don't know, but the extensions that should be related to the infection are what I'm not finding.

We do see Comodo Internet Security; that's why I had asked if that had been on the machine.

With the tools you have already downloaded to your computer, FRST is the only one with which we can designate files to be removed.

Malwarebytes could have removed part or all of this, but without seeing the very first logs you ran I cannot tell.

 

 

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.

Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CloseProcesses:
SearchScopes: HKLM - DefaultScope value is missing.
2014-09-24 18:33 - 2014-09-28 15:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
2014-09-24 18:32 - 2014-09-24 18:32 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\Comodo
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

~~~~~

 

Also, please run the Eset scan and post the log it creates too.

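To check whether the fix above actually took, here is an added PowerShell example. It is not from this thread and is not part of FRST; it re-inspects the three things the fixlist touched: the two leftover Comodo folders, the Internet Explorer SearchScopes DefaultScope value, and the hosts file. It assumes it is run from an elevated PowerShell prompt by the same user profile the fix was run for (so $env:LOCALAPPDATA resolves to that profile's AppData\Local), and that the registry key is the one FRST names in its Fixlog.

```powershell
# Added example, not from the original thread or from FRST: re-inspect what the fixlist
# above targeted so the Fixlog can be compared against the machine's real state.
# Run from an elevated PowerShell prompt. Assumes the user running it is the profile the
# fix was run for (so $env:LOCALAPPDATA maps to C:\Users\<name>\AppData\Local).

# 1. The two Comodo folders listed in the fixlist (FRST moves them to C:\FRST\Quarantine).
$leftovers = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Comodo'),
    (Join-Path $env:LOCALAPPDATA 'Comodo')
)
foreach ($path in $leftovers) {
    if (Test-Path -LiteralPath $path) {
        Write-Output "STILL PRESENT: $path"
        Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    } else {
        Write-Output "gone: $path"
    }
}

# 2. 'SearchScopes: HKLM - DefaultScope value is missing.' FRST restores the DefaultScope
#    value. Confirm it is back and look at which scope (DisplayName/URL) it points to; a
#    hijacked default search shows up here as an unfamiliar URL.
$scopes  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
$default = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
if (-not $default) {
    Write-Output 'DefaultScope is still missing'
} else {
    Write-Output "DefaultScope = $default"
    Get-ItemProperty -Path (Join-Path $scopes $default) -ErrorAction SilentlyContinue |
        Select-Object DisplayName, URL
}

# 3. 'Hosts:' resets the hosts file. The Windows default contains only comment lines, so
#    any active (uncommented) entry is worth a look: redirects of well-known sites live here.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = Get-Content -LiteralPath $hostsFile |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
if ($active) {
    Write-Output 'Active hosts entries (the default file has none):'
    $active | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'hosts file contains only comments (default state)'
}
```

Compare the output with the Fixlog: the two folders should report "gone", DefaultScope should be present and point at a scope whose URL you recognise, and the hosts file should have no active entries.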

"If the files related to Comodo are malicious, I don't know why Quick Heal AV didn't find them. As far as those files being related to a Comodo Dragon browser hijacker goes, scans you ran before asking for help might have removed them; I don't know, but the extensions that should be related to the infection are what I'm not finding."

 

The only things I did before asking for help was:

 

Run Quick Heal AV, which also cleans malware and rootkits

 

Run CCleaner

 

I don't remember doing anything else. It may sound dumb that I can't exactly remember something so recent, but I have tons on my plate and my memory really isn't what it used to be.

 

 

"We do see Comodo Internet Security; that's why I had asked if that had been on the machine."

 

I know I never installed that, unless it came with the recent browser install or with some other thing. When I had malware in the past I had tried to remove it with things like RogueKiller and others.

 

Will run all the stuff you told me soon as I can.


Here's one log. Will run ESET later. I didn't press Scan first, but just Fix as you told me to:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-10-2014
Ran by Vidya Samson at 2014-10-08 16:06:58 Run:3
Running from C:\Users\Vidya Samson\Desktop
Loaded Profile: Vidya Samson (Available profiles: Vidya Samson)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
SearchScopes: HKLM - DefaultScope value is missing.
2014-09-24 18:33 - 2014-09-28 15:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
2014-09-24 18:32 - 2014-09-24 18:32 - 00000000 ____D () C:\Users\Vidya Samson\AppData\Local\Comodo
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo => Moved successfully.
C:\Users\Vidya Samson\AppData\Local\Comodo => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 40.6 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====


Can I download the ESET Online Scanner and then run it when offline, or do I have to be online all the while I am running it? I suspect the latter. I ask so I will be able to choose the right time to run it, since you said it will take some time.


I believe you can.

For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

 

After you download esetsmartinstaller_enu.exe, follow the prompts and allow it to update if it asks; you should then be able to leave the machine.

If I'm not wrong, after it checks for updates there's no need for an internet connection.


From this:

 

http://www.eset.com/us/online-scanner-popup/

 

it sounds like I have to be online all the time the scan is running, so I will have to do it at a time when I will be online for some time anyway. Can you please not close this thread until I can do this? Thanks.

 

I would have downloaded the free trial but they insist I must uninstall other AVs:

 

"Important: Before the installation we recommend you uninstall all other security solutions, including older versions of ESET. Click here to learn more."

 

And I don't want to go through that. I suppose I COULD uninstall Quick Heal, but it was my tech who installed it and I would have to figure out how to install it again if I remove it.

 

So I guess it's better I just do the one-time online scan? If it isn't at all difficult to reinstall my Quick Heal from the DVD I have, then I could do that. Will there be any problems if I uninstall and then reinstall the AV I bought, i.e. Quick Heal?


I don't think you clicked on the Free Online Scan.

 

Scan with Panda Cloud Cleaner

 

Please download Panda Cloud Cleaner and save the file to your desktop.

Temporarily disable your antivirus and antispyware protection - instructions here.

  • Install the scanner by right-clicking on its icon and selecting Run as Administrator.
  • It should start itself automatically after the installation.
  • In the main console click Accept and Scan.
  • This scan won't take long, several minutes (depending on your system specs). Let it run uninterrupted.
  • At the last stage you will see a couple of messages about verifying and analyzing results. Wait patiently.
  • Upon completion you will see the detections window. Enter one of them and click View Report at the bottom right.
  • A Notepad window named PCloudCleaner.log will open. Save it to your desktop.
  • Please include the contents of that file in your next reply.

    Don't forget to re-enable your switched-off protection software!

    After that you may uninstall Panda Cloud Cleaner from your machine, if you wish to.


The computer seems to be working OK for now. I suspect ochelper.exe was the main culprit and removing it solved the problem. I'll feel safer once I run the ESET Online Scan. Yes, I did click on the Free Online Scan. I just haven't run it yet.

Did you tell me to download Panda Cloud Cleaner because you thought I could not find ESET Online Scan? I'd rather run ESET if that's the most reliable.

 

It bothers me that when I run Malwarebytes now and then, it finds the Trojan.Agent skype.dat

 

Would it be possible for you to write me a script that would get rid of it once and for all?

 

I uninstalled CutePDF but I still have Bullzip and PDF24. Are these safe? They were highly recommended on one site, but now I no longer trust any free software. CutePDF was highly recommended too on some forums. A lot of my computer problems stem from my trusting recommended free software like this.


I trust ESET, and it is the one I use the most.

CutePDF should be a trusted source, but if downloading from sketchy sites, then beware.

Bullzip I am not familiar with at all; if you have a good PDF writer there is no need for it, and I would uninstall it.

Found an article in reference to Malwarebytes and Quick Heal.

 

https://forums.malwarebytes.org/index.php?/topic/131510-mbam-detected-trojan-downloader-skypedat-but-cannot-delete-it/

 

A few people running Quick Heal reported to our researchers, and this is what they told us:

About Quick Heal

They use some sort of "blocklist" with file names in it in order to prevent the creation of them (as some sort of pro-active defense).

So during a Malwarebytes scan, enumerating the rules probably triggers some sort of action in Quick Heal (some sort of lock/access denied), so MBAM acts upon that and treats/sees this as the file being present.

I rather think this is present in Quick Heal Internet Security (maybe the pro-active defense settings? Or some sort of app-blocker in there?).

 

 

Is FRST still on desktop?

 

Let's see if we can find it.

 

If FRST asks to update, please allow it.

 

 

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.

Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CloseProcesses:
c:\Users\Default\AppData\Roaming\skype.dat
c:\Users\Vidya Samson\AppData\Roaming\skype.dat
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

~~~~~~~~~~~~~~~~~~~~~~~

 

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :folderfind
    skype.dat
    :filefind
    skype.dat
    :regfind
    skype.dat
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
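The SystemLook search above looks for skype.dat as a folder, as a file and as a registry string. Here is an added PowerShell example that does the same three searches; it is not from this thread, SystemLook or Malwarebytes. It adds one distinction that the Quick Heal explanation in this post makes necessary: probing a path can end as present, absent, or Access Denied, and a scanner that treats "denied" as "present" will keep reporting a file that is not there, so the three outcomes are reported separately. The registry search is limited to the common autostart keys rather than walking the whole registry, which is an assumption about where such a file would be referenced; the paths under C:\Users are the ones named in the fixlist above. Run from an elevated prompt.

```powershell
# Added example, not from the thread, SystemLook or Malwarebytes: a PowerShell equivalent of
# the :folderfind / :filefind / :regfind searches above, reporting "present", "absent" and
# "access denied" separately, since Quick Heal's blocklist can make a missing file look present.
param([string]$Name = 'skype.dat')   # file name in question; change it to hunt for another

# --- 1. Direct probe of the exact paths Malwarebytes reported, for every profile on the disk ---
$profiles = Get-ChildItem -LiteralPath (Join-Path $env:SystemDrive 'Users') -Directory -Force
foreach ($profile in $profiles) {
    $candidate = Join-Path $profile.FullName "AppData\Roaming\$Name"
    try {
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction Stop
        Write-Output ("PRESENT  {0}  {1} bytes  {2}" -f $candidate, $item.Length, $item.LastWriteTime)
    } catch [System.Management.Automation.ItemNotFoundException] {
        Write-Output "absent   $candidate"
    } catch [System.UnauthorizedAccessException] {
        # The Quick Heal case: something blocks access to the path, which says nothing
        # about whether a file actually exists there.
        Write-Output "DENIED   $candidate  (access blocked; not proof the file exists)"
    } catch {
        Write-Output "ERROR    $candidate  $($_.Exception.GetType().Name)"
    }
}

# --- 2. Wider file/folder search (:filefind / :folderfind) over the usual drop locations ---
$roots = @((Join-Path $env:SystemDrive 'Users'), $env:ProgramData, $env:SystemRoot)
$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -Filter $Name -ErrorAction SilentlyContinue
}
if ($hits) {
    foreach ($h in $hits) {
        $kind = if ($h.PSIsContainer) { 'folder' } else { "$($h.Length) bytes" }
        Write-Output "FOUND    $($h.FullName)  ($kind)"
    }
} else {
    Write-Output "no file or folder named $Name under $($roots -join ', ')"
}

# --- 3. Registry search (:regfind), limited to common autostart keys (assumption: a file in
#        %AppData% that runs at logon is usually referenced from one of these). A full registry
#        walk is very slow in PowerShell. HKCU is the hive of the user running this script. ---
$autostart = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$pattern = [regex]::Escape($Name)
foreach ($key in $autostart) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        if ("$($p.Name) $($p.Value)" -match $pattern) {
            Write-Output "REGISTRY $key : $($p.Name) = $($p.Value)"
        }
    }
}
```

If the direct probe reports DENIED for a path while the wider search and the registry search find nothing, the detection is most likely the blocklist behaviour described above rather than a file on disk; a PRESENT result with a size and timestamp is a real file that can go into a fixlist.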

Thanks! I have no problem posting scans on here; after all, I did post all these so far. I'm just very busy and have been putting off running the ESET scan, though I know I should do it. For now I ran this and will download what you told me to in the last post:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-10-2014
Ran by Vidya Samson at 2014-10-16 19:49:57 Run:4
Running from C:\Users\Vidya Samson\Desktop
Loaded Profile: Vidya Samson (Available profiles: Vidya Samson)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
c:\Users\Default\AppData\Roaming\skype.dat
c:\Users\Vidya Samson\AppData\Roaming\skype.dat
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
"c:\Users\Default\AppData\Roaming\skype.dat" => File/Directory not found.
"c:\Users\Vidya Samson\AppData\Roaming\skype.dat" => File/Directory not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 83.3 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====


SystemLook 30.07.11 by jpshortstuff
Log created at 20:47 on 16/10/2014 by Vidya Samson
Administrator - Elevation successful

========== folderfind ==========

Searching for "skype.dat"
No folders found.

========== filefind ==========

Searching for "skype.dat"
No files found.

========== regfind ==========

Searching for "skype.dat"
No data found.

-= EOF =-


The below scanner should be quicker.

 

Download Emsisoft Emergency Kit and save it to your desktop. Double-click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

Here are the results. How do I get rid of Comodo\Dragon? And it seems to show some problem in CCleaner too.

 

Also, for some reason, when I plugged in my external hard drive it didn't show. I kept clicking COMPUTER to see all the drives. The drive is only a couple of years old, I think, and is a Seagate, so it's good quality. Is there some command I can give to make my drive show up on screen so I can then check it out?

 

C:\FRST\Quarantine\C\Users\Vidya Samson\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\aaaalipaokhkccgmgkdglfinfnfhflko\30.10_0\background\ChromeUtilPlugin.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application

C:\Users\Vidya Samson\Desktop\ccsetup410.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

D:\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
