
"Name Not Available" playing various ad audio


This topic is locked
18 replies to this topic

#1 Zorbis (Members)

Posted 05 January 2014 - 07:33 PM

I've actually already seen this problem handled here, and while trying to follow one of the solutions I realized that I might need some personal help.
 
The computer already had a lot of assorted malware that has been (mostly) dealt with using Malwarebytes and Spybot S&D scans, though this problem persists (also, a "MyPC Backup" PUP that's yet to go away, as the files that need to be deleted are always in use apparently).
 
My main concern though is the audio issue. It plays sounds from what I assume are ads, before I even have the chance to launch Firefox (I thought it could've just been an ad or hidden pop-up window at first). The only thing I've been able to connect it to is the "Name Not Available" option in the audio mixer, which, when muted, causes it to stop, though I'd rather eliminate the problem completely than just mute it and pretend that it's not there.
 
DDS Log:
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.45.2
Run by sheila at 18:26:02 on 2014-01-05
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3032.791 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\sheila\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
LSP: C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{3D5B2344-A153-4405-BEC6-942CB5843C3A} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{3D5B2344-A153-4405-BEC6-942CB5843C3A}\34963736F66393937353 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3D5B2344-A153-4405-BEC6-942CB5843C3A}\641637477596C6C6F677D27657563747 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{3D5B2344-A153-4405-BEC6-942CB5843C3A}\75869647560516E64616 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{729D38C1-DA61-43D5-98FE-4C0AD4F86568} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3316074&CUI=UN28461369103101322&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxps://idm.east.cox.net/coxlogin/ui/webmail?TYPE=33554432&REALMOID=06-7c148874-a6e4-100b-825f-8481a2040cb3&GUID=1&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-6Ju5JqjXiOZJoKYxdXmKDPrElnx1sjmfKZGvYCUoNVMGLvEkRM4E7wXi%2fGFCBKcQ&TARGET=-SM-http%3a%2f%2fwebmail%2eeast%2ecox%2enet%2fdo%2fmail%2ffolder%2fview
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3316074&SearchSource=2&CUI=UN28461369103101322&UM=2&q=
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMSS.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll
FF - plugin: C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\extensions\{ecf9d4ae-b571-42c2-9745-74fdb8b0d27a}\plugins\np-mswmp.dll
FF - plugin: C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\extensions\{ecf9d4ae-b571-42c2-9745-74fdb8b0d27a}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-11-07 14:37; firefox@rolimno.net; C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\extensions\firefox@rolimno.net.xpi
FF - ExtSQL: 2013-11-21 11:58; {ecf9d4ae-b571-42c2-9745-74fdb8b0d27a}; C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\extensions\{ecf9d4ae-b571-42c2-9745-74fdb8b0d27a}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: extensions.autoDisableScopes - 0
FF - user.js: extensions.shownSelectionUI - true
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-8-14 28600]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-8-14 108440]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2010-8-10 172704]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-1-5 25928]
R3 NMgamingmsFltr;USB Optical Mouse;C:\Windows\System32\drivers\NMgamingms.sys [2009-7-24 11264]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-6-25 215552]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2010-6-25 393728]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-7 59392]
.
=============== Created Last 30 ================
.
2014-01-05 18:55:16    --------    d-----w-    C:\Users\sheila\AppData\Roaming\Malwarebytes
2014-01-05 18:54:10    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-01-05 18:53:45    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-01-05 18:53:44    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2013-12-19 02:29:19    84720    ----a-w-    C:\Windows\System32\drivers\avnetflt.sys
2013-12-19 02:29:19    108440    ----a-w-    C:\Windows\System32\drivers\avgntflt.sys
2013-12-13 03:11:12    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-13 03:11:12    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-17 00:45:28    499712    ----a-w-    C:\Windows\SysWow64\msvcp71.dll
2013-11-17 00:45:28    348160    ----a-w-    C:\Windows\SysWow64\msvcr71.dll
2013-10-08 12:50:37    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
============= FINISH: 18:28:15.39 ===============

Edited by Queen-Evie, 05 January 2014 - 08:24 PM.
moved from Windows 7 to Malware Removal Logs, which is the only forum DDS logs are allowed in


#2 etavares (Bleepin' Remover, Malware Response Team)

Posted 08 January 2014 - 08:54 PM

Hello, Zorbis.
My name is etavares and I will be helping you with this log.
 
Here are some guidelines to ensure we are able to get your machine back under your control.
 
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!
 
Step 1
 
Please download Farbar Recovery Scan Tool and save it to a flash drive.
 
Plug the flash drive into the infected PC.
 
If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
 
If you are using Vista or Windows 7 enter System Recovery Options.
 
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
 
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
 
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
 
Select Command Prompt
 
Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
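Once the procedure above produces FRST.txt, the helper's real work is reading its "One Month Created/Modified Files and Folders" sections. As an added example (my code, not etavares's instructions and not part of FRST), the Python below parses those sections, handling the reversed date order of the Modified section, and flags recently created files under C:\Windows\System32 that merit a closer look; the sample lines are copied from the FRST log posted later in this thread, and the extension list and 30-day window are my assumptions.

```python
"""Triage the one-month file sections of an FRST.txt log (added example; the
extension lists and 30-day window below are my assumptions, not FRST's)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One file line: <date1> - <date2> - <size> <attrs> [(<publisher>)] <path>
# In the "Created" section date1 is the creation time and date2 the last write;
# the "Modified" section reverses them, so the parser tracks which section it is in.
FILE_LINE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\)\s+)?(?P<path>\S.*?)\s*$"
)
SECTION = re.compile(r"^=+ One Month (?P<kind>Created|Modified) Files and Folders =+$")
DATE_FMT = "%Y-%m-%d %H:%M"
SYSTEM32 = "c:\\windows\\system32\\"
# Extensions normally seen under System32 (assumed list); a fresh file with any
# other extension (wjeh.blp, bplib.alh, ... in the posted log) stands out at once.
KNOWN_EXT = {"dll", "exe", "sys", "ocx", "cpl", "drv", "mui", "log", "ini", "dat", "txt", "xml"}
EXECUTABLE_EXT = {"dll", "exe", "sys", "ocx", "cpl", "drv"}

@dataclass(frozen=True)
class FrstFile:
    created: datetime
    modified: datetime
    size: int
    attrs: str      # five flag characters, e.g. "____D" for a directory
    company: str    # "" when FRST printed no publisher
    path: str

def parse_frst(text: str) -> list[FrstFile]:
    """Parse the two one-month sections; lines outside them are ignored."""
    entries: list[FrstFile] = []
    kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):            # any section heading
            sec = SECTION.match(line)
            kind = sec.group("kind") if sec else None
            continue
        m = FILE_LINE.match(line)
        if not (kind and m):
            continue
        d1, d2 = (datetime.strptime(m[k], DATE_FMT) for k in ("d1", "d2"))
        created, modified = (d1, d2) if kind == "Created" else (d2, d1)
        entries.append(FrstFile(created, modified, int(m["size"]), m["attrs"],
                                (m["company"] or "").strip(), m["path"]))
    return entries

def reasons_for(f: FrstFile, scan_time: datetime, max_age: timedelta) -> list[str]:
    """Why this file deserves a look; an empty list means no concern."""
    low = f.path.lower()
    if "D" in f.attrs or not low.startswith(SYSTEM32):
        return []
    if scan_time - f.created > max_age:
        return []       # old file that merely changed, e.g. Windows' own caches
    rel = low[len(SYSTEM32):]
    name = rel.rsplit("\\", 1)[-1]
    ext = name.rpartition(".")[2] if "." in name else ""
    reasons = []
    if rel.startswith("tasks\\"):
        reasons.append("new scheduled task")   # task files carry no extension
    elif ext not in KNOWN_EXT:
        reasons.append(f"unusual extension .{ext or '(none)'}")
    if ext in EXECUTABLE_EXT and not f.company:
        reasons.append("unsigned executable")
    if "S" in f.attrs:
        reasons.append("system attribute set")
    return reasons

def triage(text: str, scan_time: datetime, max_age_days: int = 30) -> dict[str, list[str]]:
    """Map each suspicious System32 path to its reasons (deduplicated across sections)."""
    flagged: dict[str, list[str]] = {}
    for f in parse_frst(text):
        if f.path not in flagged:
            why = reasons_for(f, scan_time, timedelta(days=max_age_days))
            if why:
                flagged[f.path] = why
    return flagged

# Constructed sample: lines copied from the FRST log posted in this thread, plus
# an old Windows file in the Modified section that must not be flagged.
SAMPLE_FRST = r"""
==================== One Month Created Files and Folders ========
2014-01-09 09:22 - 2014-01-09 09:22 - 00000000 ____D C:\FRST
2014-01-05 18:28 - 2014-01-05 18:28 - 00016213 _____ C:\Users\sheila\Desktop\dds.txt
2014-01-05 12:53 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-01-04 15:31 - 2014-01-04 15:31 - 00037376 _____ C:\Windows\System32\wjeh.blp
2014-01-04 15:21 - 2014-01-09 10:00 - 00000083 _____ C:\Windows\System32\bplib.alh
2014-01-04 15:20 - 2014-01-04 15:31 - 00000097 _____ C:\Windows\System32\tzhpkte.xju
2014-01-04 15:20 - 2014-01-04 15:20 - 00000064 _____ C:\Windows\System32\ipzqbo.kep
2014-01-04 10:31 - 2014-01-04 10:31 - 00219314 ____S C:\Windows\System32\tjfhubt.rsg
2013-12-15 09:28 - 2013-12-15 09:28 - 00004030 _____ C:\Windows\System32\Tasks\LaunchApp
==================== One Month Modified Files and Folders =======
2014-01-09 10:07 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-09 10:00 - 2014-01-04 15:21 - 00000083 _____ C:\Windows\System32\bplib.alh
"""
SCAN_TIME = datetime(2014, 1, 9, 9, 22)    # "Ran by SYSTEM ... on 09-01-2014 09:22:18"
```

Calling `triage(SAMPLE_FRST, SCAN_TIME)` returns the five random-named System32 files and the new LaunchApp task with their reasons, while mbam.sys (signed, known extension) and the 2009-vintage Windows file (old creation date) are not flagged.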
     


#3 Zorbis (Topic Starter)

Posted 09 January 2014 - 11:31 AM

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-01-2014 01
    Ran by SYSTEM on MININT-9R634G9 on 09-01-2014 09:22:18
    Running from E:\FARBAR
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-25] (IDT, Inc.)
    HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE [4968960 2009-07-16] (Dell Inc.)
    HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\quickset.exe [3180624 2009-07-02] (Dell Inc.)
    HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
    HKLM-x32\...\Run: [DellSupportCenter] - "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
    HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
    HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [684600 2013-12-18] (Avira Operations GmbH & Co. KG)
    HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)
    HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [295512 2013-11-16] (RealNetworks, Inc.)
    HKLM-x32\...\Runonce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [x]
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKU\sheila\...\Run: [] - [x]
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
    Startup: C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

    ==================== Services (Whitelisted) =================

    S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440376 2013-12-18] (Avira Operations GmbH & Co. KG)
    S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
    S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [1011768 2013-12-18] (Avira Operations GmbH & Co. KG)
    S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
    S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
    S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe [244736 2010-02-25] (IDT, Inc.)
    S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE [33280 2009-07-16] ()
    S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-18] (Avira Operations GmbH & Co. KG)
    S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-18] (Avira Operations GmbH & Co. KG)
    S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-10-07] (Avira Operations GmbH & Co. KG)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
    S3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [11264 2009-07-24] (Primax Ltd)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2014-01-09 09:22 - 2014-01-09 09:22 - 00000000 ____D C:\FRST
    2014-01-05 18:28 - 2014-01-05 18:28 - 00016213 _____ C:\Users\sheila\Desktop\dds.txt
    2014-01-05 18:28 - 2014-01-05 18:28 - 00007952 _____ C:\Users\sheila\Desktop\attach.txt
    2014-01-05 18:25 - 2014-01-05 18:25 - 00688992 ____R (Swearware) C:\Users\sheila\Downloads\dds.com
    2014-01-05 18:18 - 2014-01-05 18:20 - 00012630 _____ C:\Users\sheila\Downloads\hijackthis.log
    2014-01-05 18:17 - 2014-01-05 18:17 - 00388608 _____ (Trend Micro Inc.) C:\Users\sheila\Downloads\HijackThis.exe
    2014-01-05 17:44 - 2014-01-05 17:44 - 00000000 ____D C:\Users\sheila\AppData\Roaming\vlc
    2014-01-05 15:49 - 2014-01-05 15:49 - 00002584 _____ C:\Windows\wininit.ini
    2014-01-05 12:55 - 2014-01-05 12:55 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Malwarebytes
    2014-01-05 12:54 - 2014-01-05 12:54 - 00000000 ____D C:\ProgramData\Malwarebytes
    2014-01-05 12:53 - 2014-01-05 12:54 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-05 12:53 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2014-01-05 12:52 - 2014-01-05 12:52 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\sheila\Downloads\mbam-setup-1.75.0.1300.exe
    2014-01-05 12:12 - 2014-01-05 12:12 - 00001266 _____ C:\Users\sheila\Desktop\Revo Uninstaller.lnk
    2014-01-04 15:31 - 2014-01-04 15:31 - 00037376 _____ C:\Windows\System32\wjeh.blp
    2014-01-04 15:21 - 2014-01-09 10:00 - 00000083 _____ C:\Windows\System32\bplib.alh
    2014-01-04 15:20 - 2014-01-04 15:31 - 00000097 _____ C:\Windows\System32\tzhpkte.xju
    2014-01-04 15:20 - 2014-01-04 15:20 - 00000064 _____ C:\Windows\System32\ipzqbo.kep
    2014-01-04 10:31 - 2014-01-04 10:31 - 00219314 ____S C:\Windows\System32\tjfhubt.rsg
    2013-12-20 19:33 - 2014-01-05 12:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-12-15 09:28 - 2013-12-15 09:28 - 00004030 _____ C:\Windows\System32\Tasks\LaunchApp

    ==================== One Month Modified Files and Folders =======

    2014-01-09 10:13 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2014-01-09 10:13 - 2009-07-13 22:51 - 00128794 _____ C:\Windows\setupact.log
    2014-01-09 10:12 - 2009-07-13 23:10 - 01717828 _____ C:\Windows\WindowsUpdate.log
    2014-01-09 10:11 - 2012-06-10 19:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-01-09 10:07 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-01-09 10:07 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-01-09 10:00 - 2014-01-04 15:21 - 00000083 _____ C:\Windows\System32\bplib.alh
    2014-01-09 09:22 - 2014-01-09 09:22 - 00000000 ____D C:\FRST
    2014-01-06 14:56 - 2010-09-01 18:43 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Skype
    2014-01-05 18:28 - 2014-01-05 18:28 - 00016213 _____ C:\Users\sheila\Desktop\dds.txt
    2014-01-05 18:28 - 2014-01-05 18:28 - 00007952 _____ C:\Users\sheila\Desktop\attach.txt
    2014-01-05 18:25 - 2014-01-05 18:25 - 00688992 ____R (Swearware) C:\Users\sheila\Downloads\dds.com
    2014-01-05 18:20 - 2014-01-05 18:18 - 00012630 _____ C:\Users\sheila\Downloads\hijackthis.log
    2014-01-05 18:17 - 2014-01-05 18:17 - 00388608 _____ (Trend Micro Inc.) C:\Users\sheila\Downloads\HijackThis.exe
    2014-01-05 17:44 - 2014-01-05 17:44 - 00000000 ____D C:\Users\sheila\AppData\Roaming\vlc
    2014-01-05 17:42 - 2013-11-28 08:11 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
    2014-01-05 15:56 - 2010-08-10 23:33 - 00152072 _____ C:\Windows\PFRO.log
    2014-01-05 15:50 - 2013-11-28 08:11 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2014-01-05 15:49 - 2014-01-05 15:49 - 00002584 _____ C:\Windows\wininit.ini
    2014-01-05 15:21 - 2010-08-19 17:35 - 00000000 ____D C:\users\sheila
    2014-01-05 14:15 - 2013-11-21 06:59 - 00000000 ____D C:\ProgramData\Conduit
    2014-01-05 14:00 - 2010-08-25 15:39 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Vezyp
    2014-01-05 12:55 - 2014-01-05 12:55 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Malwarebytes
    2014-01-05 12:54 - 2014-01-05 12:54 - 00000000 ____D C:\ProgramData\Malwarebytes
    2014-01-05 12:54 - 2014-01-05 12:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-05 12:52 - 2014-01-05 12:52 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\sheila\Downloads\mbam-setup-1.75.0.1300.exe
    2014-01-05 12:20 - 2013-12-20 19:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2014-01-05 12:19 - 2013-11-16 18:47 - 00000000 ____D C:\ProgramData\DivX
    2014-01-05 12:15 - 2013-11-16 18:48 - 00000000 ____D C:\Program Files (x86)\DivX
    2014-01-05 12:14 - 2013-11-16 18:49 - 00000000 ____D C:\Program Files\DivX
    2014-01-05 12:12 - 2014-01-05 12:12 - 00001266 _____ C:\Users\sheila\Desktop\Revo Uninstaller.lnk
    2014-01-04 15:31 - 2014-01-04 15:31 - 00037376 _____ C:\Windows\System32\wjeh.blp
    2014-01-04 15:31 - 2014-01-04 15:20 - 00000097 _____ C:\Windows\System32\tzhpkte.xju
    2014-01-04 15:20 - 2014-01-04 15:20 - 00000064 _____ C:\Windows\System32\ipzqbo.kep
    2014-01-04 10:31 - 2014-01-04 10:31 - 00219314 ____S C:\Windows\System32\tjfhubt.rsg
    2014-01-04 10:31 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\sysprep
    2013-12-22 12:52 - 2009-07-13 23:08 - 00032560 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2013-12-21 16:15 - 2012-07-09 23:00 - 00000000 ___RD C:\Program Files (x86)\Skype
    2013-12-21 16:15 - 2010-08-10 21:50 - 00000000 ____D C:\ProgramData\Skype
    2013-12-21 06:17 - 2013-11-16 18:44 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Real
    2013-12-21 05:38 - 2012-10-01 15:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-12-18 20:29 - 2013-08-14 18:59 - 00084720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
    2013-12-18 20:29 - 2013-08-14 18:57 - 00131576 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
    2013-12-18 20:29 - 2013-08-14 18:57 - 00108440 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
    2013-12-15 09:28 - 2013-12-15 09:28 - 00004030 _____ C:\Windows\System32\Tasks\LaunchApp
    2013-12-12 21:11 - 2012-06-10 19:21 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-12-12 21:11 - 2012-06-10 19:21 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2013-12-12 21:11 - 2011-05-15 18:42 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-12-12 06:36 - 2012-12-11 19:26 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-12-12 06:36 - 2009-07-14 01:44 - 00000000 ___RD C:\Users\Public\Recorded TV
    2013-12-12 06:36 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration
    2013-12-12 06:33 - 2013-11-21 06:59 - 00000000 ____D C:\Program Files (x86)\Conduit

    Some content of TEMP:
    ====================
    C:\Users\sheila\AppData\Local\Temp\avgnt.exe


    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll
    [2011-06-07 19:34] - [2010-11-20 07:27] - 0512512 ____A (Microsoft Corporation) 37444D1164301F66135BE0DA395014B8

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points  =========================

    Restore point made on: 2013-11-21 19:44:27
    Restore point made on: 2013-11-28 07:36:08
    Restore point made on: 2013-11-28 07:40:18
    Restore point made on: 2013-11-28 07:44:34
    Restore point made on: 2013-11-28 07:48:37
    Restore point made on: 2013-11-28 07:49:41
    Restore point made on: 2013-11-28 07:51:56
    Restore point made on: 2013-11-28 07:54:48
    Restore point made on: 2013-11-28 07:57:19
    Restore point made on: 2013-11-28 07:59:52
    Restore point made on: 2013-11-28 08:09:07
    Restore point made on: 2013-12-13 20:50:31
    Restore point made on: 2014-01-05 12:12:58
    Restore point made on: 2014-01-05 12:19:59
    Restore point made on: 2014-01-05 12:24:25
    Restore point made on: 2014-01-05 12:27:07
    Restore point made on: 2014-01-05 12:30:59
    Restore point made on: 2014-01-05 12:35:50
    Restore point made on: 2014-01-05 12:39:18
    Restore point made on: 2014-01-05 12:43:57
    Restore point made on: 2014-01-05 13:59:46
    Restore point made on: 2014-01-05 21:32:17

    ==================== Memory info ===========================

    Percentage of memory in use: 18%
    Total physical RAM: 3032.36 MB
    Available physical RAM: 2478.41 MB
    Total Pagefile: 3030.51 MB
    Available Pagefile: 2498.29 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.88 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:239.52 GB) NTFS
    Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.09 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive e: () (Removable) (Total:1.83 GB) (Free:1.71 GB) FAT
    Drive f: (1000335524) (CDROM) (Total:6.18 GB) (Free:0 GB) UDF
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 298 GB) (Disk ID: DCE8681E)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=283 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (Size: 2 GB) (Disk ID: 00000000)
    Partition 1: (Not Active) - (Size=2 GB) - (Type=06)


    LastRegBack: 2013-06-12 12:56

    ==================== End Of Log ============================
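The five System32 entries in the listing above that the helper later puts in the fixlist (wjeh.blp, bplib.alh, tzhpkte.xju, ipzqbo.kep, tjfhubt.rsg) share one shape: dropped straight into C:\Windows\System32, random name, extension Windows never uses, no version-info company string, and created in two bursts on 2014-01-04. One detail worth knowing when reading FRST output is that the two timestamp columns are swapped between the "One Month Created Files" and "One Month Modified Files" sections. The Python below is an added example for this thread (not part of the original posts and not FRST's own code) that applies that rule to a handful of listing lines copied from the log above. The extension allowlist, the decision to ignore System32 subfolders, and the allowlisting of the stock software-protection cache file (the GUID-named entry) are the example's own choices.

```python
"""Triage FRST 'One Month ... Files and Folders' listing lines.

Added example for this thread; not part of the original posts and not FRST code.
"""
import re
from collections import defaultdict

# One listing line: "<stamp1> - <stamp2> - <size> <attrs> [(company)] <path>".
# FRST swaps the stamp columns between its two sections: in "One Month Created
# Files" stamp1 is the creation time; in "One Month Modified Files" stamp1 is
# the modification time and stamp2 the creation time.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\)\s+)?"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Excerpt of the "One Month Modified Files" section posted above (copied, not invented).
SAMPLE = r"""
2014-01-09 10:07 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-09 10:00 - 2014-01-04 15:21 - 00000083 _____ C:\Windows\System32\bplib.alh
2014-01-05 15:56 - 2010-08-10 23:33 - 00152072 _____ C:\Windows\PFRO.log
2014-01-04 15:31 - 2014-01-04 15:31 - 00037376 _____ C:\Windows\System32\wjeh.blp
2014-01-04 15:31 - 2014-01-04 15:20 - 00000097 _____ C:\Windows\System32\tzhpkte.xju
2014-01-04 15:20 - 2014-01-04 15:20 - 00000064 _____ C:\Windows\System32\ipzqbo.kep
2014-01-04 10:31 - 2014-01-04 10:31 - 00219314 ____S C:\Windows\System32\tjfhubt.rsg
2014-01-04 10:31 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-12-18 20:29 - 2013-08-14 18:59 - 00084720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2013-12-15 09:28 - 2013-12-15 09:28 - 00004030 _____ C:\Windows\System32\Tasks\LaunchApp
2013-12-12 21:11 - 2012-06-10 19:21 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # both 20 chars long
# Extensions a file sitting directly in System32 is expected to have (example's own list).
KNOWN_EXT = {".exe", ".dll", ".sys", ".ini", ".log", ".dat", ".txt", ".xml",
             ".cpl", ".mui", ".cat", ".inf", ".msc", ".ocx", ".drv", ".nls"}
# Stock Windows 7 software-protection cache file: GUID-pair name, no real extension,
# hidden attribute. Allowlisted by shape so it does not trip the extension rule.
SPP_NAME_RE = re.compile(r"^[0-9a-f-]{36}-5p-\d\.[0-9a-f-]{36}$", re.I)


def parse_listing(text, section="modified"):
    """Parse listing lines; `section` ("created"/"modified") fixes the column order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts1, ts2 = m.group("ts1"), m.group("ts2")
        created, modified = (ts1, ts2) if section == "created" else (ts2, ts1)
        entries.append({
            "created": created, "modified": modified,
            "size": int(m.group("size")), "attrs": m.group("attrs"),
            "company": (m.group("company") or "").strip(),
            "path": m.group("path"), "raw": raw.strip(),
        })
    return entries


def is_suspicious(e):
    """Loose file directly in System32/SysWOW64, unknown extension, no company string."""
    if "D" in e["attrs"]:
        return False                                    # directories are judged elsewhere
    low = e["path"].lower()
    if not low.startswith(SYSTEM_DIRS):
        return False
    if "\\" in low[len(SYSTEM_DIRS[0]):]:
        return False                                    # Drivers\, Tasks\, ...: other rules
    name = e["path"].rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in KNOWN_EXT or SPP_NAME_RE.match(name):
        return False
    # A company string can be forged, so its presence only lowers suspicion;
    # this rule stays tight by requiring it to be absent.
    return not e["company"]


def triage(text, section="modified"):
    """Suspicious entries grouped by creation time, earliest first: a drop in one
    burst shows up as adjacent groups."""
    groups = defaultdict(list)
    for e in parse_listing(text, section):
        if is_suspicious(e):
            groups[e["created"]].append(e)
    return dict(sorted(groups.items()))


def fixlist_lines(text, section="modified"):
    """Flagged listing lines verbatim, to review before pasting into an FRST fixlist
    (the Fixlog later in this thread shows FRST moving files given in that form)."""
    return [e["raw"] for g in triage(text, section).values() for e in g]


if __name__ == "__main__":
    for created, group in triage(SAMPLE).items():
        print(created)
        for e in group:
            print(f"  {e['size']:>8} {e['attrs']} {e['path']}")
```

Run as-is it prints the four creation-time groups (10:31, 15:20, 15:21, 15:31 on 2014-01-04) with exactly the five files the fixlist in the next post targets, while the Avira driver, the scheduled-task file, the sysprep folder and the licensing cache file are left alone.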



    #4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

    Posted 09 January 2014 - 09:02 PM

    Hello, Zorbis.

    Step 1

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

        HKU\sheila\...\Run: [] - [x]
        2014-01-04 15:31 - 2014-01-04 15:31 - 00037376 _____ C:\Windows\System32\wjeh.blp
        2014-01-04 15:21 - 2014-01-09 10:00 - 00000083 _____ C:\Windows\System32\bplib.alh
        2014-01-04 15:20 - 2014-01-04 15:31 - 00000097 _____ C:\Windows\System32\tzhpkte.xju
        2014-01-04 15:20 - 2014-01-04 15:20 - 00000064 _____ C:\Windows\System32\ipzqbo.kep
        2014-01-04 10:31 - 2014-01-04 10:31 - 00219314 ____S C:\Windows\System32\tjfhubt.rsg
        2014-01-05 14:15 - 2013-11-21 06:59 - 00000000 ____D C:\ProgramData\Conduit
        2014-01-05 14:00 - 2010-08-25 15:39 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Vezyp
        2013-12-12 06:33 - 2013-11-21 06:59 - 00000000 ____D C:\Program Files (x86)\Conduit

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.

    On Windows XP: Now please boot into the PE (Preinstallation Environment) disk.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will generate a log on the flash drive (Fixlog.txt); please post it in your reply.

    Step 2

    While still in FRST, type rpcss.dll into the search box and click Search File(s). Post the resulting log (search.txt) that will appear where FRST is run from.

    etavares


    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Unified Network of Instructors and Trusted Eliminators


    #5 Zorbis (Topic Starter, Members, 8 posts)

    Posted 10 January 2014 - 11:34 AM

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-01-2014 01
    Ran by SYSTEM at 2014-01-10 08:24:27 Run:1
    Running from E:\FARBAR
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
        HKU\sheila\...\Run: [] - [x]
        2014-01-04 15:31 - 2014-01-04 15:31 - 00037376 _____ C:\Windows\System32\wjeh.blp
        2014-01-04 15:21 - 2014-01-09 10:00 - 00000083 _____ C:\Windows\System32\bplib.alh
        2014-01-04 15:20 - 2014-01-04 15:31 - 00000097 _____ C:\Windows\System32\tzhpkte.xju
        2014-01-04 15:20 - 2014-01-04 15:20 - 00000064 _____ C:\Windows\System32\ipzqbo.kep
        2014-01-04 10:31 - 2014-01-04 10:31 - 00219314 ____S C:\Windows\System32\tjfhubt.rsg
        2014-01-05 14:15 - 2013-11-21 06:59 - 00000000 ____D C:\ProgramData\Conduit
        2014-01-05 14:00 - 2010-08-25 15:39 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Vezyp
        2013-12-12 06:33 - 2013-11-21 06:59 - 00000000 ____D C:\Program Files (x86)\Conduit
    *****************

    HKU\sheila\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
    C:\Windows\System32\wjeh.blp => Moved successfully.
    C:\Windows\System32\bplib.alh => Moved successfully.
    C:\Windows\System32\tzhpkte.xju => Moved successfully.
    C:\Windows\System32\ipzqbo.kep => Moved successfully.
    C:\Windows\System32\tjfhubt.rsg => Moved successfully.
    C:\ProgramData\Conduit => Moved successfully.
    C:\Users\sheila\AppData\Roaming\Vezyp => Moved successfully.
    C:\Program Files (x86)\Conduit => Moved successfully.

    ==== End of Fixlog ====

    Farbar Recovery Scan Tool (x64) Version: 08-01-2014 01
    Ran by SYSTEM at 2014-01-10 08:25:07
    Running from E:\FARBAR
    Boot Mode: Recovery

    ================== Search: "rpcss.dll" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
    [2011-06-07 19:34] - [2010-11-20 07:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

    C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
    [2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

    C:\Windows\System32\rpcss.dll
    [2011-06-07 19:34] - [2010-11-20 07:27] - 0512512 ____A (Microsoft Corporation) 37444D1164301F66135BE0DA395014B8

    X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
    [2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

    X:\Windows\System32\rpcss.dll
    [2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

    ====== End Of Search ======


    I attempted to launch Windows again after this and it just sits at a black screen with the mouse before ever going to the sign in screen. Did I do something wrong?


    Edited by Zorbis, 10 January 2014 - 12:26 PM.
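What the search output in this post shows, read as a practitioner would: the live C:\Windows\System32\rpcss.dll carries exactly the same two timestamps as the WinSxS copy of build 6.1.7601.17514, but is 512 bytes larger (512512 vs 512000) and its MD5 matches neither store copy. On Windows 7 a file under System32 is normally a hard link to the current WinSxS component-store copy, so a hash that matches no store copy means the file was swapped out, and preserved timestamps are no reassurance. The Python below is an added example for this thread (not FRST's code and not from the posts) that performs that comparison over the search log and builds the FRST `Replace:` directive. It prefers the store copy whose timestamps match the live file, whereas the helper in the next post chose the 7600.16385 copy; which servicing level to restore is the responder's call. The parsing format and the `drive` parameter are assumptions of the example, and the MD5 is only used to compare against local store copies, not to authenticate the file (use `sfc /verifyfile=` or a signature check for that).

```python
"""Check a System32 file against its WinSxS component-store copies using an FRST
'Search:' log. Added example for this thread; not FRST code and not from the posts."""
import re

PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
DETAIL_RE = re.compile(
    r"^\[(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d)\] - \[(?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d)\] - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")   # version embedded in a WinSxS folder name

# The search.txt posted above, verbatim (X: is the WinRE boot image, not the installed OS).
SEARCH_LOG = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-06-07 19:34] - [2010-11-20 07:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2011-06-07 19:34] - [2010-11-20 07:27] - 0512512 ____A (Microsoft Corporation) 37444D1164301F66135BE0DA395014B8

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
"""


def parse_search(text):
    """Pair each path line of an FRST 'Search:' log with the detail line under it."""
    entries, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            path = line
            continue
        m = DETAIL_RE.match(line)
        if m and path:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["company"] = (e["company"] or "").strip()
            e["path"] = path
            v = VERSION_RE.search(path)
            e["version"] = v.group(1) if v else None   # None for the live System32 copy
            entries.append(e)
            path = None
    return entries


def version_key(v):
    return tuple(int(p) for p in v.split(".")) if v else ()


def verify_system_file(text, drive="C:"):
    """Compare the live System32 copy with the WinSxS copies on the same drive."""
    d = drive.lower()
    entries = parse_search(text)
    live_copies = [e for e in entries if e["path"].lower().startswith(d + "\\windows\\system32\\")]
    store = [e for e in entries if e["path"].lower().startswith(d + "\\windows\\winsxs\\")]
    if len(live_copies) != 1 or not store:
        return {"verdict": "unknown", "live_copies": live_copies, "store": store}
    live = live_copies[0]
    store.sort(key=lambda e: version_key(e["version"]), reverse=True)   # newest first
    matches = [e for e in store if e["md5"] == live["md5"]]
    if matches:
        return {"verdict": "clean", "live": live, "store": store, "matches": matches}
    # No store copy has this hash. The store copy carrying the same two timestamps is
    # the version the live file was derived from: an in-place patch (or timestomping)
    # keeps the stamps while changing size and hash.
    twin = next((e for e in store if (e["ts1"], e["ts2"]) == (live["ts1"], live["ts2"])), None)
    source = twin or store[0]
    return {
        "verdict": "patched", "live": live, "store": store, "twin": twin,
        "size_delta": live["size"] - source["size"],
        "replace_with": source,
        "fixlist": f"Replace: {source['path']} {live['path']}",   # FRST directive form used in the thread
    }


if __name__ == "__main__":
    report = verify_system_file(SEARCH_LOG)
    print(report["verdict"])
    if report["verdict"] == "patched":
        print(f"live copy differs by {report['size_delta']:+d} bytes from its timestamp twin")
        print(report["fixlist"])
```

Against the posted log this returns "patched", identifies the 7601.17514 store copy as the timestamp twin with a +512 byte delta, and emits a `Replace:` line in the form FRST accepts; run with `drive="X:"` it reports the WinRE image's own rpcss.dll as clean, because that copy matches its store entry.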


    #6 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

    Posted 10 January 2014 - 12:40 PM

    Hi,

    The black screen is pretty common with this virus.  It should be resolved with this.  Please open Notepad and copy/paste the contents of the code box into it.  Save it as fixlist.txt to the flash drive with FRST.

        Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll

    Boot up the computer as before and in FRST press Fix just once.  It will make a log on the flash drive called fixlog.txt.  Post that in your reply.  Also, try to boot normally after that and let me know how that goes as well.

    -etavares





    #7 Zorbis (Topic Starter, Members, 8 posts)

    Posted 10 January 2014 - 01:04 PM

    Launches fine now, and it looks like the sound issue was taken care of, thank you!

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-01-2014 01
    Ran by SYSTEM at 2014-01-10 08:58:52 Run:2
    Running from E:\FARBAR
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
    *****************

    C:\Windows\System32\rpcss.dll => Moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

    ==== End of Fixlog ====



    #8 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

    Posted 10 January 2014 - 01:22 PM

    Great!  We're not done yet.  Please run FRST as before and press Scan and post the resulting log (FRST.txt) in your reply.  If that looks good, we'll move on and clean up the remaining issues.

    -etavares





    #9 Zorbis (Topic Starter, Members, 8 posts)

    Posted 10 January 2014 - 01:45 PM

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-01-2014 01
    Ran by SYSTEM on MININT-47JA8VG on 10-01-2014 08:40:55
    Running from G:\FARBAR
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [384296 2010-04-05] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-02-25] (IDT, Inc.)
    HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE [4968960 2009-07-16] (Dell Inc.)
    HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\quickset.exe [3180624 2009-07-02] (Dell Inc.)
    HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
    HKLM-x32\...\Run: [DellSupportCenter] - "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
    HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
    HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [684600 2013-12-18] (Avira Operations GmbH & Co. KG)
    HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)
    HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [295512 2013-11-16] (RealNetworks, Inc.)
    HKLM-x32\...\Runonce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [x]
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
    Startup: C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

    ==================== Services (Whitelisted) =================

    S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440376 2013-12-18] (Avira Operations GmbH & Co. KG)
    S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
    S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [1011768 2013-12-18] (Avira Operations GmbH & Co. KG)
    S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
    S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
    S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe [244736 2010-02-25] (IDT, Inc.)
    S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE [33280 2009-07-16] ()
    S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-18] (Avira Operations GmbH & Co. KG)
    S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-18] (Avira Operations GmbH & Co. KG)
    S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-10-07] (Avira Operations GmbH & Co. KG)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
    S3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [11264 2009-07-24] (Primax Ltd)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2014-01-09 09:22 - 2014-01-09 09:22 - 00000000 ____D C:\FRST
    2014-01-05 18:28 - 2014-01-05 18:28 - 00016213 _____ C:\Users\sheila\Desktop\dds.txt
    2014-01-05 18:28 - 2014-01-05 18:28 - 00007952 _____ C:\Users\sheila\Desktop\attach.txt
    2014-01-05 18:25 - 2014-01-05 18:25 - 00688992 ____R (Swearware) C:\Users\sheila\Downloads\dds.com
    2014-01-05 18:18 - 2014-01-05 18:20 - 00012630 _____ C:\Users\sheila\Downloads\hijackthis.log
    2014-01-05 18:17 - 2014-01-05 18:17 - 00388608 _____ (Trend Micro Inc.) C:\Users\sheila\Downloads\HijackThis.exe
    2014-01-05 17:44 - 2014-01-05 17:44 - 00000000 ____D C:\Users\sheila\AppData\Roaming\vlc
    2014-01-05 15:49 - 2014-01-05 15:49 - 00002584 _____ C:\Windows\wininit.ini
    2014-01-05 12:55 - 2014-01-05 12:55 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Malwarebytes
    2014-01-05 12:54 - 2014-01-05 12:54 - 00000000 ____D C:\ProgramData\Malwarebytes
    2014-01-05 12:53 - 2014-01-05 12:54 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-05 12:53 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2014-01-05 12:52 - 2014-01-05 12:52 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\sheila\Downloads\mbam-setup-1.75.0.1300.exe
    2014-01-05 12:12 - 2014-01-05 12:12 - 00001266 _____ C:\Users\sheila\Desktop\Revo Uninstaller.lnk
    2013-12-20 19:33 - 2014-01-05 12:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-12-15 09:28 - 2013-12-15 09:28 - 00004030 _____ C:\Windows\System32\Tasks\LaunchApp

    ==================== One Month Modified Files and Folders =======

    2014-01-10 09:12 - 2009-07-13 23:10 - 01727949 _____ C:\Windows\WindowsUpdate.log
    2014-01-10 09:11 - 2012-06-10 19:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-01-10 09:09 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-01-10 09:09 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-01-10 09:05 - 2009-07-13 23:13 - 00739786 _____ C:\Windows\System32\PerfStringBackup.INI
    2014-01-10 09:01 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2014-01-10 09:00 - 2009-07-13 22:51 - 00128906 _____ C:\Windows\setupact.log
    2014-01-09 09:22 - 2014-01-09 09:22 - 00000000 ____D C:\FRST
    2014-01-06 14:56 - 2010-09-01 18:43 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Skype
    2014-01-05 18:28 - 2014-01-05 18:28 - 00016213 _____ C:\Users\sheila\Desktop\dds.txt
    2014-01-05 18:28 - 2014-01-05 18:28 - 00007952 _____ C:\Users\sheila\Desktop\attach.txt
    2014-01-05 18:25 - 2014-01-05 18:25 - 00688992 ____R (Swearware) C:\Users\sheila\Downloads\dds.com
    2014-01-05 18:20 - 2014-01-05 18:18 - 00012630 _____ C:\Users\sheila\Downloads\hijackthis.log
    2014-01-05 18:17 - 2014-01-05 18:17 - 00388608 _____ (Trend Micro Inc.) C:\Users\sheila\Downloads\HijackThis.exe
    2014-01-05 17:44 - 2014-01-05 17:44 - 00000000 ____D C:\Users\sheila\AppData\Roaming\vlc
    2014-01-05 17:42 - 2013-11-28 08:11 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
    2014-01-05 15:56 - 2010-08-10 23:33 - 00152072 _____ C:\Windows\PFRO.log
    2014-01-05 15:50 - 2013-11-28 08:11 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2014-01-05 15:49 - 2014-01-05 15:49 - 00002584 _____ C:\Windows\wininit.ini
    2014-01-05 15:21 - 2010-08-19 17:35 - 00000000 ____D C:\users\sheila
    2014-01-05 12:55 - 2014-01-05 12:55 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Malwarebytes
    2014-01-05 12:54 - 2014-01-05 12:54 - 00000000 ____D C:\ProgramData\Malwarebytes
    2014-01-05 12:54 - 2014-01-05 12:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-05 12:52 - 2014-01-05 12:52 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\sheila\Downloads\mbam-setup-1.75.0.1300.exe
    2014-01-05 12:20 - 2013-12-20 19:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2014-01-05 12:19 - 2013-11-16 18:47 - 00000000 ____D C:\ProgramData\DivX
    2014-01-05 12:15 - 2013-11-16 18:48 - 00000000 ____D C:\Program Files (x86)\DivX
    2014-01-05 12:14 - 2013-11-16 18:49 - 00000000 ____D C:\Program Files\DivX
    2014-01-05 12:12 - 2014-01-05 12:12 - 00001266 _____ C:\Users\sheila\Desktop\Revo Uninstaller.lnk
    2014-01-04 10:31 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\sysprep
    2013-12-22 12:52 - 2009-07-13 23:08 - 00032560 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2013-12-21 16:15 - 2012-07-09 23:00 - 00000000 ___RD C:\Program Files (x86)\Skype
    2013-12-21 16:15 - 2010-08-10 21:50 - 00000000 ____D C:\ProgramData\Skype
    2013-12-21 06:17 - 2013-11-16 18:44 - 00000000 ____D C:\Users\sheila\AppData\Roaming\Real
    2013-12-21 05:38 - 2012-10-01 15:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-12-18 20:29 - 2013-08-14 18:59 - 00084720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
    2013-12-18 20:29 - 2013-08-14 18:57 - 00131576 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
    2013-12-18 20:29 - 2013-08-14 18:57 - 00108440 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
    2013-12-15 09:28 - 2013-12-15 09:28 - 00004030 _____ C:\Windows\System32\Tasks\LaunchApp
    2013-12-12 21:11 - 2012-06-10 19:21 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-12-12 21:11 - 2012-06-10 19:21 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2013-12-12 21:11 - 2011-05-15 18:42 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-12-12 06:36 - 2012-12-11 19:26 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2013-12-12 06:36 - 2009-07-14 01:44 - 00000000 ___RD C:\Users\Public\Recorded TV
    2013-12-12 06:36 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration

    Some content of TEMP:
    ====================
    C:\Users\sheila\AppData\Local\Temp\avgnt.exe


    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points  =========================

    Restore point made on: 2013-11-21 19:44:27
    Restore point made on: 2013-11-28 07:36:08
    Restore point made on: 2013-11-28 07:40:18
    Restore point made on: 2013-11-28 07:44:34
    Restore point made on: 2013-11-28 07:48:37
    Restore point made on: 2013-11-28 07:49:41
    Restore point made on: 2013-11-28 07:51:56
    Restore point made on: 2013-11-28 07:54:48
    Restore point made on: 2013-11-28 07:57:19
    Restore point made on: 2013-11-28 07:59:52
    Restore point made on: 2013-11-28 08:09:07
    Restore point made on: 2013-12-13 20:50:31
    Restore point made on: 2014-01-05 12:12:58
    Restore point made on: 2014-01-05 12:19:59
    Restore point made on: 2014-01-05 12:24:25
    Restore point made on: 2014-01-05 12:27:07
    Restore point made on: 2014-01-05 12:30:59
    Restore point made on: 2014-01-05 12:35:50
    Restore point made on: 2014-01-05 12:39:18
    Restore point made on: 2014-01-05 12:43:57
    Restore point made on: 2014-01-05 13:59:46
    Restore point made on: 2014-01-05 21:32:17

    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 3032.36 MB
    Available physical RAM: 2448.45 MB
    Total Pagefile: 3030.51 MB
    Available Pagefile: 2498.55 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:238.96 GB) NTFS
    Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.09 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive e: (1000335524) (CDROM) (Total:6.18 GB) (Free:0 GB) UDF
    Drive g: () (Removable) (Total:1.83 GB) (Free:1.71 GB) FAT
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 298 GB) (Disk ID: DCE8681E)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=283 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (Size: 2 GB) (Disk ID: 00000000)
    Partition 1: (Not Active) - (Size=2 GB) - (Type=06)


    LastRegBack: 2013-06-12 12:56

    ==================== End Of Log ============================



    #10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

    Posted 10 January 2014 - 02:02 PM

    Hello, Zorbis.
     
    Looking better.  We'll do a couple of final scans.  If these look good, we'll update a few programs that have security holes and wrap up.
     
    Step 1
     
    Please download Malwarebytes Anti-Malware and save it to your desktop.
     
    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen:
      • Click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    • Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
     
     
     
    Step 2
     
    Please download AdwCleaner by Xplode onto your desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[R1].txt as well.
     
     
    Step 3
     
    I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    • Click the esetOnline.png button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    • Check esetAcceptTerms.png
    • Click the esetStart.png button.
    • Accept any security warnings from your browser.
    • Check esetScanArchives.png
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push esetListThreats.png
    • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the esetBack.png button.
    • Push esetFinish.png
    etavares


    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Unified Network of Instructors and Trusted Eliminators
     


    #11 Zorbis

    Zorbis
    • Topic Starter

    • Members
    • 8 posts
    • OFFLINE
    • Local time:11:53 PM

    Posted 10 January 2014 - 05:10 PM

    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.01.10.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    sheila :: SHEILA-PC [administrator]

    Protection: Disabled

    1/10/2014 9:18:50 AM
    mbam-log-2014-01-10 (09-18-50).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 214896
    Time elapsed: 8 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKCU\Software\Conduit\FF (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
    HKCU\Software\Conduit\ValueApps (PUP.Optional.ValueApps.A) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    # AdwCleaner v3.016 - Report created 10/01/2014 at 09:33:36
    # Updated 23/12/2013 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : sheila - SHEILA-PC
    # Running from : C:\Users\sheila\Downloads\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    File Found : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\searchplugins\Askcom.xml
    File Found : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\searchplugins\bingp.xml
    File Found : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\searchplugins\MyStart Search.xml
    File Found : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\searchplugins\Web Search.xml
    File Found : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\user.js
    File Found : C:\Windows\System32\Tasks\LaunchApp
    Folder Found : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\Extensions\{ecf9d4ae-b571-42c2-9745-74fdb8b0d27a}
    Folder Found C:\ProgramData\Ask
    Folder Found C:\Users\sheila\AppData\Local\PackageAware
    Folder Found C:\Users\sheila\AppData\Local\Temp\AirInstaller
    Folder Found C:\Users\sheila\AppData\Local\Temp\AskSearch
    Folder Found C:\Users\sheila\AppData\LocalLow\Conduit
    Folder Found C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\CT3316074
    Folder Found C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\Smartbar
    Folder Found C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\ValueApps
    Folder Found C:\Users\sheila\AppData\Roaming\registry mechanic

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Found : HKCU\Software\AppDataLow\Software\SmartBar
    Key Found : HKCU\Software\Conduit
    Key Found : HKCU\Software\IM
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2AD2D8CA-D24D-40D2-A8FC-46952409BA9A}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2AD2D8CA-D24D-40D2-A8FC-46952409BA9A}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
    Key Found : HKCU\Software\simplytech
    Key Found : HKCU\Software\SoftwareUpdater
    Key Found : HKCU\Software\YahooPartnerToolbar
    Key Found : HKCU\Software\Zugo
    Key Found : [x64] HKCU\Software\Conduit
    Key Found : [x64] HKCU\Software\IM
    Key Found : [x64] HKCU\Software\simplytech
    Key Found : [x64] HKCU\Software\SoftwareUpdater
    Key Found : [x64] HKCU\Software\YahooPartnerToolbar
    Key Found : [x64] HKCU\Software\Zugo
    Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3316074
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\App24x7Help_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\App24x7Help_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\I Want This_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\I Want This_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftwareUpdater_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftwareUpdater_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetimsetup_rasapi32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetimsetup_rasmancs
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
    Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{3B181CF2-878B-4758-8FBD-59D8AC5AB12D}
    Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{490A5A0F-1471-47FF-8BB5-719F1F5238AD}
    Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

    ***** [ Browsers ] *****

    -\\ Internet Explorer v9.0.8112.16421

    Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385417784538&tguid=75087-8679-1385417784538-998B11CFF293A5FB456938F52BBD022C

    -\\ Mozilla Firefox v26.0 (en-US)

    [ File : C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\wdyew167.default\prefs.js ]

    Line Found : user_pref("CT3316074.FF19Solved", "true");
    Line Found : user_pref("CT3316074.FirstTime", "true");
    Line Found : user_pref("CT3316074.FirstTimeFF3", "true");
    Line Found : user_pref("CT3316074.UserID", "UN28461369103101322");
    Line Found : user_pref("CT3316074.browser.search.defaultthis.engineName", "true");
    Line Found : user_pref("CT3316074.fullUserID", "UN28461369103101322.IN.20131121065846");
    Line Found : user_pref("CT3316074.installDate", "21/11/2013 06:58:49");
    Line Found : user_pref("CT3316074.installSessionId", "{3EB8EE8E-303F-4FC3-8266-885ADC0E9FC5}");
    Line Found : user_pref("CT3316074.installSp", "TRUE");
    Line Found : user_pref("CT3316074.installerVersion", "1.8.1.4");
    Line Found : user_pref("CT3316074.isCheckedStartAsHidden", true);
    Line Found : user_pref("CT3316074.keyword", "true");
    Line Found : user_pref("CT3316074.lastVersion", "10.23.0.822");
    Line Found : user_pref("CT3316074.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
    Line Found : user_pref("CT3316074.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"\",\"EB_MAIN_FRAME_TITLE\":\"\"}");
    Line Found : user_pref("CT3316074.originalHomepage", "hxxp://www.msn.com/?pc=UP97&ocid=UP97DHP|hxxps://webmail.east.cox.net/do/mail/folder/view|hxxp://att.yahoo.com/");
    Line Found : user_pref("CT3316074.originalSearchAddressUrl", "hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q=");
    Line Found : user_pref("CT3316074.originalSearchEngine", "Google");
    Line Found : user_pref("CT3316074.originalSearchEngineName", "");
    Line Found : user_pref("CT3316074.searchRevert", "false");
    Line Found : user_pref("CT3316074.searchUninstallUserMode", "2");
    Line Found : user_pref("CT3316074.searchUserMode", "2");
    Line Found : user_pref("CT3316074.settingsINI", true);
    Line Found : user_pref("CT3316074.smartbar.CTID", "CT3316074");
    Line Found : user_pref("CT3316074.smartbar.Uninstall", "0");
    Line Found : user_pref("CT3316074.smartbar.homepage", "true");
    Line Found : user_pref("CT3316074.smartbar.toolbarName", "SweetPacks A14 ");
    Line Found : user_pref("CT3316074.toolbarInstallDate", "21-11-2013 06:58:46");
    Line Found : user_pref("CT3316074.versionFromInstaller", "10.22.5.10");
    Line Found : user_pref("CT3316074.xpeMode", "0");
    Line Found : user_pref("CT3316074_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1389367765237,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
    Line Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3316074&octid=CT3316074&SearchSource=61&CUI=UN28461369103101322&UM=2&UP=SPAD6D7367-D36A-4291-AC8D-4DF49571EE84");
    Line Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q=");
    Line Found : user_pref("browser.search.defaultthis.engineName", "SweetPacks A14 Customized Web Search");
    Line Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3316074&CUI=UN28461369103101322&UM=2&SearchSource=3&q={searchTerms}");
    Line Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3316074&SearchSource=2&CUI=UN28461369103101322&UM=2&q=");
    Line Found : user_pref("plugin.state.npconduitfirefoxplugin", 2);
    Line Found : user_pref("smartbar.addressBarOwnerCTID", "CT3316074");
    Line Found : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3316074&CUI=UN28461369103101322&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3316074&octid=CT3316074&SearchSource[...]
    Line Found : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3316074&SearchSource=2&CUI=UN28461369103101322&UM=2&q=");
    Line Found : user_pref("smartbar.defaultSearchOwnerCTID", "CT3316074");
    Line Found : user_pref("smartbar.homePageOwnerCTID", "CT3316074");
    Line Found : user_pref("smartbar.machineId", "PVCYNPTRD4MB3BD7W/QAFRCJPDORAWBRLUFL0BC2HMYGBQRYMVPBYICJYPPHDIFPACX6UN9DOCY8MVP2DTGA4W");
    Line Found : user_pref("valueApps.CT3316074.mam_gk_currentVersion", "312E31322E302E35");
    Line Found : user_pref("valueApps.CT3316074.mam_gk_currentVersion.storedInFile", false);
    Line Found : user_pref("valueApps.CT3316074.mam_gk_migrated_from_ls", "31");
    Line Found : user_pref("valueApps.CT3316074.mam_gk_migrated_from_ls.storedInFile", false);
    Line Found : user_pref("wtb8679.homepage", "hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385417784538&tguid=75087-8679-1385417784538-998B11CFF293A5FB456938F52BBD022C");
    Line Found : user_pref("wtb8679.newtab", "hxxp://search.certified-toolbar.com?si=75087&st=home&tid=8679&ver=5.1&ts=1385417784538&tguid=75087-8679-1385417784538-998B11CFF293A5FB456938F52BBD022C");

    *************************

    AdwCleaner[R0].txt - [10826 octets] - [10/01/2014 09:33:36]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [10887 octets] ##########

    ESET scan

    C:\FRST\Quarantine\rpcss.dll    Win64/Patched.H trojan
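The AdwCleaner report above is easier to act on once it is split into its finding types and the browser settings that were redirected to third-party search servers are pulled out. The script below is an added example written for this thread, not code from AdwCleaner or from anyone in the topic. It parses a constructed report in the same line layout (section banners, "File/Folder/Key/Value/Setting Found", and "Line Found : user_pref(...)" entries); every path, GUID and domain in the sample is made up (the domains use the reserved .invalid TLD), and the set of "hijack" preference names is my own choice of the prefs that decide where searches, the home page and new tabs go.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the AdwCleaner report layout seen in the thread.
# Paths, GUIDs and domains are made up (".invalid" TLD); only the line shapes are real.
SAMPLE_REPORT = r"""
***** [ Files / Folders ] *****

File Found : C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\searchplugins\Web Search.xml
Folder Found C:\ProgramData\Ask

***** [ Registry ] *****

Key Found : HKCU\Software\Conduit
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{00000000-0000-0000-0000-000000000002}]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16421

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://search.example-toolbar.invalid?si=1&st=home

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\prefs.js ]

Line Found : user_pref("CT0000000.installDate", "21/11/2013 06:58:49");
Line Found : user_pref("CT0000000.isCheckedStartAsHidden", true);
Line Found : user_pref("browser.search.defaulturl", "hxxp://search.example-toolbar.invalid/ResultsExt.aspx?q={searchTerms}");
Line Found : user_pref("keyword.URL", "hxxp://search.example-toolbar.invalid/ResultsExt.aspx?q=");
Line Found : user_pref("wtb0000.homepage", "hxxp://search.other-toolbar.invalid?si=2");
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "Folder Found C:\..." lines have no colon in the real tool, so the colon is optional.
FINDING_RE = re.compile(r"^(File|Folder|Key|Value|Line|Setting) Found\s*:?\s*(.+)$")
USER_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')
URL_RE = re.compile(r"hxxps?://\S+")

# Assumed list of Firefox prefs that decide where searches, the home page and
# new tabs go; a third-party URL in one of these is the search-hijack pattern.
HIJACK_PREFS = {"browser.search.defaulturl", "keyword.URL",
                "browser.startup.homepage", "browser.newtab.url"}
HIJACK_SUFFIXES = (".homepage", ".newtab")   # toolbar-specific prefs such as wtb0000.homepage


def parse_report(text):
    """Return (section, kind, detail) for every '... Found' line in the report."""
    findings = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append((section, m.group(1), m.group(2)))
    return findings


def count_by_kind(findings):
    """How many File/Folder/Key/Value/Setting/Line findings the report contains."""
    return Counter(kind for _, kind, _ in findings)


def refang_host(url):
    """AdwCleaner writes hxxp:// so the log is not clickable; undo that to read the host."""
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def redirect_targets(findings):
    """(browser, setting name, host) for every setting that points the browser elsewhere."""
    hits = []
    for _, kind, detail in findings:
        if kind == "Setting":                       # Internet Explorer entries
            url = URL_RE.search(detail)
            if url:
                hits.append(("ie", detail.split(" - ")[0], refang_host(url.group(0))))
        elif kind == "Line":                        # Firefox prefs.js entries
            m = USER_PREF_RE.match(detail)
            if not m:
                continue
            name, value = m.group(1), m.group(2).strip('"')
            if name in HIJACK_PREFS or name.endswith(HIJACK_SUFFIXES):
                url = URL_RE.search(value)
                if url:
                    hits.append(("firefox", name, refang_host(url.group(0))))
    return hits


def external_hosts(findings):
    """Distinct hosts the hijacked settings point to, for blocklisting or DNS log review."""
    return sorted({host for _, _, host in redirect_targets(findings)})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(count_by_kind(found)))
    for browser, name, host in redirect_targets(found):
        print(f"{browser:8} {name} -> {host}")
    print("hosts to review:", external_hosts(found))
```

Run it against a real AdwCleaner[R0].txt by replacing SAMPLE_REPORT with the file's contents; the host list is the part worth keeping, since those are the domains to look for in proxy or DNS logs after the cleanup to confirm nothing is still calling home.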
     



    #12 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    • Gender:Male
    • Local time:12:53 AM

    Posted 10 January 2014 - 05:38 PM

    Hello, Zorbis.
     
     
    Step 1
     
     
    Please run AdwCleaner again.  This time, click the question mark in the upper left and check the box to /DisableAskDetection.  Then click Clean and let it clean.  Please post the resulting log.
     
     
     
    Step 2
     
    Next, we need to remove old Java versions.
    Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version(s) shown below:
      • Java™ 6 Update 20 (64-bit)
    • Reboot your computer once all Java components are removed.
     
     
     
    Step 3
     
     
    Your version of OpenOffice is outdated and has security holes.  Please launch any OpenOffice program and there should be an option under Help to check for updates.  Let it update to either 4.0.1 or 3.4.1 to ensure you have the latest security updates.
     
     
     
    Step 4
     
     
    Please launch Computer, go to C:\ and delete the folder named FRST from your hard drive.
     
    etavares


     


    #13 Zorbis

    Zorbis
    • Topic Starter

    • Members
    • 8 posts
    • OFFLINE
    • Local time:11:53 PM

    Posted 10 January 2014 - 05:46 PM

    I don't see that option or the question mark in AdwCleaner. Should I do a scan/clean anyway?


    Edited by Zorbis, 10 January 2014 - 05:47 PM.


    #14 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    • Gender:Male
    • Local time:12:53 AM

    Posted 10 January 2014 - 08:05 PM

    Ah sorry, you'll need to scan first before you can select that option or clean.

     

    -etavares



     


    #15 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    • Gender:Male
    • Local time:12:53 AM

    Posted 14 January 2014 - 05:04 PM

    Still there?



     




