
Ads running in background, please help


  • This topic is locked
6 replies to this topic

#1 Samtheguy

  • Members
  • 2 posts

Posted 01 June 2014 - 05:11 PM

Hi guys, I'm having issues with my laptop (Windows 7, 64-bit). Multiple ads keep playing in the background, eating up my CPU and network. It started yesterday: the laptop restarted by itself, and since then these audio ads have been playing in the background. Antivirus scans didn't help, and going through your forums I found that it's a malware issue. So if someone could please help me as you've done for numerous others, it would be greatly appreciated. I've already run DDS and FRST64, and here are the logs for both.

dds.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.55.2
Run by Sandeep at 15:01:36 on 2014-06-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6092.3722 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
E:\Program files\Winamp\winampa.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe
svchost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Funmoods Helper Object: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Funmoods Toolbar: {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} -
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\Sandeep\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [GoogleChromeAutoLaunch_BC959F38ACD9B86E6C0408CC61E3108B] "C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe" --no-startup-window
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [WinampAgent] "E:\Program files\Winamp\winampa.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [vmware-tray.exe] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Sandeep\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Windows\System32\RunDll32.exe
StartupFolder: C:\Users\Sandeep\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001051-0002-0051-ABCDEFFEDCBC} - <orphaned>
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
LSP: %windir%\system32\vsocklib.dll
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{8950F924-46B9-447E-8371-BA2979566178} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\34963736F60333439363 : NameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\34963736F60333439363 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\34963736F63323732373 : NameServer = 192.168.0.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\34963736F63323732373 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\34963736F64443832303 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\352796E696D4F6D625F657475627 : NameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\352796E696D4F6D625F657475627 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\5436374716479636 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\5687374716479636 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\D656469616C696E6B6 : NameServer = 192.168.0.1
TCP: Interfaces\{AD1D1B2B-7436-456D-A962-ECE5724BCAFF}\D656469616C696E6B6 : DHCPNameServer = 192.168.0.1 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sandeep\AppData\Roaming\Mozilla\Firefox\Profiles\69i3kzaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3317187&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP95230A31-9087-4158-9891-684BAF199C7B&SSPV=
FF - prefs.js: browser.search.selectedEngine - Conduit Search
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Users\Sandeep\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Sandeep\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Users\Sandeep\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Sandeep\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Sandeep\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2012-7-26 21616]
R0 vsock;vSockets Driver;C:\Windows\System32\drivers\vsock.sys [2013-9-23 70256]
R2 acedrv11;acedrv11;C:\Windows\System32\drivers\acedrv11.sys [2010-2-24 191616]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-10-19 661504]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-3-30 923984]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2011-3-30 1001808]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-10-20 135440]
R2 c2cautoupdatesvc;Skype Click to Call Updater;C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-4-11 1390720]
R2 c2cpnrsvc;Skype Click to Call PNR Service;C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-4-11 1764992]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-7-26 13336]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe [2010-8-11 3417480]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2012-12-16 3463080]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\System32\drivers\TurboB.sys [2010-11-29 16120]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-7-26 2656280]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-8-1 917656]
R2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-8-15 15680000]
R3 Acceler;Accelerometer Service;C:\Windows\System32\drivers\Accelern.sys [2012-7-25 27760]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-10-19 195072]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-3-8 51712]
R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-3-8 274944]
R3 iBtFltCoex;iBtFltCoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2011-3-22 59904]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-7-25 317440]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-5-17 25496]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2012-7-25 77936]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2012-7-25 337512]
R3 tihub3;TI USB3 Hub Service;C:\Windows\System32\drivers\tihub3.sys [2012-7-25 136000]
R3 tixhci;TI XHCI Service;C:\Windows\System32\drivers\tixhci.sys [2012-7-25 406336]
S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-7-25 98208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-10-19 195072]
S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2011-3-30 1321296]
S3 btmaudio;Intel Bluetooth Audio Service;C:\Windows\System32\drivers\btmaud.sys [2011-3-8 46592]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]
S3 HtcVCom32;HTC Diagnostic Port;C:\Windows\System32\drivers\HtcVComV64.sys [2010-3-8 121800]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2012-7-25 158976]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-5-17 34200]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-11-1 340240]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 130008]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-28 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
.
=============== Created Last 30 ================
.
2014-05-31 22:22:47 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EE493622-1A5D-44E8-B024-793F674ADDE0}\offreg.dll
2014-05-31 18:45:44 10702536 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EE493622-1A5D-44E8-B024-793F674ADDE0}\mpengine.dll
2014-05-30 16:27:26 10702536 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-27 06:58:04 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5F32A9E4-4383-46BA-96EA-E36A33E15AFC}\gapaengine.dll
.
==================== Find3M  ====================
.
2014-05-19 06:51:14 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-19 06:51:14 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-15 03:13:43 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
============= FINISH: 15:01:54.55 ===============

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-06-2014 01
Ran by Sandeep (administrator) on SANDEEP-PC on 01-06-2014 15:02:48
Running from C:\Users\Sandeep\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(IBM) C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Nullsoft, Inc.) E:\Program files\Winamp\winampa.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(BitTorrent, Inc.) C:\Program Files (x86)\uTorrent\uTorrent.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [IntelPAN] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-11-01] (Intel® Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [413696 2008-03-28] (Apple Inc.)
HKLM-x32\...\Run: [WinampAgent] => E:\Program files\Winamp\winampa.exe [74752 2010-07-12] (Nullsoft, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vmware-tray.exe] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [104088 2012-08-15] (VMware, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3485864735-946778623-403897016-1001\...\Run: [Google Update] => C:\Users\Sandeep\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-26] (Google Inc.)
HKU\S-1-5-21-3485864735-946778623-403897016-1001\...\Run: [GoogleChromeAutoLaunch_BC959F38ACD9B86E6C0408CC61E3108B] => C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe [860488 2014-05-13] (Google Inc.)
HKU\S-1-5-21-3485864735-946778623-403897016-1001\...\MountPoints2: {2b27899f-dfc8-11e2-8aa8-00dbdf2c4867} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3485864735-946778623-403897016-1001\...\MountPoints2: {88251176-f021-11e1-9955-88532ea07ff2} - F:\unlock.exe autoplay=true
Startup: C:\Users\Sandeep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk -> C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\Sandeep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3317187&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SP95230A31-9087-4158-9891-684BAF199C7B&q={searchTerms}&SSPV=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3317187&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SP95230A31-9087-4158-9891-684BAF199C7B&q={searchTerms}&SSPV=
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.claro-search.com/?q={searchTerms}&affID=116293&tt=3812_2&babsrc=SP_clro&mntrId=bac3555200000000000088532ea07fef
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Funmoods Helper Object - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\PROGRA~2\Funmoods\1.5.23.22\bh\escort.dll No File
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - Funmoods Toolbar - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Sandeep\AppData\Roaming\Mozilla\Firefox\Profiles\69i3kzaw.default
FF NewTab: about:newtab
FF Homepage: hxxp://search.conduit.com/?ctid=CT3317187&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP95230A31-9087-4158-9891-684BAF199C7B&SSPV=
FF SelectedSearchEngine: Conduit Search
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Sandeep\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Sandeep\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Sandeep\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Sandeep\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Sandeep\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Sandeep\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Sandeep\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF SearchPlugin: C:\Users\Sandeep\AppData\Roaming\Mozilla\Firefox\Profiles\69i3kzaw.default\searchplugins\conduit-search.xml
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-04-11]

Chrome:
=======
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\35.0.1916.114\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\35.0.1916.114\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\35.0.1916.114\gcswf32.dll No File
CHR Plugin: (Google Update) - C:\Users\Sandeep\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Sandeep\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-31]
CHR Extension: (AdBlock) - C:\Users\Sandeep\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-05-31]
CHR Extension: (Google Wallet) - C:\Users\Sandeep\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-31]
CHR HKLM\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Sandeep\AppData\Local\funmoods.crx [2012-08-12]
CHR HKCU\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Sandeep\AppData\Local\funmoods.crx [2012-08-12]
CHR HKCU\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Sandeep\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx [2013-03-27]
CHR HKLM-x32\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Sandeep\AppData\Local\funmoods.crx [2012-08-12]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-04-11]
CHR HKLM-x32\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Sandeep\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx [2013-03-27]
CHR StartMenuInternet: Google Chrome - C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390720 2014-04-11] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1764992 2014-04-11] (Microsoft Corporation)
R2 Lotus Notes Diagnostics; C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe [3417480 2010-08-11] (IBM)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-11-01] ()
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [15680000 2012-08-15] ()
S3 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

==================== Drivers (Whitelisted) ====================

S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [121800 2010-03-08] (QUALCOMM Incorporated)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [70256 2012-07-06] (VMware, Inc.)
S3 Andbus; system32\DRIVERS\lgandbus64.sys [X]
S3 AndDiag; system32\DRIVERS\lganddiag64.sys [X]
S3 AndGps; system32\DRIVERS\lgandgps64.sys [X]
S3 ANDModem; system32\DRIVERS\lgandmodem64.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-01 15:02 - 2014-06-01 15:03 - 00016006 _____ () C:\Users\Sandeep\Desktop\FRST.txt
2014-06-01 15:02 - 2014-06-01 15:02 - 00006623 _____ () C:\Users\Sandeep\Desktop\attach.txt
2014-06-01 15:02 - 2014-06-01 15:02 - 00000000 ____D () C:\FRST
2014-06-01 15:02 - 2014-06-01 15:01 - 00017527 _____ () C:\Users\Sandeep\Desktop\dds.txt
2014-06-01 13:02 - 2014-06-01 13:02 - 00000497 _____ () C:\Users\Sandeep\Desktop\bleep.txt
2014-06-01 12:35 - 2014-06-01 12:35 - 02067456 _____ (Farbar) C:\Users\Sandeep\Desktop\FRST64.exe
2014-06-01 12:03 - 2014-06-01 12:03 - 00688992 ____R (Swearware) C:\Users\Sandeep\Desktop\dds.com
2014-06-01 01:07 - 2014-06-01 01:07 - 27769568 _____ (Microsoft Corporation) C:\Users\Sandeep\Downloads\Windows-KB890830-x64-V5.12.exe
2014-05-31 17:53 - 2014-05-31 17:55 - 00001683 _____ () C:\freefallprotection.log
2014-05-31 15:17 - 2014-06-01 14:48 - 00000079 _____ () C:\Windows\system32\bctmxwb.eyw
2014-05-31 14:17 - 2014-05-31 14:17 - 00000064 _____ () C:\Windows\system32\yjnr.vfy
2014-05-31 14:17 - 2014-05-31 14:17 - 00000000 _____ () C:\Windows\system32\wfubc.fvh
2014-05-31 14:02 - 2014-05-31 14:02 - 00311784 ____S () C:\Windows\system32\cpovi.guy
2014-05-23 23:58 - 2014-05-23 23:58 - 00000000 ____D () C:\Users\Sandeep\Documents\Hin Playlist

==================== One Month Modified Files and Folders =======

2014-06-01 15:03 - 2014-06-01 15:02 - 00016006 _____ () C:\Users\Sandeep\Desktop\FRST.txt
2014-06-01 15:02 - 2014-06-01 15:02 - 00006623 _____ () C:\Users\Sandeep\Desktop\attach.txt
2014-06-01 15:02 - 2014-06-01 15:02 - 00000000 ____D () C:\FRST
2014-06-01 15:02 - 2012-07-26 16:13 - 00000000 ____D () C:\Users\Sandeep\AppData\Local\Temp
2014-06-01 15:01 - 2014-06-01 15:02 - 00017527 _____ () C:\Users\Sandeep\Desktop\dds.txt
2014-06-01 15:01 - 2012-07-29 01:12 - 00000000 ____D () C:\Users\Sandeep\AppData\Roaming\uTorrent
2014-06-01 14:56 - 2012-07-26 23:51 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3485864735-946778623-403897016-1001UA.job
2014-06-01 14:48 - 2014-05-31 15:17 - 00000079 _____ () C:\Windows\system32\bctmxwb.eyw
2014-06-01 14:31 - 2012-07-26 15:48 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-01 13:50 - 2012-10-13 10:45 - 00000936 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3485864735-946778623-403897016-1001UA.job
2014-06-01 13:02 - 2014-06-01 13:02 - 00000497 _____ () C:\Users\Sandeep\Desktop\bleep.txt
2014-06-01 12:35 - 2014-06-01 12:35 - 02067456 _____ (Farbar) C:\Users\Sandeep\Desktop\FRST64.exe
2014-06-01 12:03 - 2014-06-01 12:03 - 00688992 ____R (Swearware) C:\Users\Sandeep\Desktop\dds.com
2014-06-01 10:50 - 2012-10-13 10:45 - 00000914 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3485864735-946778623-403897016-1001Core.job
2014-06-01 09:08 - 2012-07-26 15:46 - 01544162 _____ () C:\Windows\WindowsUpdate.log
2014-06-01 01:07 - 2014-06-01 01:07 - 27769568 _____ (Microsoft Corporation) C:\Users\Sandeep\Downloads\Windows-KB890830-x64-V5.12.exe
2014-05-31 23:58 - 2009-07-13 22:13 - 00814926 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-31 23:56 - 2012-07-26 23:51 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3485864735-946778623-403897016-1001Core.job
2014-05-31 23:56 - 2009-07-13 21:51 - 00069850 _____ () C:\Windows\setupact.log
2014-05-31 17:56 - 2012-07-26 16:00 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-05-31 17:55 - 2014-05-31 17:53 - 00001683 _____ () C:\freefallprotection.log
2014-05-31 15:28 - 2009-07-13 21:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-31 15:28 - 2009-07-13 21:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-31 15:22 - 2012-08-11 22:59 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-05-31 15:22 - 2012-08-11 22:59 - 00000000 ____D () C:\ProgramData\Skype
2014-05-31 15:21 - 2012-09-26 19:38 - 00000000 ____D () C:\ProgramData\VMware
2014-05-31 15:20 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-31 14:17 - 2014-05-31 14:17 - 00000064 _____ () C:\Windows\system32\yjnr.vfy
2014-05-31 14:17 - 2014-05-31 14:17 - 00000000 _____ () C:\Windows\system32\wfubc.fvh
2014-05-31 14:17 - 2010-11-20 20:47 - 00019496 _____ () C:\Windows\PFRO.log
2014-05-31 14:02 - 2014-05-31 14:02 - 00311784 ____S () C:\Windows\system32\cpovi.guy
2014-05-31 14:02 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-05-31 13:39 - 2012-07-28 02:13 - 00000000 ____D () C:\Users\Sandeep\Downloads\Books
2014-05-23 23:58 - 2014-05-23 23:58 - 00000000 ____D () C:\Users\Sandeep\Documents\Hin Playlist
2014-05-23 21:56 - 2013-12-03 21:14 - 00000000 ____D () C:\Users\Sandeep\Documents\gifs
2014-05-22 00:33 - 2013-07-10 21:34 - 00000000 ____D () C:\Users\Sandeep\AppData\Roaming\Mozilla
2014-05-18 23:51 - 2012-07-26 23:51 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3485864735-946778623-403897016-1001UA
2014-05-18 23:51 - 2012-07-26 23:51 - 00003494 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3485864735-946778623-403897016-1001Core
2014-05-18 23:51 - 2012-07-26 15:48 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-05-18 23:51 - 2012-07-26 15:48 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-05-18 23:51 - 2012-07-26 15:48 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-05-04 17:12 - 2013-01-02 10:07 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

Files to move or delete:
====================
C:\ProgramData\uninstaller.exe
C:\Users\Sandeep\.mongorc.js

Some content of TEMP:
====================
C:\Users\Sandeep\AppData\Local\Temp\6_Offer_20.exe
C:\Users\Sandeep\AppData\Local\Temp\AVG-Safeguard.exe
C:\Users\Sandeep\AppData\Local\Temp\BackupSetup.exe
C:\Users\Sandeep\AppData\Local\Temp\DownloadManager.exe
C:\Users\Sandeep\AppData\Local\Temp\jline_.dll
C:\Users\Sandeep\AppData\Local\Temp\jre-7u10-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Sandeep\AppData\Local\Temp\MyClaroTB.exe
C:\Users\Sandeep\AppData\Local\Temp\nscF01.exe
C:\Users\Sandeep\AppData\Local\Temp\nsdF323.exe
C:\Users\Sandeep\AppData\Local\Temp\nsh8C6B.exe
C:\Users\Sandeep\AppData\Local\Temp\nsiF0D1.exe
C:\Users\Sandeep\AppData\Local\Temp\nsk738D.exe
C:\Users\Sandeep\AppData\Local\Temp\nsm7E37.exe
C:\Users\Sandeep\AppData\Local\Temp\nss1098.exe
C:\Users\Sandeep\AppData\Local\Temp\nst1BBB.exe
C:\Users\Sandeep\AppData\Local\Temp\nsw2256.exe
C:\Users\Sandeep\AppData\Local\Temp\nsy18CD.exe
C:\Users\Sandeep\AppData\Local\Temp\nsy1F83.exe
C:\Users\Sandeep\AppData\Local\Temp\nsyEE22.exe
C:\Users\Sandeep\AppData\Local\Temp\oi_{510D6A58-7877-4301-9758-B96E2491772D}.exe
C:\Users\Sandeep\AppData\Local\Temp\RegClean10.exe
C:\Users\Sandeep\AppData\Local\Temp\SearchProtectINT.exe
C:\Users\Sandeep\AppData\Local\Temp\SendMsg.dll
C:\Users\Sandeep\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Sandeep\AppData\Local\Temp\SmartbarExeInstaller.exe
C:\Users\Sandeep\AppData\Local\Temp\SpOrder.dll
C:\Users\Sandeep\AppData\Local\Temp\SPStub.exe
C:\Users\Sandeep\AppData\Local\Temp\tbappb.dll
C:\Users\Sandeep\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Sandeep\AppData\Local\Temp\uttB953.tmp.exe
C:\Users\Sandeep\AppData\Local\Temp\vbmz.exe
C:\Users\Sandeep\AppData\Local\Temp\VisualBeeClientSilent-softonic.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 20:24] - [2010-11-20 20:24] - 0520192 ____A (Microsoft Corporation) 65C0A8B9CB878FFF84FF358326A363FD

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-29 18:14

==================== End Of Log ============================
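The log's own ATTENTION note (a patched rpcss.dll has an MD5 that no known-good copy shares) and the four randomly named files that appeared in system32 on 2014-05-31 can both be pulled out of an FRST log mechanically. The Python script below is an added example, not part of the original post and not FRST's own code; it runs over a handful of lines copied from the log above, and the "new system32 file with no publisher and an unfamiliar extension" rule is my own heuristic, which can flag legitimate files too: its output is a reading list for the analyst, not a verdict.

```python
import re

# Constructed sample: lines copied from the FRST log posted above (not the full log).
SAMPLE_LOG = r"""
2014-06-01 15:02 - 2014-06-01 15:03 - 00016006 _____ () C:\Users\Sandeep\Desktop\FRST.txt
2014-05-31 15:17 - 2014-06-01 14:48 - 00000079 _____ () C:\Windows\system32\bctmxwb.eyw
2014-05-31 14:17 - 2014-05-31 14:17 - 00000064 _____ () C:\Windows\system32\yjnr.vfy
2014-05-31 14:02 - 2014-05-31 14:02 - 00311784 ____S () C:\Windows\system32\cpovi.guy
2014-05-31 23:58 - 2009-07-13 22:13 - 00814926 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-04 17:12 - 2013-01-02 10:07 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-05-31 14:02 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\sysprep
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 20:24] - [2010-11-20 20:24] - 0520192 ____A (Microsoft Corporation) 65C0A8B9CB878FFF84FF358326A363FD
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# File/folder entry: "<date> - <date> - <size> <attrs> (<publisher>) <path>"
ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d{8} (?P<attrs>[_A-Z]{5}) \((?P<publisher>[^)]*)\) (?P<path>.+)$")
# Detail line FRST prints under a protected file it gave no verdict on; ends with the MD5.
HASH_RE = re.compile(r"^\[.+?\] - \[.+?\] - \d+ [_A-Z]{5} \([^)]*\) (?P<md5>[0-9A-F]{32})$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Extensions Windows routinely writes into system32 (my own list, not FRST's).
KNOWN_EXTENSIONS = {"exe", "dll", "sys", "cpl", "ini", "log", "dat", "txt", "mui", "xml"}


def is_suspicious_system_file(path, attrs, publisher):
    """Heuristic (my assumption, not FRST's): a file that appeared in system32
    with no publisher and an extension Windows does not normally drop there.
    Directories (attribute D) are skipped."""
    low = path.lower()
    if "\\windows\\system32\\" not in low or "D" in attrs:
        return False
    name = low.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return publisher == "" and ext not in KNOWN_EXTENSIONS


def triage(log_text):
    """Return (suspicious new system32 files, {path: md5} of protected files
    FRST did not mark 'MD5 is legit'). The log's own note applies to the
    second result: a hash no known-good copy shares means the file is patched."""
    suspicious, unverified, pending_path = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            if is_suspicious_system_file(entry["path"], entry["attrs"], entry["publisher"]):
                suspicious.append(entry["path"])
        elif line.endswith("=> MD5 is legit"):
            pending_path = None                    # FRST vouched for this one
        elif (detail := HASH_RE.match(line)) and pending_path:
            unverified[pending_path] = detail["md5"]
            pending_path = None
        elif DRIVE_PATH_RE.match(line):
            pending_path = line                    # bare path; detail line follows


    return suspicious, unverified


if __name__ == "__main__":
    files, hashes = triage(SAMPLE_LOG)
    for p in files:
        print("new system32 file, no publisher, odd extension:", p)
    for p, md5 in hashes.items():
        print(f"{p}: no FRST verdict, look up MD5 {md5}")
```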





#2 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:09:41 PM

Posted 02 June 2014 - 02:55 PM

Hi Samtheguy and Welcome to BleepingComputer !

I am currently looking through your logs and will advise you on what to do in my next reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#3 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:09:41 PM

Posted 02 June 2014 - 03:35 PM

Hello Samtheguy

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:

  • From this point on, please do not make any more changes to your computer, such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc., unless advised by me.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • Please reply within 48 hours. If you are going to be away for longer, please let us know, or the topic will be closed for being inactive.
  • If you are using cracked or illegal software, your thread will be closed.
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close.

P2P Warning
Please note that as long as you're using any form of Peer-to-Peer networking (in your case uTorrent) and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

If you do decide (unwisely) to keep these programs, please refrain from using them until we have finished cleaning your system.

Step 1

We need to do a search with Farbar's Recovery Scan Tool

Double-click FRST icon to run the tool.

Type the following in the edit box after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Step 2

We need to re-run Farbar's Recovery Scan Tool

  • Double-click the downloaded icon to run the tool.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.



#4 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:09:41 PM

Posted 04 June 2014 - 12:32 PM

This is a 48 hour status check. We need to continue our troubleshooting to make sure there are no more threats on your machine. If you don't have any free time please reply back to this thread and we will keep it open.

If you don't reply back within 24 hours, this thread may be closed for inactivity.



#5 Samtheguy

Samtheguy
  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:41 PM

Posted 05 June 2014 - 02:05 AM

Seedy21,

Thanks for your prompt replies!

I restored my system (OS) in Safe Mode to a previous state and fortunately the issue is gone now. I even waited for more than 24 hrs to check if the symptoms come back, but they didn't. Everything is normal now.

But please advise a good antimalware I need to install to stay away from this kind of malware attack in future.

And thanks for the P2P warning, I am uninstalling the software now and staying away from it!


Edited by Samtheguy, 05 June 2014 - 02:07 AM.


#6 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:09:41 PM

Posted 06 June 2014 - 01:43 PM

Hi SamTheGuy

Malware has been known to infect System Restore points, so I can't say whether you are clean or not.

If you would like me to double-check, please re-run FRST and post both FRST.txt and Addition.txt in your next reply for me to review.

If you're happy that everything is working fine, please let me know and I will have this topic closed for you.

Here are some examples of FREE anti-virus. Please note these are for personal use only.

http://free.avg.com/gb-en/homepage
http://www.avast.com/free-antivirus-download
http://www.bitdefender.co.uk/solutions/free.html

Finally if you are after some data on how they perform you can view this PDF

http://www.av-comparatives.org/wp-content/uploads/2014/04/avc_fdt_201403_en.pdf

Thank you.





#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:41 PM

Posted 09 June 2014 - 03:45 PM

Due to the lack of feedback/inactivity, and because the issue appears to be resolved, this topic is closed. Should you need it reopened, please contact a Forum Moderator or member of the Malware Response Team. Include the address of this thread in your request. If you have a new issue, please start a New Topic. This applies only to the original poster. Everyone else, please begin a New Topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



