
Computer Hacked and Security Updates Will Not Install


5 replies to this topic

#1 fmckee5
  • Members

Posted 22 May 2014 - 07:00 AM

Latest ComboFix text file along with DDS and Attach text files. The situation has stabilized, but I am still concerned about ComboFix finding and deleting the same files, which tells me there are still some problem files on my computer.

Fred

Attached Files




#2 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 25 May 2014 - 08:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#3 fmckee5
  • Topic Starter

Posted 26 May 2014 - 09:07 AM

Hi nasdaq,

A few updates could be installed but not all. Below are the screens you asked for.

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2014.05.20.01

 

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Fred McKee :: VOSTRO-430 [administrator]

 

5/25/2014 7:04:50 PM

mbam-log-2014-05-25 (19-04-50).txt

 

Scan type: Full scan (C:\|D:\|G:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 376774

Time elapsed: 1 hour(s), 42 minute(s), 11 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

***************************************************************************************************************************

# AdwCleaner v3.211 - Report created 26/05/2014 at 04:01:44

# Updated 26/05/2014 by Xplode

# Operating System : Windows 7 Professional Service Pack 1 (32 bits)

# Username : Fred McKee - VOSTRO-430

# Running from : C:\Users\Fred McKee\Desktop\adwcleaner_3.211.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\Users\Fred McKee\AppData\Roaming\registry mechanic

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\blbkdnmdcafmfhinpmnlhhddbepgkeaa

Key Deleted : HKCU\Software\AppDataLow\Software

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v9.0.8112.16455

 

 

-\\ Google Chrome v32.0.1700.107

 

[ File : C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [7498 octets] - [25/05/2014 18:42:40]

AdwCleaner[R1].txt - [897 octets] - [25/05/2014 18:53:25]

AdwCleaner[R2].txt - [1224 octets] - [26/05/2014 04:01:23]

AdwCleaner[S0].txt - [7789 octets] - [25/05/2014 18:43:07]

AdwCleaner[S1].txt - [957 octets] - [25/05/2014 18:53:59]

AdwCleaner[S2].txt - [1152 octets] - [26/05/2014 04:01:44]

 

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1212 octets] ##########

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-05-2014 01

Ran by Fred McKee (administrator) on VOSTRO-430 on 25-05-2014 12:41:24

Running from C:\Users\Fred McKee\Downloads

Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

 

The only official download link for FRST:

Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.

See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\ioloGovernor.exe

(IObit) C:\Program Files\IObit\Smart Defrag 3\SmartDefrag.exe

(SlimWare Utilities, Inc.) C:\Program Files\DriverUpdate\DriverUpdate.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

(Western Digital Technologies, Inc.) C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe

(Affinegy, Inc.) C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe

(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe

(IObit) C:\Program Files\IObit\Advanced SystemCare 7\ASCTray.exe

(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

(Belkin International, Inc.) C:\Program Files\Belkin\Belkin USB Print and Storage Center\Connect.exe

(Affinegy, Inc.) C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe

(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe

 

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7514656 2009-05-23] (Realtek Semiconductor)

HKLM\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)

HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [623880 2008-11-18] (Intuit Inc. All rights reserved.)

HKLM\...\Run: [WD Quick View] => C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe [5562736 2014-05-09] (Western Digital Technologies, Inc.)

HKLM\...\Run: [InstaLAN] => C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe [1485208 2010-07-28] (Affinegy, Inc.)

HKU\S-1-5-21-2222901898-1791171490-1954972134-1000\...\Run: [Advanced SystemCare 7] => C:\Program Files\IObit\Advanced SystemCare 7\ASCTray.exe [2295584 2014-04-21] (IObit)

HKU\S-1-5-21-2222901898-1791171490-1954972134-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-12-14] (Google Inc.)

HKU\S-1-5-21-2222901898-1791171490-1954972134-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5625624 2014-01-06] (SUPERAntiSpyware)

HKU\S-1-5-21-2222901898-1791171490-1954972134-1000\...\Policies\Explorer: [NoInstrumentation] 1

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x7AA863723A75CF01

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

URLSearchHook: HKCU - IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\8.9\iobitappsToolbarIE.dll (Spigot, Inc.)

SearchScopes: HKCU - {D307A922-EA36-4C36-9196-C0541B79AB1B} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=902615&p={searchTerms}

BHO: IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\8.9\iobitappsToolbarIE.dll (Spigot, Inc.)

BHO: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)

BHO: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)

BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO: Advanced SystemCare Browser Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)

BHO: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKLM - IObit Apps Toolbar - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - C:\Program Files\IObit Apps Toolbar\IE\8.9\iobitappsToolbarIE.dll (Spigot, Inc.)

Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455}

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.13.0.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)

Handler: inbox - No CLSID Value -

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)

ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

 

FireFox:

========

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF HKLM\...\Firefox\Extensions: [url_advisor@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\url_advisor@kaspersky.com

FF Extension: 卡巴斯基網址顧問 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\url_advisor@kaspersky.com [2014-02-05]

FF HKLM\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\virtual_keyboard@kaspersky.com

FF Extension: 虛擬鍵盤 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-02-05]

FF HKLM\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\content_blocker@kaspersky.com

FF Extension: 惡意網站攔截器 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\content_blocker@kaspersky.com [2014-02-05]

FF HKLM\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\anti_banner@kaspersky.com

FF Extension: Chặn quảng cáo - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\anti_banner@kaspersky.com [2014-02-05]

FF HKLM\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\online_banking@kaspersky.com

FF Extension: Safe Money - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\online_banking@kaspersky.com [2014-02-05]

 

Chrome:

=======

CHR HomePage: hxxp://search.yahoo.com/?type=902615&fr=spigot-yhp-ch

CHR StartupUrls: "hxxp://search.yahoo.com/?type=902615&fr=spigot-yhp-ch", "hxxp://www.google.com/"

CHR DefaultNewTabURL:

CHR Extension: (Docs) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-02-19]

CHR Extension: (Google Drive) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-19]

CHR Extension: (Advanced SystemCare Surfing Protection) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbmegnmpleoagolcnjnejdacakedpcgd [2014-05-19]

CHR Extension: (YouTube) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-12-14]

CHR Extension: (Google Search) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-12-14]

CHR Extension: (Kaspersky URL Advisor) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj [2014-02-19]

CHR Extension: (ZenSearch) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\eapmfjbemiffkmggedbiibolghfomomg [2014-04-23]

CHR Extension: (Safe Money) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\hakdifolhalapjijoafobooafbilfakh [2014-02-19]

CHR Extension: (Dangerous Websites Blocker) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\hghkgaeecgjhjkannahfamoehjmkjail [2014-02-19]

CHR Extension: (Virtual Keyboard) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh [2014-02-19]

CHR Extension: (Google Wallet) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-21]

CHR Extension: (Gmail) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-12-14]

CHR Extension: (Anti-Banner) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman [2014-02-19]

CHR HKLM\...\Chrome\Extension: [blbkdnmdcafmfhinpmnlhhddbepgkeaa] - https://chrome.google.com/webstore/detail/blbkdnmdcafmfhinpmnlhhddbepgkeaa [2014-02-19]

CHR HKLM\...\Chrome\Extension: [dchlnpcodkpfdpacogkljefecpegganj] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ChromeExt\urladvisor.crx [2013-10-08]

CHR HKLM\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ChromeExt\online_banking_chrome.crx [2013-10-08]

CHR HKLM\...\Chrome\Extension: [hghkgaeecgjhjkannahfamoehjmkjail] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ChromeExt\content_blocker_chrome.crx [2013-10-08]

CHR HKLM\...\Chrome\Extension: [jagncdcchgajhfhijbbhecadmaiegcmh] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ChromeExt\virtkbd.crx [2013-10-08]

CHR HKLM\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ChromeExt\ab.crx [2013-10-08]

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

 

========================== Services (Whitelisted) =================

 

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)

R2 AdvancedSystemCareService7; C:\Program Files\IObit\Advanced SystemCare 7\ASCService.exe [881952 2014-01-14] (IObit)

R2 AffinegyService; C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe [569752 2010-07-28] (Affinegy, Inc.)

S4 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [807800 2014-03-17] (Spigot, Inc.)

R2 avp; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe [214512 2013-10-08] (Kaspersky Lab ZAO)

R2 Belkin Local Backup Service; C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [152064 2010-02-17] ()

R2 Belkin Network USB Helper; C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [49152 2010-02-09] ()

R2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [4492776 2014-04-30] (iolo technologies, LLC)

S4 LiveUpdateSvc; C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe [2152736 2014-05-04] (IObit)

R2 PCToolsSSDMonitorSvc; C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [794272 2012-08-21] (PC Tools)

R2 WDBackup; C:\Program Files\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2014-05-09] (Western Digital Technologies, Inc.)

R2 WDDriveService; C:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe [295800 2014-05-09] (Western Digital Technologies, Inc.)

 

==================== Drivers (Whitelisted) ====================

 

R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [26248 2013-09-15] (EldoS Corporation)

S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [57840 2010-02-12] (Symantec Corporation)

R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [135776 2014-02-05] (Kaspersky Lab ZAO)

S4 klflt; C:\Windows\System32\DRIVERS\klflt.sys [94304 2014-03-24] (Kaspersky Lab ZAO)

R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [576608 2014-03-24] (Kaspersky Lab ZAO)

R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [25696 2013-10-08] (Kaspersky Lab ZAO)

R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [25184 2014-02-18] (Kaspersky Lab ZAO)

R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [25696 2013-10-08] (Kaspersky Lab ZAO)

R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [14432 2013-04-12] (Kaspersky Lab ZAO)

R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [45024 2013-05-14] (Kaspersky Lab ZAO)

R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [144992 2014-02-05] (Kaspersky Lab ZAO)

R2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2013-09-15] (Raxco Software, Inc.)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [18624 2013-12-24] (IObit)

S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2014-05-25] ()

R3 sxuptp; C:\Windows\System32\DRIVERS\sxuptp.sys [247320 2009-06-22] (silex technology, Inc.)

S3 catchme; \??\C:\Users\FREDMC~1\AppData\Local\Temp\catchme.sys [X]

U2 V2iMount;

U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-13] (Microsoft Corporation)

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2014-05-25 12:41 - 2014-05-25 12:41 - 00016274 _____ () C:\Users\Fred McKee\Downloads\FRST.txt

2014-05-25 12:41 - 2014-05-25 12:41 - 00000000 ____D () C:\FRST

2014-05-25 12:34 - 2014-05-25 12:34 - 01056256 _____ (Farbar) C:\Users\Fred McKee\Downloads\FRST.exe

2014-05-25 10:36 - 2014-05-25 10:36 - 00001365 _____ () C:\Windows\IE9_main.log

2014-05-25 09:34 - 2014-05-25 09:34 - 00000000 ____D () C:\SUPERDelete

2014-05-25 09:28 - 2014-05-25 09:28 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com

2014-05-25 09:28 - 2014-05-25 09:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware

2014-05-25 09:28 - 2014-05-25 09:28 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware

2014-05-25 09:27 - 2014-05-25 09:28 - 19270208 _____ (SUPERAntiSpyware) C:\Users\Fred McKee\Downloads\SUPERAntiSpyware (5).exe

2014-05-25 09:04 - 2014-05-25 09:04 - 00000000 ____D () C:\Users\Fred McKee\AppData\Roaming\SUPERAntiSpyware.com

2014-05-25 09:03 - 2014-05-25 09:03 - 19270208 _____ (SUPERAntiSpyware) C:\Users\Fred McKee\Downloads\SUPERAntiSpyware (4).exe

2014-05-24 22:27 - 2014-05-25 12:30 - 00000616 _____ () C:\Windows\setupact.log

2014-05-24 22:27 - 2014-05-25 09:51 - 00050272 _____ () C:\Windows\PFRO.log

2014-05-24 22:27 - 2014-05-24 22:27 - 00000000 _____ () C:\Windows\setuperr.log

2014-05-22 13:56 - 2014-05-22 13:56 - 00000000 _____ () C:\END

2014-05-22 13:55 - 2014-05-22 13:55 - 00808568 _____ () C:\Users\Fred McKee\Downloads\ChromeSetup (1).exe

2014-05-22 13:54 - 2014-05-22 13:54 - 00808568 _____ () C:\Users\Fred McKee\Downloads\ChromeSetup.exe

2014-05-22 07:52 - 2014-05-21 17:12 - 00012540 _____ () C:\Users\Fred McKee\Desktop\ComboFix.txt

2014-05-21 20:58 - 2014-05-21 20:58 - 00002646 _____ () C:\Users\Fred McKee\Documents\attach.7z

2014-05-21 20:53 - 2014-05-21 20:18 - 00009767 _____ () C:\Users\Fred McKee\Documents\attach.txt

2014-05-21 20:48 - 2014-05-21 20:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip

2014-05-21 20:48 - 2014-05-21 20:48 - 00000000 ____D () C:\Program Files\7-Zip

2014-05-21 20:44 - 2014-05-21 20:44 - 01110476 _____ () C:\Users\Fred McKee\Downloads\7z920.exe

2014-05-21 20:22 - 2014-05-21 20:22 - 00015270 _____ () C:\Users\Fred McKee\Documents\DDS.txt

2014-05-21 20:18 - 2014-05-21 20:18 - 00015270 _____ () C:\Users\Fred McKee\Desktop\dds.txt

2014-05-21 20:18 - 2014-05-21 20:18 - 00009767 _____ () C:\Users\Fred McKee\Desktop\attach.txt

2014-05-21 20:17 - 2014-05-21 20:17 - 00688992 ____R (Swearware) C:\Users\Fred McKee\Downloads\dds.com

2014-05-21 18:11 - 2014-05-24 13:29 - 00000516 _____ () C:\Users\Fred McKee\Desktop\Bleeping Computer Technical Support Forums.website

2014-05-21 17:12 - 2014-05-21 17:12 - 00012540 _____ () C:\ComboFix.txt

2014-05-20 15:01 - 2014-05-20 15:01 - 00248906 _____ () C:\Users\Fred McKee\Downloads\Windows6.1-KB2800095-x86.msu

2014-05-20 10:40 - 2014-05-20 10:40 - 00000000 ___SD () C:\Windows\system32\CompatTel

2014-05-19 23:10 - 2014-05-19 23:10 - 00000000 ____D () C:\Users\Fred McKee\New folder

2014-05-19 22:24 - 2014-05-19 22:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belkin

2014-05-19 22:24 - 2014-05-19 22:24 - 00000000 ____D () C:\ProgramData\Affinegy

2014-05-19 21:43 - 2014-05-25 10:40 - 00008192 _____ () C:\Windows\system32\WDPABKP.dat

2014-05-19 07:34 - 2014-05-19 07:34 - 00017920 _____ () C:\Users\Fred McKee\Documents\Inv001856BRAF.xls

2014-05-15 16:59 - 2014-05-21 18:17 - 00017920 _____ () C:\Users\Fred McKee\Documents\Inv001855WCRAH.xls

2014-05-15 14:20 - 2014-05-15 14:20 - 00017920 _____ () C:\Users\Fred McKee\Documents\Inv001854EJT.xls

2014-05-15 13:16 - 2014-05-16 11:53 - 00000000 ____D () C:\Users\Fred McKee\AppData\Roaming\Systweak

2014-05-14 15:18 - 2014-05-14 16:30 - 00017920 _____ () C:\Users\Fred McKee\Documents\Quo001887WCRAH.xls

2014-05-14 07:53 - 2014-05-09 03:06 - 00369664 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll

2014-05-14 07:53 - 2014-05-09 03:04 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2014-05-14 07:53 - 2014-04-11 22:15 - 00136640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys

2014-05-14 07:53 - 2014-04-11 22:15 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys

2014-05-14 07:53 - 2014-04-11 22:12 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll

2014-05-14 07:53 - 2014-04-11 22:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll

2014-05-14 07:53 - 2014-04-11 22:12 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll

2014-05-14 07:53 - 2014-04-11 22:11 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2014-05-14 07:53 - 2014-04-11 22:11 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe

2014-05-14 07:53 - 2014-03-24 22:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll

2014-05-14 07:53 - 2014-03-04 05:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe

2014-05-14 07:53 - 2014-03-04 05:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe

2014-05-14 07:53 - 2014-03-04 05:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe

2014-05-14 07:53 - 2014-03-04 05:17 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll

2014-05-14 07:53 - 2014-03-04 05:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll

2014-05-13 22:07 - 2014-05-13 22:31 - 00000000 ____D () C:\found.003

2014-05-13 16:15 - 2014-05-14 15:26 - 00017920 _____ () C:\Users\Fred McKee\Documents\Quo001886WCRAH.xls

2014-05-07 10:26 - 2014-05-12 13:59 - 00018944 _____ () C:\Users\Fred McKee\Documents\Inv001853MACFC.xls

2014-05-06 21:20 - 2014-05-21 18:19 - 00017920 _____ () C:\Users\Fred McKee\Documents\Inv001852UWHC.xls

2014-05-06 18:45 - 2014-05-06 18:46 - 00017408 _____ () C:\Users\Fred McKee\Documents\Quo001885MACFC.xls

2014-05-06 13:51 - 2014-05-06 14:35 - 00017408 _____ () C:\Users\Fred McKee\Documents\Quo001884UWHC.xls

2014-05-02 16:19 - 2014-05-14 14:08 - 00017920 _____ () C:\Users\Fred McKee\Documents\Inv001851BRAF.xls

2014-05-02 04:25 - 2013-09-15 15:50 - 00026248 _____ (EldoS Corporation) C:\Windows\system32\Drivers\ElRawDsk.sys

2014-04-30 19:40 - 2014-04-30 19:40 - 00000220 _____ () C:\Users\Fred McKee\Desktop\ComboFix Guide.url

2014-04-30 14:16 - 2014-04-30 14:40 - 00000685 _____ () C:\Users\Fred McKee\Desktop\ How to use combofix - YouTube.website

2014-04-30 13:50 - 2014-05-02 08:00 - 00019456 _____ () C:\Users\Fred McKee\Documents\Inv001850UWHC.xls

2014-04-29 16:27 - 2014-04-29 16:34 - 00017408 _____ () C:\Users\Fred McKee\Documents\Quo001883DERC.xls

2014-04-29 14:09 - 2014-04-29 14:23 - 00017408 _____ () C:\Users\Fred McKee\Documents\Quo001882DERC.xls

2014-04-28 19:49 - 2014-04-29 10:20 - 00017920 _____ () C:\Users\Fred McKee\Documents\Quo001881UWHC.xls

2014-04-25 10:58 - 2014-05-19 21:35 - 05200426 ____R (Swearware) C:\Users\Fred McKee\Desktop\ComboFix.exe

2014-04-25 10:34 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe

2014-04-25 10:34 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe

2014-04-25 10:34 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe

2014-04-25 10:34 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe

2014-04-25 10:34 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe

2014-04-25 10:34 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe

2014-04-25 10:34 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe

2014-04-25 10:34 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe

2014-04-25 10:33 - 2014-05-21 17:12 - 00000000 ____D () C:\Qoobox

2014-04-25 10:33 - 2014-04-25 10:51 - 00000000 ____D () C:\Windows\erdnt

 

 

 

Fred



#4 nasdaq
  • Malware Response Team

Posted 26 May 2014 - 09:22 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CHR HomePage: hxxp://search.yahoo.com/?type=902615&fr=spigot-yhp-ch
CHR StartupUrls: "hxxp://search.yahoo.com/?type=902615&fr=spigot-yhp-ch", "hxxp://www.google.com/"
CHR Extension: (ZenSearch) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\eapmfjbemiffkmggedbiibolghfomomg [2014-04-23]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S4 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [807800 2014-03-17] (Spigot, Inc.)
U2 V2iMount;

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.

Restart the computer to reset the registry.
The tool will create a log (Fixlog.txt); please post it in your reply.

====

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Let me know what problem persists.

#5 fmckee5
  • Topic Starter

Posted 26 May 2014 - 04:22 PM

nasdaq,

I can save the file into Notepad and name it fixlist.txt, but I am not sure how to do the part where it is saved into the same folder as FRST. When I try to put FRST into Notepad it becomes a jumble of characters.

"Save the files as fixlist.txt in to the same folder as FRST Run FRST and click Fix only once and wait."

fred5



#6 nasdaq
  • Malware Response Team

Posted 27 May 2014 - 08:42 AM

FRST is running from your Downloads folder.
Running from C:\Users\Fred McKee\Downloads

Create a folder on your Desktop. Name it My_FRST.
Move the FRST.EXE file into it.

If not already done, create the fixlist.txt as suggested in post no. 4.

Move that fixlist.txt into the My_FRST folder.

Run FRST.EXE from the newly created folder; at the option menu select Fix.

Post the resultant log.
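The fixlist in post #4 and the folder instructions in post #6 describe the same mechanism from two sides: FRST reads a file named fixlist.txt from the folder its own executable runs from, and every entry in it must be a line copied verbatim from the FRST log, because FRST then deletes or resets exactly those items with administrative rights. As an added example that is not part of the thread, of BleepingComputer's instructions or of the FRST tool itself, the Python below triages a constructed FRST-style log (a shortened copy of lines from post #3) with rules modelled on what the helper's fixlist targets: FRST's own `<======= ATTENTION` marker (here on the machine-wide Chrome policy key, which overrides the user's own browser settings), any entry carrying the search-hijack vendor string `spigot` (both the `fr=spigot-...` Yahoo search URLs and the `(Spigot, Inc.)`-signed Application Updater service), a set of Chrome extension IDs the analyst has already judged unwanted, and a service/driver entry with no image path at all (`U2 V2iMount;`). It then wraps the hits in FRST's `start`/`end` fixlist format and refuses to write fixlist.txt anywhere except beside FRST.exe or FRST64.exe, which is the placement the later posts had to sort out. The rule set, the function names and the sample log are assumptions for illustration; anything the script selects still needs a human's review before FRST executes it, since a fixlist line is a removal instruction, not a report.

```python
"""Triage an FRST scan log and emit an FRST fixlist.

Added example; not from the thread or from the FRST tool. The indicator
rules are assumptions modelled on the helper's fixlist in post #4; adjust
them for your own case and review every hit before running a fix.
"""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample in FRST's log format, modelled on post #3 (shortened).
SAMPLE_FRST_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-05-2014 01
Ran by Fred McKee (administrator) on VOSTRO-430 on 25-05-2014 12:41:24
Running from C:\Users\Fred McKee\Downloads

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7514656 2009-05-23] (Realtek Semiconductor)

Chrome:
=======
CHR HomePage: hxxp://search.yahoo.com/?type=902615&fr=spigot-yhp-ch
CHR StartupUrls: "hxxp://search.yahoo.com/?type=902615&fr=spigot-yhp-ch", "hxxp://www.google.com/"
CHR Extension: (Gmail) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-12-14]
CHR Extension: (ZenSearch) - C:\Users\Fred McKee\AppData\Local\Google\Chrome\User Data\Default\Extensions\eapmfjbemiffkmggedbiibolghfomomg [2014-04-23]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

R2 avp; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe [214512 2013-10-08] (Kaspersky Lab ZAO)
S4 Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [807800 2014-03-17] (Spigot, Inc.)

==================== Drivers (Whitelisted) ====================

S3 catchme; \??\C:\Users\FREDMC~1\AppData\Local\Temp\catchme.sys [X]
U2 V2iMount;
"""

ATTENTION = "<======= ATTENTION"          # FRST's own marker for suspicious entries
ORPHAN = re.compile(r"^[RSU]\d+ [^;]+;\s*$")  # "U2 V2iMount;": service with no image path


def triage(frst_log: str,
           extension_ids: Iterable[str] = (),
           vendor_markers: Iterable[str] = ("spigot",)) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for log lines matching a triage rule.

    Rules (assumptions): 'attention' for FRST's marker, 'vendor' when a known
    bundleware vendor string appears (signer field or search URL parameter),
    'extension' for analyst-supplied Chrome extension IDs, 'orphan-service'
    for a service/driver entry that has no image path at all.
    """
    ext_ids = tuple(extension_ids)
    markers = tuple(m.lower() for m in vendor_markers)
    hits: List[Tuple[str, str]] = []
    for raw in frst_log.splitlines():
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()
        if ATTENTION in line:
            hits.append(("attention", line))
        elif any(m in lower for m in markers):
            hits.append(("vendor", line))
        elif any(ext_id in line for ext_id in ext_ids):
            hits.append(("extension", line))
        elif ORPHAN.match(line):
            hits.append(("orphan-service", line))
    return hits


def build_fixlist(hits: List[Tuple[str, str]]) -> str:
    """Wrap the selected lines, verbatim, in FRST's 'start' ... 'end' format."""
    body = "\n".join(line for _, line in hits)
    return f"start\n{body}\nend\n"


def write_fixlist(fixlist: str, frst_dir: Path) -> Path:
    """Save fixlist.txt beside FRST.exe/FRST64.exe, the only place FRST reads it.

    Refuses to write if no FRST binary is in that folder, so the file cannot
    end up in Downloads or Documents while FRST runs from somewhere else.
    """
    frst_dir = Path(frst_dir)
    if not any((frst_dir / name).is_file() for name in ("FRST.exe", "FRST64.exe")):
        raise FileNotFoundError(
            f"no FRST.exe/FRST64.exe in {frst_dir}; fixlist.txt must sit next to the tool")
    target = frst_dir / "fixlist.txt"
    target.write_text(fixlist, encoding="utf-8")
    return target


if __name__ == "__main__":
    # Hypothetical analyst input: the extension ID the helper singled out in post #4.
    found = triage(SAMPLE_FRST_LOG, extension_ids={"eapmfjbemiffkmggedbiibolghfomomg"})
    for rule, line in found:
        print(f"{rule:15} {line}")
    print(build_fixlist(found))
```

On the sample log the script selects six lines: the two Yahoo/spigot search URLs, the ZenSearch extension, the flagged Chrome policy key, the Spigot-signed Application Updater service and the empty V2iMount entry, and leaves the Kaspersky, Realtek and Gmail lines alone; the ComboFix driver `catchme` with its `[X]` (file missing) marker is deliberately not a rule, because post #4 did not touch it either. The rule set is a starting point for review, not a substitute for it.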



