
Trovi "removed" by tools, but still haunting/redirecting Google Chrome


  • This topic is locked
41 replies to this topic

#1 getmeanadvil

  • Members
  • 24 posts

Posted 07 October 2014 - 11:01 PM

Not sure how, but picked up what originally seemed to be the Trovi hijack virus (that name came up in the address bar when unwanted sites appeared), have tried several tools recommended on the net to remove it (AdwCleaner and Malwarebytes amongst others), but some part of it or another hijacking virus persists, constantly opening new windows with various ads, etc. and slowing down the computer markedly. The problems seem to be concentrated in the search engine we use -- Google Chrome -- though the computer has slowed in all its operations since this insidious bug got a foothold. Am nowhere near competent to ID and remove the information gleaned from HijackThis or other programs that require know-how, so I'm humbly admitting defeat and offering any kind soul with a clue my DDS.txt report below, as instructed.

 

     Help is, of course, much appreciated -- this thing seems alive in there, dodging and morphing as the various tools have tried to kill it. Thanks very much for any instruction you might be able to offer; my family is kind of at a loss now with our common machine becoming progressively more buggy and aggravating. You are kind souls.

 

Mike A. (user name: getmeanadvil)

 

 

Attached Files

  • Attached File  dds.txt   21.65KB   3 downloads



 


#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 October 2014 - 05:36 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi


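Once FRST.txt is posted, the first pass a responder makes over it is mechanical: the lines FRST itself marks with ATTENTION (Chrome policy keys), browser hooks and toolbars that point at No File (leftovers of a half-finished removal), extensions pushed through the Chrome\Extension registry key from a .crx outside the Chrome profile, a static per-interface NameServer that differs from what DHCP handed out, running services with no publisher and no signature, and MountPoints2 autorun mappings. The script below is an added example written for this page; it is not part of FRST, of BleepingComputer's tooling, or of any post in this thread. It runs exactly that triage over FRST-format text. The sample log it carries is constructed to exercise each rule (placeholder GUIDs, paths and documentation-range IP addresses, plus a couple of ordinary Microsoft entries that should not fire), and the function and category names are choices made for this example, not FRST terminology.

```python
"""Triage an FRST.txt log for browser-hijack indicators.

Added example for this thread; not part of FRST or of any post here.
It scans FRST-format text and flags the entry types that matter when a
search/redirect hijack survives the usual cleaners. The sample log at the
bottom is constructed (placeholder GUIDs, paths and documentation-range
IPs) purely to exercise each rule.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Private ranges a home router normally hands out; anything else set statically
# on an interface while DHCP gave a router address deserves a look.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# FRST's own flag for policy/hijack entries it wants the helper to see.
ATTENTION = re.compile(r"<=+\s*ATTENTION")
# Browser hooks whose backing file is gone: leftovers of a partial removal.
ORPHAN = re.compile(r"^(URLSearchHook|BHO(-x32)?|Toolbar|Filter):.*\bNo File\s*$")
# Extension registered via the Chrome\Extension registry key and loaded from a
# .crx outside the Chrome profile: the classic adware sideload path.
SIDELOAD = re.compile(
    r"^CHR HK(LM|CU)[^:]*\\Chrome\\Extension: \[[a-p]{32}\] - (?P<path>.+?\.crx)", re.I)
DHCP_NS = re.compile(r"\[DhcpNameServer\]\s+(?P<servers>[\d.]+(?:[ ,][\d.]+)*)")
IFACE_NS = re.compile(r"Interfaces\\\{[^}]+\}: \[NameServer\]\s+(?P<servers>[\d.]+(?:[ ,][\d.]+)*)")
# Running service with an empty publisher field "()" and no signature.
UNSIGNED_SVC = re.compile(r"^[RSU]\d [^;]+; .*\(\)\s*\[File not signed\]")
# Removable-media autorun mappings kept under MountPoints2.
MOUNTPOINT = re.compile(r"\\MountPoints2: \{[^}]+\} - (?P<target>.+)$")


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def _split_servers(field: str) -> List[str]:
    return [s for s in re.split(r"[ ,]+", field.strip()) if s]


def _is_rfc1918(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def triage_frst(text: str) -> List[Finding]:
    """Return the FRST lines a responder should read first, in log order."""
    findings: List[Finding] = []
    dhcp_servers: Set[str] = set()
    iface_lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ATTENTION.search(line):
            findings.append(Finding("attention", line))
        elif ORPHAN.match(line):
            findings.append(Finding("orphaned-hook", line))
        elif line.startswith("Hosts:") and "not detected" in line:
            findings.append(Finding("hosts-missing", line))
        elif (m := SIDELOAD.match(line)) and "\\Google\\Chrome\\User Data\\" not in m.group("path"):
            findings.append(Finding("sideloaded-extension", line))
        elif UNSIGNED_SVC.match(line):
            findings.append(Finding("unsigned-unattributed-service", line))
        elif MOUNTPOINT.search(line):
            findings.append(Finding("mountpoint-autorun", line))
        elif (m := DHCP_NS.search(line)):
            dhcp_servers.update(_split_servers(m.group("servers")))
        elif IFACE_NS.search(line):
            iface_lines.append(line)
    # DNS is judged after the whole log is read so the DHCP line can appear anywhere.
    for line in iface_lines:
        servers = _split_servers(IFACE_NS.search(line).group("servers"))
        foreign = [s for s in servers if s not in dhcp_servers and not _is_rfc1918(s)]
        if foreign:
            findings.append(Finding(
                "dns-override", f"{line}  (not from DHCP, not RFC1918: {', '.join(foreign)})"))
    return findings


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


# Constructed sample in FRST.txt format; no real host, GUIDs are placeholders.
SAMPLE_FRST = r"""
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKU\S-1-5-21-0-0-0-1001\...\MountPoints2: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} - E:\autorun.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
URLSearchHook: HKCU - (No Name) - {00000000-0000-0000-0000-000000000001} - No File
BHO: Example Helper -> {00000000-0000-0000-0000-000000000002} -> C:\Program Files\Example\helper.dll (Example Corp)
Toolbar: HKCU - No Name - {00000000-0000-0000-0000-000000000003} -  No File
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{11111111-2222-3333-4444-555555555555}: [NameServer] 203.0.113.5,198.51.100.7
CHR Extension: (Gmail) - C:\Users\demo\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-07]
CHR HKLM-x32\...\Chrome\Extension: [abcdefghijklmnopabcdefghijklmnop] - C:\Users\demo\AppData\Local\CRE\abcdefghijklmnopabcdefghijklmnop.crx []
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 UpdaterSvc; C:\Program Files (x86)\Example\UpdaterService.exe [11776 2014-09-30] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R2 VendorSvc; C:\Program Files\Vendor\svc.exe [365568 2011-04-19] (Vendor Inc.) [File not signed]
"""

if __name__ == "__main__":
    hits = triage_frst(SAMPLE_FRST)
    for category, n in sorted(count_by_category(hits).items()):
        print(f"{category}: {n}")
    for f in hits:
        print(f"[{f.category}] {f.line}")
```

Run it as a script to see the constructed sample triaged, or call triage_frst() on a pasted log. A hit is a lead, not a verdict: a per-interface NameServer that differs from DHCP can be a deliberate manual setting, and a vendor service that is unsigned with an empty publisher field is merely unattributed until someone looks at the file. The value of the pass is that it shrinks a 400-line log to the dozen lines a human actually has to reason about before writing a fixlist.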


#3 getmeanadvil
  • Topic Starter

  • Members
  • 24 posts

Posted 09 October 2014 - 08:49 AM

Georgi -



#4 getmeanadvil
  • Topic Starter

  • Members
  • 24 posts

Posted 09 October 2014 - 09:38 AM

Georgi --
Sorry for the previous, blank reply. Thanks very much for your help. My name is Mike, and I'll try to do everything as instructed. Following is the FRST.txt, and will attach the addition. Thanks again for your time and efforts:
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-10-2014 01
Ran by Mike (administrator) on MIKE-HP on 09-10-2014 09:29:50
Running from C:\Users\Mike\Downloads
Loaded Profile: Mike (Available profiles: Mike)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
() C:\Program Files (x86)\FastPlayer\FastPlayerUpdaterService.exe
( ) C:\Windows\System32\lxcgcoms.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Lexmark International, Inc.) C:\Program Files (x86)\Lexmark 2300 Series\lxcgmon.exe
(Microsoft Corporation) C:\Program Files\Zune\ZuneLauncher.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
() C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
() C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Mike\Downloads\FRST64 (3).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [568888 2010-01-18] ()
HKLM\...\Run: [itype] => c:\Program Files\Microsoft IntelliType Pro\itype.exe [2306448 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [LXCGCATS] => rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\LXCGtime.dll,RunDLLEntry (the data entry has 59 more characters).
HKLM\...\Run: [lxcgmon.exe] => C:\Program Files (x86)\Lexmark 2300 Series\lxcgmon.exe [205744 2007-04-29] (Lexmark International, Inc.)
HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [563736 2009-10-14] (PDF Complete Inc)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] => C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe [333088 2010-07-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [37624 2014-07-24] (Panda Security, S.L.)
HKLM\...\Winlogon: [Userinit] C:\Windows\SysWOW64\userinit.exe,
HKU\S-1-5-21-678390975-4166821445-1828532969-1001\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\S-1-5-21-678390975-4166821445-1828532969-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-678390975-4166821445-1828532969-1001\...\Policies\Explorer: [NofolderOptions] 0
HKU\S-1-5-21-678390975-4166821445-1828532969-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-678390975-4166821445-1828532969-1001\...\MountPoints2: {7a8768d0-3893-11e4-ba60-806e6f6e6963} - E:\X650.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
URLSearchHook: HKCU - Default Value = {5e89d89e-4280-65b4-95ac-388697067b31}
URLSearchHook: HKCU - (No Name) - {5e89d89e-4280-65b4-95ac-388697067b31} - No File
StartMenuInternet: IEXPLORE.EXE - C:\program files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKLM - {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKLM - {33C525B2-9EEF-4B6E-A798-424251102CA7} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {35F1BBEB-5557-40DF-BAD0-7339F81257B8} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 - DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 - {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {33C525B2-9EEF-4B6E-A798-424251102CA7} URL = 
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} ->  No File
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{FB267442-5461-4F0C-8C2D-683E1BD16329}: [NameServer] 5.135.12.56,199.203.35.78
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: ZEON/PDF,version=2.0 -> C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll (Zeon Corporation)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\Mike\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @hulu.com/Hulu Desktop -> C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll (Hulu LLC)
 
Chrome: 
=======
CHR Profile: C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-07]
CHR Extension: (Google Docs) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-07]
CHR Extension: (Google Drive) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-07]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-07]
CHR Extension: (YouTube) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-07]
CHR Extension: (Google Search) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-07]
CHR Extension: (Google Sheets) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-07]
CHR Extension: (Google Wallet) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-07]
CHR Extension: (Gmail) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-07]
CHR HKCU\...\Chrome\Extension: [bpfboklmeiefoedekjeigdcnfbpjeaii] - C:\Users\Mike\AppData\Local\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx []
CHR HKCU\...\Chrome\Extension: [lpfoghbhijkkhhhcmhkobldcjhdopdgl] - C:\Users\Mike\AppData\Local\CRE\lpfoghbhijkkhhhcmhkobldcjhdopdgl.crx []
CHR HKLM-x32\...\Chrome\Extension: [bpfboklmeiefoedekjeigdcnfbpjeaii] - C:\Users\Mike\AppData\Local\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx []
CHR HKLM-x32\...\Chrome\Extension: [lpfoghbhijkkhhhcmhkobldcjhdopdgl] - C:\Users\Mike\AppData\Local\CRE\lpfoghbhijkkhhhcmhkobldcjhdopdgl.crx []
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [365568 2011-04-19] (Advanced Micro Devices, Inc.) [File not signed]
R2 FastPlayerUpdaterService; C:\Program Files (x86)\FastPlayer\FastPlayerUpdaterService.exe [11776 2014-09-30] () [File not signed]
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-10-06] (SurfRight B.V.)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
S3 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-05-19] (Hewlett-Packard Company) [File not signed]
R2 lxcg_device; C:\Windows\system32\lxcgcoms.exe [566704 2007-04-29] ( )
R2 lxcg_device; C:\Windows\SysWOW64\lxcgcoms.exe [566704 2007-04-29] ( )
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [141560 2014-07-24] (Panda Security, S.L.)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [61688 2014-07-23] (Panda Security, S.L.)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [635416 2009-10-14] (PDF Complete Inc)
R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2014-07-24] (Panda Security, S.L.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WDDMService; C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [288256 2010-11-08] (WDC) [File not signed]
R2 WDFME; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [1060352 2010-11-08] () [File not signed]
R2 WDSC; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [485376 2010-11-08] () [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 CpqDfw; C:\Windows\System32\drivers\CpqDfw.sys [27456 2012-05-29] (Windows ® Codename Longhorn DDK provider)
S3 cqcpu; C:\Windows\System32\drivers\cqcpu.sys [24376 2010-04-27] ()
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2014-10-09] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [96800 2014-06-04] (Panda Security, S.L.)
R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [162336 2014-06-18] (Panda Security, S.L.)
R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [112160 2014-06-04] (Panda Security, S.L.)
R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [115232 2014-06-04] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\System32\DRIVERS\NNSNAHSL.sys [46336 2014-01-16] (Panda Security, S.L.)
R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [95776 2014-06-04] (Panda Security, S.L.)
R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [70176 2014-06-04] (Panda Security, S.L.)
R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [125984 2014-06-04] (Panda Security, S.L.)
R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [306720 2014-06-04] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [169504 2014-06-04] (Panda Security, S.L.)
R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [115744 2014-06-04] (Panda Security, S.L.)
R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [261152 2014-06-04] (Panda Security, S.L.)
R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [109088 2014-06-04] (Panda Security, S.L.)
R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [160800 2014-07-24] (Panda Security, S.L.)
R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [120352 2014-07-24] (Panda Security, S.L.)
R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [195616 2014-07-24] (Panda Security, S.L.)
R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [122400 2014-07-24] (Panda Security, S.L.)
R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [132128 2014-07-24] (Panda Security, S.L.)
R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [106016 2014-07-24] (Panda Security, S.L.)
R3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [60400 2014-03-25] (Panda Security, S.L.)
S3 PSMNBUS; C:\Windows\System32\DRIVERS\PSMNBUS.sys [102784 2011-10-07] (DEVGURU Co., LTD.)
S3 PSMNMDM; C:\Windows\System32\DRIVERS\PSMNMDM.sys [183680 2011-10-07] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PSMNMDMVSP; C:\Windows\System32\DRIVERS\PSMNMDMVSP.sys [183808 2011-10-07] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PSMNMSMVSP; C:\Windows\System32\DRIVERS\PSMNMSMVSP.sys [183808 2011-10-07] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-08-02] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2014-10-08] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-09 09:29 - 2014-10-09 09:31 - 00020631 _____ () C:\Users\Mike\Downloads\FRST.txt
2014-10-09 09:29 - 2014-10-09 09:29 - 00000000 ____D () C:\FRST
2014-10-09 09:28 - 2014-10-09 09:28 - 02109952 _____ (Farbar) C:\Users\Mike\Downloads\FRST64 (3).exe
2014-10-09 09:19 - 2014-10-09 09:19 - 02109952 _____ (Farbar) C:\Users\Mike\Downloads\FRST64 (2).exe
2014-10-09 09:07 - 2014-10-09 09:07 - 00000056 _____ () C:\Windows\setupact.log
2014-10-09 09:07 - 2014-10-09 09:07 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-09 02:11 - 2014-10-09 02:11 - 01375089 _____ () C:\Users\Mike\Downloads\AdwCleaner.exe
2014-10-09 01:43 - 2014-10-09 01:44 - 01923216 _____ (Bandoo Media Inc) C:\Users\Mike\Downloads\iLividSetup-r157-n-bc.exe
2014-10-08 22:24 - 2014-03-25 09:15 - 00060400 _____ (Panda Security, S.L.) C:\Windows\system32\Drivers\PSKMAD.sys
2014-10-08 21:50 - 2014-10-08 21:50 - 02109952 _____ (Farbar) C:\Users\Mike\Downloads\FRST64 (1).exe
2014-10-08 21:42 - 2014-10-08 21:42 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Mike\Downloads\rkill (3).exe
2014-10-08 21:41 - 2014-10-08 21:41 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Mike\Downloads\rkill (2).exe
2014-10-08 21:39 - 2014-10-08 21:40 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Mike\Downloads\rkill (1).exe
2014-10-08 21:39 - 2014-10-08 21:39 - 02109952 _____ (Farbar) C:\Users\Mike\Downloads\FRST64.exe
2014-10-08 19:04 - 2014-10-08 19:05 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Mike\Downloads\tdsskiller.exe
2014-10-08 10:45 - 2014-10-08 10:45 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-08 10:45 - 2014-10-08 10:45 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-08 10:44 - 2014-10-08 10:44 - 18482776 _____ () C:\Users\Mike\Downloads\RogueKillerX64.exe
2014-10-07 23:28 - 2014-10-07 23:28 - 00688992 ____R (Swearware) C:\Users\Mike\Downloads\dds (1).com
2014-10-07 23:23 - 2014-10-07 23:29 - 00022167 _____ () C:\Users\Mike\Desktop\dds.txt
2014-10-07 23:23 - 2014-10-07 23:29 - 00006822 _____ () C:\Users\Mike\Desktop\attach.txt
2014-10-07 23:20 - 2014-10-08 21:41 - 00002040 _____ () C:\Users\Mike\Desktop\Rkill.txt
2014-10-07 23:20 - 2014-10-07 23:20 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Mike\Downloads\rkill.exe
2014-10-07 23:18 - 2014-10-07 23:19 - 00688992 ____R (Swearware) C:\Users\Mike\Downloads\dds.com
2014-10-07 20:58 - 2014-10-07 20:58 - 00388608 _____ (Trend Micro Inc.) C:\Users\Mike\Downloads\HijackThis (2).exe
2014-10-07 19:38 - 2014-10-07 19:38 - 00000000 ____D () C:\Windows\system32\log
2014-10-07 19:36 - 2014-10-07 19:36 - 00896584 _____ (Elex do Brasil Participações Ltda) C:\Users\Mike\Downloads\yet_another_cleaner_bbs.exe
2014-10-07 18:59 - 2014-10-07 18:59 - 01375089 _____ () C:\Users\Mike\Downloads\adwcleaner-3-311-multi-win.exe
2014-10-07 12:06 - 2014-10-07 12:06 - 00002217 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-07 12:06 - 2014-10-07 12:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-10-07 12:05 - 2014-10-09 09:10 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-07 12:05 - 2014-10-09 09:07 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-07 12:05 - 2014-10-07 12:05 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-07 12:05 - 2014-10-07 12:05 - 00003638 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-07 02:39 - 2014-10-07 02:39 - 00000632 _____ () C:\Users\Mike\Desktop\JRT.txt
2014-10-07 02:33 - 2014-10-07 02:33 - 01705141 _____ (Thisisu) C:\Users\Mike\Downloads\JRT (2).exe
2014-10-07 02:27 - 2014-10-07 02:27 - 00388608 _____ (Trend Micro Inc.) C:\Users\Mike\Downloads\HijackThis (1).exe
2014-10-07 02:24 - 2014-10-07 02:28 - 00011065 _____ () C:\Users\Mike\Downloads\hijackthis.log
2014-10-07 02:24 - 2014-10-07 02:24 - 00388608 _____ (Trend Micro Inc.) C:\Users\Mike\Downloads\HijackThis.exe
2014-10-07 02:17 - 2014-10-07 02:17 - 01375089 _____ () C:\Users\Mike\Downloads\adwcleaner_3.311 (2).exe
2014-10-07 01:50 - 2014-10-07 02:07 - 00290304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\subinacl.exe
2014-10-07 01:50 - 2014-10-07 01:50 - 00710880 _____ () C:\Users\Mike\Downloads\Adware-Removal-Tool-v3.8.exe
2014-10-07 01:50 - 2014-10-07 01:50 - 00000000 ____D () C:\Program Files\Adware-Removal-Tool
2014-10-07 01:48 - 2014-10-07 01:48 - 00753184 _____ () C:\Users\Mike\Downloads\Adware-Removal-Tool-v3.9.1.exe
2014-10-06 23:35 - 2014-10-06 23:35 - 00000000 ____D () C:\Users\Mike\AppData\Roaming\Panda Security
2014-10-06 23:35 - 2014-10-06 23:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Free Antivirus
2014-10-06 23:34 - 2014-10-06 23:35 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2014-10-06 23:31 - 2014-10-06 23:35 - 00000000 ____D () C:\ProgramData\Panda Security
2014-10-06 23:30 - 2014-10-06 23:31 - 01329312 _____ () C:\Users\Mike\Downloads\PANDAFREEAV (1).exe
2014-10-06 23:30 - 2014-10-06 23:30 - 01329312 _____ () C:\Users\Mike\Downloads\PANDAFREEAV.exe
2014-10-06 22:50 - 2014-10-06 22:50 - 00006594 _____ () C:\Windows\system32\.crusader
2014-10-06 22:45 - 2014-10-06 22:45 - 00001895 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
2014-10-06 22:45 - 2014-10-06 22:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-10-06 22:45 - 2014-10-06 22:45 - 00000000 ____D () C:\Program Files\HitmanPro
2014-10-06 22:43 - 2014-10-06 22:51 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-10-06 22:42 - 2014-10-06 22:43 - 11194928 _____ (SurfRight B.V.) C:\Users\Mike\Downloads\HitmanPro_x64.exe
2014-10-06 22:08 - 2014-10-06 22:08 - 01705141 _____ (Thisisu) C:\Users\Mike\Downloads\JRT (1).exe
2014-10-06 22:04 - 2014-10-06 22:05 - 01375089 _____ () C:\Users\Mike\Downloads\adwcleaner_3.311 (1).exe
2014-10-06 21:59 - 2014-10-06 21:59 - 01375089 _____ () C:\Users\Mike\Downloads\adwcleaner_3.311.exe
2014-10-06 20:28 - 2014-10-06 20:28 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_webinstrNew_01009.Wdf
2014-10-06 20:20 - 2014-10-06 20:40 - 00000000 ____D () C:\Users\Mike\AppData\Local\com
2014-10-06 20:19 - 2014-10-06 20:40 - 00000000 ____D () C:\Program Files (x86)\FastPlayer
2014-10-06 19:55 - 2014-10-06 19:56 - 38157960 _____ (Amazon.com) C:\Users\Mike\Downloads\KindleForPC-installer.exe
2014-10-01 07:16 - 2014-09-24 22:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 07:16 - 2014-09-24 21:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-30 23:46 - 2014-09-30 23:46 - 20072448 _____ () C:\Users\Mike\Downloads\Corpse_Mania1_strangle_head_bash.mpg
2014-09-30 23:45 - 2014-09-30 23:45 - 40044544 _____ () C:\Users\Mike\Downloads\A_Candle_for_the_Devil1_fall_body.mpg
2014-09-26 01:17 - 2014-09-26 01:18 - 04901352 _____ (Piriform Ltd) C:\Users\Mike\Downloads\ccsetup417 (1).exe
2014-09-24 07:50 - 2014-09-09 18:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-24 07:50 - 2014-09-09 17:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-13 08:44 - 2014-09-13 08:44 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-09-12 00:17 - 2014-09-12 00:17 - 31766208 _____ (Microsoft Corporation) C:\Users\Mike\Downloads\Windows-KB890830-x64-V5.16 (3).exe
2014-09-11 22:59 - 2014-10-08 22:24 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-11 22:57 - 2014-09-11 22:57 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-11 22:57 - 2014-09-11 22:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-11 22:57 - 2014-09-11 22:57 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-11 22:57 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-11 22:57 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-11 22:57 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-11 22:54 - 2014-09-11 22:54 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Mike\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-11 22:53 - 2014-09-11 22:53 - 01370467 _____ () C:\Users\Mike\Downloads\adwcleaner_3.309 (1).exe
2014-09-11 22:46 - 2014-09-11 22:46 - 00000000 ____D () C:\Windows\ERUNT
2014-09-11 22:45 - 2014-09-11 22:45 - 01016261 _____ (Thisisu) C:\Users\Mike\Downloads\JRT.exe
2014-09-11 22:22 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-09-11 22:21 - 2014-10-09 02:12 - 00000000 ____D () C:\AdwCleaner
2014-09-11 22:20 - 2014-09-11 22:20 - 01370467 _____ () C:\Users\Mike\Downloads\adwcleaner_3.309.exe
2014-09-11 21:50 - 2014-09-11 22:23 - 00000000 ____D () C:\b8c15aa8e65240f229
2014-09-11 21:49 - 2014-09-11 21:49 - 31766208 _____ (Microsoft Corporation) C:\Users\Mike\Downloads\Windows-KB890830-x64-V5.16 (2).exe
2014-09-11 21:30 - 2014-09-11 21:30 - 31766208 _____ (Microsoft Corporation) C:\Users\Mike\Downloads\Windows-KB890830-x64-V5.16 (1).exe
2014-09-10 15:44 - 2014-09-11 22:23 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-09-10 15:42 - 2014-09-10 15:42 - 31766208 _____ (Microsoft Corporation) C:\Users\Mike\Downloads\Windows-KB890830-x64-V5.16.exe
2014-09-10 15:42 - 2014-09-10 15:42 - 00000000 ____D () C:\da7798bd975a4b43c3a703
2014-09-10 13:06 - 2014-08-19 14:05 - 00374968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-10 13:06 - 2014-08-19 13:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-09-10 13:06 - 2014-08-18 19:01 - 23591424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-10 13:06 - 2014-08-18 18:29 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-10 13:06 - 2014-08-18 18:29 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-10 13:06 - 2014-08-18 18:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-09-10 13:06 - 2014-08-18 18:20 - 02793984 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-10 13:06 - 2014-08-18 18:19 - 05833728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-10 13:06 - 2014-08-18 18:15 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-10 13:06 - 2014-08-18 18:15 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-10 13:06 - 2014-08-18 18:14 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-10 13:06 - 2014-08-18 18:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-10 13:06 - 2014-08-18 18:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-09-10 13:06 - 2014-08-18 18:08 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-10 13:06 - 2014-08-18 18:08 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-10 13:06 - 2014-08-18 18:05 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-10 13:06 - 2014-08-18 18:03 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-10 13:06 - 2014-08-18 18:03 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-10 13:06 - 2014-08-18 18:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-10 13:06 - 2014-08-18 17:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-09-10 13:06 - 2014-08-18 17:56 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-10 13:06 - 2014-08-18 17:51 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-10 13:06 - 2014-08-18 17:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-09-10 13:06 - 2014-08-18 17:45 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-10 13:06 - 2014-08-18 17:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-09-10 13:06 - 2014-08-18 17:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-09-10 13:06 - 2014-08-18 17:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-09-10 13:06 - 2014-08-18 17:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-09-10 13:06 - 2014-08-18 17:40 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-10 13:06 - 2014-08-18 17:39 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-10 13:06 - 2014-08-18 17:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-09-10 13:06 - 2014-08-18 17:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-09-10 13:06 - 2014-08-18 17:38 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-10 13:06 - 2014-08-18 17:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-09-10 13:06 - 2014-08-18 17:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-09-10 13:06 - 2014-08-18 17:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-09-10 13:06 - 2014-08-18 17:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-09-10 13:06 - 2014-08-18 17:25 - 00727040 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-10 13:06 - 2014-08-18 17:25 - 00707072 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-10 13:06 - 2014-08-18 17:23 - 02104832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-10 13:06 - 2014-08-18 17:23 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-10 13:06 - 2014-08-18 17:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-10 13:06 - 2014-08-18 17:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-09-10 13:06 - 2014-08-18 17:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-09-10 13:06 - 2014-08-18 17:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-09-10 13:06 - 2014-08-18 17:16 - 13588480 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-10 13:06 - 2014-08-18 17:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-09-10 13:06 - 2014-08-18 17:15 - 02310656 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-10 13:06 - 2014-08-18 17:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-09-10 13:06 - 2014-08-18 17:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-09-10 13:06 - 2014-08-18 17:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-09-10 13:06 - 2014-08-18 16:55 - 01447424 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-10 13:06 - 2014-08-18 16:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-09-10 13:06 - 2014-08-18 16:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-09-10 13:06 - 2014-08-18 16:38 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-10 13:06 - 2014-08-18 16:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-09-10 12:42 - 2014-09-10 12:42 - 00895120 _____ (Google Inc.) C:\Users\Mike\Downloads\ChromeSetup (1).exe
2014-09-10 12:40 - 2014-09-10 12:40 - 00895120 _____ (Google Inc.) C:\Users\Mike\Downloads\ChromeSetup.exe
2014-09-10 12:15 - 2014-09-10 12:15 - 17538048 _____ (Innovative Solutions ) C:\Users\Mike\Downloads\Advanced_Uninstaller11_48_CNet.exe
2014-09-10 11:13 - 2014-09-10 11:13 - 00347816 _____ (Microsoft Corporation) C:\Users\Mike\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.133379119660602.3.2.Run.exe
2014-09-10 10:55 - 2014-09-10 10:55 - 00347816 _____ (Microsoft Corporation) C:\Users\Mike\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.133379119660602.3.1.Run.exe
2014-09-10 10:37 - 2014-10-09 09:12 - 01729634 _____ () C:\Windows\WindowsUpdate.log
2014-09-10 09:55 - 2014-09-10 09:55 - 00000000 __SHD () C:\found.000
2014-09-10 09:18 - 2014-06-26 22:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-09-10 09:18 - 2014-06-26 21:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2014-09-10 09:08 - 2014-10-06 21:40 - 00000000 ___HD () C:\Users\Public\Temp
2014-09-10 09:07 - 2014-09-10 09:07 - 00007378 _____ () C:\file.exe
2014-09-10 09:07 - 2014-08-12 08:38 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-09-10 09:07 - 2014-08-12 08:38 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-09-10 09:07 - 2014-08-12 08:38 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-09-10 09:05 - 2014-09-10 10:39 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2014-09-10 09:05 - 2014-09-10 09:05 - 00000000 ____D () C:\Users\Mike\AppData\Local\CrashRpt
2014-09-10 08:42 - 2014-09-04 22:10 - 00578048 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-10 08:42 - 2014-09-04 22:05 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-09-10 08:42 - 2014-08-01 07:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-09-10 08:42 - 2014-08-01 07:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2014-09-10 08:42 - 2014-07-06 22:06 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-10 08:42 - 2014-07-06 22:06 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-10 08:42 - 2014-07-06 21:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-09-10 08:42 - 2014-07-06 21:40 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-09-10 08:42 - 2014-07-06 21:39 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-09-10 08:42 - 2014-06-23 23:29 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-09-10 08:42 - 2014-06-23 22:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-09-10 08:42 - 2014-05-08 05:32 - 03178496 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-09-10 08:42 - 2014-05-08 05:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2014-09-10 08:42 - 2014-01-08 22:22 - 05694464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-09-10 08:42 - 2014-01-03 18:44 - 06574592 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-09-09 23:46 - 2014-09-09 23:57 - 251927629 _____ () C:\Users\Mike\Downloads\A Company Man (2012)_3 - office massacre.mkv
2014-09-09 22:36 - 2013-10-01 22:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-09-09 22:36 - 2013-10-01 22:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-09-09 22:36 - 2013-10-01 22:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-09-09 22:36 - 2013-10-01 21:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-09-09 22:36 - 2013-10-01 21:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-09-09 22:36 - 2013-10-01 21:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-09-09 22:36 - 2013-10-01 21:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-09-09 22:36 - 2013-10-01 20:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2014-09-09 22:36 - 2013-10-01 20:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2014-09-09 22:36 - 2013-10-01 20:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2014-09-09 22:36 - 2013-10-01 20:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-09-09 22:36 - 2013-10-01 20:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-09-09 22:36 - 2013-10-01 19:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2014-09-09 22:36 - 2013-10-01 19:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-09-09 22:36 - 2013-10-01 19:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll
2014-09-09 22:36 - 2013-10-01 18:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-09-09 22:35 - 2012-08-23 10:13 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2014-09-09 22:35 - 2012-08-23 10:10 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2014-09-09 22:35 - 2012-08-23 07:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll
2014-09-09 22:35 - 2012-08-23 06:51 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-09 09:14 - 2009-07-14 00:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-09 09:14 - 2009-07-14 00:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-09 09:07 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-09 02:18 - 2010-12-31 11:24 - 00000000 ____D () C:\ProgramData\Recovery
2014-10-07 20:59 - 2009-07-14 01:13 - 00786514 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-07 12:06 - 2010-12-27 15:13 - 00000000 ____D () C:\Program Files (x86)\Google
2014-10-07 08:14 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\System
2014-10-07 08:07 - 2011-08-07 15:59 - 00000000 ____D () C:\Users\Mike\AppData\Local\Adobe
2014-10-07 08:05 - 2010-12-27 15:13 - 00000000 ____D () C:\Program Files\Google
2014-10-07 08:01 - 2010-12-27 15:13 - 00000000 ____D () C:\Users\Mike\AppData\Local\Google
2014-10-07 08:01 - 2010-12-27 15:13 - 00000000 ____D () C:\ProgramData\Google
2014-10-07 02:24 - 2010-12-23 18:10 - 00000000 ____D () C:\Users\Mike\AppData\Local\VirtualStore
2014-10-07 02:21 - 2009-07-14 00:45 - 05040568 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-06 23:35 - 2010-12-23 17:46 - 00115920 _____ () C:\Users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-06 22:59 - 2010-12-24 23:07 - 00000000 ____D () C:\Program Files\Lx_cats
2014-10-06 22:30 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system
2014-10-06 21:16 - 2013-06-30 01:03 - 00000000 ____D () C:\ProgramData\Innovative Solutions
2014-10-05 00:33 - 2010-11-23 00:55 - 00000000 ____D () C:\ProgramData\PDFC
2014-10-04 08:40 - 2011-10-23 23:11 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-10-04 08:40 - 2010-12-24 21:45 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-09-26 01:18 - 2011-01-02 22:11 - 00000824 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-09-26 01:18 - 2011-01-02 22:11 - 00000000 ____D () C:\Program Files\CCleaner
2014-09-25 09:00 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-09-24 14:00 - 2012-03-31 10:23 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-24 14:00 - 2011-06-13 07:13 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-23 23:59 - 2014-07-06 15:56 - 00016384 _____ () C:\Users\Mike\Desktop\Volunteer Schedule lastsix2014.xls
2014-09-22 02:42 - 2010-12-23 17:56 - 00278152 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-09-18 10:02 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-09-15 00:29 - 2010-12-25 11:23 - 00000000 ____D () C:\Users\Mike\AppData\Local\CrashDumps
2014-09-11 22:57 - 2011-07-12 18:21 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-11 22:23 - 2011-01-09 11:05 - 00001102 _____ () C:\Users\Mike\Desktop\Internet Explorer.lnk
2014-09-11 22:23 - 2010-12-23 18:10 - 00000989 _____ () C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-09-11 00:14 - 2013-07-27 08:02 - 00000067 _____ () C:\Users\Mike\AppData\Roaming\WB.CFG
2014-09-10 13:05 - 2011-02-21 01:09 - 00778636 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-09-10 13:04 - 2012-05-01 00:51 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-09-10 13:04 - 2011-07-13 00:36 - 00002119 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-09-10 13:04 - 2011-07-13 00:36 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-09-10 13:04 - 2011-02-21 01:09 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-09-10 13:03 - 2013-08-14 23:34 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-10 12:26 - 2013-06-30 23:19 - 00000000 ____D () C:\Program Files (x86)\Java
2014-09-10 10:07 - 2010-11-23 00:59 - 00000000 ____D () C:\ProgramData\Temp
2014-09-10 09:18 - 2014-05-07 00:15 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-09-10 09:10 - 2013-10-25 11:00 - 00000000 ____D () C:\ProgramData\Oracle
2014-09-09 22:40 - 2009-07-13 23:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-09-09 22:37 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-06 10:31
 
==================== End Of Log ============================

Attached Files

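The "Bamital & volsnap Check" section of the FRST log above confirms that a handful of core Windows binaries still carry a valid digital signature, which is the check that rules out a file-infecting hijack of winlogon, explorer, svchost and friends. The block below is an added example, not part of the log or of any tool named in this thread: it repeats that check with the built-in Get-AuthenticodeSignature cmdlet on the same file list, and also records a SHA-256 hash of each file so a later run can show whether any of them changed. It assumes a Windows 10 or later machine with PowerShell 5.1 (needed for Get-FileHash and for catalog-signature awareness) and an elevated prompt; the function name Test-CoreFileSignatures is made up for this example.

```powershell
# Added example (not from the FRST log or this thread): re-verify the Authenticode
# status of the core Windows binaries that FRST's "Bamital & volsnap Check" reports on.
# Assumes PowerShell 5.1+ on Windows 10+ and an elevated prompt.

# Same files FRST checked, written relative to the Windows directory.
$CoreFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CoreFileSignatures {
    # Hypothetical helper name; returns one record per file with its signature
    # status, signer subject, signature type and SHA-256 hash.
    param([string[]] $Files)

    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) {
            # A missing core file is itself a finding worth reporting.
            [pscustomobject]@{ File = $f; Status = 'Missing'; Type = ''; Signer = ''; Sha256 = '' }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $f
        [pscustomobject]@{
            File   = $f
            # Status values of interest: Valid, NotSigned, HashMismatch, UnknownError.
            Status = $sig.Status
            # Most Windows binaries are catalog-signed rather than embedded-signed;
            # SignatureType (Catalog/Authenticode/None) is reported by PS 5.1+.
            Type   = $sig.SignatureType
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256 = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        }
    }
}

$results = Test-CoreFileSignatures -Files $CoreFiles
$results | Format-Table -Property File, Status, Type, Sha256 -AutoSize

# Anything that is not Valid (or whose signer is not Microsoft) deserves a second look.
$suspect = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
if ($suspect) {
    Write-Warning "Core files that did not verify cleanly:"
    $suspect | Format-Table -Property File, Status, Signer -AutoSize
} else {
    Write-Host "All core files are validly signed by Microsoft."
}
```

Two caveats before reading a NotSigned result as tampering: on Windows 7, the version this thread concerns, Get-AuthenticodeSignature does not consult the signing catalogs, so catalog-signed system files show up as NotSigned even when intact; cross-check such a file with `sfc /verifyfile=<path>` or with the Sysinternals sigcheck tool before acting on it. And the SHA-256 column only tells you something when you compare it with a run taken earlier or with the hash of the same file on a known-clean machine of the same patch level, so keep the output of the first run.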

#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:03 PM

Posted 10 October 2014 - 07:14 AM

Hello Mike,

 

 

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Panda Free Antivirus or Microsoft Security Essentials.

 

 

Also go ahead and uninstall PDF Writer Packages as well.

 

 

Do you know what this file is for?

 

C:\file.exe

 

If you don't recognize the file, please delete it immediately and don't try to run it!

 

 

Next please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also please go ahead and reset Internet Explorer, Moziila Firefox and Google Chrome to default:

 

http://support2.microsoft.com/kb/923737

https://support.google.com/chrome/answer/3296214?hl=en

https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

 

Let me know if the problem still persists after the steps above.

 

 

Regards,

Georgi




#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:03 PM

Posted 15 October 2014 - 12:09 PM

Hello,

 

Do you still need assistance?

 

 

Regards,

Georgi




#7 getmeanadvil

getmeanadvil
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 15 October 2014 - 09:59 PM

     Sorry for the delay, Georgi, was out of town. Removed Microsoft Security Essentials and followed other instructions, but couldn't run FRST without first removing Panda. Did so (please see Fixlog.txt attached below), have reinstalled Panda, but am sorry to say I'm still being redirected to different sites. Also did not reset Mozilla Firefox as it doesn't appear to be loaded on the computer.

     Appreciate your efforts thus far, and very happy to try anything else you think might be helpful.

Thanks.

Mike

Attached Files



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:03 PM

Posted 18 October 2014 - 11:31 AM

Hello Mike,

 

No need to apologize. I was out of town for a couple of days as well so I couldn't reply earlier.

 

 

STEP 1

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

STEP 2

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

STEP 3

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 4

 

 

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Wait for the prescan to complete and then press the Scan button.
  • When done press the Report button.
  • Please copy and paste the results in your next reply.

 

 

STEP 5
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
     
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
     
  • Click the Start Scan button.
     
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
     
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 6

 

 

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.
 

  • Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 7

 

 

1. Please download HitmanPro.

  • For 32-bit Operating System.
  • This is the mirror.
  • For 64-bit Operating System.
  • This is the mirror.

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

 

 

STEP 8

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi




#9 getmeanadvil

getmeanadvil
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 19 October 2014 - 05:06 PM

Georgi --

 

     Okay, attached are (I hope) all the logs, etc. as per your latest email. Hope I got them all. Here is the link to pastebin.com with my TDSSKiller log:

 

http://pastebin.com/TGhWQDnk

 

    Sorry, I thought pastebin.com might be a site like bleepingcomputer.com, where folks can get a look at your problem, which is why I wrote the note above the log. The log is all there.

 

    Thanks, Georgi, for all your time and efforts. Happy to hear what you think of all this data, and whatever you might offer for final recommendations.

 

                                                                                                                                           Mike

Attached Files



#10 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 20 October 2014 - 03:19 PM

Hello,

 

Both logs are clean. Do you still experience redirects?

Also, did you set these as a proxy server?

 

Proxy server on this computer (User)
127.0.0.1:49539

 

And here are a few updating tasks for you:

 

Also, your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

  • Download the latest version of Java SE 7.
  • Click the Java SE 7u72 "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-7u72-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java:
     Java™ 7 Update 67
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/Windows 7 users, right click on the jre-7u72-windows-i586.exe and select "Run as an Administrator.")

 

Next please run JavaRa.

  • Please download JavaRa 2.6 and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and, since you already uninstalled Java, skip step 1 and click on the next button.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extensions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's successfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.

 

You can choose between 2 variants:

 

1. If you have applications that require Java to be installed on the computer then uninstall the old version of Java and then run JavaRa to remove all remnants and then go ahead and download & install the latest version of Java (Java SE 8).

 

2. If you want to be on the safe side then go ahead and uninstall the old version of Java, then run JavaRa to remove all remnants and then remove all applications that require Java (time to learn to live without Java and find alternatives to the applications that require Java)... Check this article.

 

It's your call. :)

 

 

Your Adobe Flash Player is out of date!

Older versions may have vulnerabilities that malware can use to infect your system.

 

Please download and install: Adobe Flash Player 15.0.0.189 Final for (Internet Explorer)

Please download and install: Adobe Flash Player 15.0.0.189 Final for (Mozilla Firefox)

 

  • The SecurityCheck log shows that the rest of your critical programs are up to date, but it is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC

 

 
Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

Finally please post a new log from SecurityCheck.

 

 

Regards,

Georgi
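The Java steps above are a manual walk through Control Panel. As an added example (not part of the thread, and not a feature of JavaRa or any other tool mentioned here), the PowerShell script below does the inventory half of that job: it reads both Uninstall hives, lists every registered Java runtime, and flags the ones older than the 7u72 release Georgi names. Two assumptions are made and marked in the code: that Oracle's JRE reports its DisplayVersion as "7.0.720" for 7u72, and that an MSI-installed JRE's registry key name is its product code, which is what msiexec /x accepts. The script file name Find-OldJava.ps1 is also just an assumed name.

```powershell
# Added example, not from the thread: inventory installed Java runtimes and
# flag (optionally remove) the ones older than a chosen release.
# Assumptions: JRE DisplayVersion format "7.0.720" for 7u72; MSI product code
# used as the Uninstall key name. Check both on your own machine first.
param(
    [version]$Current = '7.0.720',   # assumption: how JRE 7u72 reports DisplayVersion
    [switch]$Uninstall               # actually remove outdated entries (needs an elevated prompt)
)

# 64-bit and 32-bit Add/Remove Programs entries live in separate hives.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match "Java 7 Update 67", "Java(TM) 6 Update 45", "J2SE Runtime Environment 5.0", "JRE ...".
$javaEntries = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java(\(TM\)|™)?\s*\d|J2SE|Java Runtime Environment|JRE\b)' } |
    Select-Object DisplayName, DisplayVersion, Publisher, PSChildName, UninstallString

if (-not $javaEntries) { Write-Host 'No Java runtime found in the Uninstall hives.'; return }

foreach ($e in $javaEntries) {
    $ver   = $null
    $isOld = $false
    if ([version]::TryParse($e.DisplayVersion, [ref]$ver)) { $isOld = $ver -lt $Current }
    $status = if ($isOld) { 'OUTDATED' } elseif ($ver) { 'current' } else { 'unknown version' }
    Write-Host ("{0,-45} {1,-12} {2}" -f $e.DisplayName, $e.DisplayVersion, $status)

    if ($isOld -and $Uninstall) {
        if ($e.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
            # Silent MSI removal by product code (assumed to equal the key name).
            Start-Process msiexec.exe -ArgumentList "/x $($e.PSChildName) /qn /norestart" -Wait
        } else {
            Write-Warning "Not an MSI product code; remove manually: $($e.UninstallString)"
        }
    }
}

# After removal, confirm that no java.exe is still reachable on PATH.
$onPath = Get-Command java.exe -ErrorAction SilentlyContinue
if ($onPath) { & $onPath.Source -version 2>&1 | Write-Host } else { Write-Host 'No java.exe on PATH.' }
```

Run it once without switches to see the list (`powershell -ExecutionPolicy Bypass -File .\Find-OldJava.ps1`), then with `-Uninstall` from an elevated prompt to remove what it flagged. The final `java -version` check matters: a runtime that is gone from Add/Remove Programs but still on PATH is exactly the kind of remnant the JavaRa step in the post is there to catch.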




#11 getmeanadvil (Topic Starter, Members, 24 posts)

Posted 20 October 2014 - 08:33 PM

Georgi --

 

Have done everything as per last message, and am sorry to say the computer is still redirecting! Unbelievable, after all we've done, isn't it?

I've attached the JavaRa and Security Check logs, as instructed. I've got no idea what the proxy server is about -- we certainly didn't set anything intentionally. I'd downloaded Hitman earlier, and have noticed that, when it does a quick scan each morning when the computer is first turned on, two seemingly identical proxy entries come up each time (along with FRST 64) -- have included a log of that as well.

I really appreciate all of your efforts, Georgi. Might you have any other ideas, or are we at the end of the line?

Thanks,

Mike

 

 

Attached Files



#12 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 21 October 2014 - 01:26 AM

Hello,

 

  • Please download MiniToolBox.exe by Farbar save it to your desktop and run it.
  • Checkmark all boxes.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

 

Next let's give Combofix a try:

 

  • Now please download Combofix from here.
  • Save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

 

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.

 

 

This should remove the proxy. Also, please let me know whether the redirects occur only in Google Chrome or in every browser.

 

 

Regards,

Georgi
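The proxy entry Georgi asked about in #10 ("Proxy server on this computer (User) 127.0.0.1:49539") and the Combofix run he expects to remove it in this post both concern the same thing: the per-user WinINET proxy values that Internet Explorer and Google Chrome honour (Firefox only does so when set to "Use system proxy settings", which is why the "every browser?" question above is a useful diagnostic). As an added example, not part of the thread and not code from HitmanPro, Combofix or any other tool named here, the PowerShell script below reads those values, warns when the proxy points at the local machine, and shows which process is listening on that port; with `-Clear` it removes the values. The registry path and value names are Windows' standard ones; the script name Check-UserProxy.ps1 is an assumed name, and the port-to-process lookup uses netstat so it works on Windows 7 as well as newer versions.

```powershell
# Added example, not from the thread: report the per-user WinINET proxy
# settings, flag a loopback proxy, find the process behind it, and optionally
# clear the values. Run as the affected user (HKCU is per-user); elevate the
# prompt if you want netstat -ano to show the owning PID for every listener.
param([switch]$Clear)   # -Clear removes the proxy values after reporting them

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

Write-Host "ProxyEnable   : $($p.ProxyEnable)"
Write-Host "ProxyServer   : $($p.ProxyServer)"
Write-Host "ProxyOverride : $($p.ProxyOverride)"
Write-Host "AutoConfigURL : $($p.AutoConfigURL)"   # a PAC script can redirect just as well as ProxyServer

# Machine-wide WinHTTP proxy (used by services and updaters, not by the browsers).
netsh winhttp show proxy

# A legitimate corporate proxy is a remote host. 127.0.0.1 or localhost means a
# process on this PC sits between the browser and the internet.
$loopback = $p.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost):(?<port>\d+)'
if ($p.ProxyEnable -eq 1 -and $loopback) {
    $port = $Matches['port']
    Write-Warning "Loopback proxy enabled on port $port"
    # netstat -ano lines: "TCP  127.0.0.1:49539  0.0.0.0:0  LISTENING  1234"; last field is the PID.
    netstat -ano | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING\s+(\d+)" | ForEach-Object {
        $owner = $_.Matches[0].Groups[1].Value
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $where = if ($proc -and $proc.Path) { $proc.Path } elseif ($proc) { $proc.Name } else { '<not visible; rerun elevated>' }
        Write-Warning ("Listener PID {0}: {1}" -f $owner, $where)
    }
} elseif ($p.ProxyEnable -eq 1) {
    Write-Host "Proxy enabled and points at a remote host: $($p.ProxyServer)"
} else {
    Write-Host 'No proxy enabled for this user.'
}

if ($Clear) {
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Host 'Proxy values cleared. Reboot and rerun this script without -Clear.'
}
```

Run `powershell -ExecutionPolicy Bypass -File .\Check-UserProxy.ps1` first; the listener's image path is the lead worth following, since the proxy value itself is only a symptom. Clearing the values does not remove whatever wrote them: if they are back after a reboot, the component that sets them is still installed, which is the situation the thread describes when HitmanPro kept reporting the same entries.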




#13 getmeanadvil (Topic Starter, Members, 24 posts)

Posted 21 October 2014 - 10:07 AM

Georgi --

 

Downloaded and ran MiniToolBox and Combofix, logs attached, then ran Hitman (which keeps turning up the proxy). Proxy stuff still appears to be on there, no?

#14 getmeanadvil (Topic Starter, Members, 24 posts)

Posted 21 October 2014 - 10:12 AM

Georgi --

 

Downloaded and ran MiniToolBox and Combofix, logs attached, then ran Hitman (which keeps turning up the proxy). Proxy stuff still appears to be on there, no? Have attached that as well.

Sorry - mistakenly hit send without the attachments -- here you go. Boy, this is stubborn. Thanks for being stubborn yourself...

Mike

Attached Files



#15 getmeanadvil (Topic Starter, Members, 24 posts)

Posted 21 October 2014 - 12:08 PM

Georgi --

 

Hey. Great news -- computer is no longer redirecting, and, on the Hitman proxy, I finally noticed the two entries were both "traces" and that I hadn't hit "repair." Did so, and they disappeared as well. Unless you can think of anything else I should be doing, either now or as a preventative, the problem appears to be fixed.

Thanks for your help. Owe you a couple beers...

Mike





