Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Flashplayer Pro popup


  • This topic is locked This topic is locked
25 replies to this topic

#1 lukeoer

lukeoer

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 06 April 2014 - 06:40 AM

Hi,

 

Standard Flashplayer pro popup, the message is "WARNING! Your Flash Player may be out of date. Please update to continue".

 

The popup is incredibly frequent, it appears several times in a row on most pages visited, and is appearing on all devices attached to my wireless router (2 laptops and my android smartphone). It can be closed by clicking the x without redirecting.

 

I also can't visit reddit at all (on any of the devices), and google app store doesn't seem to be working. These issues appeared at the same time.

 

I have tried cleaning it up with Avira, Malwarebytes, ADWcleaner and a general cookie cleaning. Probably did more harm than good, although the situation hasn't changed at all.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.9.2
Run by rumblebox at 20:59:48 on 2014-04-06
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.16274.13708 [GMT 9.5:30]
.
AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\BisonCam\PID_0361\DeLay.exe
C:\Program Files\AuthenTec TrueSuite\KeepSafe\fvsvr.exe
C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Hotkey\Hotkey.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe
C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Hotkey\PowerBiosServer.exe
C:\Program Files\AuthenTec TrueSuite\TouchControl.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AuthenTec TrueSuite\BioMonitor.exe
C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com.au/
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\AuthenTec TrueSuite\x86\IEBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Avira Systray] C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\Users\RUMBLE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Hotkey.lnk - C:\Program Files (x86)\Hotkey\Hotkey.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Send image to Bluetooth Device - C:\Program Files (x86)\Realtek\Realtek Bluetooth\btsendto_ie_ctx.htm
IE: Send page to Bluetooth Device - C:\Program Files (x86)\Realtek\Realtek Bluetooth\btsendto_ie.htm
TCP: NameServer = 68.168.98.196 8.8.8.8
TCP: Interfaces\{9723F8E0-E244-4214-B282-F7A5070744CA} : DHCPNameServer = 68.168.98.196 8.8.8.8
TCP: Interfaces\{9723F8E0-E244-4214-B282-F7A5070744CA}\36964797C6F6467656 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{9723F8E0-E244-4214-B282-F7A5070744CA}\9696333314448393072796D6162797 : DHCPNameServer = 10.1.1.1
TCP: Interfaces\{9723F8E0-E244-4214-B282-F7A5070744CA}\F40545553544E4542424145383 : DHCPNameServer = 10.1.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\AuthenTec TrueSuite\IEBHO.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [DeLay] C:\Program Files (x86)\BisonCam\PID_0361\DeLay.exe
x64-Run: [KeepSafe] "C:\Program Files\AuthenTec TrueSuite\KeepSafe\fvsvr.exe" /startup
x64-Run: [BtServer] "C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe"
x64-Run: [THXCfg64] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe"
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2013-8-3 14456]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-11-19 19224]
R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2013-1-6 30648]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2014-4-5 28600]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2014-4-5 440400]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2014-4-5 440400]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2014-4-5 108440]
R2 Avira.OE.ServiceHost;Avira Service Host;C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [2014-3-25 121424]
R2 BTDevManager;BTDevManager;C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTDevMgr.exe [2012-12-11 23552]
R2 FPLService;TrueSuiteService;C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-11-3 299848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-12-11 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-12-11 127320]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-12-11 162648]
R2 PowerBiosServer;PowerBiosServer;C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [2012-5-22 35328]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-12-11 362840]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-11-19 331264]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-11-19 356632]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-11-19 789272]
R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\drivers\RtsBaStor.sys [2012-12-11 293992]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-12-11 685160]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtwlane.sys [2012-12-11 1077864]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 gfiark;gfiark;C:\Windows\System32\drivers\gfiark.sys [2013-8-3 41032]
S3 RtkBtFilter;Realtek Bluetooth Filter Driver;C:\Windows\System32\drivers\RtkBtfilter.sys [2012-12-11 621672]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S4 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [2014-4-5 1017424]
.
=============== Created Last 30 ================
.
2014-04-06 11:13:41 -------- d-----w- C:\AdwCleaner
2014-04-06 09:48:52 84720 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2014-04-05 11:05:50 -------- d-----w- C:\Users\rumblebox\AppData\Roaming\Avira
2014-04-05 11:00:23 28600 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2014-04-05 11:00:23 108440 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2014-04-05 09:10:08 -------- d-----w- C:\ProgramData\Package Cache
2014-04-05 09:07:47 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-04-05 09:07:38 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-04-05 09:07:38 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-04-05 09:07:38 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-04-05 09:07:38 -------- d-----w- C:\ProgramData\Malwarebytes
2014-04-05 09:07:38 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-03-11 09:57:33 -------- d-----w- C:\Users\rumblebox\AppData\Roaming\GameRanger
2014-03-10 18:26:10 -------- d-----w- C:\Users\rumblebox\AppData\Local\FalloutNV
.
==================== Find3M  ====================
.
2014-03-14 00:32:18 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2014-03-14 00:32:18 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2014-03-13 05:02:44 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2014-03-12 11:14:58 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 11:14:58 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 20:59:57.77 ===============
 

 

 

Attached Files


Edited by lukeoer, 06 April 2014 - 06:42 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 07 April 2014 - 08:00 AM


Hello lukeoer,

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 08 April 2014 - 04:55 AM

Thanks for the help
 
 
# AdwCleaner v3.023 - Report created 08/04/2014 at 19:15:22
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : rumblebox - RUMBLEBOX-PC
# Running from : C:\Users\rumblebox\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Google Chrome v33.0.1750.154
 
[ File : C:\Users\rumblebox\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1602 octets] - [06/04/2014 20:44:27]
AdwCleaner[R1].txt - [896 octets] - [07/04/2014 22:06:52]
AdwCleaner[R2].txt - [955 octets] - [08/04/2014 19:14:50]
AdwCleaner[S0].txt - [1652 octets] - [06/04/2014 20:44:55]
AdwCleaner[S1].txt - [877 octets] - [08/04/2014 19:15:22]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [936 octets] ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by rumblebox on Tue 08/04/2014 at 19:19:29.97
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\apn"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 08/04/2014 at 19:23:30.25
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 08 April 2014 - 07:59 AM


Hello lukeoer

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 08 April 2014 - 08:27 AM

OK. In terms of the computer, I am still getting popups and redirects of the same type, as is the other laptop on the network. My android phone remains unable to connect to google services with on wifi (works fine on 3g)

 

Combofix ran fine. Log is below.

 

ComboFix 14-04-08.01 - rumblebox 08/04/2014  22:50:22.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.16274.14167 [GMT 9.5:30]
Running from: c:\users\rumblebox\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\RUMBLE~1\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\users\rumblebox\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-08 to 2014-04-08  )))))))))))))))))))))))))))))))
.
.
2014-04-08 09:49 . 2014-04-08 09:49 -------- d-----w- c:\windows\ERUNT
2014-04-06 11:13 . 2014-04-08 09:45 -------- d-----w- C:\AdwCleaner
2014-04-06 09:48 . 2014-04-06 09:48 84720 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-04-05 11:05 . 2014-04-05 11:05 -------- d-----w- c:\users\rumblebox\AppData\Roaming\Avira
2014-04-05 11:00 . 2014-02-25 01:11 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2014-04-05 11:00 . 2014-02-25 01:11 131576 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-04-05 11:00 . 2014-02-25 01:11 108440 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-04-05 09:10 . 2014-04-05 09:10 -------- d-----w- c:\programdata\Package Cache
2014-04-05 09:07 . 2014-04-07 12:28 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-05 09:07 . 2014-04-05 09:07 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-05 09:07 . 2014-04-05 09:07 -------- d-----w- c:\programdata\Malwarebytes
2014-04-05 09:07 . 2014-04-02 23:21 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-05 09:07 . 2014-04-02 23:21 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-05 09:07 . 2014-04-02 23:20 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-11 09:57 . 2014-03-11 09:57 -------- d-----w- c:\users\rumblebox\AppData\Roaming\GameRanger
2014-03-10 18:26 . 2014-03-10 18:26 -------- d-----w- c:\users\rumblebox\AppData\Local\FalloutNV
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-14 00:32 . 2013-12-31 05:46 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2014-03-14 00:32 . 2013-03-17 05:25 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2014-03-13 05:02 . 2013-03-17 05:25 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2014-03-12 11:14 . 2013-07-10 23:20 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 11:14 . 2013-07-10 23:20 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-25 1821888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-03-26 291608]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" [2010-11-01 1374720]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-11-29 284440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-03-25 173136]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-02-25 689744]
.
c:\users\rumblebox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hotkey.lnk - c:\program files (x86)\Hotkey\Hotkey.exe [2012-7-20 4729856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys;c:\windows\SYSNATIVE\drivers\gfiark.sys [x]
R3 RtkBtFilter;Realtek Bluetooth Filter Driver;c:\windows\system32\DRIVERS\RtkBtfilter.sys;c:\windows\SYSNATIVE\DRIVERS\RtkBtfilter.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
S2 BTDevManager;BTDevManager;c:\program files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe;c:\program files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [x]
S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 PowerBiosServer;PowerBiosServer;c:\program files (x86)\Hotkey\PowerBiosServer.exe;c:\program files (x86)\Hotkey\PowerBiosServer.exe [x]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsBaStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 08:58 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-10 11:14]
.
2014-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-12 08:26]
.
2014-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-12 08:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{BC6D10E6-AE59-4cef-83DB-FD4C9BC7B7F2}"
[HKEY_CLASSES_ROOT\CLSID\{BC6D10E6-AE59-4cef-83DB-FD4C9BC7B7F2}]
2011-10-21 03:00 4014408 ----a-w- c:\program files\AuthenTec TrueSuite\KeepSafe\fvns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{93BB455E-3D52-4fba-9733-E5103B30FC12}"
[HKEY_CLASSES_ROOT\CLSID\{93BB455E-3D52-4fba-9733-E5103B30FC12}]
2011-10-21 03:00 4014408 ----a-w- c:\program files\AuthenTec TrueSuite\KeepSafe\fvns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-29 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-29 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-29 439064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-12-12 13374568]
"DeLay"="c:\program files (x86)\BisonCam\PID_0361\DeLay.exe" [2008-12-05 53248]
"KeepSafe"="c:\program files\AuthenTec TrueSuite\KeepSafe\fvsvr.exe" [2011-10-21 38728]
"BtServer"="c:\program files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe" [2012-03-23 419840]
"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to Bluetooth Device - c:\program files (x86)\REALTEK\Realtek Bluetooth\btsendto_ie_ctx.htm
IE: Send page to Bluetooth Device - c:\program files (x86)\REALTEK\Realtek Bluetooth\btsendto_ie.htm
TCP: DhcpNameServer = 68.168.98.196 8.8.8.8
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SBRegRebootCleaner - c:\program files (x86)\Ad-Aware Antivirus\SBRC.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2014-04-08  22:54:33 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-08 13:24
.
Pre-Run: 47,972,884,480 bytes free
Post-Run: 48,352,440,320 bytes free
.
- - End Of File - - 72AAB1DC39DFC73F26B33AD76802CFAE


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 08 April 2014 - 10:56 AM


Create and Run Batch File
  • Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:

@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
  • Save this as router.bat Choose to Save type as - All Files and where to save - Desktop - then close the Notepad file.

    It should look like this: batfileicon.gif <--XP
    Double-click on router.bat to run it. it will open notepad when done please post back the results

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 08 April 2014 - 06:11 PM

 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : rumblebox-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8723AE Wireless LAN 802.11n PCI-E NIC
   Physical Address. . . . . . . . . : 20-68-9D-0B-F1-A1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e592:bc5a:a85c:8d54%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, 9 April 2014 8:38:49 AM
   Lease Expires . . . . . . . . . . : Saturday, 12 April 2014 8:38:49 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 354445469
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-58-7C-97-00-90-F5-DB-AA-4A
   DNS Servers . . . . . . . . . . . : 68.168.98.196
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 00-90-F5-DB-AA-4A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{9723F8E0-E244-4214-B282-F7A5070744CA}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:cdc:cc5f:8568:4dd6(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::cdc:cc5f:8568:4dd6%15(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  68-168-98-196.dedicated.codero.net
Address:  68.168.98.196
 
Name:    google.com
Addresses:  173.234.241.50
 184.107.232.162
 37.59.45.163
 
Server:  68-168-98-196.dedicated.codero.net
Address:  68.168.98.196
 
Name:    yahoo.com
Addresses:  173.234.241.50
 184.107.232.162
 
 
Pinging google.com [123.2.3.56] with 32 bytes of data:
Reply from 123.2.3.56: bytes=32 time=96ms TTL=61
Reply from 123.2.3.56: bytes=32 time=109ms TTL=61
 
Ping statistics for 123.2.3.56:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 109ms, Average = 102ms
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=361ms TTL=47
Reply from 206.190.36.45: bytes=32 time=357ms TTL=47
 
Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 357ms, Maximum = 361ms, Average = 359ms
===========================================================================
Interface List
 14...20 68 9d 0b f1 a1 ......Realtek RTL8723AE Wireless LAN 802.11n PCI-E NIC
 13...00 90 f5 db aa 4a ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    281
    192.168.1.100  255.255.255.255         On-link     192.168.1.100    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.100    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.100    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.100    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 15     58 2001::/32                On-link
 15    306 2001:0:9d38:6abd:cdc:cc5f:8568:4dd6/128
                                    On-link
 14    281 fe80::/64                On-link
 15    306 fe80::/64                On-link
 15    306 fe80::cdc:cc5f:8568:4dd6/128
                                    On-link
 14    281 fe80::e592:bc5a:a85c:8d54/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    306 ff00::/8                 On-link
 14    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
 

Edited by lukeoer, 08 April 2014 - 06:13 PM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 09 April 2014 - 07:47 AM

Hello


I would like you to set up the routers DNS to open DNS and see if that clears the problem

You can see how to do that here - https://store.opendns.com/setup/router/

Just choose the router and follow the steps


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 10 April 2014 - 06:59 AM

Well, that actually seems to have worked. Nary a pop-up in the last 2 hours of browsing.

 

But what does that mean, how does a DNS server change prevent pop-ups/redirects?

 

I will keep testing and reply again tomorrow to confirm no more issues. 

 

Thanks very much for the help.



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 10 April 2014 - 07:18 AM


Hello lukeoer


To get an idea to what DNS does read this - http://www.dummies.com/how-to/content/dns-what-it-is-and-what-it-does.html

A comprimized server or one that is under the bad guys control can send you where every they want for any website you want to visit.



At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 10 April 2014 - 06:08 PM

I will do so when I get home. As an update, while I didn't get any pop-ups or redirects on my primary laptop last night, I did get the same problem on my android phone (again, while connected to wifi, it never happens on 3g).



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 11 April 2014 - 07:44 AM

How about on any other devices?
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 11 April 2014 - 08:30 PM

Thanks for the ongoing help.

 

All 3 devices (2 laptops and android phone) re still getting the popup.

 

Unfortunately Avira was running when I ran combofix this time, but I didn't want to try and stop it halfway. It blocked a registry edit and something else. Do you want me to run it again?

 

This is the log of that attempt:

 

 

 

ComboFix 14-04-08.01 - rumblebox 12/04/2014  10:41:12.2.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.16274.13861 [GMT 9.5:30]
Running from: c:\users\rumblebox\Desktop\ComboFix.exe
Command switches used :: c:\users\rumblebox\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\RUMBLE~1\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\users\rumblebox\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-12 to 2014-04-12  )))))))))))))))))))))))))))))))
.
.
2014-04-12 01:19 . 2014-04-12 01:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-04-12 01:19 . 2014-04-12 01:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-08 09:49 . 2014-04-08 09:49 -------- d-----w- c:\windows\ERUNT
2014-04-06 11:13 . 2014-04-08 09:45 -------- d-----w- C:\AdwCleaner
2014-04-06 09:48 . 2014-04-06 09:48 84720 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-04-05 11:05 . 2014-04-05 11:05 -------- d-----w- c:\users\rumblebox\AppData\Roaming\Avira
2014-04-05 11:00 . 2014-02-25 01:11 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2014-04-05 11:00 . 2014-02-25 01:11 131576 ----a-w- c:\windows\system32\drivers\avipbb.sys
2014-04-05 11:00 . 2014-02-25 01:11 108440 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-04-05 09:10 . 2014-04-05 09:10 -------- d-----w- c:\programdata\Package Cache
2014-04-05 09:07 . 2014-04-07 12:28 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-05 09:07 . 2014-04-05 09:07 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-05 09:07 . 2014-04-05 09:07 -------- d-----w- c:\programdata\Malwarebytes
2014-04-05 09:07 . 2014-04-02 23:21 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-05 09:07 . 2014-04-02 23:21 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-05 09:07 . 2014-04-02 23:20 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-14 00:32 . 2013-12-31 05:46 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2014-03-14 00:32 . 2013-03-17 05:25 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2014-03-13 05:02 . 2013-03-17 05:25 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2014-03-12 11:14 . 2013-07-10 23:20 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 11:14 . 2013-07-10 23:20 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-25 1821888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-03-26 291608]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" [2010-11-01 1374720]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-11-29 284440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-03-25 173136]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-02-25 689744]
.
c:\users\rumblebox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hotkey.lnk - c:\program files (x86)\Hotkey\Hotkey.exe [2012-7-20 4729856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys;c:\windows\SYSNATIVE\drivers\gfiark.sys [x]
R3 RtkBtFilter;Realtek Bluetooth Filter Driver;c:\windows\system32\DRIVERS\RtkBtfilter.sys;c:\windows\SYSNATIVE\DRIVERS\RtkBtfilter.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe;c:\program files (x86)\Avira\AntiVir Desktop\avwebg7.exe [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
S2 BTDevManager;BTDevManager;c:\program files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe;c:\program files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [x]
S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 PowerBiosServer;PowerBiosServer;c:\program files (x86)\Hotkey\PowerBiosServer.exe;c:\program files (x86)\Hotkey\PowerBiosServer.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsBaStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 08:58 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-10 11:14]
.
2014-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-12 08:26]
.
2014-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-12 08:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{BC6D10E6-AE59-4cef-83DB-FD4C9BC7B7F2}"
[HKEY_CLASSES_ROOT\CLSID\{BC6D10E6-AE59-4cef-83DB-FD4C9BC7B7F2}]
2011-10-21 03:00 4014408 ----a-w- c:\program files\AuthenTec TrueSuite\KeepSafe\fvns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{93BB455E-3D52-4fba-9733-E5103B30FC12}"
[HKEY_CLASSES_ROOT\CLSID\{93BB455E-3D52-4fba-9733-E5103B30FC12}]
2011-10-21 03:00 4014408 ----a-w- c:\program files\AuthenTec TrueSuite\KeepSafe\fvns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-29 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-29 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-29 439064]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-12-12 13374568]
"DeLay"="c:\program files (x86)\BisonCam\PID_0361\DeLay.exe" [2008-12-05 53248]
"KeepSafe"="c:\program files\AuthenTec TrueSuite\KeepSafe\fvsvr.exe" [2011-10-21 38728]
"BtServer"="c:\program files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe" [2012-03-23 419840]
"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]
"SBRegRebootCleaner"="c:\program files (x86)\Ad-Aware Antivirus\SBRC.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to Bluetooth Device - c:\program files (x86)\REALTEK\Realtek Bluetooth\btsendto_ie_ctx.htm
IE: Send page to Bluetooth Device - c:\program files (x86)\REALTEK\Realtek Bluetooth\btsendto_ie.htm
TCP: DhcpNameServer = 68.168.98.196 8.8.8.8
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2014-04-12  10:57:32 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-12 01:27
ComboFix2.txt  2014-04-08 13:24
.
Pre-Run: 48,436,097,024 bytes free
Post-Run: 48,255,188,992 bytes free
.
- - End Of File - - 7BD5D8A8F27ED809A8981421D7A581E9

Edited by lukeoer, 11 April 2014 - 08:31 PM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:42 PM

Posted 12 April 2014 - 06:50 AM


After you have run these steps - you need to let me know how the computer is doing

Resetting Router
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know the router's default password, you can look it up. Here
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using or you can use OpenDNS
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.



After you have done this then set the DNS back to open DNS
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 lukeoer

lukeoer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 12 April 2014 - 07:16 AM

Hi,

 

I already reset the modem when I changed to OpenDNS (I forgot the router password so I had to reset to access the properties). It fully reset and then I changed to a non-default password again.

 

Is it worth doing it again? The only thing I have done since is the ClearJavaCache Combofix thing.


Edited by lukeoer, 12 April 2014 - 07:16 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users