
Dramatic Increase in Data Usage and New Tabs in Chrome Created Automatically


This topic is locked
28 replies to this topic

#1 L1NGUS


Posted 21 January 2014 - 01:02 PM

I use Comcast as my ISP. They provide a Data Meter so I can check on my data usage and not go over the 250GB monthly limit. I check it daily. Yesterday it was at 56 GB for the entire month. Today when I checked it, it was at 110 GB - it had doubled almost overnight.

 

This computer has recently shown a change in behavior. I use the Google Chrome browser and I have noticed that a new tab will suddenly be created without any input from me. The new tab is created but focus does not shift to it - I still remain in the current tab. I have never viewed the new tab after it has been created. I just close it by clicking the little X, but I have noticed that the new tab contains things like the FBI scare warning about malware on my computer or the new tab is a web site containing some kind of porn. This new tab is created randomly - I cannot recreate this occurrence on demand.

 

I have run full system scans of Malwarebytes and Microsoft Security Essentials and nothing was found.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.51.2
Run by Robert at 9:27:10 on 2014-01-21
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3006.1091 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\vVX3000.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/a/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\robert\appdata\roaming\speckie\bin32\Speckie32.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\users\robert\appdata\local\temp\E_S3F29.tmp" /EF "HKCU"
uRun: [Google Update] "c:\users\robert\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [jswtrayutil] "c:\program files\netgear\wna1100\jswtrayutil.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\robert\appdata\roaming\speckie\bin32\Speckie32.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{6942B822-8F1E-4FA4-890F-73B1E9A94B99} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\ploogcb8.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/?cid=topnav_xfinity
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\robert\appdata\local\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\users\robert\appdata\local\microsoft\internet explorer\downloaded program files\conflict.1\npsoe.dll
FF - plugin: c:\users\robert\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\robert\appdata\roaming\igg\web3d\1.0.0.37\NPIGGWeb3DUpdater.dll
FF - plugin: c:\users\robert\appdata\roaming\igg\web3d\1.0.0.37\NPJoyConnectShell.dll
FF - plugin: c:\users\robert\appdata\roaming\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\users\robert\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\robert\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\robert\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2008-6-8 4608]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2013-12-22 21728]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2013-12-22 20384]
R1 MpKsl8cd0011f;MpKsl8cd0011f;c:\programdata\microsoft\microsoft antimalware\definition updates\{a2077db5-db99-4127-a951-0a7db25ecaad}\MpKsl8cd0011f.sys [2014-1-21 40392]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-8 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-18 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-18 399416]
R2 WSWNA1100;WSWNA1100;c:\program files\netgear\wna1100\WifiSvc.exe [2013-12-22 266240]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2013-12-22 1439744]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-4-21 83864]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\netgear\wna1100\jswpsapi.exe [2013-12-22 960992]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-3-14 10112]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-4-21 181912]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-01-21 14:06:18 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a2077db5-db99-4127-a951-0a7db25ecaad}\offreg.dll
2014-01-21 14:06:16 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a2077db5-db99-4127-a951-0a7db25ecaad}\MpKsl8cd0011f.sys
2014-01-21 14:02:45 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a2077db5-db99-4127-a951-0a7db25ecaad}\mpengine.dll
2014-01-20 17:43:01 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-01-16 03:02:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-12-22 23:39:56 21728 ----a-w- c:\windows\system32\drivers\SCMNdisP.sys
2013-12-22 23:39:56 20384 ----a-w- c:\windows\system32\drivers\jswpslwf.sys
2013-12-22 23:39:56 1439744 ----a-w- c:\windows\system32\drivers\athur.sys
2013-12-22 23:39:44 -------- d-----w- c:\program files\NETGEAR
.
==================== Find3M  ====================
.
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-01-16 02:59:10 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-16 02:59:10 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 04:09:07 9272200 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-29 04:12:05 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-11-14 22:50:50 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42:41 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-30 02:13:01 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12:54 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-10-30 01:43:04 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43:06 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35:24 2050560 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH:  9:27:57.32 ===============

Edited by L1NGUS, 21 January 2014 - 02:33 PM.
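As an added example (not a BleepingComputer or DDS tool, and not code from this thread), here is a small Python triage script for DDS-style logs like the one posted above: it splits the log into its sections, pulls the binary path out of each process, BHO, Run-key and service entry, lists the ones that load from user-writable directories (AppData, ProgramData, Temp) and records the DPF download hosts. The user-writable heuristic is my own assumption about what a reviewer checks first; the sample log is constructed from entries in this thread plus one made-up Temp process, and a flagged line is a review item, not a malware verdict (Google Update lives under AppData legitimately).

```python
"""Triage helper for DDS-style logs (added example; not a BleepingComputer or DDS tool)."""
import re
from dataclasses import dataclass

# A DDS section header looks like "============== Running Processes ================".
HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A Windows path up to a binary extension; covers quoted, unquoted and 8.3 (progra~1) forms.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^\r\n"]*?\.(?:exe|dll|sys|cpl|scr)\b')
# DDS defangs URLs as hxxp://; only the host is needed for review.
URL_RE = re.compile(r"(?i)hxxps?://([^/\s]+)")

# Directory fragments a standard user can write to (reviewer heuristic, an assumption
# of this example). A BHO, Run key, service or process loading from here is not proof
# of malware, but it is the first thing worth a second look in a log like this.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\")
REVIEW_SECTIONS = ("Running Processes", "Pseudo HJT Report", "SERVICES / DRIVERS")

# Constructed sample: entries modelled on the thread's logs plus one made-up Temp
# process (update_helper.exe) so that a flagged process line is visible.
SAMPLE_LOG = r"""
DDS (Ver_2012-11-20.01) - NTFS_x86
Run by Robert at 9:27:10 on 2014-01-21
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Users\robert\AppData\Local\Temp\update_helper.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/a/
BHO: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\robert\appdata\roaming\speckie\bin32\Speckie32.dll
uRun: [Google Update] "c:\users\robert\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R1 MpKsl8cd0011f;MpKsl8cd0011f;c:\programdata\microsoft\microsoft antimalware\definition updates\{a2077db5-db99-4127-a951-0a7db25ecaad}\MpKsl8cd0011f.sys [2014-1-21 40392]
.
============= FINISH:  9:27:57.32 ===============
"""


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def split_sections(log_text):
    """Return {section_name: [lines]}; DDS's '.' spacer lines and blanks are dropped."""
    sections = {"Header": []}
    current = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def is_user_writable(path):
    """True if the path sits under a directory a non-admin user can write to."""
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def triage(log_text):
    """Walk the sections a reviewer reads first and return the entries worth a second look."""
    findings = []
    for name, lines in split_sections(log_text).items():
        if name not in REVIEW_SECTIONS:
            continue
        for line in lines:
            for path in PATH_RE.findall(line):
                if is_user_writable(path):
                    findings.append(Finding(name, line, "loads from user-writable path: " + path))
            if line.startswith("DPF:"):
                host = URL_RE.search(line)
                if host:
                    findings.append(Finding(name, line, "ActiveX download host: " + host.group(1)))
    return findings


def run_sample():
    """Triage the constructed sample log; returns the list of findings."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Pass a real DDS log's text to `triage()` to get the same review list for it.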



#2 HelpBot


Posted 26 January 2014 - 01:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/521575 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 L1NGUS


Posted 26 January 2014 - 02:21 PM

I initially was concerned about an increase in data usage. We have many devices here at home and I have since determined what was causing the high data usage. That is no longer a concern.

 

I AM still concerned about suspicious activity in my browser. New tabs are being created automatically. The tabs happen randomly. Usually when the tab is created, focus does not shift to it - it isn't opened so I can see it. I can read what the tab contains without opening it. These tabs contain porn links or other non-porn crap. I just click the little x and get rid of it. BUT, the last time this happened, a new tab was created AND opened. I saw a warning that said all my files were being encrypted. There was a lot of other scary information. I didn't wait to read it. I didn't click anywhere. I immediately opened the Windows Task Manager and used it to close the browser. My files were NOT encrypted. It scared the crap out of me.

 

I do not have my original Windows CD. 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.51.2
Run by Robert at 11:15:49 on 2014-01-26
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3006.1203 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\vVX3000.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/a/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\robert\appdata\roaming\speckie\bin32\Speckie32.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\users\robert\appdata\local\temp\E_S3F29.tmp" /EF "HKCU"
uRun: [Google Update] "c:\users\robert\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [jswtrayutil] "c:\program files\netgear\wna1100\jswtrayutil.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\robert\appdata\roaming\speckie\bin32\Speckie32.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{6942B822-8F1E-4FA4-890F-73B1E9A94B99} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\ploogcb8.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/?cid=topnav_xfinity
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\robert\appdata\local\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\users\robert\appdata\local\microsoft\internet explorer\downloaded program files\conflict.1\npsoe.dll
FF - plugin: c:\users\robert\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\robert\appdata\roaming\igg\web3d\1.0.0.37\NPIGGWeb3DUpdater.dll
FF - plugin: c:\users\robert\appdata\roaming\igg\web3d\1.0.0.37\NPJoyConnectShell.dll
FF - plugin: c:\users\robert\appdata\roaming\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\users\robert\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\robert\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\robert\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2008-6-8 4608]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2013-12-22 21728]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2013-12-22 20384]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-8 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-18 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-18 399416]
R2 WSWNA1100;WSWNA1100;c:\program files\netgear\wna1100\WifiSvc.exe [2013-12-22 266240]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2013-12-22 1439744]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-4-21 83864]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\netgear\wna1100\jswpsapi.exe [2013-12-22 960992]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-3-14 10112]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-4-21 181912]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-01-26 17:43:16 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{92d12e4f-f8dc-4e9d-9582-fb63fb0402d8}\mpengine.dll
2014-01-26 14:03:03 7760024 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-01-23 14:04:53 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{66a66840-4fba-4807-b920-431b9a32c0da}\gapaengine.dll
2014-01-16 03:02:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M  ====================
.
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-01-16 02:59:10 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-16 02:59:10 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 04:09:07 9272200 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-29 04:12:05 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-11-14 22:50:50 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42:41 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-30 02:13:01 1304064 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12:54 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2013-10-30 01:43:04 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43:06 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35:24 2050560 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:16:36.51 ===============

Edited by L1NGUS, 26 January 2014 - 03:34 PM.


#4 gringo_pr
Malware Response Team

Posted 26 January 2014 - 09:51 PM


Hello L1NGUS,

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 L1NGUS
Topic Starter

Posted 26 January 2014 - 10:52 PM

Hey Gringo,

The problem I reported of new browser tabs being created occurs randomly. I never know when it will happen next. I cannot recreate it myself on demand. What specifically happens is a new tab will be created after I have clicked a link or right-clicked a link. This new tab will be created but not always opened so I can see it. I just notice a new tab has been created and I didn't create it. In the tab at the top of the browser I can see the tab description. One time it said something about an FBI warning. I usually just click the little x in the top right corner of the tab and close it. This has happened randomly for several days. Even more rarely, I have noticed an entire new Chrome browser window will be opened in pop-under style - I don't even notice it has been opened until I close my current browsing session. But mainly it is the creation of new tabs that I have experienced. The last occurrence, not only was a new tab created, but it was opened so that I could see it. It had some scary warning about the FBI and another popup window on top of that that said all the files on my computer were being encrypted. There was lots more stuff on the screen but I immediately opened the Windows Task Manager and used the End Task command to shut down the browser. Needless to say, my files were NOT encrypted - but it certainly scared the bleep out of me. That's when I contacted the forum here at Bleeping Computer last Tuesday. I have not experienced any new tabs being created since then but I am certain my system has been compromised. I am unable to recreate this unauthorised opening tabs business (not that I really want to), and I am uncertain as to how useful my reports of how things are running will be.

I will shut up now. Here are the logs you requested:

# AdwCleaner v3.017 - Report created 26/01/2014 at 19:02:44
# Updated 12/01/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Robert - ROBERT-PC
# Running from : C:\Users\Robert\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files\myfree codec
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16526
 
 
-\\ Mozilla Firefox v26.0 (en-US)
 
[ File : C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\prefs.js ]
 
 
[ File : C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\rspb8rff.default\prefs.js ]
 
 
-\\ Google Chrome v32.0.1700.76
 
[ File : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1436 octets] - [26/01/2014 19:01:09]
AdwCleaner[S0].txt - [1367 octets] - [26/01/2014 19:02:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1427 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows Vista ™ Home Premium x86
Ran by Robert on Sun 01/26/2014 at 19:10:15.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\caphyon
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\Robert\AppData\Roaming\mozilla\firefox\profiles\ploogcb8.default\prefs.js
 
user_pref("google.toolbar.button_option.cached.gtbSearchBlogs", "<toolbarbutton xmlns=\"hxxp://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul\" id=\"gtbSearchBlogs\" t
user_pref("google.toolbar.button_option.cached.gtbSearchPhotos", "<toolbarbutton xmlns=\"hxxp://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul\" id=\"gtbSearchPhotos\"
user_pref("google.toolbar.button_option.cached.gtbSearchScholar", "<toolbarbutton xmlns=\"hxxp://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul\" id=\"gtbSearchScholar
user_pref("google.toolbar.button_option.cached.gtbstoolbar-google-com_CTK0Y7F4MTG6NKYH03WT-xml", "<toolbarbutton xmlns=\"hxxp://www.mozilla.org/keymaster/gatekeeper/there.is.o
user_pref("google.toolbar.button_option.cached.gtbstoolbar-google-com_J66T77NJDBMW4FEUU7FA-xml", "<toolbarbutton xmlns=\"hxxp://www.mozilla.org/keymaster/gatekeeper/there.is.o
user_pref("xkit.xfollowers", "//* VERSION 4.1 REV C **//\r\n//* INTERVAL 0 **//\r\n//* TITLE Delta Checker **//\r\n//* DEVELOPER STUDIOXENIX **//\r\n//* DESCRIPTION Check who 
user_pref("xkit.xkit_preferences", "//* VERSION 6.9 REV C **//\r\n//* TITLE XKit Control Panel **//\r\n//* INTERVAL 0 **//\r\n// XKit Preferences\r\n// Injects the preference 
user_pref("xkit.xkit_required", "//* VERSION 6.0 REV C **//\r\n// XKit Required\r\n// Required images and text.\r\n// © 2011 - 2012 STUDIOXENIX.com\r\n\r\n\r\n/*!\r\n * jQue
user_pref("xkit.xmutualfollowers", "//* VERSION 1.0 REV C **//\r\n//* INTERVAL 0 **//\r\n//* TITLE Mutual Checker **//\r\n//* DEVELOPER STUDIOXENIX **//\r\n//* DESCRIPTION Che
user_pref("xkit.xnews_9IsPoweYV9_message", "Thanks for trying XKit 6 Preview Release.<br/>\r\nIf you have any suggestions or problems, please feel free to send me <a href=\"ht
Emptied folder: C:\Users\Robert\AppData\Roaming\mozilla\firefox\profiles\ploogcb8.default\minidumps [1 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/26/2014 at 19:13:07.22
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#6 gringo_pr

Posted 27 January 2014 - 12:45 AM


Hello L1NGUS

In the Navy, did you ever go to Roosevelt Roads Naval Base?

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#7 L1NGUS

Posted 27 January 2014 - 01:38 AM

Roosevelt Roads? No sir. I served aboard the USS Chicago (CG-11) and all the ports and bases I visited were Pacific ocean locations.

 

I ran Combofix as you instructed (with my anti-virus program disabled) and did not interfere with the program.

The Combofix window said:

Preparing log report.

Do not run any programs until Combofix has completed

_

And then nothing happened. I waited for 30 minutes. The program appeared to have stalled and no log report was produced.

I restarted my computer and ran Combofix again with the same results: the program appeared to have stalled and no log report was produced.


Edited by L1NGUS, 27 January 2014 - 03:30 AM.


#8 gringo_pr

Posted 27 January 2014 - 01:15 PM


Hello L1NGUS,

OK, let's try this: I want you to run Combofix in Safe Mode, but it is very important that when Combofix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
After Combofix has finished its scan, please post the report back here.

Gringo

#9 L1NGUS

Posted 27 January 2014 - 02:00 PM

Hi Gringo,

 

No luck. I did as you asked. Twice. In Safe Mode. I even tried running Combofix as Administrator. The program continues to stall out at the same point:

Preparing log report.

Do not run any programs until Combofix has completed

_

To be as forthcoming about the process as possible, here are some things I noticed while running Combofix:

During all scans (Safe Mode or Normal Mode), at the end, when a report is supposedly being prepared, all the icons on my desktop will disappear and then reappear. Immediately following that a notification bubble from my System Tray reports that I have multiple problems with my security - which I will assume is because I have Real-time Protection disabled for Microsoft Security Essentials. From then on Combofix appears to stall. The computer does not restart or produce a log report. It's as if focus has been stolen by the SysTray notification.

I received 2 popup warnings from Combofix during the Safe Mode scans: the first that Microsoft Security Essentials was active, even though it was disabled (and showed it as disabled in the SysTray) and the second popup notice repeated that warning with an additional warning that I was proceeding at my own risk.

Also, during the Safe Mode scans, I noticed that Combofix reported: Access Denied. Administrator permissions are needed to use the selected options. Use an Administrators command prompt to complete these tasks. This happened right at the very beginning of the process before any stages had begun and once during the scan after the 39th stage, I believe.

On the off chance I have a bad copy, I downloaded another copy of Combofix and tried running it again with the same results as previously reported: the program stalls out.


Edited by L1NGUS, 27 January 2014 - 04:50 PM.


#10 gringo_pr

Posted 27 January 2014 - 05:05 PM


Hello L1NGUS

One more try, and if it does not work we will move on.

I would like you to try this to see if Combofix will run.

Combofix
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box:
    ComboFix /nombr
  • Click OK.
Copy and paste the report into this topic for me to review.

Gringo

#11 L1NGUS

Posted 27 January 2014 - 05:34 PM

Gringo, I did as instructed but the results were the same: Combofix stalls out and no log report is created.



#12 gringo_pr

Posted 27 January 2014 - 08:09 PM

Hello L1NGUS

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
   • Internet access
   • Windows Update
   • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.


--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit.
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.
Send me the reports made from MBAR and RogueKiller and also let me know how the computer is doing at this time.

Gringo

#13 L1NGUS

Posted 27 January 2014 - 08:56 PM

Yo Gringo,

The Malwarebytes Anti-Rootkit program completed its scan and reported it had found no malware. No report was created.

RogueKiller ran and produced 2 reports, neither of which is called RKreport[2].txt.

I have RKreport[0]_S_01272014_174036:

 

RogueKiller V8.8.3 [Jan 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Robert [Admin rights]
Mode : Scan -- Date : 01/27/2014 17:40:36
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36B76E66)
[Inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36B76E66)
[Inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36B76E66)
 
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) Hitachi HDT725032VLA SCSI Disk Device +++++
--- User ---
[MBR] 65502e255f3bf2ff91b95dc3053a37a1
[BSP] e4f1a3792e18a93ded96ab613143948a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21053440 | Size: 294964 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
Finished : << RKreport[0]_S_01272014_174036.txt >>
 
 
 
And RKreport[0]_D_01272014_174047:
 
RogueKiller V8.8.3 [Jan 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Robert [Admin rights]
Mode : Remove -- Date : 01/27/2014 17:40:47
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36B76E66)
[Inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36B76E66)
[Inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36B76E66)
 
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) Hitachi HDT725032VLA SCSI Disk Device +++++
--- User ---
[MBR] 65502e255f3bf2ff91b95dc3053a37a1
[BSP] e4f1a3792e18a93ded96ab613143948a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21053440 | Size: 294964 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
Finished : << RKreport[0]_D_01272014_174047.txt >>
RKreport[0]_S_01272014_174036.txt
 
 
I have Internet access and both Windows Update and Windows Firewall are functioning normally.
 
 

Edited by L1NGUS, 27 January 2014 - 08:58 PM.


#14 gringo_pr

Posted 27 January 2014 - 09:05 PM


Hello L1NGUS,



Please download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 L1NGUS

  • Topic Starter

  • Members
  • 105 posts
  • Gender:Not Telling

Posted 27 January 2014 - 09:14 PM

Hey Gringo!

 

Ran FRST.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-01-2014 02
Ran by Robert (administrator) on ROBERT-PC on 27-01-2014 18:07:52
Running from C:\Users\Robert\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) ===================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Andrea Electronics Corporation) C:\Windows\System32\AERTSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS32.exe
(Secunia) C:\Program Files\Secunia\PSI\psia.exe
() C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.22.3\GoogleCrashHandler.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Gteko Ltd.) C:\Program Files\DellSupport\DSAgnt.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Avanquest Software ) C:\Program Files\Digital Line Detect\DLG.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Secunia) C:\Program Files\Secunia\PSI\psi_tray.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [ArcSoft Connection Service] - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [ISUSPM Startup] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [ISUSScheduler] - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [LifeCam] - C:\Program Files\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [RoxWatchTray] - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [221184 2006-11-05] (Sonic Solutions)
HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [648072 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [VX3000] - C:\Windows\vVX3000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4907008 2008-01-17] (Realtek Semiconductor)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [2296600 2013-07-31] (Logitech, Inc.)
HKLM\...\Run: [jswtrayutil] - "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [460784 2007-03-15] (Gteko Ltd.)
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKCU\...\Run: [WinPatrol] - C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - ComcastSearch URL = http://search.comcast.net/?q={searchTerms}&cat=Web&con=ie7
SearchScopes: HKCU - ComcastSearch URL = 
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Speckie - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\Robert\AppData\Roaming\Speckie\bin32\Speckie32.dll (Versoworks Pty Ltd)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {01113300-3E00-11D2-8470-0060089874ED} http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF ProfilePath: C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default
FF DefaultSearchEngine: Google
FF Homepage: hxxp://xfinity.comcast.net/?cid=topnav_xfinity
FF Keyword.URL: hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF NetworkProxy: "ftp", ":0"
FF NetworkProxy: "http", ":0"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", ":0"
FF NetworkProxy: "ssl", ":0"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw_1207148.dll (Adobe Systems, Inc.)
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin: @unity3d.com/UnityPlayer - C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin: @videolan.org/vlc,version=2.0.4 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.0 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @virtools.com/3DviaPlayer - C:\Program Files\Virtools\3D Life Player\npvirtools.dll (Virtools SA)
FF Plugin HKCU: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin HKCU: @eximion.com/KalydoPlayer3.08.01 - C:\Users\Robert\AppData\Roaming\Kalydo\KalydoPlayer\npkalydo.dll (Eximion B.V.)
FF Plugin HKCU: @g2.com/iggweb3dupdater - C:\Users\Robert\AppData\Roaming\IGG\Web3D\1.0.0.37\NPIGGWeb3DUpdater.dll (IGG)
FF Plugin HKCU: @g2.com/joyconnectshell - C:\Users\Robert\AppData\Roaming\IGG\Web3D\1.0.0.37\NPJoyConnectShell.dll (IGG)
FF Plugin HKCU: @soe.sony.com/installer,version=1.0.3 - C:\Users\Robert\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\CONFLICT.1\npsoe.dll ()
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Robert\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Robert\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\Robert\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Robert\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Robert\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Robert\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Users\Robert\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Robert\AppData\Roaming\mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin ProgramFiles/Appdata: C:\Users\Robert\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\comcast.xml
FF Extension: United States English Spellchecker - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\Extensions\en-US@dictionaries.addons.mozilla.org [2013-03-23]
FF Extension: DownloadHelper - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2013-09-02]
FF Extension: Add-on Compatibility Reporter - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\Extensions\compatibility@addons.mozilla.org.xpi [2011-10-16]
FF Extension: Google Similar Images - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\Extensions\nishan.naseer.googimagesearch@gmail.com.xpi [2012-12-31]
FF Extension: Search By Image (by Google) - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\Extensions\{ce7e73df-6a44-4028-8079-5927a588c948}.xpi [2012-11-07]
FF Extension: Adblock Plus - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ploogcb8.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-11-02]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
 
Chrome: 
=======
CHR HomePage: hxxp://xfinity.comcast.net/?cid=mtmh01092012
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\pdf.dll ()
CHR Plugin: (Screen Capture Plugin) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce\3.4.5_0\plugins/screen_capture.dll No File
CHR Plugin: (Microsoft® Windows Media Player Firefox Plugin) - C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (Pando Web Installer) - C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll (Pando Networks)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (PDF-XChange Viewer) - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (3DVIA Player) - C:\Program Files\Virtools\3D Life Player\npvirtools.dll (Virtools SA)
CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
CHR Plugin: (Unity Player) - C:\Users\Robert\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\Robert\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (SOE Web Installer) - C:\Users\Robert\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\CONFLICT.1\npsoe.dll ()
CHR Plugin: (IGG Web3D Updater NP Plugin for Mozilla) - C:\Users\Robert\AppData\Roaming\IGG\Web3D\1.0.0.37\NPIGGWeb3DUpdater.dll (IGG)
CHR Plugin: (JoyConnect NP Plugin for Mozilla) - C:\Users\Robert\AppData\Roaming\IGG\Web3D\1.0.0.37\NPJoyConnectShell.dll (IGG)
CHR Plugin: (Kalydo Player Plugin for Mozilla) - C:\Users\Robert\AppData\Roaming\Kalydo\KalydoPlayer\npkalydo.dll (Eximion B.V.)
CHR Plugin: (Google Talk Plugin) - C:\Users\Robert\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
CHR Plugin: (Google Talk Plugin Video Accelerator) - C:\Users\Robert\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
CHR Plugin: (Google Talk Plugin Video Renderer) - C:\Users\Robert\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.16) - C:\Windows\system32\npDeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Angry Birds) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2011-12-23]
CHR Extension: (YouTube) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-23]
CHR Extension: (Adblock Plus) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-07-26]
CHR Extension: (Google Search) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-23]
CHR Extension: (VTchromizer) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\efbjojhplkelaegfbieplglfidafgoka [2013-12-12]
CHR Extension: (Google Calendar) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2013-03-25]
CHR Extension: (XKit) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpfgeeomkfdefkckijiabdbogjkdaecd [2013-10-24]
CHR Extension: (Pixlr Editor) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmaknaampgiegkcjlimdiidlhopknpk [2013-03-11]
CHR Extension: (Google Wallet) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-23]
 
========================== Services (Whitelisted) =================
 
R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 AERTFilters; C:\Windows\system32\AERTSrv.exe [77824 2007-12-05] (Andrea Electronics Corporation)
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2007-03-19] ()
S3 jswpsapi; C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe [960992 2010-03-22] (Atheros Communications, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-04-18] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-04-18] (Secunia)
R2 WSWNA1100; C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe [266240 2010-08-04] ()
 
==================== Drivers (Whitelisted) ====================
 
R3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.)
R0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2008-01-18] (Microsoft Corporation)
R3 athur; C:\Windows\System32\DRIVERS\athur.sys [1439744 2010-10-10] (Atheros Communications, Inc.)
S3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [30360 2011-09-01] (Logitech, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R1 MpKsl7cea256d; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7CC79370-68C5-445F-9EE2-8590FF8A35A8}\MpKsl7cea256d.sys [40392 2014-01-27] (Microsoft Corporation)
R3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [21728 2007-01-19] (Windows ® Codename Longhorn DDK provider)
S3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [186592 2008-07-11] (Jungo)
S3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [521216 2008-01-18] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-18] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
R3 catchme; \??\C:\Users\Robert\AppData\Local\Temp\catchmepgwn.sys [x]
S3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 PTQHBUS; system32\DRIVERS\PTQHBUS.sys [x]
S3 PTQHMDM; system32\DRIVERS\PTQHMDM.sys [x]
S3 PTQHVSP; system32\DRIVERS\PTQHVSP.sys [x]
S3 SASENUM; \??\C:\Users\Robert\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS [x]
S3 ZSMC302; System32\Drivers\usbvm302.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-27 18:07 - 2014-01-27 18:08 - 00021430 _____ C:\Users\Robert\Desktop\FRST.txt
2014-01-27 18:07 - 2014-01-27 18:07 - 00000000 ____D C:\FRST
2014-01-27 18:06 - 2014-01-27 18:06 - 01622528 _____ (Farbar) C:\Users\Robert\Desktop\FRST.exe
2014-01-27 17:40 - 2014-01-27 17:40 - 00003061 _____ C:\Users\Robert\Desktop\RKreport[0]_D_01272014_174047.txt
2014-01-27 17:40 - 2014-01-27 17:40 - 00002996 _____ C:\Users\Robert\Desktop\RKreport[0]_S_01272014_174036.txt
2014-01-27 17:37 - 2014-01-27 17:42 - 00000000 ____D C:\Users\Robert\Desktop\RK_Quarantine
2014-01-27 17:25 - 2014-01-27 17:36 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-27 17:25 - 2014-01-27 17:25 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-27 17:24 - 2014-01-27 17:24 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-27 17:22 - 2014-01-27 17:24 - 00000000 ____D C:\Users\Robert\Desktop\New Folder
2014-01-27 17:21 - 2014-01-27 17:21 - 03792384 _____ C:\Users\Robert\Desktop\RogueKiller.exe
2014-01-27 17:13 - 2014-01-27 17:16 - 09192602 _____ (Gougelet Pierre-e                                           ) C:\Users\Robert\Downloads\XnConvert-win.exe
2014-01-27 14:16 - 2014-01-27 14:29 - 00000000 ____D C:\ComboFix
2014-01-27 13:00 - 2014-01-27 13:00 - 05175619 ____R (Swearware) C:\Users\Robert\Desktop\ComboFix.exe
2014-01-26 22:02 - 2014-01-26 22:02 - 00000000 ____D C:\Qoobox
2014-01-26 22:02 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2014-01-26 22:02 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2014-01-26 22:02 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-26 22:02 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-01-26 22:02 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-01-26 22:02 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2014-01-26 22:02 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2014-01-26 22:02 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2014-01-26 19:13 - 2014-01-26 19:13 - 00002747 _____ C:\Users\Robert\Desktop\JRT.txt
2014-01-26 19:01 - 2014-01-26 19:03 - 00000000 ____D C:\AdwCleaner
2014-01-26 18:58 - 2014-01-26 18:59 - 01037068 _____ (Thisisu) C:\Users\Robert\Desktop\JRT.exe
2014-01-26 18:58 - 2014-01-26 18:58 - 01236282 _____ C:\Users\Robert\Desktop\AdwCleaner.exe
2014-01-15 19:03 - 2014-01-15 19:02 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-01-15 19:02 - 2014-01-15 19:02 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-01-15 19:02 - 2014-01-15 19:02 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-01-15 19:02 - 2014-01-15 19:02 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-01-15 19:02 - 2014-01-15 19:02 - 00000000 ____D C:\Program Files\Java
 
==================== One Month Modified Files and Folders =======
 
2014-01-27 18:08 - 2014-01-27 18:07 - 00021430 _____ C:\Users\Robert\Desktop\FRST.txt
2014-01-27 18:07 - 2014-01-27 18:07 - 00000000 ____D C:\FRST
2014-01-27 18:06 - 2014-01-27 18:06 - 01622528 _____ (Farbar) C:\Users\Robert\Desktop\FRST.exe
2014-01-27 17:55 - 2010-12-22 16:32 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2916917513-2910104396-1903512758-1000UA.job
2014-01-27 17:42 - 2014-01-27 17:37 - 00000000 ____D C:\Users\Robert\Desktop\RK_Quarantine
2014-01-27 17:42 - 2010-06-04 11:08 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-27 17:40 - 2014-01-27 17:40 - 00003061 _____ C:\Users\Robert\Desktop\RKreport[0]_D_01272014_174047.txt
2014-01-27 17:40 - 2014-01-27 17:40 - 00002996 _____ C:\Users\Robert\Desktop\RKreport[0]_S_01272014_174036.txt
2014-01-27 17:36 - 2014-01-27 17:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-27 17:25 - 2014-01-27 17:25 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-27 17:24 - 2014-01-27 17:24 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-27 17:24 - 2014-01-27 17:22 - 00000000 ____D C:\Users\Robert\Desktop\New Folder
2014-01-27 17:24 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-27 17:24 - 2006-11-02 04:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-27 17:21 - 2014-01-27 17:21 - 03792384 _____ C:\Users\Robert\Desktop\RogueKiller.exe
2014-01-27 17:17 - 2013-01-05 15:41 - 00001594 _____ C:\Users\Robert\Desktop\XnConvert.lnk
2014-01-27 17:17 - 2013-01-05 15:41 - 00000000 ____D C:\Program Files\XnConvert
2014-01-27 17:16 - 2014-01-27 17:13 - 09192602 _____ (Gougelet Pierre-e                                           ) C:\Users\Robert\Downloads\XnConvert-win.exe
2014-01-27 17:09 - 2012-11-07 19:14 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-27 16:11 - 2007-12-09 00:24 - 01440787 _____ C:\Windows\WindowsUpdate.log
2014-01-27 14:29 - 2014-01-27 14:16 - 00000000 ____D C:\ComboFix
2014-01-27 14:27 - 2006-11-02 02:23 - 00000215 _____ C:\Windows\system.ini
2014-01-27 13:25 - 2010-06-04 11:07 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-27 13:24 - 2013-10-06 10:14 - 00058152 _____ C:\Windows\PFRO.log
2014-01-27 13:24 - 2006-11-02 05:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-27 13:23 - 2007-12-09 00:35 - 00000012 _____ C:\Windows\bthservsdp.dat
2014-01-27 13:23 - 2006-11-02 05:01 - 00032598 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-27 13:00 - 2014-01-27 13:00 - 05175619 ____R (Swearware) C:\Users\Robert\Desktop\ComboFix.exe
2014-01-27 12:31 - 2013-07-10 14:08 - 00001933 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-27 08:55 - 2010-12-22 16:32 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2916917513-2910104396-1903512758-1000Core.job
2014-01-26 22:02 - 2014-01-26 22:02 - 00000000 ____D C:\Qoobox
2014-01-26 22:01 - 2013-06-04 12:23 - 00000000 ____D C:\Windows\erdnt
2014-01-26 19:21 - 2006-11-02 02:33 - 00772866 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-26 19:13 - 2014-01-26 19:13 - 00002747 _____ C:\Users\Robert\Desktop\JRT.txt
2014-01-26 19:03 - 2014-01-26 19:01 - 00000000 ____D C:\AdwCleaner
2014-01-26 18:59 - 2014-01-26 18:58 - 01037068 _____ (Thisisu) C:\Users\Robert\Desktop\JRT.exe
2014-01-26 18:58 - 2014-01-26 18:58 - 01236282 _____ C:\Users\Robert\Desktop\AdwCleaner.exe
2014-01-25 13:55 - 2010-12-10 23:33 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Mozilla
2014-01-25 11:31 - 2011-09-15 20:48 - 00000000 ____D C:\Users\Robert\AppData\Roaming\vlc
2014-01-18 23:32 - 2009-10-14 15:08 - 00231584 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-01-15 19:02 - 2014-01-15 19:03 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-01-15 19:02 - 2014-01-15 19:02 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-01-15 19:02 - 2014-01-15 19:02 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-01-15 19:02 - 2014-01-15 19:02 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-01-15 19:02 - 2014-01-15 19:02 - 00000000 ____D C:\Program Files\Java
2014-01-15 18:59 - 2012-03-30 12:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-01-15 18:59 - 2011-05-20 20:36 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-01-15 18:51 - 2011-07-02 12:35 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2014-01-14 16:06 - 2013-07-09 17:29 - 00000000 ____D C:\Windows\system32\MRT
2014-01-14 16:01 - 2006-11-02 02:24 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-01-09 13:02 - 2008-12-21 16:35 - 00000000 ____D C:\Users\Robert\dwhelper
 
Files to move or delete:
====================
C:\Users\Robert\AppData\Roaming\desktop.ini
C:\Users\Robert\jagex_cl_runescape_LIVE.dat
C:\Users\Robert\random.dat
 
 
Some content of TEMP:
====================
C:\Users\Robert\AppData\Local\temp\ntdll_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-01-27 13:32
 
==================== End Of Log ============================
 
FRST program window is still open on my computer. Do I close it or click Fix or?

Edited by L1NGUS, 27 January 2014 - 09:20 PM.
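Gringo asked for the FRST log and L1NGUS posted it above. The log is long, and FRST has already hidden known-good items in its "(Whitelisted)" sections, so what an analyst reads first are the leftovers: processes and autostart entries with no publisher, browser plugins whose file is gone ("No File"), and driver entries whose binary could not be found ("[x]"). The script below is an added example, not code from this thread or from FRST itself, that parses an FRST.txt into its sections and pulls those entries out. The section names are FRST's own; SAMPLE_LOG is a constructed excerpt of the log posted above, and the finding names ("unsigned-process" and so on) are this example's, not FRST's.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example: not code from the forum thread or from FRST itself.
It splits an FRST.txt into its '==== Section ====' blocks and pulls out the
entries an analyst reads first. SAMPLE_LOG is a constructed excerpt of the
log posted in the thread; the finding names below are this example's own.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # '==== Name ===='
LEAD_PUB_RE = re.compile(r"^\(([^()]*)\)")       # process lines: '(Publisher) path'
TRAIL_PUB_RE = re.compile(r"\(([^()]*)\)\s*$")   # other lines: '... (Publisher)'

SAMPLE_LOG = r"""
==================== Processes (Whitelisted) ===================

() C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [jswtrayutil] - "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
HKCU\...\Run: [WinPatrol] - C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

Chrome:
=======
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll No File

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R3 catchme; \??\C:\Users\Robert\AppData\Local\Temp\catchmepgwn.sys [x]
S3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]

==================== End Of Log ============================
"""


def parse_sections(text):
    """Map each FRST section name to its non-empty entry lines."""
    sections = defaultdict(list)
    current, prev = "Header", ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if set(line) == {"="}:
            # 'Chrome:' / 'FireFox:' followed by a line of '=' is a sub-heading;
            # its title was appended to the previous section, so take it back.
            if sections.get(current) and sections[current][-1] == prev:
                sections[current].pop()
            current = prev.rstrip(":")
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        else:
            sections[current].append(line)
        prev = line
    return dict(sections)


def publisher_of(entry, leading=False):
    """Publisher text from '(Name)'; '' when FRST shows '()', None when absent."""
    m = (LEAD_PUB_RE if leading else TRAIL_PUB_RE).search(entry)
    return m.group(1).strip() if m else None


def triage(text):
    """Return {finding-kind: [entries]} for the items worth a second look.

    These flags are prompts to verify, not verdicts: '[x]' drivers are often
    leftovers of removal tools already run (catchme belongs to ComboFix), and
    a missing publisher only means FRST found no signer string on the file.
    """
    sections = parse_sections(text)
    found = defaultdict(list)
    for entry in sections.get("Processes (Whitelisted)", []):
        if publisher_of(entry, leading=True) == "":
            found["unsigned-process"].append(entry)
    for entry in sections.get("Registry (Whitelisted)", []):
        if "\\Run:" in entry and publisher_of(entry) in (None, ""):
            found["autorun-no-publisher"].append(entry)
    for browser in ("Chrome", "FireFox"):
        for entry in sections.get(browser, []):
            if entry.endswith("No File"):
                found["missing-plugin-file"].append(entry)
    for entry in sections.get("Drivers (Whitelisted)", []):
        if entry.endswith("[x]"):
            found["driver-binary-missing"].append(entry)
    return dict(found)


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(f"[{kind}]")
        for e in entries:
            print("   ", e)
```

Run against the full FRST.txt (`triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`) it gives the short list a helper would check by hand before writing a fix script: in the excerpt it surfaces the publisher-less NETGEAR service, the two Run entries with no size/date/publisher bracket, the Google Earth plugin whose DLL is gone, and the two drivers with no binary on disk.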




