tlvmedia.com - LOTS of popups!


  • This topic is locked
14 replies to this topic

#1 etexmomof2
  • Members
  • 8 posts

Posted 06 October 2014 - 03:46 PM

Today I fell for the "update the media player" scam and have been infected with tons and tons of extra tabs opening in Firefox. I appreciate your help!!

 

DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17280
Run by Sulphur Springs at 15:40:59 on 2014-10-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.1166 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\PCTRunner\MyOSProtect.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: ArcadeParlor Games: {39AD0726-986D-40F9-972B-E3BFA24B7745} -
BHO: Better Experience: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [Info Center] c:\program files\pcpitstop\info center\InfoCenter.exe
mRun: [ospd_us_201] <no file>
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: c:\windows\system32\MyOSProtect.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{633AEBE8-2266-43A0-B446-D69E8AB79336} : NameServer = 5.135.12.56,199.203.35.78
TCP: Interfaces\{633AEBE8-2266-43A0-B446-D69E8AB79336} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sulphur springs\appdata\roaming\mozilla\firefox\profiles\zaqipbq6.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\globalupdate\update\1.3.25.0\npGoogleUpdate4.dll
FF - plugin: c:\users\sulphur springs\appdata\local\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_152.dll
.
---- FIREFOX POLICIES ----
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);user_pref('extensions.blocklist.enabled', false);user_pref('security.mixed_content.block_active_content', false);
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2014-7-21 86632]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2013-11-25 5120]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2014-7-21 361000]
R3 MyOSProtect;MyOSProtect;c:\program files\pctrunner\MyOSProtect.exe [2014-9-1 1317096]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2014-7-21 43368]
S3 globalUpdate;globalUpdate Update Service (globalUpdate);c:\program files\globalupdate\update\GoogleUpdate.exe [2014-10-6 68608]
S3 globalUpdatem;globalUpdate Update Service (globalUpdatem);c:\program files\globalupdate\update\GoogleUpdate.exe [2014-10-6 68608]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-9-15 108032]
S3 InternetUpdater;Internet Updater;c:\programdata\internetupdater\InternetUpdaterService.exe [2013-12-5 40448]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 95920]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
S3 ProtectMonitor;Protect Monitor;C:\monitorsvc.exe [2014-9-2 34244]
S3 RDMSOService;RDMSOService;c:\windows\system32\RDMSOService.exe [2013-11-4 128448]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-11-25 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-10-31 1343400]
S3 XCSecurity;X-Charge Security;c:\programdata\cam commerce solutions\x-charge\application\XCSecurityService.exe [2013-11-4 2084352]
S3 XCService;X-Charge Server;c:\programdata\cam commerce solutions\x-charge\application\XCService.exe [2013-11-4 461824]
.
=============== Created Last 30 ================
.
2014-10-06 19:55:26    --------    dc----w-    c:\users\sulphur springs\appdata\local\CrashDumps
2014-10-06 19:13:22    --------    dc----w-    c:\program files\Mozilla Maintenance Service
2014-10-06 15:06:43    --------    dc----w-    c:\windows\system32\appmgmt
2014-10-06 15:00:44    --------    dc----w-    c:\users\sulphur springs\appdata\local\globalUpdate
2014-10-06 15:00:44    --------    dc----w-    c:\program files\globalUpdate
2014-10-06 15:00:21    --------    dc----w-    c:\program files\predm
2014-10-06 14:59:10    --------    dc----w-    c:\users\sulphur springs\appdata\local\com
2014-10-06 14:58:25    --------    dc----w-    c:\programdata\2308189059
2014-10-06 14:57:48    20480    -c--a-w-    c:\windows\system32\drivers\pcwatch.sys
2014-10-06 14:57:03    304776    -c--a-w-    c:\windows\system32\MyOSProtect.dll
2014-10-06 14:55:20    4834816    -c----w-    c:\windows\score.exe
2014-10-06 14:54:59    --------    dc----w-    c:\program files\Optimizer Pro
2014-10-06 14:54:18    --------    dc----w-    c:\users\sulphur springs\appdata\local\Programs
2014-10-06 14:54:04    --------    dc----w-    c:\program files\PCTRunner
2014-10-06 14:15:44    908840    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{dfaba59c-5336-4ae8-a83e-f1ee68260049}\gapaengine.dll
2014-10-06 14:10:06    519680    ----a-w-    c:\windows\system32\qdvd.dll
2014-10-06 14:09:57    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-10-06 14:05:34    8806800    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{90d10bef-20ee-4c4a-83f4-509af24392ab}\mpengine.dll
2014-09-22 18:32:03    8806800    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-09-15 21:49:36    2285056    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2014-09-15 17:54:04    793600    ----a-w-    c:\windows\system32\TSWorkspace.dll
2014-09-15 17:53:55    550912    ----a-w-    c:\windows\system32\kerberos.dll
2014-09-15 17:53:54    1059840    ----a-w-    c:\windows\system32\lsasrv.dll
2014-09-15 17:53:21    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-09-15 17:49:10    445952    ----a-w-    c:\windows\system32\aepdu.dll
2014-09-15 17:49:09    302592    ----a-w-    c:\windows\system32\aeinv.dll
2014-09-08 18:04:37    305152    ----a-w-    c:\windows\system32\gdi32.dll
2014-09-08 18:04:37    2352640    ----a-w-    c:\windows\system32\win32k.sys
.
==================== Find3M  ====================
.
2014-10-06 19:05:33    71344    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-06 19:05:33    701104    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-09-22 06:41:56    231568    -c----w-    c:\windows\system32\MpSigStub.exe
2014-09-02 19:55:28    487483    -c--a-w-    C:\monitor.exe
2014-09-02 19:55:26    34244    -c--a-w-    C:\monitorsvc.exe
2014-09-02 18:16:10    634880    -c--a-w-    C:\DirectControl.exe
2014-08-25 21:37:37    92672    ----a-w-    c:\windows\system32\wudriver.dll
2014-08-25 21:34:14    654336    ----a-w-    c:\windows\system32\rpcrt4.dll
2014-08-25 21:33:51    730048    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2014-08-25 21:33:51    219072    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2014-08-25 21:33:51    107520    ----a-w-    c:\windows\system32\cdd.dll
2014-08-25 21:32:19    337408    ----a-w-    c:\windows\system32\msihnd.dll
2014-08-25 21:32:19    2363392    ----a-w-    c:\windows\system32\msi.dll
2014-08-25 21:32:19    1805824    ----a-w-    c:\windows\system32\authui.dll
2014-08-25 21:32:19    101824    ----a-w-    c:\windows\system32\consent.exe
2014-08-25 21:31:51    99480    ----a-w-    c:\windows\system32\infocardapi.dll
2014-08-25 21:31:51    8856    ----a-w-    c:\windows\system32\icardres.dll
2014-08-25 21:31:51    35480    ----a-w-    c:\windows\system32\TsWpfWrp.exe
2014-08-25 21:31:50    619672    ----a-w-    c:\windows\system32\icardagt.exe
2014-08-25 17:29:34    33792    ----a-w-    c:\windows\system32\wuapp.exe
2014-08-25 17:29:34    179656    ----a-w-    c:\windows\system32\wuwebv.dll
2014-08-25 17:29:26    2425856    ----a-w-    c:\windows\system32\wucltux.dll
2014-07-25 07:35:46    875688    -c--a-w-    c:\windows\system32\msvcr120_clr0400.dll
2014-07-17 23:05:08    95920    -c--a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-07-17 23:05:08    231800    -c--a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-07-14 20:53:43    646144    ----a-w-    c:\windows\system32\osk.exe
2014-07-14 20:53:28    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-07-14 20:53:23    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2014-07-14 20:50:57    65536    ----a-w-    c:\windows\system32\TSpkg.dll
2014-07-14 20:50:57    259584    ----a-w-    c:\windows\system32\msv1_0.dll
2014-07-14 20:50:57    247808    ----a-w-    c:\windows\system32\schannel.dll
2014-07-14 20:50:57    220160    ----a-w-    c:\windows\system32\ncrypt.dll
2014-07-14 20:50:57    17408    ----a-w-    c:\windows\system32\credssp.dll
2014-07-14 20:50:57    172032    ----a-w-    c:\windows\system32\wdigest.dll
.
============= FINISH: 15:43:15.23 ===============
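The DDS log above carries the indicators a responder would pull out by hand: the UAC policies set to 0, the Winsock LSP, a per-interface static DNS pair that differs from the DHCP-supplied resolver, Firefox hardening prefs switched off in the user_pref line, and services whose binaries sit in the drive root or ProgramData. As an added example (not part of the original post, and not DDS or BleepingComputer code), the Python script below reads a pasted DDS log and flags those same indicators. The sample input is a subset of lines copied from the log above; the tables of weak values and the unusual-path heuristic are my own assumptions, not anything DDS itself emits.

```python
"""Triage a pasted DDS log for weak-configuration indicators.

Added example, not part of the original post or of the DDS tool. The
weak-value tables and the path heuristic below are assumptions made for
illustration; the regexes follow the line shapes seen in the log above.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of lines copied from the DDS log posted above,
# plus one benign driver line so the service check has something to pass on.
SAMPLE_DDS = r"""
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: c:\windows\system32\MyOSProtect.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{633AEBE8-2266-43A0-B446-D69E8AB79336} : NameServer = 5.135.12.56,199.203.35.78
TCP: Interfaces\{633AEBE8-2266-43A0-B446-D69E8AB79336} : DHCPNameServer = 192.168.1.1
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);user_pref('extensions.blocklist.enabled', false);user_pref('security.mixed_content.block_active_content', false);
S3 ProtectMonitor;Protect Monitor;C:\monitorsvc.exe [2014-9-2 34244]
S3 InternetUpdater;Internet Updater;c:\programdata\internetupdater\InternetUpdaterService.exe [2013-12-5 40448]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
"""

# UAC policy values that weaken the elevation boundary (assumed table):
# key -> (value that is weak, why it matters).
UAC_WEAK = {
    "EnableLUA": ("0", "UAC disabled; admin-token processes run fully elevated"),
    "ConsentPromptBehaviorAdmin": ("0", "admins elevate silently with no prompt"),
    "PromptOnSecureDesktop": ("0", "any UAC prompt is drawn on the normal desktop"),
}

# Firefox prefs a hardening baseline keeps on, and the value meaning 'off'
# (assumed list, limited to the prefs that appear in the log above).
FF_WEAK = {
    "security.csp.enable": "false",
    "security.OCSP.enabled": "0",
    "extensions.blocklist.enabled": "false",
    "security.mixed_content.block_active_content": "false",
}

POLICY_RE = re.compile(r"^mPolicies-System:\s*(\w+)\s*=\s*dword:(\w+)")
LSP_RE = re.compile(r"^LSP:\s*(.+)$")
IFACE_RE = re.compile(
    r"^TCP:\s*Interfaces\\(\{[0-9A-Fa-f-]+\})\s*:\s*(DHCPNameServer|NameServer)\s*=\s*(\S+)")
PREF_RE = re.compile(r"user_pref\('([^']+)',\s*([^)]+)\)")
SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[")
# Heuristic: a binary directly in the drive root, or anywhere under ProgramData.
ODD_PATH_RE = re.compile(r"^[a-z]:\\(?:[^\\]+\.exe$|programdata\\)", re.I)


def triage(dds_text: str) -> Dict[str, List[str]]:
    """Return findings grouped by category for one DDS log."""
    findings: Dict[str, List[str]] = {
        "uac": [], "lsp": [], "dns": [], "firefox": [], "services": []}
    dns: Dict[str, Dict[str, str]] = {}  # interface GUID -> {kind: servers}
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            key, val = m.group(1), m.group(2)
            if key in UAC_WEAK and val == UAC_WEAK[key][0]:
                findings["uac"].append(f"{key}={val}: {UAC_WEAK[key][1]}")
        elif m := LSP_RE.match(line):
            # A Winsock LSP is loaded into every process that uses sockets.
            findings["lsp"].append(f"Winsock LSP installed: {m.group(1)}")
        elif m := IFACE_RE.match(line):
            dns.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := SVC_RE.match(line):
            name, path = m.group(1), m.group(2)
            if ODD_PATH_RE.match(path):
                findings["services"].append(f"service {name} runs from unusual path {path}")
        # The FIREFOX POLICIES line packs many prefs onto one line, so scan all of it.
        for pref, value in PREF_RE.findall(line):
            if pref in FF_WEAK and value.strip() == FF_WEAK[pref]:
                findings["firefox"].append(f"{pref} = {value.strip()} (hardening pref off)")
    # Only flag DNS when a static resolver overrides what DHCP handed out.
    for guid, servers in dns.items():
        static, dhcp = servers.get("NameServer"), servers.get("DHCPNameServer")
        if static and static != dhcp:
            findings["dns"].append(f"interface {guid}: static DNS {static} overrides DHCP {dhcp}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        for item in items:
            print(f"[{category}] {item}")
```

Run it as-is to see the findings for the sample; feed a whole pasted DDS log to triage() for the same categories. The DNS check fires only when a static NameServer differs from the DHCPNameServer on the same interface, so a machine that deliberately pins its resolver still needs the addresses checked against policy rather than treated as malicious on sight.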
 


#2 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 11 October 2014 - 07:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 18 October 2014 - 09:09 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 20 October 2014 - 10:45 AM

This topic has been re-opened at the request of the person who originally posted.

#5 etexmomof2
  • Topic Starter
  • Members
  • 8 posts

Posted 20 October 2014 - 11:46 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/20/2014
Scan Time: 11:21:55 AM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.20.04
Rootkit Database: v2014.10.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Sulphur Springs

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 278345
Time Elapsed: 10 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Still getting popups and lots of underlined words when using Firefox. I'll post the additional logs.



#6 etexmomof2
  • Topic Starter
  • Members
  • 8 posts

Posted 20 October 2014 - 11:47 AM

# AdwCleaner v4.000 - Report created 20/10/2014 at 10:00:00
# DB v2014-10-19.11
# Updated 12/10/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : Sulphur Springs - SULPHUR
# Running from : C:\Users\Sulphur Springs\Downloads\adwcleaner_4.000.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : pcwatch

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\globalUpdate
Folder Deleted : C:\Users\Sulphur Springs\AppData\Local\globalUpdate
Folder Deleted : C:\Program Files\Optimizer Pro
Folder Deleted : C:\Users\Sulphur Springs\Documents\Optimizer Pro
Folder Deleted : C:\Program Files\predm
Folder Deleted : C:\ProgramData\Updater
File Deleted : C:\END
File Deleted : C:\Windows\system32\MyOSProtect.dll
File Deleted : C:\Users\Sulphur Springs\AppData\Roaming\Mozilla\Firefox\Profiles\zaqipbq6.default\user.js

***** [ Scheduled Tasks ] *****

Task Deleted : LaunchSignup

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\GlobalUpdate
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\SocialBit
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\GlobalUpdate
Key Deleted : HKLM\SOFTWARE\Tutorials
Key Deleted : HKLM\SOFTWARE\XTRM Group Ltd.
Key Deleted : HKLM\SOFTWARE\PCDRunner

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280


-\\ Mozilla Firefox v32.0.3 (x86 en-US)


*************************

AdwCleaner[R0].txt - [3316 octets] - [20/10/2014 09:54:13]
AdwCleaner[S0].txt - [3142 octets] - [20/10/2014 10:00:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3202 octets] ##########
 



#7 etexmomof2
  • Topic Starter
  • Members
  • 8 posts

Posted 20 October 2014 - 11:52 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-10-2014
Ran by Sulphur Springs (administrator) on SULPHUR on 20-10-2014 10:06:19
Running from C:\Users\Sulphur Springs\Downloads
Loaded Profile: Sulphur Springs (Available profiles: Sulphur Springs)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(PC Pitstop LLC) C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Windows\Samsung\PanelMgr\SSMMgr.exe
(PC Pitstop LLC) C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Samsung PanelMgr] => C:\Windows\Samsung\PanelMgr\SSMMgr.exe [614400 2009-09-11] ()
HKLM\...\Run: [Info Center] => C:\Program Files\PCPitstop\Info Center\InfoCenter.exe [28792 2013-12-26] (PC Pitstop LLC)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-12-16] (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x633F10426FE1CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKCU - {20E9D1E2-95AA-444C-B392-2AE1828F5E17} URL = http://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20131044,19890,0,8,0
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{633AEBE8-2266-43A0-B446-D69E8AB79336}: [NameServer] 5.135.12.56,199.203.35.78

FireFox:
========
FF ProfilePath: C:\Users\Sulphur Springs\AppData\Roaming\Mozilla\Firefox\Profiles\zaqipbq6.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\Sulphur Springs\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: Better Experience - C:\Users\Sulphur Springs\AppData\Roaming\Mozilla\Firefox\Profiles\zaqipbq6.default\Extensions\support@betterxperience.com [2014-02-10]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 PCPitstop Scheduling; C:\Program Files\PCPitstop\PCPitstopScheduleService.exe [86632 2014-04-28] (PC Pitstop LLC)
S3 RDMSOService; C:\Windows\System32\RDMSOService.exe [128448 2010-10-01] (RDM Corporation)
S3 XCSecurity; C:\ProgramData\CAM Commerce Solutions\X-Charge\Application\XCSecurityService.exe [2084352 2013-10-17] () [File not signed]
S3 XCService; C:\ProgramData\CAM Commerce Solutions\X-Charge\Application\XCService.exe [461824 2013-10-17] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [38400 2009-03-02] (Samsung Electronics Co., Ltd.) [File not signed]
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-10-20] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-10-01] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2009-03-02] (Samsung Electronics) [File not signed]

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys D0B388DA1D111A34366E04EB4A5DD156
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\djsvs.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D320BF87125326F996D4904FE24300FC
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 46387FB17B086D16DEA267D5BE23A2F2
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bxvbdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60x.sys 37C0FDC2B0C7B285910695194BF39826
C:\Windows\system32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\cdrom.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys 85449EEBE8F8EBD6481EFBF0F352B4EB
C:\Windows\system32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\system32\Drivers\DgiVecp.sys 7F19DBA1A467B838CCB23124A2C55568
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys 3583A5A8CC2E682BFFBD4630D0FEC08B
C:\Windows\system32\DRIVERS\evbdx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\system32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\system32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\system32\Drivers\Fs_Rec.sys 7DAE5EBCC80E45D3253F4923DC424D05
C:\Windows\System32\DRIVERS\fvevol.sys E306A24D9694C724FA2491278BF50FDB
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\System32\drivers\gfiark.sys FE4D369172AC1CC19C876BDB5BDC31A3
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys 5CD5F9A5444E6CDCB0AC89BD62D8B76E
C:\Windows\System32\DRIVERS\igdkmd32.sys 9467514EA189475A6E7FDC5D7BDE9D3F
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys EB34CE31FABD4DC4343FD2AD16D2CAF9
C:\Windows\system32\drivers\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 4120DA10AA42A9996F4575DB9E3E6E6E
C:\Windows\System32\Drivers\ksecpkg.sys D3964885F0A11ACF51DA3AAA776973B2
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mbam.sys D2DED3C333A5D9CB3F4C244B0F0DD877
C:\Windows\system32\drivers\MBAMSwissArmy.sys 8E2E9CCD873ABF180F48BCAEEEBE347D
C:\Windows\system32\drivers\mwac.sys 7A6526C8BD114DB7CA8930AB22D52A0B
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\system32\drivers\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\MpFilter.sys 6460D4A5C981567E74A7AC1349DE10F5
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys 21F4B24ACFC79A483515BD986DD9043F
C:\Windows\System32\DRIVERS\mrxsmb.sys 5D16C921E3671636C0EBA3BBAAC5FD25
C:\Windows\System32\DRIVERS\mrxsmb10.sys 6D17A4791ACA19328C685D256349FEFC
C:\Windows\System32\DRIVERS\mrxsmb20.sys B81F204D146000BE76651A50670A5E9E
C:\Windows\system32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\system32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\system32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys 8C9C922D71F1CD4DEF73F186416B7896
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\system32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\NisDrvWFP.sys 6A83B8AF342E61DEE353BAA81F67B7DA
C:\Windows\system32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\system32\Drivers\Ntfs.sys C8DFF8D07755A66C7A4A738930F0FEAC
C:\Windows\system32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys B3E25EE28883877076E0E1FF877D02E0
C:\Windows\system32\drivers\nvstor.sys 4380E59A170D88C4F1022EFF6719A8A4
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys 3F34A1B4C5F6475F320C275E63AFCE9B
C:\Windows\System32\DRIVERS\parvdm.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\system32\Drivers\RDPWD.sys F031683E6D1FEA157ABB2FF260B51E61
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\system32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\drivers\smwdm.sys C80B84E4843B33DA56A806E1A1275BA0
C:\Windows\system32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys E4C2764065D66EA1D2D3EBC28FE99C46
C:\Windows\System32\DRIVERS\srv2.sys 03F0545BD8D4C77FA0AE1CEEDFCC71AB
C:\Windows\System32\DRIVERS\srvnet.sys BE6BD660CAA6F291AE06A718A4FA8ABC
C:\Windows\system32\Drivers\SSPORT.sys EF3458337D7341A05169CEFC73709264
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys 5579DD18546999F5D0EC39D018726C6B
C:\Windows\System32\DRIVERS\tcpip.sys 5579DD18546999F5D0EC39D018726C6B
C:\Windows\System32\drivers\tcpipreg.sys 3EEBD3BD93DA46A26E89893C7AB2FF3B
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 2C2C5AFE7EE4F620D69C23C0617651A8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys B37B08F2E5EEB1A37E448E09BACE1101
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys 0803FBA9FE829D61AE26EC0BCC910C46
C:\Windows\system32\drivers\usbcir.sys 2352AB5F9F8F097BF9D41D5A4718A041
C:\Windows\System32\DRIVERS\usbehci.sys D40855F89B69305140BBD7E9A3BA2DA6
C:\Windows\System32\DRIVERS\usbhub.sys EDF2DF71C4F1E13A6AC75F5224DE655A
C:\Windows\system32\drivers\usbohci.sys 9828C8D14CC2676421778F0DE638CF97
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS F991AB9CC6B908DB552166768176896A
C:\Windows\System32\DRIVERS\usbuhci.sys 800AABFD625EEFF899F7E5496BDE37AB
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\viac7.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vwifibus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys 25944D2CC49E0A6C581D02A74B7D6645
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys 06E6F32C8D0A3F66D956F57B43A2E070
C:\Windows\System32\DRIVERS\WUDFRd.sys 867C301E8B790040AE9CF6486E8041DF

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-20 10:06 - 2014-10-20 10:07 - 00022368 ____C () C:\Users\Sulphur Springs\Downloads\FRST.txt
2014-10-20 10:05 - 2014-10-20 10:06 - 00000000 ___DC () C:\FRST
2014-10-20 10:05 - 2014-10-20 10:05 - 01102848 ____C (Farbar) C:\Users\Sulphur Springs\Downloads\FRST.exe
2014-10-20 10:02 - 2014-10-20 10:02 - 00003282 ____C () C:\Users\Sulphur Springs\Desktop\AdwCleaner[S0].txt
2014-10-20 09:54 - 2014-10-20 10:00 - 00000000 ___DC () C:\AdwCleaner
2014-10-20 09:53 - 2014-10-20 09:53 - 01976320 ____C () C:\Users\Sulphur Springs\Downloads\adwcleaner_4.000.exe
2014-10-20 09:27 - 2014-10-20 10:01 - 00114904 ____C (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-20 09:27 - 2014-10-20 09:27 - 00001060 ____C () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-20 09:27 - 2014-10-20 09:27 - 00000000 ___DC () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-20 09:27 - 2014-10-01 11:11 - 00075480 ____C (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-20 09:27 - 2014-10-01 11:11 - 00051928 ____C (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-20 09:27 - 2014-10-01 11:11 - 00023256 ____C (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-20 09:26 - 2014-10-20 09:27 - 00000000 ___DC () C:\Program Files\Malwarebytes Anti-Malware
2014-10-20 09:26 - 2014-10-20 09:26 - 00000000 ___DC () C:\ProgramData\Malwarebytes
2014-10-20 09:25 - 2014-10-20 09:26 - 19828376 ____C (Malwarebytes Corporation ) C:\Users\Sulphur Springs\Downloads\mbam-setup-2.0.3.1025.exe
2014-10-06 15:43 - 2014-10-06 15:43 - 00011810 ____C () C:\Users\Sulphur Springs\Desktop\dds.txt
2014-10-06 15:43 - 2014-10-06 15:43 - 00006606 ____C () C:\Users\Sulphur Springs\Desktop\attach.txt
2014-10-06 15:40 - 2014-10-06 15:40 - 00688992 ___RC (Swearware) C:\Users\Sulphur Springs\Downloads\dds.com
2014-10-06 14:55 - 2014-10-06 14:55 - 00000000 ___DC () C:\Users\Sulphur Springs\AppData\Local\CrashDumps
2014-10-06 14:13 - 2014-10-06 14:13 - 00001117 ____C () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-10-06 14:13 - 2014-10-06 14:13 - 00001105 ____C () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-10-06 14:13 - 2014-10-06 14:13 - 00000000 ___DC () C:\Program Files\Mozilla Maintenance Service
2014-10-06 10:06 - 2014-10-06 10:06 - 00000000 ___DC () C:\Windows\system32\appmgmt
2014-10-06 10:01 - 2014-10-20 10:01 - 00001376 ____C () C:\Windows\Tasks\YDFYD.job
2014-10-06 10:01 - 2014-10-20 10:01 - 00001376 ____C () C:\Windows\Tasks\HTKBY.job
2014-10-06 09:59 - 2014-10-06 09:59 - 00000000 ___DC () C:\Users\Sulphur Springs\AppData\Local\com
2014-10-06 09:58 - 2014-10-06 10:04 - 00000000 __HDC () C:\Users\Public\Temp
2014-10-06 09:10 - 2014-10-06 13:42 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-06 09:09 - 2014-10-06 13:42 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-22 14:56 - 2014-09-22 17:37 - 00000486 ____C () C:\ResultFile.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-20 10:06 - 2013-10-29 19:31 - 01330869 ____C () C:\Windows\WindowsUpdate.log
2014-10-20 10:01 - 2013-10-31 11:25 - 00122344 ____C () C:\Windows\PFRO.log
2014-10-20 10:01 - 2009-07-13 23:53 - 00000006 ___HC () C:\Windows\Tasks\SA.DAT
2014-10-20 10:01 - 2009-07-13 23:39 - 00027467 ____C () C:\Windows\setupact.log
2014-10-20 09:53 - 2009-07-13 23:34 - 00026336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-20 09:53 - 2009-07-13 23:34 - 00026336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-20 09:51 - 2009-07-13 21:37 - 00000000 ___DC () C:\Windows\Microsoft.NET
2014-10-20 09:47 - 2013-11-04 15:16 - 00000830 ____C () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-20 09:45 - 2009-07-13 21:37 - 00000000 ___DC () C:\Windows\Web
2014-10-20 08:58 - 2014-07-21 11:21 - 00000000 ___DC () C:\ProgramData\PCPitstop
2014-10-06 14:13 - 2013-12-30 11:18 - 00000000 ___DC () C:\Program Files\Mozilla Firefox
2014-10-06 14:05 - 2013-11-04 15:16 - 00701104 ____C (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-06 14:05 - 2013-11-04 15:16 - 00071344 ____C (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-06 14:05 - 2013-11-04 15:03 - 00000000 ___DC () C:\Users\Sulphur Springs\AppData\Local\Adobe
2014-10-06 12:34 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-10-06 09:58 - 2009-07-13 21:37 - 00000000 __RDC () C:\Users\Public
2014-09-22 17:38 - 2013-10-31 12:42 - 00000000 ___DC () C:\Program Files\Diamond Dental Software
2014-09-22 15:20 - 2013-11-04 15:05 - 00002441 ____C () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-22 15:20 - 2013-11-04 15:05 - 00000000 ___DC () C:\Program Files\Common Files\Adobe
2014-09-22 01:41 - 2013-10-29 20:29 - 00231568 ____C (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

Some content of TEMP:
====================
C:\Users\Sulphur Springs\AppData\Local\Temp\Quarantine.exe
C:\Users\Sulphur Springs\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {3d2de609-4102-11e3-b772-8c17c9345895}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {3d2de60b-4102-11e3-b772-8c17c9345895}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {3d2de609-4102-11e3-b772-8c17c9345895}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {3d2de60b-4102-11e3-b772-8c17c9345895}
device                  ramdisk=[C:]\Recovery\3d2de60b-4102-11e3-b772-8c17c9345895\Winre.wim,{3d2de60c-4102-11e3-b772-8c17c9345895}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\3d2de60b-4102-11e3-b772-8c17c9345895\Winre.wim,{3d2de60c-4102-11e3-b772-8c17c9345895}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {3d2de609-4102-11e3-b772-8c17c9345895}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

Windows Legacy OS Loader
------------------------
identifier              {ntldr}
device                  partition=C:
path                    \ntldr
description             Earlier Version of Windows

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {3d2de60c-4102-11e3-b772-8c17c9345895}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\3d2de60b-4102-11e3-b772-8c17c9345895\boot.sdi



LastRegBack: 2014-10-06 12:27

==================== End Of Log ============================


Attached File: Addition_20-10-2014_10-09-28.txt (19.14KB)



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:31 AM

Posted 20 October 2014 - 12:46 PM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
Task: {3C99EC7A-1989-4CBB-A62E-BE29FD807C4B} - System32\Tasks\HTKBY => C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe <==== ATTENTION
Task: {D1F48648-47A7-420F-AC14-01AEF0FBDC6D} - System32\Tasks\YDFYD => C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe <==== ATTENTION
Task: C:\Windows\Tasks\HTKBY.job => C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe <==== ATTENTION
Task: C:\Windows\Tasks\YDFYD.job => C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys => ""="Driver" <==== ATTENTION
C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe
C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe
C:\Windows\Tasks\HTKBY.job
C:\Windows\Tasks\YDFYD.job

End
Save the file as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?
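
A read-only triage script for the two persistence mechanisms this fixlist removes (scheduled tasks that launch a binary out of AppData\Roaming, and SafeBoot\Minimal / SafeBoot\Network entries that keep a driver loading in Safe Mode), added here as an example; it is not part of the thread, of FRST or of nasdaq's instructions. It assumes an English Windows install (the schtasks column names "Task To Run" and "Run As User" are localized), an elevated PowerShell prompt, and that the path patterns listed at the top are what counts as suspicious; those patterns are my choice, not something the log establishes.

```powershell
# Added example, not code from the thread, from FRST or from nasdaq.
# Read-only triage of the two persistence mechanisms the fixlist removes:
#   1. Scheduled tasks whose action runs something from a user-writable
#      profile path (the HTKBY/YDFYD tasks pointed into AppData\Roaming).
#   2. SafeBoot\Minimal and SafeBoot\Network entries, which keep a driver or
#      service loading even in Safe Mode (the fixlist removed pcwatch.sys there).
# schtasks.exe is used instead of Get-ScheduledTask so this also runs on the
# Windows 7 / PowerShell 2.0 machine in the log. Run from an elevated prompt.

# Assumption: these profile locations are where droppers park their payloads.
$SuspiciousPathPatterns = @(
    '\\AppData\\Roaming\\',
    '\\AppData\\Local\\Temp\\',
    '\\Users\\Public\\'
)

function Get-ExecutableFromCommand {
    # Pull the executable out of a Task Scheduler "Task To Run" string.
    # Handles "quoted paths" and the unquoted-path-with-spaces case seen in
    # this log (C:\Users\Sulphur Springs\...) by cutting at the first known
    # executable extension rather than at the first space.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    if ($cl -imatch '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|wsf|ps1|dll))(\s|$)') {
        return $Matches[1]
    }
    return ($cl -split '\s+')[0]
}

function Get-SuspiciousScheduledTasks {
    # /v emits one CSV row per task (repeated per trigger) and repeats the
    # header line for every task folder, so header rows show up as data rows
    # whose TaskName is literally "TaskName"; skip those and de-duplicate.
    $rows = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
    $seen = @{}
    foreach ($row in $rows) {
        $cmd = $row.'Task To Run'
        if (-not $cmd -or $row.TaskName -eq 'TaskName') { continue }
        $key = "$($row.TaskName)|$cmd"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        foreach ($pattern in $SuspiciousPathPatterns) {
            if ($cmd -imatch $pattern) {
                $exe = Get-ExecutableFromCommand $cmd
                # A task whose target file is already gone (as in the Fixlog
                # later in this thread) is still persistence worth deleting:
                # it fires again the moment a dropper re-creates the file.
                New-Object PSObject -Property @{
                    TaskName   = $row.TaskName
                    RunAsUser  = $row.'Run As User'
                    Command    = $cmd
                    Executable = $exe
                    FileExists = Test-Path -LiteralPath $exe
                }
                break
            }
        }
    }
}

function Get-SafeBootEntries {
    # Each subkey under SafeBoot\Minimal and \Network is a driver file name
    # (default value "Driver"), a service name ("Service") or a device setup
    # class GUID. A "Driver" entry whose .sys is missing from System32\drivers,
    # or a service entry with no matching Services key, is a leftover of
    # something removed (or something that lives elsewhere) and deserves a look.
    foreach ($mode in 'Minimal', 'Network') {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($sub in Get-ChildItem -Path $keyPath) {
            $name   = $sub.PSChildName
            $type   = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            $isGuid = $name -match '^\{[0-9A-Fa-f\-]{36}\}$'
            $backing = $null
            if (-not $isGuid) {
                if ($name -like '*.sys') {
                    $backing = Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\drivers\$name")
                } else {
                    $backing = Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
                }
            }
            New-Object PSObject -Property @{
                Mode          = $mode
                Name          = $name
                Type          = $type
                IsClassGuid   = $isGuid
                BackingExists = $backing
            }
        }
    }
}

# Usage: review both reports, then hand confirmed-bad items to an FRST fixlist.
Get-SuspiciousScheduledTasks | Format-Table TaskName, RunAsUser, FileExists, Executable -AutoSize
Get-SafeBootEntries | Where-Object { $_.BackingExists -eq $false } | Format-Table Mode, Name, Type -AutoSize
```

Both functions only read; nothing is deleted, so the output is a list to compare against a known-good machine of the same Windows build rather than a verdict. A few inbox SafeBoot entries have no file of their own and will show BackingExists = False on a clean host, so the useful signal is an entry that is not present on the reference machine, which is exactly how pcwatch.sys stood out in the log above.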

#9 etexmomof2

etexmomof2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 20 October 2014 - 01:36 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-10-2014
Ran by Sulphur Springs at 2014-10-20 13:35:09 Run:1
Running from C:\Users\Sulphur Springs\Downloads
Loaded Profile: Sulphur Springs (Available profiles: Sulphur Springs)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
Task: {3C99EC7A-1989-4CBB-A62E-BE29FD807C4B} - System32\Tasks\HTKBY => C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe <==== ATTENTION
Task: {D1F48648-47A7-420F-AC14-01AEF0FBDC6D} - System32\Tasks\YDFYD => C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe <==== ATTENTION
Task: C:\Windows\Tasks\HTKBY.job => C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe <==== ATTENTION
Task: C:\Windows\Tasks\YDFYD.job => C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys => ""="Driver" <==== ATTENTION
C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe
C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe
C:\Windows\Tasks\HTKBY.job
C:\Windows\Tasks\YDFYD.job

End
*****************

"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKCU\SOFTWARE\Policies\Google" => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3C99EC7A-1989-4CBB-A62E-BE29FD807C4B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C99EC7A-1989-4CBB-A62E-BE29FD807C4B}" => Key deleted successfully.
C:\Windows\System32\Tasks\HTKBY => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HTKBY" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D1F48648-47A7-420F-AC14-01AEF0FBDC6D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D1F48648-47A7-420F-AC14-01AEF0FBDC6D}" => Key deleted successfully.
C:\Windows\System32\Tasks\YDFYD => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\YDFYD" => Key deleted successfully.
C:\Windows\Tasks\HTKBY.job => Moved successfully.
C:\Windows\Tasks\YDFYD.job => Moved successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys" => Key deleted successfully.
"C:\Users\Sulphur Springs\AppData\Roaming\HTKBY.exe" => File/Directory not found.
"C:\Users\Sulphur Springs\AppData\Roaming\YDFYD.exe" => File/Directory not found.
"C:\Windows\Tasks\HTKBY.job" => File/Directory not found.
"C:\Windows\Tasks\YDFYD.job" => File/Directory not found.

==== End of Fixlog ====



#10 etexmomof2

etexmomof2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 20 October 2014 - 01:52 PM

I am running the Security Check as Administrator but it continues to stick on Performing Health Check. How long should that particular program take?



#11 etexmomof2

etexmomof2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 20 October 2014 - 02:05 PM

Never mind, I finally got it going. Here is the log:

 Results of screen317's Security Check version 0.99.89  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player     15.0.0.152  
 Adobe Reader XI  
 Mozilla Firefox 32.0.3 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````



#12 etexmomof2

etexmomof2
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 20 October 2014 - 02:30 PM

Popups have stopped, but there is a "floating" bar that says dynamic pricer and has different advertisements for similar things that are on the website I'm looking at.  Also, an advertisement on some pages that says: Your App



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:31 AM

Posted 21 October 2014 - 08:58 AM


but there is a "floating" bar that says dynamic pricer and has different advertisements for similar things that are on the website

In what browser(s) is this an issue?

Please run the Farbar tool and post a fresh FRST log.

p.s.
Do not include the MD5 LIST.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:31 AM

Posted 27 October 2014 - 08:39 AM

Are you still with me?

#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:31 AM

Posted 02 November 2014 - 08:40 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



