

Computer with audio ads virus and 100% cpu usage


  • This topic is locked
13 replies to this topic

#1 audreyd

  • Members
  • 7 posts

Posted 02 January 2014 - 10:58 PM

Hey there guys!
 
3 or 4 days ago my computer started playing a ton of audio ads with no programs running, with at least 4 or so different audio tracks on top of one another.  My comp has also been running very slowly, with CPU usage at or near 100% a lot of the time.  I was thinking that it might be a rootkit, but I've been running every single anti-rootkit and anti-virus I could find, and none of them are picking up on it.  I've tried TDSSKiller, AVG, SuperAntiSpyware, MalwareBytes, Sophos, and nothing is working.  I guess what I'm trying to figure out is if there's anything else I should try, or if I'm resigned to completely wiping my hard drive and starting over.  Thanks for your help!
 
Audrey
 
DDS LOG
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 1.6.0_24
Run by Audrey at 23:01:24 on 2014-01-02
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3893.1270 [GMT -5:00]
.
AV: AVG AntiVirus 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe
C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\Expat Shield\bin\hsswd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\SlimCleaner Plus\SlimServiceFactory.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
c:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Audrey\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\SlimCleaner Plus\SlimService.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Audrey\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uDefault_Page_URL = g.msn.com/USCON/1
mStart Page = hxxp://search.myheritage.com
mDefault_Page_URL = hxxp://www.yahoo.com
uProxyOverride = localhost; 127.0.0.1; <local>
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [SlimCleaner Plus] "C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe" /minimize
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
StartupFolder: C:\Users\Audrey\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Audrey\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{AAC0F677-2774-4E0D-8074-35E72AF8567A} : NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486}\2656C6B696E6E2336616E2765756374737 : DHCPNameServer = 192.168.169.1
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486}\34963736F6D244 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486}\45754424330333 : DHCPNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486}\66F687E6564777F627B6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486}\F424857514E4D22393 : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default\
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\TVUPlayer\npTVUAx.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Audrey\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: C:\Users\Audrey\AppData\Local\RunRev\Components\LiveCodePlayer\9\nplcplugin.dll
FF - plugin: C:\Users\Audrey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Audrey\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Audrey\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Users\Audrey\Documents\Millisecond Software\Inquisit 3.0 Mozilla Plugin\npInquisit_3040.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: SocialRibbons: {0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc} - %profile%\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-10-24 194872]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-10-31 294712]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-10-1 123704]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-10 31544]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-9-4 55856]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2013-11-5 150808]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-11-4 240920]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-10-31 212280]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-8-1 251192]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-3 46368]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-9-4 98208]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2013-11-11 3478544]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2013-9-24 348008]
R2 CodeMeter.exe;CodeMeter Runtime Server;C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [2013-4-8 2571704]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 ExpatShieldService;Expat Shield Service;C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe [2012-1-17 331608]
R2 ExpatSrv;Expat Shield Routing Service;C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe [2012-1-4 363336]
R2 ExpatWd;Expat Shield Monitoring Service;C:\Program Files (x86)\Expat Shield\bin\hsswd.exe -product Expat --> C:\Program Files (x86)\Expat Shield\bin\hsswd.exe -product Expat [?]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-12-30 418376]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-9-4 673088]
R2 SlimService;SlimWare Utility Service Launcher;C:\Program Files\SlimCleaner Plus\SlimServiceFactory.exe [2013-12-31 232256]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-4 2320920]
R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\System32\drivers\bcmvwl64.sys [2010-9-4 20984]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2010-9-4 172704]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-9-4 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-9-4 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-9-4 271872]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-9-4 74280]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2010-5-7 30304]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-12-30 25928]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-12-30 701512]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2012-9-19 102368]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
S3 LVUVC64;Logitech HD Webcam C510(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-9-4 245792]
S3 SophosVirusRemovalTool;Sophos Virus Removal Tool;C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [2013-11-6 151848]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2012-9-19 203104]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-11-6 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 ExpatTrayService;Expat Shield Tray Service;C:\Program Files (x86)\Expat Shield\bin\EXPATTrayService.exe [2012-1-17 77520]
.
=============== Created Last 30 ================
.
2014-01-03 02:21:37 -------- d-----w- C:\Users\Audrey\AppData\Local\SlimWare Utilities Inc
2014-01-03 02:20:46 -------- d-----w- C:\ProgramData\SlimWare Utilities Inc
2014-01-03 02:20:39 -------- d-----w- C:\Program Files\SlimCleaner Plus
2014-01-02 00:58:00 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2014-01-02 00:46:09 -------- d-----w- C:\Windows\pss
2014-01-02 00:30:27 57344 ----a-r- C:\Users\Audrey\AppData\Roaming\Microsoft\Installer\{1B2035BA-BFB0-4F1F-A702-80CF1377285D}\NewShortcut2_D6EB88B17A2D418382FBD144606692BF.exe
2014-01-02 00:30:27 53248 ----a-r- C:\Users\Audrey\AppData\Roaming\Microsoft\Installer\{1B2035BA-BFB0-4F1F-A702-80CF1377285D}\ARPPRODUCTICON.exe
2014-01-02 00:30:26 -------- d-----w- C:\Users\Audrey\AppData\Roaming\Verizon
2013-12-31 18:28:29 -------- d-----w- C:\ProgramData\HitmanPro
2013-12-31 15:40:50 89304 ----a-w- C:\Windows\System32\drivers\723860CF.sys
2013-12-31 02:58:54 -------- d-----w- C:\Users\Audrey\AppData\Roaming\SUPERAntiSpyware.com
2013-12-31 02:58:54 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-12-31 00:36:20 -------- d-----w- C:\Users\Audrey\AppData\Roaming\AVG2014
2013-12-31 00:27:19 -------- d-----w- C:\Users\Audrey\AppData\Roaming\TuneUp Software
2013-12-31 00:24:38 -------- d--h--w- C:\$AVG
2013-12-31 00:24:37 -------- d-----w- C:\ProgramData\AVG2014
2013-12-31 00:19:56 -------- d-----w- C:\Program Files (x86)\AVG
2013-12-30 23:39:01 -------- d-----w- C:\Users\Audrey\AppData\Local\MFAData
2013-12-30 23:39:01 -------- d-----w- C:\Users\Audrey\AppData\Local\Avg2014
2013-12-30 23:39:01 -------- d-----w- C:\ProgramData\MFAData
2013-12-30 23:24:04 -------- d-----w- C:\Users\Audrey\AppData\Local\FileTypeAssistant
2013-12-30 23:19:40 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{01C8AC33-7574-467A-9084-8AA1CE5ABCC7}\offreg.dll
2013-12-30 23:13:49 -------- d-----w- C:\AdwCleaner
2013-12-30 18:17:27 -------- d-----w- C:\ProgramData\Sophos
2013-12-30 18:17:13 73728 ----a-r- C:\Users\Audrey\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-12-30 18:17:13 73728 ----a-r- C:\Users\Audrey\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-12-30 18:17:13 73728 ----a-r- C:\Users\Audrey\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-12-30 18:16:37 -------- d-----w- C:\Program Files (x86)\Sophos
2013-12-30 14:51:52 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-30 14:48:00 -------- d-----w- C:\Users\Audrey\AppData\Roaming\Malwarebytes
2013-12-30 14:47:49 -------- d-----w- C:\ProgramData\Malwarebytes
2013-12-30 14:47:48 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-12-30 14:47:47 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-30 14:47:33 -------- d-----w- C:\Users\Audrey\AppData\Local\Programs
2013-12-30 13:41:16 -------- d-----w- C:\Program Files\Enigma Software Group
2013-12-30 13:38:03 -------- d-----w- C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-12-30 13:37:49 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-12-27 16:32:29 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{01C8AC33-7574-467A-9084-8AA1CE5ABCC7}\mpengine.dll
2013-12-20 23:35:35 -------- d-----w- C:\Users\Audrey\AppData\Roaming\JRT Studio
2013-12-20 23:35:13 -------- d-----w- C:\Program Files (x86)\JRT Studio
2013-12-05 04:15:22 -------- d-sh--w- C:\found.000
.
==================== Find3M  ====================
.
2013-12-11 06:58:24 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-11 06:58:24 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-19 08:33:38 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-11 04:01:24 46368 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-11-06 02:55:48 150808 ----a-w- C:\Windows\System32\drivers\avgdiska.sys
2013-11-05 02:52:42 240920 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2013-11-01 04:00:18 212280 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2013-11-01 03:49:46 294712 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2013-10-25 03:25:58 194872 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
.
============= FINISH: 23:06:13.22 ===============


Edited by audreyd, 02 January 2014 - 11:10 PM.
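
As an added example (it is not part of the original post, nor code from DDS, FRST or any other tool named in this thread), the script below applies a few first-pass triage heuristics to DDS output of the kind pasted above. The sample text is a constructed excerpt whose lines are copied from that log. It flags the mPolicies-System values that switch off UAC prompting (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop at 0 do exactly that), registry hooks whose target file is gone (<orphaned> / <no file>), a per-interface static NameServer list that overrides the DHCP-assigned resolvers, and a recently created driver whose name is eight hex digits. That last flag is deliberately a "look at this", not a verdict: anti-rootkit scanners such as TDSSKiller, which the poster says she ran, are known to drop short-lived helper drivers with names of exactly that shape, so the file's signature and hash need checking before anything is concluded from the name alone.

```python
"""First-pass triage of a DDS log: flags settings and artefacts a reviewer
would want to look at first. Added example, not part of DDS or FRST; the
sample text is a constructed excerpt copied from the log posted above."""
import re

# HKLM\...\Policies\System values (DDS prints them as mPolicies-System) that,
# at the value shown, remove UAC prompting.
UAC_WEAK = {
    "EnableLUA": ("0", "UAC is switched off"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate silently"),
    "PromptOnSecureDesktop": ("0", "prompts are not shown on the secure desktop"),
}

POLICY_RE = re.compile(r"^mPolicies-System:\s*(\w+)\s*=\s*dword:(\d+)")
# Hook entries whose backing file is gone (DDS marks them <orphaned> / <no file>).
ORPHAN_RE = re.compile(
    r"^(?:x64-)?(?:BHO|SSODL|Handler|uURLSearchHooks):.*<(?:orphaned|no file)>", re.I)
# A static NameServer on one interface overrides what DHCP handed out.
IFACE_DNS_RE = re.compile(
    r"^TCP: Interfaces\\\{([0-9A-F-]+)\}\s*:\s*NameServer\s*=\s*(.+)$", re.I)
# "Created Last 30" rows: date time size attributes path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
# Eight hex digits as a driver name. Heuristic only: anti-rootkit scanners drop
# helper drivers named like this too, so verify signature and hash before judging.
HEX_DRIVER_RE = re.compile(r"\\drivers\\[0-9A-F]{8}\.sys$", re.I)


def triage(log_text):
    """Return (category, detail) findings for the DDS text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            name, value = m.groups()
            if name in UAC_WEAK and UAC_WEAK[name][0] == value:
                findings.append(("uac-off", f"{name}={value}: {UAC_WEAK[name][1]}"))
            continue
        if ORPHAN_RE.match(line):
            findings.append(("orphan", line))
            continue
        m = IFACE_DNS_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group(2)) if s]
            findings.append(("static-dns",
                             f"interface {{{m.group(1)}}} overrides DHCP DNS "
                             f"with {len(servers)} servers"))
            continue
        m = CREATED_RE.match(line)
        if m and HEX_DRIVER_RE.search(m.group(1)):
            findings.append(("hex-driver", m.group(1)))
    return findings


# Constructed sample: lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
x64-SSODL: WebCheck - <orphaned>
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{AAC0F677-2774-4E0D-8074-35E72AF8567A} : NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{D05C00D1-B23B-4F4C-91B4-F3750FEC5486} : DHCPNameServer = 75.75.75.75 75.75.76.76
2013-12-31 15:40:50 89304 ----a-w- C:\Windows\System32\drivers\723860CF.sys
2013-12-30 14:47:48 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-01-03 02:20:39 -------- d-----w- C:\Program Files\SlimCleaner Plus
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```

Run as-is it prints one line per finding; feeding it a whole DDS log instead of the excerpt works the same way. Each flag is a starting point for a follow-up, not a diagnosis: the UAC values are only re-enabled by setting them back (EnableLUA=1 needs a reboot), an orphaned hook is a cleanup item rather than evidence of infection, and a flagged driver is judged by its Authenticode signature and hash, not its name.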




#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 January 2014 - 09:59 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Also

  • Please run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log into your reply to me. (You can use pastebin as well.)

 

 

Regards,

Georgi




#3 audreyd
  • Topic Starter

  • Members
  • 7 posts

Posted 03 January 2014 - 10:33 AM

Hi! Just an update, I haven't had the ads come on in about 12 hours, but the CPU is still running pretty slowly.
 
FRST.txt
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-01-2014
Ran by Audrey (administrator) on AUDREY-PC on 03-01-2014 10:04:29
Running from C:\Users\Audrey\Downloads
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
() C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe
(AnchorFree Inc.) C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe
() C:\Program Files (x86)\Expat Shield\bin\hsswd.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\LVPrS64H.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
(SoftThinks) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimCleaner Plus\SlimServiceFactory.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(SlimWare Utilities, Inc.) C:\Program Files\SlimCleaner Plus\SlimService.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Dropbox, Inc.) C:\Users\Audrey\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Apache Software Foundation) C:\Program Files (x86)\OpenOffice 4\program\swriter.exe
(Apache Software Foundation) C:\Program Files (x86)\OpenOffice 4\program\soffice.exe
(Apache Software Foundation) C:\Program Files (x86)\OpenOffice 4\program\soffice.bin
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10144288 2010-04-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6563096 2013-12-19] (SUPERAntiSpyware)
HKCU\...\Run: [SlimCleaner Plus] - C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe [26164032 2013-12-31] (SlimWare Utilities, Inc.)
MountPoints2: F - F:\Autorun\autorun.exe
MountPoints2: G - G:\VZW_Software_upgrade_assistant.exe
MountPoints2: {c9ea7eaf-4554-11e2-8178-fddbd4723fa0} - G:\VZW_Software_upgrade_assistant.exe
MountPoints2: {fe7b2e8b-4a38-11e3-93db-a171055ad83a} - G:\VZW_Software_upgrade_assistant.exe
Startup: C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Audrey\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
URLSearchHook: HKCU - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {63E630AC-1308-4DE4-A411-453FAF171493} URL = 
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}
BHO: Expat Shield Class - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll (AnchorFree Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Expat Shield Class - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc.)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{AAC0F677-2774-4E0D-8074-35E72AF8567A}: [NameServer]8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
 
FireFox:
========
FF ProfilePath: C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @millisecond.com/npInquisit,version=3.0 - C:\Users\Audrey\Documents\Millisecond Software\Inquisit 3.0 Mozilla Plugin\npInquisit_3040.dll (Millisecond Software)
FF Plugin-x32: @pages.tvunetworks.com/WebPlayer - C:\Program Files (x86)\TVUPlayer\npTVUAx.dll No File
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 - C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)
FF Plugin HKCU: @livecode.runrev.com/LiveCode Player;version=1 - C:\Users\Audrey\AppData\Local\RunRev\Components\LiveCodePlayer\9\nplcplugin.dll ()
FF Plugin HKCU: @millisecond.com/npInquisit,version=3.0 - C:\Users\Audrey\Documents\Millisecond Software\Inquisit 3.0 Mozilla Plugin\npInquisit_3040.dll (Millisecond Software)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Audrey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Audrey\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\Audrey\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Audrey\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Audrey\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: FoxyProxy Standard - C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default\Extensions\foxyproxy@eric.h.jung
FF Extension: SocialRibbons - C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default\Extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
 
Chrome: 
=======
CHR RestoreOnStartup: "settings": {
      "privacy": {
         "drm_salt": "C99A938E4DB0F13539B06743A25176BEBFB6E294277D273528ECCDE327AB6D6D"
CHR Plugin: (Shockwave Flash) - C:\Users\Audrey\AppData\Local\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Audrey\AppData\Local\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Audrey\AppData\Local\Google\Chrome\Application\31.0.1650.63\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U24) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (downloadUpdater) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll No File
CHR Plugin: (downloadUpdater2) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\\npsitesafety.dll No File
CHR Plugin: (DivX Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Yahoo! activeX Plug-in Bridge) - C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\Audrey\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (LiveCode Player Browser Plugin) - C:\Users\Audrey\AppData\Local\RunRev\Components\LiveCodePlayer\9\nplcplugin.dll ()
CHR Plugin: (Inquisit Web Edition) - C:\Users\Audrey\Documents\Millisecond Software\Inquisit 3.0 Mozilla Plugin\npInquisit_3040.dll (Millisecond Software)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10516.0\npctrl.dll No File
CHR Extension: (Google Docs) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Proxy Switchy!) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\caehdcpeofiiigpdhbabniblemipncjj\1.6.3_0
CHR Extension: (Adblock Plus) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.7.2_0
CHR Extension: (Google Search) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Google Wallet) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0
CHR Extension: (Gmail) - C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [jimmegiofifickhcnpbllambfpmadfof] - C:\Users\Audrey\AppData\Local\Temp\jimmegiofifickhcnpbllambfpmadfof.crx
CHR StartMenuInternet: Google Chrome - C:\Users\Audrey\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [144152 2013-10-10] (SUPERAntiSpyware.com)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
R2 ExpatShieldService; C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe [331608 2012-01-17] ()
S4 ExpatTrayService; C:\Program Files (x86)\Expat Shield\bin\ExpatTrayService.EXE [77520 2012-01-17] ()
R2 ExpatWd; C:\Program Files (x86)\Expat Shield\bin\hsswd.exe [329544 2012-01-04] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 SlimService; C:\Program Files\SlimCleaner Plus\SlimServiceFactory.exe [232256 2013-12-31] (SlimWare Utilities, Inc.)
S3 SophosVirusRemovalTool; C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [151848 2013-11-06] (Sophos Limited)
 
==================== Drivers (Whitelisted) ====================
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [150808 2013-11-05] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [240920 2013-11-04] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [194872 2013-10-24] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-10-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-09-10] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-10] (AVG Technologies)
R3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [x]
S3 MFE_RR; \??\C:\Users\Audrey\AppData\Local\Temp\mfe_rr.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-03 10:04 - 2014-01-03 10:06 - 00020482 _____ C:\Users\Audrey\Downloads\FRST.txt
2014-01-03 10:04 - 2014-01-03 10:04 - 00000000 ____D C:\FRST
2014-01-03 10:03 - 2014-01-03 10:03 - 01931750 _____ (Farbar) C:\Users\Audrey\Downloads\FRST64.exe
2014-01-02 23:22 - 2014-01-02 23:38 - 00000000 ____D C:\Users\Audrey\AppData\Local\FileTypeAssistant
2014-01-02 23:21 - 2014-01-02 23:21 - 00000000 ____H C:\ProgramData\cm-lock
2014-01-02 23:13 - 2014-01-02 23:13 - 01233962 _____ C:\Users\Audrey\Downloads\adwcleaner.exe
2014-01-02 23:06 - 2014-01-02 23:06 - 00023438 _____ C:\Users\Audrey\Desktop\attach.txt
2014-01-02 23:06 - 2014-01-02 23:06 - 00021132 _____ C:\Users\Audrey\Desktop\dds.txt
2014-01-02 23:00 - 2014-01-02 23:00 - 00688992 ____R (Swearware) C:\Users\Audrey\Downloads\dds.com
2014-01-02 22:17 - 2014-01-02 22:17 - 04101441 _____ C:\Users\Audrey\Downloads\tdsskiller.zip
2014-01-02 22:10 - 2014-01-02 22:10 - 00001552 _____ C:\Windows\PFRO.log
2014-01-02 21:58 - 2014-01-02 21:58 - 00000877 _____ C:\Users\Audrey\Desktop\BitTorrent.lnk
2014-01-02 21:58 - 2014-01-02 21:58 - 00000857 _____ C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2014-01-02 21:58 - 2014-01-02 21:58 - 00000557 _____ C:\Windows\system32\MyDefrag.debuglog
2014-01-02 21:57 - 2014-01-02 21:57 - 00002774 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-01-02 21:21 - 2014-01-02 23:27 - 00003050 _____ C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Audrey)
2014-01-02 21:21 - 2014-01-02 23:27 - 00000432 _____ C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Audrey).job
2014-01-02 21:21 - 2014-01-02 21:21 - 00000000 ____D C:\Users\Audrey\AppData\Local\SlimWare Utilities Inc
2014-01-02 21:20 - 2014-01-02 21:20 - 00002465 _____ C:\Users\Public\Desktop\SlimCleaner Plus.lnk
2014-01-02 21:20 - 2014-01-02 21:20 - 00000000 ____D C:\Users\Public\Documents\Downloaded Installers
2014-01-02 21:20 - 2014-01-02 21:20 - 00000000 ____D C:\ProgramData\SlimWare Utilities Inc
2014-01-02 21:20 - 2014-01-02 21:20 - 00000000 ____D C:\Program Files\SlimCleaner Plus
2014-01-02 21:14 - 2014-01-02 21:14 - 00858432 _____ (SlimWare Utilities, Inc.) C:\Users\Audrey\Downloads\SlimCleanerPlus-setup.exe
2014-01-02 18:57 - 2014-01-02 18:57 - 00056271 _____ C:\Users\Audrey\Documents\The Macys It Girl.odt
2014-01-01 20:32 - 2014-01-01 20:49 - 00007605 _____ C:\Users\Audrey\AppData\Local\Resmon.ResmonCfg
2014-01-01 19:58 - 2014-01-01 19:58 - 00001770 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-01-01 19:58 - 2014-01-01 19:58 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2014-01-01 19:47 - 2014-01-02 23:21 - 00000448 _____ C:\Windows\setupact.log
2014-01-01 19:47 - 2014-01-01 19:47 - 00000000 _____ C:\Windows\setuperr.log
2014-01-01 19:46 - 2014-01-01 20:24 - 00000000 ____D C:\Windows\pss
2014-01-01 19:30 - 2014-01-01 19:30 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Verizon
2014-01-01 14:26 - 2014-01-03 01:24 - 00023908 _____ C:\Users\Audrey\Documents\ideas.odt
2014-01-01 14:26 - 2014-01-03 01:24 - 00000108 ____H C:\Users\Audrey\Documents\.~lock.ideas.odt#
2013-12-31 14:42 - 2013-12-31 14:42 - 00000908 _____ C:\Windows\system32\.crusader
2013-12-31 13:28 - 2013-12-31 14:42 - 00000000 ____D C:\ProgramData\HitmanPro
2013-12-31 11:24 - 2013-12-31 11:24 - 00006576 ____N C:\bootsqm.dat
2013-12-31 10:40 - 2013-12-31 10:40 - 00089304 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\723860CF.sys
2013-12-30 21:58 - 2013-12-30 21:58 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\SUPERAntiSpyware.com
2013-12-30 21:58 - 2013-12-30 21:58 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2013-12-30 20:56 - 2013-12-30 21:01 - 00000320 _____ C:\Users\Audrey\Desktop\avgrep.txt
2013-12-30 19:36 - 2013-12-30 19:36 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\AVG2014
2013-12-30 19:28 - 2013-12-30 19:28 - 00003230 _____ C:\Windows\System32\Tasks\SidebarExecute
2013-12-30 19:27 - 2013-12-30 19:27 - 00000967 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-12-30 19:27 - 2013-12-30 19:27 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\TuneUp Software
2013-12-30 19:24 - 2013-12-30 19:28 - 00000000 ____D C:\ProgramData\AVG2014
2013-12-30 19:24 - 2013-12-30 19:24 - 00000000 ___HD C:\$AVG
2013-12-30 19:19 - 2013-12-30 19:19 - 00000000 ____D C:\Program Files (x86)\AVG
2013-12-30 18:39 - 2014-01-03 08:49 - 00000000 ____D C:\ProgramData\MFAData
2013-12-30 18:39 - 2013-12-30 20:56 - 00000000 ____D C:\Users\Audrey\AppData\Local\Avg2014
2013-12-30 18:39 - 2013-12-30 18:39 - 00000000 ____D C:\Users\Audrey\AppData\Local\MFAData
2013-12-30 18:13 - 2014-01-02 23:18 - 00000000 ____D C:\AdwCleaner
2013-12-30 16:28 - 2013-12-30 16:32 - 00001634 _____ C:\Users\Audrey\Desktop\Rkill.txt
2013-12-30 13:17 - 2013-12-30 13:18 - 00000000 ____D C:\ProgramData\Sophos
2013-12-30 13:17 - 2013-12-30 13:17 - 00003211 _____ C:\Users\Audrey\Desktop\Sophos Virus Removal Tool.lnk
2013-12-30 13:17 - 2013-12-30 13:17 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2013-12-30 13:16 - 2013-12-30 13:16 - 00000000 ____D C:\Program Files (x86)\Sophos
2013-12-30 09:51 - 2013-12-30 15:48 - 00000000 ____D C:\Users\Audrey\Desktop\mbar
2013-12-30 09:51 - 2013-12-30 11:17 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-30 09:48 - 2013-12-30 09:48 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Malwarebytes
2013-12-30 09:47 - 2013-12-30 09:47 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-30 09:47 - 2013-12-30 09:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-30 09:47 - 2013-12-30 09:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-30 09:47 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-12-30 08:43 - 2013-12-30 08:43 - 00000000 _____ C:\autoexec.bat
2013-12-30 08:41 - 2013-12-30 08:41 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-12-30 08:38 - 2013-12-30 15:27 - 00000000 ____D C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-12-30 08:17 - 2013-12-30 08:18 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Audrey\Downloads\iexplore.exe
2013-12-29 22:40 - 2013-12-29 22:40 - 00037376 _____ C:\Windows\system32\vose.hsl
2013-12-29 22:29 - 2014-01-03 09:12 - 00000080 _____ C:\Windows\system32\vikkiqa.gho
2013-12-29 22:29 - 2013-12-29 22:40 - 00000095 _____ C:\Windows\system32\hbcei.myr
2013-12-29 22:29 - 2013-12-29 22:29 - 00000064 _____ C:\Windows\system32\hjpdc.foj
2013-12-29 22:14 - 2013-12-29 22:14 - 00219314 ____S C:\Windows\system32\vlboe.ant
2013-12-20 18:35 - 2014-01-01 19:21 - 00000000 ____D C:\Users\Audrey\Documents\JRT Studio
2013-12-20 18:35 - 2014-01-01 02:05 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\JRT Studio
2013-12-20 18:35 - 2013-12-20 18:35 - 00000000 ____D C:\Program Files (x86)\JRT Studio
2013-12-04 23:15 - 2013-12-04 23:15 - 00000000 __SHD C:\found.000
 
==================== One Month Modified Files and Folders =======
 
2014-01-03 10:06 - 2014-01-03 10:04 - 00020482 _____ C:\Users\Audrey\Downloads\FRST.txt
2014-01-03 10:04 - 2014-01-03 10:04 - 00000000 ____D C:\FRST
2014-01-03 10:03 - 2014-01-03 10:03 - 01931750 _____ (Farbar) C:\Users\Audrey\Downloads\FRST64.exe
2014-01-03 09:58 - 2013-01-05 15:15 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-03 09:22 - 2010-11-05 20:48 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2436820655-3590828986-179067172-1001UA.job
2014-01-03 09:12 - 2013-12-29 22:29 - 00000080 _____ C:\Windows\system32\vikkiqa.gho
2014-01-03 08:51 - 2012-10-11 09:51 - 01057886 _____ C:\Windows\WindowsUpdate.log
2014-01-03 08:49 - 2013-12-30 18:39 - 00000000 ____D C:\ProgramData\MFAData
2014-01-03 01:24 - 2014-01-01 14:26 - 00023908 _____ C:\Users\Audrey\Documents\ideas.odt
2014-01-03 01:24 - 2014-01-01 14:26 - 00000108 ____H C:\Users\Audrey\Documents\.~lock.ideas.odt#
2014-01-03 00:58 - 2012-12-16 15:47 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Dropbox
2014-01-02 23:38 - 2014-01-02 23:22 - 00000000 ____D C:\Users\Audrey\AppData\Local\FileTypeAssistant
2014-01-02 23:31 - 2012-12-16 15:49 - 00000000 ___RD C:\Users\Audrey\Dropbox
2014-01-02 23:31 - 2010-11-05 20:41 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-02 23:31 - 2009-07-13 23:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-02 23:31 - 2009-07-13 23:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-02 23:30 - 2012-12-16 15:49 - 00001025 _____ C:\Users\Audrey\Desktop\Dropbox.lnk
2014-01-02 23:30 - 2012-12-16 15:48 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-01-02 23:27 - 2014-01-02 21:21 - 00003050 _____ C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Audrey)
2014-01-02 23:27 - 2014-01-02 21:21 - 00000432 _____ C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Audrey).job
2014-01-02 23:21 - 2014-01-02 23:21 - 00000000 ____H C:\ProgramData\cm-lock
2014-01-02 23:21 - 2014-01-01 19:47 - 00000448 _____ C:\Windows\setupact.log
2014-01-02 23:21 - 2013-06-08 01:43 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2014-01-02 23:21 - 2013-06-02 19:04 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-01-02 23:21 - 2010-11-06 15:48 - 00000000 ____D C:\Windows\SysWOW64\logishrd
2014-01-02 23:21 - 2010-11-06 15:48 - 00000000 ____D C:\Windows\system32\logishrd
2014-01-02 23:21 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-02 23:18 - 2013-12-30 18:13 - 00000000 ____D C:\AdwCleaner
2014-01-02 23:13 - 2014-01-02 23:13 - 01233962 _____ C:\Users\Audrey\Downloads\adwcleaner.exe
2014-01-02 23:06 - 2014-01-02 23:06 - 00023438 _____ C:\Users\Audrey\Desktop\attach.txt
2014-01-02 23:06 - 2014-01-02 23:06 - 00021132 _____ C:\Users\Audrey\Desktop\dds.txt
2014-01-02 23:00 - 2014-01-02 23:00 - 00688992 ____R (Swearware) C:\Users\Audrey\Downloads\dds.com
2014-01-02 22:20 - 2010-11-06 16:11 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\BitTorrent
2014-01-02 22:17 - 2014-01-02 22:17 - 04101441 _____ C:\Users\Audrey\Downloads\tdsskiller.zip
2014-01-02 22:11 - 2012-08-26 22:08 - 00000404 _____ C:\Windows\Tasks\FreeFileViewerUpdateChecker.job
2014-01-02 22:10 - 2014-01-02 22:10 - 00001552 _____ C:\Windows\PFRO.log
2014-01-02 22:05 - 2010-11-13 03:53 - 00000404 ____H C:\Windows\Tasks\Norton Security Scan for Audrey.job
2014-01-02 21:58 - 2014-01-02 21:58 - 00000877 _____ C:\Users\Audrey\Desktop\BitTorrent.lnk
2014-01-02 21:58 - 2014-01-02 21:58 - 00000857 _____ C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2014-01-02 21:58 - 2014-01-02 21:58 - 00000557 _____ C:\Windows\system32\MyDefrag.debuglog
2014-01-02 21:58 - 2010-11-06 16:11 - 00000000 ____D C:\Program Files (x86)\BitTorrent
2014-01-02 21:57 - 2014-01-02 21:57 - 00002774 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-01-02 21:57 - 2010-11-06 13:14 - 00000784 _____ C:\Users\Public\Desktop\CCleaner.lnk
2014-01-02 21:57 - 2010-11-06 13:13 - 00000000 ____D C:\Program Files\CCleaner
2014-01-02 21:55 - 2010-09-04 14:30 - 00000000 ____D C:\Program Files (x86)\Dell
2014-01-02 21:50 - 2012-11-17 17:04 - 00000000 ____D C:\Users\Audrey\AppData\Local\AOL
2014-01-02 21:44 - 2012-08-26 22:08 - 00003104 _____ C:\Windows\System32\Tasks\FreeFileViewerUpdateChecker
2014-01-02 21:38 - 2011-11-05 12:26 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\dvdcss
2014-01-02 21:38 - 2010-11-05 21:24 - 00000000 ____D C:\ProgramData\DVD Shrink
2014-01-02 21:38 - 2010-09-04 16:36 - 00000000 ____D C:\Windows\Panther
2014-01-02 21:36 - 2012-06-15 17:10 - 00000000 ____D C:\MOVIES
2014-01-02 21:21 - 2014-01-02 21:21 - 00000000 ____D C:\Users\Audrey\AppData\Local\SlimWare Utilities Inc
2014-01-02 21:20 - 2014-01-02 21:20 - 00002465 _____ C:\Users\Public\Desktop\SlimCleaner Plus.lnk
2014-01-02 21:20 - 2014-01-02 21:20 - 00000000 ____D C:\Users\Public\Documents\Downloaded Installers
2014-01-02 21:20 - 2014-01-02 21:20 - 00000000 ____D C:\ProgramData\SlimWare Utilities Inc
2014-01-02 21:20 - 2014-01-02 21:20 - 00000000 ____D C:\Program Files\SlimCleaner Plus
2014-01-02 21:14 - 2014-01-02 21:14 - 00858432 _____ (SlimWare Utilities, Inc.) C:\Users\Audrey\Downloads\SlimCleanerPlus-setup.exe
2014-01-02 18:57 - 2014-01-02 18:57 - 00056271 _____ C:\Users\Audrey\Documents\The Macys It Girl.odt
2014-01-02 18:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2014-01-02 13:22 - 2010-11-05 20:48 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2436820655-3590828986-179067172-1001Core.job
2014-01-02 10:10 - 2009-07-14 00:13 - 00727334 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-01 20:49 - 2014-01-01 20:32 - 00007605 _____ C:\Users\Audrey\AppData\Local\Resmon.ResmonCfg
2014-01-01 20:24 - 2014-01-01 19:46 - 00000000 ____D C:\Windows\pss
2014-01-01 19:58 - 2014-01-01 19:58 - 00001770 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-01-01 19:58 - 2014-01-01 19:58 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2014-01-01 19:47 - 2014-01-01 19:47 - 00000000 _____ C:\Windows\setuperr.log
2014-01-01 19:30 - 2014-01-01 19:30 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Verizon
2014-01-01 19:30 - 2012-12-30 13:10 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Verizon
2014-01-01 19:30 - 2010-11-06 14:42 - 00000000 ____D C:\ProgramData\Lavasoft
2014-01-01 19:28 - 2012-12-30 13:07 - 00000000 ____D C:\Users\Public\Documents\Verizon_Android
2014-01-01 19:27 - 2013-05-17 13:50 - 00003608 _____ C:\Windows\System32\Tasks\Ad-Aware Update (Weekly)
2014-01-01 19:21 - 2013-12-20 18:35 - 00000000 ____D C:\Users\Audrey\Documents\JRT Studio
2014-01-01 19:19 - 2010-12-17 03:17 - 00108318 _____ C:\aaw7boot.log
2014-01-01 02:05 - 2013-12-20 18:35 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\JRT Studio
2013-12-31 14:42 - 2013-12-31 14:42 - 00000908 _____ C:\Windows\system32\.crusader
2013-12-31 14:42 - 2013-12-31 13:28 - 00000000 ____D C:\ProgramData\HitmanPro
2013-12-31 14:42 - 2010-11-07 22:43 - 00000000 ____D C:\Program Files (x86)\MagicDisc
2013-12-31 11:24 - 2013-12-31 11:24 - 00006576 ____N C:\bootsqm.dat
2013-12-31 10:40 - 2013-12-31 10:40 - 00089304 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\723860CF.sys
2013-12-30 23:58 - 2012-06-30 22:12 - 00000000 ____D C:\TV SHOWS
2013-12-30 22:33 - 2012-11-16 11:29 - 00001074 _____ C:\Windows\MyHeritage.INI
2013-12-30 21:58 - 2013-12-30 21:58 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\SUPERAntiSpyware.com
2013-12-30 21:58 - 2013-12-30 21:58 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2013-12-30 21:01 - 2013-12-30 20:56 - 00000320 _____ C:\Users\Audrey\Desktop\avgrep.txt
2013-12-30 20:56 - 2013-12-30 18:39 - 00000000 ____D C:\Users\Audrey\AppData\Local\Avg2014
2013-12-30 19:36 - 2013-12-30 19:36 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\AVG2014
2013-12-30 19:28 - 2013-12-30 19:28 - 00003230 _____ C:\Windows\System32\Tasks\SidebarExecute
2013-12-30 19:28 - 2013-12-30 19:24 - 00000000 ____D C:\ProgramData\AVG2014
2013-12-30 19:27 - 2013-12-30 19:27 - 00000967 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-12-30 19:27 - 2013-12-30 19:27 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\TuneUp Software
2013-12-30 19:24 - 2013-12-30 19:24 - 00000000 ___HD C:\$AVG
2013-12-30 19:19 - 2013-12-30 19:19 - 00000000 ____D C:\Program Files (x86)\AVG
2013-12-30 18:39 - 2013-12-30 18:39 - 00000000 ____D C:\Users\Audrey\AppData\Local\MFAData
2013-12-30 18:18 - 2011-02-11 11:45 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-12-30 16:32 - 2013-12-30 16:28 - 00001634 _____ C:\Users\Audrey\Desktop\Rkill.txt
2013-12-30 15:48 - 2013-12-30 09:51 - 00000000 ____D C:\Users\Audrey\Desktop\mbar
2013-12-30 15:27 - 2013-12-30 08:38 - 00000000 ____D C:\Windows\72AAF4551E54475BB0AB5413C78D0E63.TMP
2013-12-30 13:18 - 2013-12-30 13:17 - 00000000 ____D C:\ProgramData\Sophos
2013-12-30 13:17 - 2013-12-30 13:17 - 00003211 _____ C:\Users\Audrey\Desktop\Sophos Virus Removal Tool.lnk
2013-12-30 13:17 - 2013-12-30 13:17 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2013-12-30 13:16 - 2013-12-30 13:16 - 00000000 ____D C:\Program Files (x86)\Sophos
2013-12-30 11:17 - 2013-12-30 09:51 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-30 09:48 - 2013-12-30 09:48 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\Malwarebytes
2013-12-30 09:47 - 2013-12-30 09:47 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-30 09:47 - 2013-12-30 09:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-30 09:47 - 2013-12-30 09:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-30 08:43 - 2013-12-30 08:43 - 00000000 _____ C:\autoexec.bat
2013-12-30 08:41 - 2013-12-30 08:41 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-12-30 08:32 - 2013-12-03 17:28 - 00000000 ____D C:\Program Files (x86)\Steam
2013-12-30 08:18 - 2013-12-30 08:17 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Audrey\Downloads\iexplore.exe
2013-12-29 22:40 - 2013-12-29 22:40 - 00037376 _____ C:\Windows\system32\vose.hsl
2013-12-29 22:40 - 2013-12-29 22:29 - 00000095 _____ C:\Windows\system32\hbcei.myr
2013-12-29 22:29 - 2013-12-29 22:29 - 00000064 _____ C:\Windows\system32\hjpdc.foj
2013-12-29 22:14 - 2013-12-29 22:14 - 00219314 ____S C:\Windows\system32\vlboe.ant
2013-12-28 10:17 - 2010-12-10 15:54 - 00000000 ____D C:\Users\Audrey\AppData\Roaming\vlc
2013-12-20 18:35 - 2013-12-20 18:35 - 00000000 ____D C:\Program Files (x86)\JRT Studio
2013-12-11 01:58 - 2013-01-05 15:15 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-12-11 01:58 - 2013-01-05 15:15 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-11 01:58 - 2013-01-05 15:15 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-12-04 23:15 - 2013-12-04 23:15 - 00000000 __SHD C:\found.000
 
Files to move or delete:
====================
C:\Users\Audrey\install_flash_player.exe
 
 
Some content of TEMP:
====================
C:\Users\Audrey\AppData\Local\Temp\GdiPlus.dll
C:\Users\Audrey\AppData\Local\Temp\HitmanPro.exe
C:\Users\Audrey\AppData\Local\Temp\msvcp80.dll
C:\Users\Audrey\AppData\Local\Temp\msvcr80.dll
C:\Users\Audrey\AppData\Local\Temp\Quarantine.exe
C:\Users\Audrey\AppData\Local\Temp\Restarter.exe
C:\Users\Audrey\AppData\Local\Temp\SUAComnCtrl.dll
C:\Users\Audrey\AppData\Local\Temp\SUARefresh.exe
C:\Users\Audrey\AppData\Local\Temp\ToolkitPro1331vc80U.dll
C:\Users\Audrey\AppData\Local\Temp\ToolLauncher.exe
C:\Users\Audrey\AppData\Local\Temp\UTEngine.dll
C:\Users\Audrey\AppData\Local\Temp\UtilApplicationAgent.exe
C:\Users\Audrey\AppData\Local\Temp\UtilityApplication.exe
C:\Users\Audrey\AppData\Local\Temp\VerizonCM.dll
C:\Users\Audrey\AppData\Local\Temp\VerizonCM_TL.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-12-20 01:51
 
==================== End Of Log ============================
 
 
 
Search.txt
 
Farbar Recovery Scan Tool (x64) Version: 03-01-2014
Ran by Audrey at 2014-01-03 10:16:30
Running from C:\Users\Audrey\Downloads
Boot Mode: Normal
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 19:00] - [2009-07-13 20:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
C:\Windows\System32\rpcss.dll
[2009-07-13 19:00] - [2009-07-13 20:41] - 0510464 ____A (Microsoft Corporation) 40F09D13617BAFE0E195042DE0EA07BF
 
====== End Of Search ======
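The Search.txt above lists two copies of rpcss.dll with identical created/modified times but different sizes and MD5s, and the fixlist in the next reply restores the System32 copy from the WinSxS one. The following is an added example, not FRST's code or anything posted in this thread: a small Python parser for that search-output layout that pairs each path line with the detail line under it and flags any live System32/SysWOW64 copy whose size and MD5 match none of the WinSxS copies of the same file. The two entries are embedded as constructed sample input copied from the log above; the layout regex is an assumption based on those lines only.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the two rpcss.dll entries from the Search.txt
# above, in the layout FRST used there (a path line, then a detail line).
SAMPLE_SEARCH = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 19:00] - [2009-07-13 20:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 19:00] - [2009-07-13 20:41] - 0510464 ____A (Microsoft Corporation) 40F09D13617BAFE0E195042DE0EA07BF

====== End Of Search ======
"""

# Assumed detail-line layout: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        # File name only, case-folded so System32 and WinSxS copies group together.
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_search(text: str) -> list[Entry]:
    """Pair each path line with the detail line that directly follows it."""
    entries: list[Entry] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if not PATH_RE.match(line):
            continue
        m = DETAIL_RE.match(lines[i + 1])
        if m:
            entries.append(Entry(
                path=line,
                created=m["created"],
                modified=m["modified"],
                size=int(m["size"]),
                company=m["company"] or "",
                md5=m["md5"].upper(),
            ))
    return entries


def find_mismatches(entries: list[Entry]) -> list[str]:
    """Flag live copies whose (size, MD5) matches no WinSxS copy of the same file."""
    by_name: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    findings: list[str] = []
    for name, group in by_name.items():
        backups = [e for e in group if e.in_winsxs]
        live = [e for e in group if not e.in_winsxs]
        if not backups:
            continue  # nothing to compare against
        known = {(b.size, b.md5) for b in backups}
        for e in live:
            if (e.size, e.md5) not in known:
                findings.append(
                    f"{e.path}: size {e.size}, MD5 {e.md5} matches none of "
                    f"{len(backups)} WinSxS copies of {name}"
                )
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(parse_search(SAMPLE_SEARCH)):
        print(finding)
```

A mismatch is a lead, not a verdict: Windows servicing can leave a newer binary in System32 whose matching WinSxS copy sits in a differently named component directory, so the timestamps FRST prints matter. Here both copies carry the same created and modified times, which is what makes the differing size and hash worth acting on. Note also that FRST's own "Bamital & volsnap Check" above covers only a fixed list of files (winlogon, wininit, explorer, svchost, services, User32, userinit, volsnap), so a hash check of rpcss.dll needed a separate Search.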




#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 January 2014 - 06:08 PM

Hello,

Go ahead and uninstall File Type Assistant from the Control Panel.

Next please download the following file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi


#5 audreyd
  • Topic Starter
  • Members
  • 7 posts

Posted 03 January 2014 - 06:24 PM

Fixlog.txt
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2014
Ran by Audrey at 2014-01-03 18:16:51 Run:1
Running from C:\Users\Audrey\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
CHR HKLM-x32\...\Chrome\Extension: [jimmegiofifickhcnpbllambfpmadfof] - C:\Users\Audrey\AppData\Local\Temp\jimmegiofifickhcnpbllambfpmadfof.crx
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
S3 MFE_RR; \??\C:\Users\Audrey\AppData\Local\Temp\mfe_rr.sys [x]
2014-01-01 19:27 - 2013-05-17 13:50 - 00003608 _____ C:\Windows\System32\Tasks\Ad-Aware Update (Weekly)
2014-01-02 23:22 - 2014-01-02 23:38 - 00000000 ____D C:\Users\Audrey\AppData\Local\FileTypeAssistant
cmd: type C:\Users\Audrey\Desktop\Rkill.txt
2013-12-29 22:40 - 2013-12-29 22:40 - 00037376 _____ C:\Windows\system32\vose.hsl
2013-12-29 22:29 - 2014-01-03 09:12 - 00000080 _____ C:\Windows\system32\vikkiqa.gho
2013-12-29 22:29 - 2013-12-29 22:40 - 00000095 _____ C:\Windows\system32\hbcei.myr
2013-12-29 22:29 - 2013-12-29 22:29 - 00000064 _____ C:\Windows\system32\hjpdc.foj
2013-12-29 22:14 - 2013-12-29 22:14 - 00219314 ____S C:\Windows\system32\vlboe.ant
2013-12-04 23:15 - 2013-12-04 23:15 - 00000000 __SHD C:\found.000
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
Task: {1A3FAC41-FDE9-4E82-8D62-392148657838} - System32\Tasks\ProgramUpdateCheck => C:\Program Files (x86)\File Type Assistant\tsassist.exe [2012-08-10] (Trusted Software ApS) <==== ATTENTION
C:\Program Files (x86)\File Type Assistant
Task: {3D8FFDE7-D36E-44B0-9DB3-2498E6F1A34D} - System32\Tasks\Norton Security Scan for Audrey => C:\Program Files (x86)\Norton Security Scan\Engine\3.0.1.8\Nss.exe [2012-10-03] (Symantec Corporation)
C:\Program Files (x86)\Norton Security Scan
Task: {707645E4-B352-4F38-92E0-89167389011E} - \BackgroundContainer Startup Task No Task File
Task: {DD84BF7E-E256-43F8-B256-B2EC28452332} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Program Files (x86)\Lavasoft
Task: C:\Windows\Tasks\Norton Security Scan for Audrey.job => C:\PROGRA~2\NORTON~2\Engine\301~1.8\Nss.exe
C:\Users\Audrey\AppData\Local\Temp
end
*****************
 
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk => Moved successfully.
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk not found.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A6E44449-F358-4C6C-8A72-D4CF39A00FA8} => Key deleted successfully.
HKCR\CLSID\{A6E44449-F358-4C6C-8A72-D4CF39A00FA8} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jimmegiofifickhcnpbllambfpmadfof => Key deleted successfully.
"C:\Users\Audrey\AppData\Local\Temp\jimmegiofifickhcnpbllambfpmadfof.crx" => File/Directory not found.
esgiguard => Service deleted successfully.
Lavasoft Kernexplorer => Service deleted successfully.
MFE_RR => Service deleted successfully.
C:\Windows\System32\Tasks\Ad-Aware Update (Weekly) => Moved successfully.
C:\Users\Audrey\AppData\Local\FileTypeAssistant => Moved successfully.
 
=========  type C:\Users\Audrey\Desktop\Rkill.txt =========
 
Rkill 2.6.4 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 12/30/2013 04:28:42 PM in x64 mode.
Windows Version: Windows 7 Home Premium 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]
 
Backup Registry file created at:
 C:\Users\Audrey\Desktop\rkill\rkill-12-30-2013-04-29-02.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
========= End of CMD: =========
 
C:\Windows\system32\vose.hsl => Moved successfully.
C:\Windows\system32\vikkiqa.gho => Moved successfully.
Could not move "C:\Windows\system32\hbcei.myr" => Scheduled to move on reboot.
C:\Windows\system32\hjpdc.foj => Moved successfully.
Could not move "C:\Windows\system32\vlboe.ant" => Scheduled to move on reboot.
C:\found.000 => Moved successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A3FAC41-FDE9-4E82-8D62-392148657838} => Key not found.
C:\Windows\System32\Tasks\ProgramUpdateCheck not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProgramUpdateCheck => Key not found.
"C:\Program Files (x86)\File Type Assistant" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3D8FFDE7-D36E-44B0-9DB3-2498E6F1A34D} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D8FFDE7-D36E-44B0-9DB3-2498E6F1A34D} => Key deleted successfully.
C:\Windows\System32\Tasks\Norton Security Scan for Audrey => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Security Scan for Audrey => Key deleted successfully.
C:\Program Files (x86)\Norton Security Scan => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{707645E4-B352-4F38-92E0-89167389011E} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{707645E4-B352-4F38-92E0-89167389011E} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BackgroundContainer Startup Task => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD84BF7E-E256-43F8-B256-B2EC28452332} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD84BF7E-E256-43F8-B256-B2EC28452332} => Key deleted successfully.
C:\Windows\System32\Tasks\Ad-Aware Update (Weekly) not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ad-Aware Update (Weekly) => Key deleted successfully.
"C:\Program Files (x86)\Lavasoft" => File/Directory not found.
C:\Windows\Tasks\Norton Security Scan for Audrey.job => Moved successfully.
 
"C:\Users\Audrey\AppData\Local\Temp" directory move:
 
C:\Users\Audrey\AppData\Local\Temp\AdobeARM.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\AdwCleaner.jpg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\ArmUI.ini => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Attach.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\au-descriptor-1.7.0_45-b18.xml => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_2108.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_2440.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_2444.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_4272.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_4320.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_4352.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_4512.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\bitrock_installer_4672.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Cleaning.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\DDS.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Donate.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_18fQhRyg2JEygVl => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\etilqs_4Tp8oDMqizUPopS" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\etilqs_6Bd5PHddClDYCuA => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_chNfLBSsHo2B9gI => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_io35AGQYaQF6fhQ => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_MhjtLbS7vM0tkVr => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_QRutTksc0QuFsYz => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_Vza3ACVYbZDX3zp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\fla4A19.tmp => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\GdiPlus.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\HitmanPro.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\info.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jusched.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\LuUpdater.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Microsoft.VC80.CRT.manifest => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Microsoft.VC80.MFC.manifest => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\msvcp80.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\msvcr80.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\QTInstallCode.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\qtsingleapp-camera-94b-1-lockfile => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\qtsingleapp-lwsexe-e418-1-lockfile => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Report.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Restarter.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Scan.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\SUA.msi => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\SUAComnCtrl.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\SUARefresh.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\ToolkitPro1331vc80U.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\ToolLauncher.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Uninstall.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\updates.ini => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\users00 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\UTEngine.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\UtilApplicationAgent.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\UtilityApplication.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\uttA000.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\uttA000.tmp.old => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\VerizonCM.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\VerizonCM_TL.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\VerizonINIFile.ini => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\wmplog00.sqm => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\wmplog01.sqm => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\wmplog02.sqm => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\wmplog03.sqm => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\wmsetup.log => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\_iu14D2N.tmp => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\svh6zg.tmp\0.odt" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\svh6zg.tmp\sv2ogfj.tmp" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\SUPERSetup\languages.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\SUPERSetup\setup.db3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\SUPERSetup\setup.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\Cookies-journal => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir776_4826\index => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\Cookies" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\Cookies-journal" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\index => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\Cookies-journal => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_0" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_1" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_2" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_3" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\index" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\Cookies-journal => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_0" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_1" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_2" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_3" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\index" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\Rar$EX00.666\TDSSKiller.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\khtfucee\khtfucee.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divFB4E.tmp\div2972.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divFB4E.tmp\divFD43.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divE648.tmp\div781D.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divE648.tmp\div7995.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divE648.tmp\divA180.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divE648.tmp\divEB.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divDC3A.tmp\divE36D.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divDC3A.tmp\divE762.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divC689.tmp\div2C5E.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divC689.tmp\divC726.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divA801.tmp\divAC65.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\divA801.tmp\divD8F2.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div86EA.tmp\div87F5.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div86EA.tmp\divAB9C.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div7177.tmp\div168.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div7177.tmp\div7BE4.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div3033.tmp\div35C0.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div3033.tmp\div8096.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div225E.tmp\div28B5.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\div225E.tmp\div68D2.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51\twapi-be29e7f1-71ae-4703-50cb-1d52be512f51.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Avg2014\imdhnk.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\6808_24897\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\6808_24897\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\6808_24897\manifest.json => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5952_2285\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5952_2285\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5952_2285\manifest.json => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5488_17311\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5488_17311\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5488_17311\manifest.json => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5056_32582\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5056_32582\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\5056_32582\manifest.json => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\4692_18747\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\4692_18747\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\4692_18747\manifest.json => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\1688_6013\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\1688_6013\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\1688_6013\manifest.json => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp" directory. => Scheduled to move on reboot.
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-03 18:21:04)<=
 
C:\Windows\system32\hbcei.myr => Moved successfully.
C:\Windows\system32\vlboe.ant => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_4Tp8oDMqizUPopS => Is moved successfully.
"C:\Users\Audrey\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => File could not move.
C:\Users\Audrey\AppData\Local\Temp\svh6zg.tmp\0.odt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\svh6zg.tmp\sv2ogfj.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3792_20245\Cookies-journal => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3652_18988\index => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3384_26424\index => Moved successfully.
"C:\Users\Audrey\AppData\Local\Temp" => Directory could not move.
 
==== End of Fixlog ====


#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 January 2014 - 08:48 PM

Hi,

Is the computer still playing the random audio ads?

Also I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

STEP 1

  • Please download RogueKiller.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded, go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.

STEP 4

1. Please download HitmanPro.

  • For 32-bit Operating System.
  • This is the mirror.
  • For 64-bit Operating System.
  • This is the mirror.

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

STEP 5

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

And then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi


#7 audreyd
  • Topic Starter
  • Members
  • 7 posts

Posted 03 January 2014 - 10:56 PM

Hi!

The computer has been playing the audio ads on and off today; it'll go for a few hours without any ads, and then if I restart the computer it will usually start up again.

I've also noticed that, starting today, whenever I do a Google search it will take me to a website called click.dealshark.com or fastdailyfind.com; then when I go back to Google and click the same link it will work normally.

Here's the RK report log:

http://pastebin.com/raw.php?i=AirjQv7s

Here's the TDSSKiller log:

pastebin.com/XWU6aVYf

MBAM log

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.03.07
 
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Audrey :: AUDREY-PC [administrator]
 
Protection: Disabled
 
1/3/2014 9:59:17 PM
mbam-log-2014-01-03 (21-59-17).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214201
Time elapsed: 11 minute(s), 51 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)

 

 
Hitman Log
 

HitmanPro 3.7.8.208
www.hitmanpro.com
 
   Computer name . . . . : AUDREY-PC
   Windows . . . . . . . : 6.1.0.7600.X64/2
   User name . . . . . . : Audrey-PC\Audrey
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Trial (27 days left)
 
   Scan date . . . . . . : 2014-01-03 22:25:34
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 13m 59s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 11
 
   Objects scanned . . . : 1,572,638
   Files scanned . . . . : 61,560
   Remnants scanned  . . : 439,913 files / 1,071,165 keys
 
Cookies _____________________________________________________________________
 
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:2o7.net
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.auditude.com
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:dmtracker.com
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:statcounter.com
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:uk.sitestat.com
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:warnerbros.112.2o7.net
   C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\Cookies:xiti.com
   C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Cookies\1LEES4S1.txt
   C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Cookies\ECRBUQI9.txt
   C:\Users\Audrey\AppData\Roaming\Microsoft\Windows\Cookies\WAKQU83T.txt
 
 
 
 
Checkup.txt
 

 Results of screen317's Security Check version 0.99.78  
 Windows 7  x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
AVG AntiVirus 2014   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 24  
 Java version out of Date! 
 Adobe Reader 10.1.2 Adobe Reader out of Date!  
 Mozilla Firefox (3.6.18) Firefox out of Date!  
 Google Chrome 31.0.1650.57  
 Google Chrome 31.0.1650.63  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 
 
 
 


#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:36 PM

Posted 04 January 2014 - 08:48 AM

Hello,

 

The logs look ok now but let's make a few checks just to be sure.

 

 

STEP 1

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

 

STEP 2

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

STEP 3

 

 

Please download a fresh copy of FRST from here, run a new scan and attach both logs to your next reply.

 

 

 

Regards,

Georgi




#9 audreyd

audreyd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 05 January 2014 - 09:35 PM

Sorry about the delay, I've been away from my computer for the weekend.  As of today, the audio ads are gone and CPU usage is back to a normal level.

 

AdwCleaner Log

 

# AdwCleaner v3.016 - Report created 05/01/2014 at 20:42:42

# Updated 23/12/2013 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : Audrey - AUDREY-PC
# Running from : C:\Users\Audrey\Downloads\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files (x86)\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16476
 
 
-\\ Mozilla Firefox v3.6.18 (en-US)
 
[ File : C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Audrey\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [38909 octets] - [30/12/2013 18:13:55]
AdwCleaner[R1].txt - [1214 octets] - [02/01/2014 23:13:44]
AdwCleaner[R2].txt - [1214 octets] - [05/01/2014 20:40:30]
AdwCleaner[S0].txt - [39308 octets] - [30/12/2013 18:16:57]
AdwCleaner[S1].txt - [1283 octets] - [02/01/2014 23:18:18]
AdwCleaner[S2].txt - [1138 octets] - [05/01/2014 20:42:42]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1198 octets] ##########
 
 
JRT.txt
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.9 (01.01.2014:1)
OS: Windows 7 Home Premium x64
Ran by Audrey on Sun 01/05/2014 at 20:50:27.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Audrey\appdata\local\best buy pc app"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/05/2014 at 21:02:42.75
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 

Attached Files



#10 audreyd

audreyd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 05 January 2014 - 09:43 PM

Thanks for all of your help!  I've also been noticing that for the past couple days, google has been taking me to random sites when I try to click on links.  It doesn't happen all the time, but it's enough to make me wonder what's been going on.  I've heard of the google redirect virus, but I don't know why it wouldn't be coming up in any of the scans that we've been doing.  Any thoughts?



#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:36 PM

Posted 06 January 2014 - 05:58 AM

Hello,

 

 

Registry Editor / Cleaner Warning !!


The following is referring to SlimCleanerPlus.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.

This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and it is up to the user, so just take this as a recommendation from my side.

For more information about why you should avoid using such programs please take a look here => Registry Cleaners and System Tweaking Tools

 

 

 

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous scale and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Libre Office or GIMP."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

 

 

As of today, the audio ads are gone and CPU usage is back to a normal level.

 

Yes, the patched.dll was replaced with a clean copy and the malware should be gone.

 

 

Thanks for all of your help!  I've also been noticing that for the past couple days, google has been taking me to random sites when I try to click on links.  It doesn't happen all the time, but it's enough to make me wonder what's been going on.  I've heard of the google redirect virus, but I don't know why it wouldn't be coming up in any of the scans that we've been doing.  Any thoughts?

 

I didn't notice any of the symptoms caused by the Google redirect virus, but I saw an entry which looks like Trojan.Tracur or Trojan.Medfos and we should take care of it.

 

 

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

Next go ahead and reset Internet Explorer

 

http://support.microsoft.com/kb/923737

 

Google Chrome

 

https://support.google.com/chrome/answer/3296214?hl=en

 

and Mozilla Firefox

 

https://support.mozilla.org/bg/kb/reset-preferences-fix-problems

 

and see if the problem still exist.

 

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 06 January 2014 - 05:59 AM.



#12 audreyd

audreyd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 06 January 2014 - 01:09 PM

I think that did the trick!  Thank you so much for all of your help, I was really at the end of my rope with this one!

 

Fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-01-2014

Ran by Audrey at 2014-01-06 12:31:54 Run:2
Running from C:\Users\Audrey\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKCU\...\Run: [Avg2014] - rundll32 "C:\Users\Audrey\AppData\Local\Temp\Avg2014\imdhnk.dll",DllRegisterServer <===== ATTENTION
C:\Users\Audrey\AppData\Local\Temp\Avg2014\imdhnk.dll
FF Extension: No Name - C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default\Extensions\{12a9db21-42a2-492d-a85c-cdde0c88b608}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\13118448.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SophosVirusRemovalTool => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\13118448.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SophosVirusRemovalTool => ""="Service"
C:\Users\Audrey\AppData\Local\Temp
end
*****************
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Avg2014 => Value deleted successfully.
"C:\Users\Audrey\AppData\Local\Temp\Avg2014\imdhnk.dll" => File/Directory not found.
C:\Users\Audrey\AppData\Roaming\Mozilla\Firefox\Profiles\q3mzci01.default\Extensions\{12a9db21-42a2-492d-a85c-cdde0c88b608} => Moved successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\13118448.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SophosVirusRemovalTool => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\13118448.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SophosVirusRemovalTool => Key deleted successfully.
 
"C:\Users\Audrey\AppData\Local\Temp" directory move:
 
C:\Users\Audrey\AppData\Local\Temp\AdwCleaner.jpg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Cleaning.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Donate.ico => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\etilqs_aNxOGy4sYgGNV4c" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\etilqs_CVVxvvi9VhEYmd7" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\etilqs_QyFyr4MQcZAEDer => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_rFWsSWlZus7Amhw => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\JRT.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Report.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\RK_Mtx => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Scan.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\Uninstall.ico => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\users00 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\sv34njm.tmp\0.odt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\sv34njm.tmp\sv34tka.tmp => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\Cookies-journal => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4652_23822\index => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\Cookies" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\Cookies-journal" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\index => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\Cookies-journal => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_0" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_1" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_2" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_3" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\index" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\Cookies-journal => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_0" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_1" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_2" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_3" => Scheduled to move on reboot.
Could not move "C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\index" => Scheduled to move on reboot.
C:\Users\Audrey\AppData\Local\Temp\jrt\APPID_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\APPID_files.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\appinit64_null.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\appinit_null.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\APPPATHS.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\ask.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\askCLSID.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\askregkey_x64.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\askregkey_x86.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\askregvalue_x64.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\askregvalue_x86.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\askservices.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\badAPPINIT.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\badFOLDERS.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\badFOLDERScom.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\badFOLDERSstart.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\badLNK.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\badvalues.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\BHO_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\BHO_name.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\browsermngr_keys.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\browsermngr_values.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CHOICE.DAT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\chrome.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CHRregkey_x64.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CHRregkey_x86.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CHR_extensions.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CHR_open_x64.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CHR_open_x86.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\clean_shortcut.vbs => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CLSID_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\currentmd5.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\CUT.DAT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\datamngr_del.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\defaultscope.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\delfolders.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\delorphans.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\ELEVATIONPOLICY_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\ev_clear.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\EXT.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFbrowsermngr.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFextensions.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFpluginREG.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFplugins.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFprefs.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFregkey_x64.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFregkey_x86.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFwhtlist.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFXML.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FFXPI.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FF_open_x64.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FF_open_x86.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\firefox.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FWCLSID.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\FWPolicy.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\get.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\IEwhtlst.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\iexplore.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\IE_open_x64.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\IE_open_x86.reg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\IFEO.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\INTERFACE_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\JRT.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\medfos.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\MENUEXT.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\misc.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\modules.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\modules.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\moduleservices.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\newmd5.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\NIRCMD.DAT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\NOTIFY.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\PREAPPROVED_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\prelim.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\PRODUCTS.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGhcr.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGhkcu_and_hklm_allow.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGhkcu_and_hklm_software.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGhkcu_software_appdatalow.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGhkcu_software_microsoft.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGhklm_software_classes.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\REGISTRYUSERSID.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\runvalues.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\runvalues_x64.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\runvalues_x86.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\S1518COMPONENTS.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\searchlnk.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\SED.DAT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\sednewline.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\services.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\serviceseventlog.cfg => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\SETTINGS_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\SHORTCUT.DAT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\STATS_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\TDL4.bat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\TRACING.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\TYPELIB_clsid.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\UNINSTALL.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\UpgradeCodes.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\WGET.DAT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\WOW6432NODE.dat => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\temp\null.txt => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\ERDNT.E_E => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\ERDNTDOS.LOC => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\ERDNTWIN.LOC => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\ERUNT.EXE => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\ERUNT.EXE.manifest => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\ERUNT.LOC => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\jrt\erunt\README.TXT => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\4016_11211\crl-set => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\4016_11211\manifest.fingerprint => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\4016_11211\manifest.json => Moved successfully.
Could not move "C:\Users\Audrey\AppData\Local\Temp" directory. => Scheduled to move on reboot.
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-06 12:35:51)<=
 
C:\Users\Audrey\AppData\Local\Temp\etilqs_aNxOGy4sYgGNV4c => Is moved successfully.
C:\Users\Audrey\AppData\Local\Temp\etilqs_CVVxvvi9VhEYmd7 => Is moved successfully.
"C:\Users\Audrey\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => File could not move.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\Cookies => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4504_21415\Cookies-journal => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir4332_28700\index => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_0 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_1 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_2 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\data_3 => Moved successfully.
C:\Users\Audrey\AppData\Local\Temp\scoped_dir3848_18670\index => Moved successfully.
"C:\Users\Audrey\AppData\Local\Temp" => Directory could not move.
 
==== End of Fixlog ====
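The fixlist above removed two kinds of persistence by hand: an HKCU Run value that launched `rundll32` on a DLL sitting in `%LOCALAPPDATA%\Temp` under a name chosen to look like AVG, and SafeBoot entries (`13118448.sys`) that would keep a driver loading even in Safe Mode. The following PowerShell script is an added example, not part of this thread or of FRST, that checks a machine for the same two patterns so they can be spotted before a fix is written. It is read-only, assumes Windows PowerShell 2.0 or later (the version shipped with Windows 7), and its path and loader patterns are this example's own heuristics: a hit is a cue for a closer look, not a verdict.

```powershell
# Added example (not from the thread): triage autorun and SafeBoot persistence.
# Read-only; nothing is deleted. Written for Windows PowerShell 2.0+.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristics (this example's assumptions): a legitimate autorun rarely loads
# code from a user-writable directory, and "rundll32 <dll>,DllRegisterServer"
# from %TEMP% is exactly the pattern the fixlist above removed.
$SuspiciousPath = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\'
$LoaderPattern  = '\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?\b'

function Test-SuspiciousAutorun {
    param([string]$Command)
    $hits = @()
    if ($Command -match $SuspiciousPath)     { $hits += 'user-writable path' }
    if ($Command -match $LoaderPattern)      { $hits += 'script/DLL loader' }
    if ($Command -match 'DllRegisterServer') { $hits += 'DllRegisterServer export' }
    return ,$hits   # leading comma keeps an empty array from collapsing to $null
}

"== Run/RunOnce values worth a look =="
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
        if ('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' -contains $p.Name) { continue }
        $reasons = @(Test-SuspiciousAutorun -Command ([string]$p.Value))
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $p.Value; Reasons = ($reasons -join ', ')
            }
        }
    }
}

# SafeBoot\Minimal and SafeBoot\Network list what may load in Safe Mode. Each
# subkey is a service name, a driver file name, a load-order group, or a device
# class GUID. A name that matches none of the installed services or groups
# (like the numeric 13118448.sys above) deserves a look.
"== SafeBoot entries with no matching service or group =="
$services  = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'
$installed = $services | ForEach-Object { $_.PSChildName }
$groups    = $services |
    ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Group } |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($profile in 'Minimal', 'Network') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
    if (-not (Test-Path $base)) { continue }
    Get-ChildItem $base | ForEach-Object {
        $name = $_.PSChildName
        if ($name -match '^\{[0-9A-Fa-f-]+\}$') { return }      # device class GUID
        if ($groups -contains $name)            { return }      # load-order group
        $stem = [IO.Path]::GetFileNameWithoutExtension($name)
        if (($installed -notcontains $name) -and ($installed -notcontains $stem)) {
            New-Object PSObject -Property @{ Profile = $profile; Entry = $name; Value = (Get-ItemProperty $_.PSPath).'(default)' }
        }
    }
}
```

Run it in a PowerShell prompt on the machine being examined (an elevated prompt is not required for reading these keys). On the system in this thread the first section would have reported the `Avg2014` value with all three reasons, and the second section the two `13118448.sys` entries; the Sophos removal tool's own SafeBoot entries would also appear unless that tool's service is still installed, which is why the output is a list to review rather than something to delete blindly.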


#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:36 PM

Posted 06 January 2014 - 07:25 PM

Hi,

 

 

I am glad to hear that things are better.

  • Now can you please go to C:\FRST\Quarantine and right click on the file => imdhnk.dll, select send to compressed(zip) folder that will make a zipped copy of this file.
  • Then please upload it to www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit to antivirus companies if needed.
  • After that please delete the zip files you just created.

 

 

UPDATING TASKS

 

Please create a new restore point and then download and install Service Pack 1 for Windows 7 from here.

 

 

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 11.0.04 to your PC's desktop.
 

  • Uninstall Adobe Reader 10.1.2 via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.
  • Also please download and install the following update 11.0.05

Note that the McAfee Security scan is prechecked. You may wish to uncheck it before downloading.

 

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.
 

  • Download the latest version of Java SE 7.
  • Click the Java™ 7 Update 45 "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-7u45-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java:
    Java™ 6 Update 24
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/Windows 7 users, right click on the jre-7u45-windows-i586.exe and select "Run as an Administrator.")

 

Or you can simply uninstall Java and avoid reinstalling it unless it is absolutely required by your applications (it's your call)...
 
http://www.techsuppo...ell-the-coffee/
 
 
Next please run JavaRa.

  • Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and from the drop-down menu select any Java version (if listed) and press Run Uninstaller. (If Java is not listed please click on Next).
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extensions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's successfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.

 

 

Your Mozilla Firefox is out of date!
Download and install the latest version Mozilla Firefox 26 Final for Windows
Do a backup of your existing profile using Mozbackup or FEBE before you proceed with the update.

 

  • It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.  
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector, or you can use the following application for this purpose: PatchMyPC

 

 

Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.  
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

 

When done please post a new log from SecurityCheck.

I'll give you my final recommendations in the next post. :)

 

 

Regards,

Georgi


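The post above lists three programs to bring up to date, relying on the Security Check log to say which versions are installed. The PowerShell script below is an added example, not part of this thread or of any of the tools it mentions, that reads the installed versions itself from both the 64-bit and the 32-bit Uninstall hives and compares them with a minimum. The minimum versions are this example's assumptions taken from the post (Java 7 Update 45, Adobe Reader 11.0.05, Firefox 26), as is the mapping of Java 7 Update 45 to the registry DisplayVersion string `7.0.450`; adjust them to whatever is current when you run it. Written for Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): report installed versions of the programs
# named above and flag the ones below an assumed minimum. Read-only.

$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

# DisplayName regex -> minimum acceptable DisplayVersion (assumptions, see lead-in).
$Minimums = @{
    '^Java\(TM\)|^Java \d' = '7.0.450'   # assumed encoding of Java 7 Update 45
    '^Adobe Reader'        = '11.0.05'
    '^Mozilla Firefox'     = '26.0'
}

function Get-InstalledSoftware {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p -and $p.DisplayName) {
                New-Object PSObject -Property @{
                    Name    = $p.DisplayName
                    Version = [string]$p.DisplayVersion
                    Source  = $key
                }
            }
        }
    }
}

function Test-Outdated([string]$Have, [string]$Want) {
    # $true when the installed version is older than the minimum, $null when
    # either string is not a clean a.b.c(.d) version that [version] can parse.
    try { $h = [version]$Have; $w = [version]$Want } catch { return $null }
    return ($h -lt $w)
}

foreach ($app in Get-InstalledSoftware) {
    foreach ($pattern in $Minimums.Keys) {
        if ($app.Name -match $pattern) {
            $old   = Test-Outdated $app.Version $Minimums[$pattern]
            $state = if ($old -eq $null) { 'unknown' } elseif ($old) { 'OUTDATED' } else { 'ok' }
            "{0,-9} {1,-45} {2,-12} (minimum {3})" -f $state, $app.Name, $app.Version, $Minimums[$pattern]
        }
    }
}
```

On the machine in this thread this would have printed Java(TM) 6 Update 24, Adobe Reader X (10.1.2) and Mozilla Firefox 3.6.18 as OUTDATED. Checking the Wow6432Node hive matters on a 64-bit Windows, because 32-bit programs such as the Java JRE and Adobe Reader register there, not under the 64-bit Uninstall key.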


#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:36 PM

Posted 11 January 2014 - 05:40 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





