help create a fixlist from my frst.txt


This topic is locked
97 replies to this topic

#1 dabbs00

  • Members
  • 58 posts

Posted 06 September 2014 - 02:56 PM

Trying to remove some nasty bugs and need some help.

Attached File: FRST.txt (51.66KB, 16 downloads)




#2 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male

Posted 06 September 2014 - 03:36 PM

Hello dabbs00 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks

---------------------------------------------------------------------------------------------------------------------------

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

Regards


Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!


#3 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male

Posted 06 September 2014 - 03:46 PM

Not the Addition.txt.

Addition.txt is produced only the first time FRST is run. FRST saves its logs in this location:

C:\FRST\Logs\

See if Addition.txt is saved there. If yes, please attach it.

If not, run FRST again; when the console opens, check the Addition.txt box only, and click Scan. It should produce the Addition.txt.


Best regards


#4 dabbs00

  • Topic Starter
  • Members
  • 58 posts

Posted 06 September 2014 - 04:37 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-09-2014
Ran by owner at 2014-09-06 13:58:40
Running from C:\Users\owner\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Out of date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Webroot AntiVirus with Spy Sweeper (Disabled - Up to date) {3A033352-45FD-579C-DF47-2D2DA7A56A3D}
AS: Avira Desktop (Enabled - Out of date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Webroot AntiVirus with Spy Sweeper (Disabled - Up to date) {8162D2B6-63C7-5812-E5F7-165FDC222080}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.0.2.12610 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 2.0.2.12610 - Adobe Systems Inc.) Hidden
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Photoshop 7.0 (HKLM-x32\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
Ask Toolbar (HKLM-x32\...\{86D4B82A-ABED-442A-BE86-96357B70F4FE}) (Version: 1.15.23.0 - Ask.com) <==== ATTENTION
Ask Toolbar Updater (HKCU\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.5.36191 - Ask.com) <==== ATTENTION
AT&T U-verse Setup (HKLM-x32\...\ATT) (Version:  - )
Audacity 1.3.12 (Unicode) (HKLM-x32\...\Audacity 1.3 Beta (Unicode)_is1) (Version:  - Audacity Team)
Avira (HKLM-x32\...\{c5039061-0c7c-4f6c-96e5-348a19bd22ec}) (Version: 1.1.20.29573 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.20.29573 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.6.570 - Avira)
Control Center for KODAK Webcams (HKLM-x32\...\Control Center for KODAK Webcams) (Version:  - )
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition update for Microsoft Office 2010 (KB982726) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}) (Version:  - Microsoft)
DivX Setup (HKLM-x32\...\DivX Setup.divx.com) (Version: 2.2.1.2 - DivX, LLC)
DVD Photo Slideshow Professional 8.07 (HKLM-x32\...\DVD Photo Slideshow Professional_is1) (Version:  - dvd-photo-slideshow.com)
eMachines Games (HKLM-x32\...\WildTangent emachines Master Uninstall) (Version: 1.0.0.71 - WildTangent)
eMachines Recovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3005 - Acer Incorporated)
eMachines Registration (HKLM-x32\...\eMachines Registration) (Version: 1.02.3006 - Acer Incorporated)
eMachines Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.01.3017 - Acer Incorporated)
Epson Event Manager (HKLM-x32\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.30.00 - SEIKO EPSON Corporation)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.00.000 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - )
EPSON WorkForce 610 Series Printer Uninstall (HKLM\...\EPSON WorkForce 610 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4h - SEIKO EPSON CORPORATION)
EpsonNet Setup (HKLM-x32\...\{FFFAE01B-466F-4C07-9821-A94FD753BDDA}) (Version: 3.1a - SEIKO EPSON CORPORATION)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3002 - Acer Incorporated)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
Java 7 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.450 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LAME v3.98.3 for Audacity (HKLM-x32\...\LAME for Audacity_is1) (Version:  - )
League of Legends (HKLM-x32\...\{92606477-9366-4D3B-8AE3-6BE4B29727AB}) (Version: 1.3 - Riot Games)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
MapsGalaxy Internet Explorer Toolbar (HKLM-x32\...\MapsGalaxy_39bar Uninstall Internet Explorer) (Version:  - Mindspark Interactive Network) <==== ATTENTION
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office 2010 Service Pack 1 (SP1) (x32 Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{67E03279-F703-408F-B4BF-46B5FC8D70CD}) (Version: 9.7.0621 - Microsoft Corporation)
Mozilla Firefox 31.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (x32 Version: 1.0.0.0 - Webroot Software, Inc.) Hidden
Nero 9 Essentials (HKLM-x32\...\{f8ed8c7d-6d12-4eb1-9fb9-80e48c357a12}) (Version:  - Nero AG)
Nero ControlCenter (x32 Version: 9.0.0.1 - Nero AG) Hidden
Nero DiscSpeed (x32 Version: 5.4.7.201 - Nero AG) Hidden
Nero DiscSpeed Help (x32 Version: 5.4.4.100 - Nero AG) Hidden
Nero DriveSpeed (x32 Version: 4.4.7.201 - Nero AG) Hidden
Nero DriveSpeed Help (x32 Version: 4.4.4.100 - Nero AG) Hidden
Nero Express Help (x32 Version: 9.4.9.100 - Nero AG) Hidden
Nero InfoTool (x32 Version: 6.4.7.201 - Nero AG) Hidden
Nero InfoTool Help (x32 Version: 6.4.4.100 - Nero AG) Hidden
Nero Installer (x32 Version: 4.4.8.1 - Nero AG) Hidden
Nero Online Upgrade (x32 Version: 1.3.0.0 - Nero AG) Hidden
Nero StartSmart (x32 Version: 9.4.11.209 - Nero AG) Hidden
Nero StartSmart Help (x32 Version: 9.4.11.208 - Nero AG) Hidden
Nero StartSmart OEM (x32 Version: 9.4.10.100 - Nero AG) Hidden
NeroExpress (x32 Version: 9.4.10.505 - Nero AG) Hidden
neroxml (x32 Version: 1.0.0 - Nero AG) Hidden
NETGEAR WG311v3 PCI Adapter (x32 Version: 1.00 - NETGEAR) Hidden
Norton Online Backup (HKLM-x32\...\{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}) (Version: 1.2.0.36 - Symantec)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.7 - NVIDIA Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5898 - Realtek Semiconductor Corp.)
Skype Toolbars (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.5.7896 - Skype Technologies S.A.)
Skype™ 5.3 (HKLM-x32\...\{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}) (Version: 5.3.120 - Skype Technologies S.A.)
Spy Sweeper Core (x32 Version: 4.4.0.85 - Webroot Software) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
VC80CRTRedist - 8.0.50727.4053 (x32 Version: 1.1.0 - DivX, Inc) Hidden
Webroot AntiVirus with Spy Sweeper (HKLM-x32\...\{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1) (Version: 6.1 - Webroot Software, Inc.)
Welcome Center (HKLM-x32\...\eMachines Welcome Center) (Version: 1.00.3008 - Acer Incorporated)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3555.0308 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2010-05-13 15:54 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {334C4A90-0F19-4E01-BFE9-F5F3AEE0F8DA} - System32\Tasks\{3CE16EC2-218E-4C38-AE63-4606B7EBB779} => Iexplore.exe http://ui.skype.com/ui/0/5.8.0.156/en/abandoninstall?page=tsMain
Task: {530C2ECA-4A01-4058-AF9F-1F4E2A946028} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-19] (Adobe Systems Incorporated)
Task: {DC496121-C127-4004-98AE-F59BEB6EC626} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
Task: {DF807750-FFEB-4868-8AF1-40DAB7579B5F} - System32\Tasks\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C => C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-11-06] (Webroot Software, Inc.)
Task: {E89D82FB-7D51-4CA5-9BB4-09D7367C71AF} - System32\Tasks\{94BB91CD-6EA4-496C-8036-0B5B3335A55E} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2011-06-15] (Skype Technologies S.A.)
Task: {FD4FE36C-DC68-4E2D-AF83-9002F696FEBD} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe [2013-03-31] () <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C.job => C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe

==================== Loaded Modules (whitelisted) =============


==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:A31FAD21

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\17988473.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\48373246.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\52408625.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\96033237.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\17988473.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\48373246.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\52408625.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\96033237.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WebrootSpySweeperService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRConsumerService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: ACDaemon => 2
MSCONFIG\Services: bckwfs => 2
MSCONFIG\Services: nvsvc => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk => C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^dcomcnfg.lnk => C:\Windows\pss\dcomcnfg.lnk.Startup
MSCONFIG\startupfolder: C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Epson all-in-one Registration.lnk => C:\Windows\pss\Epson all-in-one Registration.lnk.Startup
MSCONFIG\startupfolder: C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: 3428284410 => C:\Users\owner\AppData\Roaming\msgwtywk.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: ApnUpdater => "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
MSCONFIG\startupreg: ArcSoft Connection Service => "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
MSCONFIG\startupreg: dcomcnfg => "C:\Users\owner\AppData\Roaming\Microsoft\Windows\IEUpdate\dcomcnfg.exe"
MSCONFIG\startupreg: DivX Download Manager => "C:\Program Files (x86)\DivX\DivX Plus Web Player\DDmService.exe" start
MSCONFIG\startupreg: DivXUpdate => "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
MSCONFIG\startupreg: EEventManager => "C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe"
MSCONFIG\startupreg: FUFAXSTM => "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
MSCONFIG\startupreg: Ibitkuka => "C:\Users\owner\AppData\Roaming\Ubeh\gogii.exe"
MSCONFIG\startupreg: Ihidciza => "C:\Users\owner\AppData\Roaming\Oqty\diykx.exe"
MSCONFIG\startupreg: MapsGalaxy EPM Support => "C:\PROGRA~2\MAPSGA~2\bar\1.bin\39medint.exe" T8EPMSUP.DLL,S
MSCONFIG\startupreg: msnmsgr => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
MSCONFIG\startupreg: NvCplDaemon => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
MSCONFIG\startupreg: Pando Media Booster => "C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe"
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: ylihmyw => "rundll32" "C:\Users\owner\AppData\Local\ylihmyw.dll",ylihmyw

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/05/2014 09:28:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: regsvr32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bca28
Faulting module name: SYMSRV.DLL, version: 6.9.3.113, time stamp: 0x52f7ec72
Exception code: 0xc0000005
Fault offset: 0x00001039
Faulting process id: 0x4e0
Faulting application start time: 0xregsvr32.exe0
Faulting application path: regsvr32.exe1
Faulting module path: regsvr32.exe2
Report Id: regsvr32.exe3

Error: (09/05/2014 08:16:05 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (09/05/2014 08:16:05 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (09/05/2014 08:16:05 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (09/05/2014 08:16:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: regsvr32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bca28
Faulting module name: SYMSRV.DLL, version: 6.9.3.113, time stamp: 0x52f7ec72
Exception code: 0xc0000005
Fault offset: 0x00001039
Faulting process id: 0xbdc
Faulting application start time: 0xregsvr32.exe0
Faulting application path: regsvr32.exe1
Faulting module path: regsvr32.exe2
Report Id: regsvr32.exe3

Error: (09/05/2014 07:50:37 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7600.16450 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 508

Start Time: 01cfc96be3ed2940

Termination Time: 296

Application Path: C:\Windows\Explorer.EXE

Report Id: c5b05371-355f-11e4-a8f3-4487fc779c74


System errors:
=============
Error: (09/06/2014 01:58:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:58:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:58:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:54:50 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:54:50 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:54:50 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:54:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:54:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:54:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (09/06/2014 01:52:43 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe

Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe

Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe

Error: (09/06/2014 00:37:13 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe

Error: (09/05/2014 09:28:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: regsvr32.exe6.1.7600.163854a5bca28SYMSRV.DLL6.9.3.11352f7ec72c0000005000010394e001cfc97a426a94e0C:\Windows\SysWOW64\regsvr32.exeC:\Users\owner\AppData\Local\Ohics\SYMSRV.DLL87eb6580-356d-11e4-ad9e-4487fc779c74

Error: (09/05/2014 08:16:05 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (09/05/2014 08:16:05 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (09/05/2014 08:16:05 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (09/05/2014 08:16:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: regsvr32.exe6.1.7600.163854a5bca28SYMSRV.DLL6.9.3.11352f7ec72c000000500001039bdc01cfc97012f25fe0C:\Windows\SysWOW64\regsvr32.exeC:\Users\owner\AppData\Local\Ohics\SYMSRV.DLL5bff4d10-3563-11e4-b1ef-4487fc779c74

Error: (09/05/2014 07:50:37 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Explorer.EXE6.1.7600.1645050801cfc96be3ed2940296C:\Windows\Explorer.EXEc5b05371-355f-11e4-a8f3-4487fc779c74


CodeIntegrity Errors:
===================================
  Date: 2013-01-11 18:04:21.752
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\1f2397.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-11 18:04:21.705
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\1f2397.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Celeron® CPU 450 @ 2.20GHz
Percentage of memory in use: 18%
Total physical RAM: 2815.23 MB
Available physical RAM: 2297.48 MB
Total Pagefile: 5628.61 MB
Available Pagefile: 5143.14 MB
Total Virtual: 8192 MB
Available Virtual: 8191.79 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:452.66 GB) (Free:383.43 GB) NTFS
Drive j: () (Removable) (Total:1.86 GB) (Free:0.86 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 319E62BB)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=452.7 GB) - (Type=07 NTFS)

========================================================
Disk: 6 (Size: 1.9 GB) (Disk ID: 3BE078B6)
Partition 1: (Not Active) - (Size=1.9 GB) - (Type=06)

==================== End Of Log ============================



#5 dabbs00

dabbs00
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 06 September 2014 - 05:40 PM

It looks like I also have the Cryptot bit virus; all my pictures are not showing, and there are files there asking for money.



#6 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 06 September 2014 - 06:51 PM

It looks like I also have the Cryptot bit virus; all my pictures are not showing, and there are files there asking for money.

 

Yes. Look here.

 

-------------------------------------

 

Please uninstall the following via Start->(or Computer)->Control Panel->(Programs)->Programs and Features if it still exists:
Please uninstall the following applications:

 

MapsGalaxy Internet Explorer Toolbar
Ask Toolbar
Ask Toolbar Updater
Pando Media Booster
C:\Program Files (x86)\Ask.com
C:\Program Files\McAfee Security Scan

 

--------------------------------------------------------------------------------------------------------

 

Step 1:

 

Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

 

Step 2:

 

FRST Fixlist:


Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Regards

Attached Files


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#7 dabbs00

dabbs00
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 06 September 2014 - 09:43 PM

Could not remove Ask Toolbar or MapsGalaxy. I got errors when I tried to uninstall.



#8 dabbs00

dabbs00
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 06 September 2014 - 10:00 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-09-2014
Ran by owner at 2014-09-06 21:56:23 Run:1
Running from C:\Users\owner\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\Run: [Apple Computer, Inc.] => "C:\Users\owner\AppData\Roaming\udahejts\wtgfehtd.exe"
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\Run: [Zvxsxr] => C:\Users\owner\AppData\Roaming\Identities\Zvxsxr.exe
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\Run: [Mozilla] => "C:\Users\owner\AppData\Roaming\ujbhdstt\wtgfehtd.exe"
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\Run: [DpiSwdev] => "C:\Users\owner\AppData\Local\Temp\autodagt.exe" <===== ATTENTION
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\Run: [Ohics] => "regsvr32.exe" C:\Users\owner\AppData\Local\Ohics\SYMSRV.DLL <===== ATTENTION
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\MountPoints2: J - J:\LaunchU3.exe -a
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\...\MountPoints2: {c55ea025-f5ca-11df-8e78-4487fc779c74} - J:\LaunchU3.exe -a
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=8032077A-12C4-4173-BE3D-661E85361766&apn_sauid=A2174414-69AE-4AEB-9BD6-76D6E6D3AEA5
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
FF ProfilePath: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\zf5hwfrw.default-1385419075600
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Extension: LivingPlay TextLinks - C:\Users\owner\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com [2011-06-09]
CHR HKLM-x32\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Users\owner\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx []
CHR HKLM-x32\...\Chrome\Extension: [fnjbmmemklcjgepojigaapkoodmkgbae] - C:\Program Files (x86)\DivX\DivX Plus Web Player\google_chrome\wpa\wpa.crx [2010-12-08]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2011-07-01]
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\google_chrome\html5video\html5video.crx [2010-12-08]
2014-09-05 20:54 - 2014-09-05 20:54 - 00008174 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML
2014-09-05 20:54 - 2014-09-05 20:54 - 00004132 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-09-05 20:54 - 2014-09-05 20:54 - 00000254 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-09-05 20:52 - 2014-09-05 20:52 - 00008174 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.HTML
2014-09-05 20:52 - 2014-09-05 20:52 - 00008174 _____ () C:\Users\owner\DECRYPT_INSTRUCTION.HTML
2014-09-05 20:52 - 2014-09-05 20:52 - 00004132 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
2014-09-05 20:52 - 2014-09-05 20:52 - 00004132 _____ () C:\Users\owner\DECRYPT_INSTRUCTION.TXT
2014-09-05 20:52 - 2014-09-05 20:52 - 00000254 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL
2014-09-05 20:52 - 2014-09-05 20:52 - 00000254 _____ () C:\Users\owner\DECRYPT_INSTRUCTION.URL
2014-09-05 19:52 - 2014-09-05 19:52 - 00008174 _____ () C:\Users\owner\Downloads\DECRYPT_INSTRUCTION.HTML
2014-09-05 19:52 - 2014-09-05 19:52 - 00004132 _____ () C:\Users\owner\Downloads\DECRYPT_INSTRUCTION.TXT
2014-09-05 19:52 - 2014-09-05 19:52 - 00000254 _____ () C:\Users\owner\Downloads\DECRYPT_INSTRUCTION.URL
C:\Users\owner\AppData\Local\ylihmyw.dll",ylihmyw
C:\Users\owner\AppData\Roaming\Oqty\diykx.exe
C:\Users\owner\AppData\Roaming\Ubeh\gogii.exe
 C:\Users\owner\AppData\Roaming\msgwtywk.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\PROGRA~2\MAPSGA~2\bar\1.bin\39medint.exe" T8EPMSUP.DLL,S
C:\ProgramData\UrutzEyezo
C:\Program Files (x86)\Ask.com
C:\Program Files (x86)\Mozilla Maintenance Service
C:\Users\owner\AppData\Roaming\Dumiky
C:\ProgramData\1VjM2R.dat
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
C:\Program Files\McAfee Security Scan
C:\ProgramData\McAfee Security Scan
C:\Users\owner\AppData\Local\Ohics
C:\Users\owner\AppData\Roaming\Epyp
2014-09-05 22:38 - 2009-07-13 19:20 - 00000000 __SHD () C:\Users\owner\AppData\Roaming\ujbhdstt
2014-09-05 22:38 - 2009-07-13 19:20 - 00000000 __SHD () C:\Users\owner\AppData\Roaming\udahejts
2014-09-01 16:41 - 2013-02-02 18:14 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Oqty
2014-09-01 16:41 - 2012-11-26 09:01 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Ubeh
C:\Users\owner\AppData\Local\Google\Desktop\Install
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
C:\Users\owner\dps-dvd-menu-template-package-1.exe
C:\Users\owner\dps_install.exe
C:\Users\owner\SkypeSetup.exe
AlternateDataStreams: C:\ProgramData\TEMP:A31FAD21
Task: {DC496121-C127-4004-98AE-F59BEB6EC626} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
Task: {DF807750-FFEB-4868-8AF1-40DAB7579B5F} - System32\Tasks\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C => C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-11-06] (Webroot Software, Inc.)
Task: {FD4FE36C-DC68-4E2D-AF83-9002F696FEBD} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe [2013-03-31] () <==== ATTENTION
Task: C:\Windows\Tasks\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C.job => C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe
end
Reboot:
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Apple Computer, Inc. => value deleted successfully.
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Zvxsxr => value deleted successfully.
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Mozilla => value deleted successfully.
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\Software\Microsoft\Windows\CurrentVersion\Run\\DpiSwdev => value deleted successfully.
HKU\S-1-5-21-2932386486-746028893-2682692500-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Ohics => value deleted successfully.
"HKU\S-1-5-21-2932386486-746028893-2682692500-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-2932386486-746028893-2682692500-1001" => Key not found.
"HKU\S-1-5-21-2932386486-746028893-2682692500-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c55ea025-f5ca-11df-8e78-4487fc779c74}" => Key deleted successfully.
"HKCR\CLSID\{c55ea025-f5ca-11df-8e78-4487fc779c74}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}" => Key deleted successfully.
"HKCR\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
"HKCR\PROTOCOLS\Handler\skype-ie-addon-data" => Key deleted successfully.
"HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}" => Key not found.
 => Should not be moved.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
C:\Users\owner\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo" => Key deleted successfully.
"C:\Users\owner\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fnjbmmemklcjgepojigaapkoodmkgbae" => Key deleted successfully.
C:\Program Files (x86)\DivX\DivX Plus Web Player\google_chrome\wpa\wpa.crx => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl" => Key deleted successfully.
C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\nneajnkjbffgblleaoojgaacokifdkhm" => Key deleted successfully.
C:\Program Files (x86)\DivX\DivX Plus Web Player\google_chrome\html5video\html5video.crx => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\owner\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\owner\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\owner\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\owner\Downloads\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\owner\Downloads\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\owner\Downloads\DECRYPT_INSTRUCTION.URL => Moved successfully.
"C:\Users\owner\AppData\Local\ylihmyw.dll,ylihmyw" => File/Directory not found.
"C:\Users\owner\AppData\Roaming\Oqty\diykx.exe" => File/Directory not found.
"C:\Users\owner\AppData\Roaming\Ubeh\gogii.exe" => File/Directory not found.
"C:\Users\owner\AppData\Roaming\msgwtywk.exe" => File/Directory not found.
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe" => File/Directory not found.
"C:\PROGRA~2\MAPSGA~2\bar\1.bin\39medint.exe T8EPMSUP.DLL,S" => File/Directory not found.
C:\ProgramData\UrutzEyezo => Moved successfully.
"C:\Program Files (x86)\Ask.com" => File/Directory not found.
C:\Program Files (x86)\Mozilla Maintenance Service => Moved successfully.
C:\Users\owner\AppData\Roaming\Dumiky => Moved successfully.
C:\ProgramData\1VjM2R.dat => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus => Moved successfully.
"C:\Program Files\McAfee Security Scan" => File/Directory not found.
C:\ProgramData\McAfee Security Scan => Moved successfully.
C:\Users\owner\AppData\Local\Ohics => Moved successfully.
C:\Users\owner\AppData\Roaming\Epyp => Moved successfully.
C:\Users\owner\AppData\Roaming\ujbhdstt => Moved successfully.
C:\Users\owner\AppData\Roaming\udahejts => Moved successfully.
C:\Users\owner\AppData\Roaming\Oqty => Moved successfully.
C:\Users\owner\AppData\Roaming\Ubeh => Moved successfully.
C:\Users\owner\AppData\Local\Google\Desktop\Install => Moved successfully.

The operation completed successfully.
C:\Users\owner\dps-dvd-menu-template-package-1.exe => Moved successfully.
C:\Users\owner\dps_install.exe => Moved successfully.
C:\Users\owner\SkypeSetup.exe => Moved successfully.
C:\ProgramData\TEMP => ":A31FAD21" ADS removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DC496121-C127-4004-98AE-F59BEB6EC626}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DC496121-C127-4004-98AE-F59BEB6EC626}" => Key deleted successfully.
C:\Windows\System32\Tasks\SpyHunter4Startup => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpyHunter4Startup" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF807750-FFEB-4868-8AF1-40DAB7579B5F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF807750-FFEB-4868-8AF1-40DAB7579B5F}" => Key deleted successfully.
C:\Windows\System32\Tasks\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD4FE36C-DC68-4E2D-AF83-9002F696FEBD}" => Key not found.
C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar" => Key not found.
C:\Windows\Tasks\wrSpySweeper_L7AC2990617F44E599CBAECE62E0E8E0C.job => Moved successfully.


The system needed a reboot.

==== End of Fixlog ====
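The Fixlog above pairs each fixlist entry with an outcome ("value deleted successfully", "Moved successfully", "File/Directory not found", "Key not found"). When reviewing a log like this, a responder wants two things at a glance: which entries FRST or the helper considered worth flagging (autorun values pointing into user-writable folders, a signed loader such as regsvr32.exe pulling in a DLL, ransom notes) and how many entries were actually removed versus already gone. The script below is an added example written for this thread; it is not part of the thread and not code from the FRST tool. The sample log embedded in it is constructed from the format shown above (SID shortened, paths taken from the log), and the flag names and heuristics are this example's own assumptions.

```python
"""Triage helper for an FRST Fixlog.txt (constructed example, not FRST's own code)."""
import re
from collections import Counter

# Constructed sample modelled on the Fixlog format in the thread above.
# The SID is a placeholder; the paths mirror entries from the posted log.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-09-2014
Ran by owner at 2014-09-06 21:56:23 Run:1
Running from C:\Users\owner\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKU\S-1-5-21-0-0-0-1001\...\Run: [DpiSwdev] => "C:\Users\owner\AppData\Local\Temp\autodagt.exe" <===== ATTENTION
HKU\S-1-5-21-0-0-0-1001\...\Run: [Ohics] => "regsvr32.exe" C:\Users\owner\AppData\Local\Ohics\SYMSRV.DLL <===== ATTENTION
C:\Users\owner\AppData\Roaming\Oqty\diykx.exe
C:\Users\Public\DECRYPT_INSTRUCTION.HTML
Task: {DC496121-C127-4004-98AE-F59BEB6EC626} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
end
Reboot:
*****************

HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\\DpiSwdev => value deleted successfully.
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Ohics => value deleted successfully.
"C:\Users\owner\AppData\Roaming\Oqty\diykx.exe" => File/Directory not found.
C:\Users\Public\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows\System32\Tasks\SpyHunter4Startup => Moved successfully.
C:\ProgramData\TEMP => ":A31FAD21" ADS removed successfully.

The system needed a reboot.

==== End of Fixlog ====
"""

# Folders where a legitimate autorun target is unusual (heuristic, assumed here).
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local", r"\programdata")


def split_fixlog(text):
    """Return (fixlist entries between 'start' and 'end', result lines containing ' => ')."""
    lines = text.splitlines()
    start = lines.index("start")
    end = lines.index("end", start)
    fixlist = [ln.strip() for ln in lines[start + 1:end] if ln.strip()]
    results = [ln for ln in lines[end + 1:] if " => " in ln]
    return fixlist, results


def classify_outcome(result_line):
    """Map one result line to 'removed', 'not_found' or 'other'."""
    _target, _, outcome = result_line.rpartition(" => ")
    # Drop a leading quoted stream name, e.g. ":A31FAD21" on an ADS line.
    outcome = re.sub(r'^"[^"]*"\s+', "", outcome).rstrip(".")
    if outcome.endswith("not found"):
        return "not_found"
    if "successfully" in outcome:
        return "removed"
    return "other"


def flag_entry(entry):
    """Return a list of heuristic flags for one fixlist entry (names are this example's own)."""
    flags = []
    low = entry.lower()
    if "<===== attention" in low:
        flags.append("frst_attention")          # FRST itself marked the entry
    if low.startswith(("hklm", "hku", "hkcu")) and "run:" in low:
        flags.append("autorun")                 # a Run value, i.e. persistence
    if any(d in low for d in USER_WRITABLE_DIRS):
        flags.append("user_writable_path")      # target lives where any user can write
    if "regsvr32.exe" in low:
        flags.append("regsvr32_loader")         # signed host binary loading a DLL
    if "decrypt_instruction" in low:
        flags.append("ransom_note")             # CryptoWall-style note, as in the log
    return flags


def summarize(text):
    """Count outcomes and collect flagged fixlist entries for a whole Fixlog."""
    fixlist, results = split_fixlog(text)
    outcomes = Counter(classify_outcome(r) for r in results)
    flagged = {e: flag_entry(e) for e in fixlist if flag_entry(e)}
    return {
        "entries": len(fixlist),
        "results": len(results),
        "outcomes": dict(outcomes),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FIXLOG)
    print(f"{report['entries']} fixlist entries, {report['results']} results: {report['outcomes']}")
    for entry, flags in report["flagged"].items():
        print(f"  [{', '.join(flags)}] {entry}")
```

A high "not_found" count, as in the posted Fixlog, usually means an earlier tool or the malware itself already removed the files, so the registry values pointing at them were orphaned; the autorun values still needed deleting, which is why they appear separately as "value deleted successfully".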



#9 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 07 September 2014 - 02:15 AM

Hi dabbs00,

 

 

Please do the following:

Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

cfRC_screen_2.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

 

Regards.



 


 


#10 dabbs00

dabbs00
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 07 September 2014 - 04:30 PM

Attached File  ComboFix.txt   16.75KB   6 downloads



#11 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 07 September 2014 - 05:32 PM

Hi dabbs00,

 

Multiple Anti-virus Programs

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your computer.

Use one antivirus. Please uninstall others.

 

Avira

Webroot AntiVirus with Spy Sweeper

HitmanPro

 

-------------------------------------------------------

 

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\windows\unvise32.exe
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

 

------------------------------------------------------

 

Step 1:

Please Download TDSSkiller
Launch it.
Click on Change parameters, then select TDLFS file system.
Click on "Scan".
Please post the LOG report(log file should be in your C drive)
 
Do not change the default options on scan results.

 

Step 2:

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

    Double click the mbar.zip file to open it, then 'Extract all files'.
    Double click the mbar folder to open it, then double click mbar.exe to start the tool.

    Check for Updates, then Scan your system for malware
  • If malware is found, do NOT press the Cleanup button yet. Click EXIT.

We'd like to see the log first. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt .

Please post the contents of that log in your next reply.

 

Regards



 


 


#12 dabbs00

dabbs00
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 07 September 2014 - 08:06 PM

Attached File  TDSSKiller.3.0.0.40_07.09.2014_19.40.18_log.txt   181.21KB   3 downloads

Attached File  mbar-log-2014-09-07 (19-46-24).txt   2.03KB   4 downloads



#13 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 08 September 2014 - 03:52 AM

VirusTotal results?

 

------------

 

Please download and run RogueKiller 64 bit to your desktop

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Edited by olgun52, 08 September 2014 - 03:55 AM.


 


 


#14 dabbs00

dabbs00
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 08 September 2014 - 04:23 PM

Attached File  RKreport_SCN_09082014_161255.log   6.73KB   6 downloads



#15 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 09 September 2014 - 05:32 AM

Hello again dabbs00,

 

VirusTotal results: did you do the scan?
Avira, Webroot AntiVirus with Spy Sweeper, HitmanPro ---> Which did you prefer, and did you remove the others?

 

---------------------------------------------------------------------------------------------------------------------------------

 

Step1:

Run Eset Online Scan

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the options "Scan Archives" and "Remove found threats" are ticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Step2:

 

Post a fresh FRST logfile. --->  FRST.txt and Addition.txt

 

Have a nice day.



 


 




