W32.Virut.Gen.D-148 FOUND, Avast compromised, System Restore acting weird.


This topic is locked
16 replies to this topic

#1 Alyab123


Posted 03 November 2014 - 10:45 PM

DDS.txt is pasted after this explanation, which became a bit lengthy. I wanted to give you the order of events that I think are relevant. For reasons I explained, there are two DDS.txt and two Attach.txt files. I apologize if this was unnecessary. The first reports are renamed with a "1". The contents were not touched. The updated reports were not changed at all.
 
I am using Windows XP
I was using browsers Firefox or Palemoon, likely most recent versions.
I have NoScript installed on both browsers.
I am currently using chrome for this communication.
I have Avast Free loaded and running on start up (After all other processes; startup was taking too long without this).
I have Online Armor firewall running on start up.
 
I restarted my PC after possibly a week or more of only putting it to sleep.
I recently downloaded a bunch of programs in an attempt to create PDF files.
My version of word is old (97), and can't produce these.
I "checked each program/utility" online for safety issues in a number of places. All showed as Safe according to reports.
All downloads were from the original homepage of said program.
One program was called CutePDF. Another was LibreOffice. LibreOffice installation connected to the web and installed something that Online Armor considered a keylogger. I allowed all things Libre tried to do, because it is a very well known program, which Online Armor did not recognize, for some reason.
Before that I had installed AbleWord V2. I used this program many times. This is the only program that had limited information on safety review sites, because it is relatively new. But those sites that did have information showed it as safe. There's additional programs that I assume will show up on your reports.
 
When I opened my PC (not sure if user with limited or admin privileges), I proceeded to use AbleWord V2, MSword 97, and Adobe Reader repeatedly, as well as other programs. I NEVER open IE8. I think it did in fact open a few times when I tried to open an XPS file. Palemoon tried to update to 25.0.0, but failed. Upon investigation, I concluded that perhaps that is because palemoon is no longer supporting XP.
I proceeded to use Palemoon somewhat, but largely moved to Firefox.
At some point I noticed that Avast was stuck at 3% during a scheduled scan.
When I tried to open Avast, my password did not work. The dots that normally show up as I entered the password were replaced by some other random character.
 
I ran MBAM free and it didn't find anything.
I ran SuperAntispyware free under "user administrator account" and it found two instances of the same adware/tracker pups: 
www.byopfinder.com [ C:\DOCUMENTS AND SETTINGS\BAILA\APPLICATION DATA\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\Z87OT6LW.RESET PALE MOON\COOKIES.SQLITE ] which I deleted.
 
I don't remember how I got Avast GUI to open - maybe in Safe Mode? 
At a certain point, I restarted in safe mode. 
Avast shields - web and file were disabled, and could not be turned on.
Avast now showed to be stuck at 5% of a scan. It did not respond to stop or pause.
I could not shut down Avast except by killing the process in task manager (even in Safe Mode).
If I recall correctly, MBAM scan didn't run correctly - (I don't remember what reason was given)
 
While still in Safe Mode, I ran Emsisoft Emergency Kit scanner.exe 9.0.0.4412 off a flash drive, without updating anything, because I was in Safe Mode, unable to connect to the web. The last previous report is dated October 3. I probably ran it as a routine check-up, which I do occasionally.
It found Value: HKEY_USERS\S-1-5-21-1454471165-1844237615-839522115-1062\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS  detected: Setting.NoFolderOptions (A)
 
It quarantined HKEY_USERS\S-1-5-21-1454471165-1844237615-839522115-1062\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS  but identified it as "no risk".
 
I ran ClamWinPortable.exe off a flash drive, not updated possibly since last May, according to the available log.
ClamAv found and quarantined: C:\System Volume Information\_restore99F1AA40-3620-43B6-A011-AA2B9C4CE24F\RP237\A0052560.dll: W32.Virut.Gen.D-148 FOUND
Many, many files (at least 100) could not be scanned due to "permission denied". A bunch of those (not all) were .js files in "AdwCleaner\backup\C\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\EXAMPLE: Permission denied". At first I started going in and deleting the files that allowed me to. Many said I did not have permission. I definitely did delete some "prefs.js" files. 
 
All virus scans I did were FULL scans. 
 
Before trying anything else, I did a system restore to 3 days ago, before the last 2 installations: cutepdf, and LibreOffice. 
 
Upon restart, I first opened a limited user account, and got no message from the system restore utility. I switched to an admin user account, and a window opened saying it successfully restored to October 31st, and had a link to "details" of some sort. The information in that link said that it had renamed a bunch of files.
Neither Firefox nor Palemoon will start; they both say they "couldn't load 'xpcom'".
Avast Free is no longer locked, but there is a minor quirk in it: The scan history detailed reports window is not responding appropriately to the mouse. I don't know if this has anything to do with the virus.
 
I came to this site, and ran DDS.com. Then I wrote most of the above email, and I went back to System Restore to see which files were "renamed". The link is no longer there. System Restore now shows no record of the restoration it said it had done successfully! The restore operation is not showing up in Ccleaner either. This change obviously happened while I was checking some things to put in this email, since I see that Attach.txt still shows the restoration. But CutePDF and LibreOffice are NO LONGER INSTALLED.
 
I decided to run DDS.com again, and paste and send the files immediately, in case anything changed. The SECOND DDS.txt report is pasted BELOW the first, which is renamed DDS1.txt. I renamed the first Attach.txt to 1Attach.txt. Apparently the second Attach.txt also shows there's a restoration point. But it's not showing in System Restore or Ccleaner.
 
 
 
DDS1.txt  (first time)
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Pessy at 18:34:24 on 2014-11-03
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.858 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* 
.
============== Running Processes ================
.
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Online Armor\oaui.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/
uProxyOverride = <local>
BHO: AutorunsDisabled - <orphaned>
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341524095046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
TCP: NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : DHCPNameServer = 192.168.8.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - c:\program files\online armor\oaevent.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.111\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pessy\application data\mozilla\firefox\profiles\7j8qck4p.default-1401079308601\
FF - prefs.js: browser.search.selectedEngine - Startpage (SSL)
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=22679f1cf5a58cd828e3179705e7b677
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\google\update\1.3.25.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_189.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-6-30 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-6-30 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2014-6-30 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2014-6-30 414520]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2014-5-11 210360]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2014-5-11 44984]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2014-5-11 34856]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2014-5-11 31912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-6-30 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-6-30 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-6-30 50344]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2014-1-24 1715416]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2014-5-11 584864]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2014-5-11 4457688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-1-7 33616]
S4 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-18 13560]
.
=============== Created Last 30 ================
.
2014-11-03 22:37:08 5938 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\Repository
2014-11-03 22:25:40 -------- d-----w- c:\program files\Pale Moon
2014-10-31 19:09:56 -------- d-----w- c:\documents and settings\pessy\application data\LibreOffice
2014-10-31 18:43:34 -------- d-----w- c:\program files\LibreOffice 4
2014-10-31 18:25:21 -------- d-----w- c:\program files\Acro Software
2014-10-31 18:21:09 -------- d-----w- c:\program files\GPLGS
2014-10-28 18:58:59 3756656 ----a-w- c:\program files\mozilla firefox\updated\mozjs.dll
2014-10-28 08:52:44 -------- d-----w- c:\documents and settings\pessy\local settings\application data\AbleWord
2014-10-28 08:52:33 -------- d-----w- c:\documents and settings\pessy\application data\AbleWord
2014-10-28 08:50:59 -------- d-----w- c:\program files\AbleWord
2014-10-28 07:06:59 -------- d-----w- C:\$NtUninstallXPSEP$
2014-10-28 07:06:31 14048 ------w- c:\windows\system32\spmsg2.dll
2014-10-27 23:18:49 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2014-10-22 20:05:40 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 20:05:40 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2014-10-28 19:55:15 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-01 15:11:18 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-03 04:25:30 377920 ----a-w- c:\program files\aswclear.exe
2010-07-28 19:47:44 199544 ----a-w- c:\program files\Tcpvcon.exe
2010-07-08 04:31:22 22951 ----a-w- c:\program files\CIS Clean-up Tool.bat
.
============= FINISH: 18:36:35.50 ===============
 
 
DDS.txt (second time)
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Pessy at 22:13:52 on 2014-11-03
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.878 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* 
.
============== Running Processes ================
.
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Online Armor\oaui.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/
uProxyOverride = <local>
BHO: AutorunsDisabled - <orphaned>
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CCleaner Monitoring] "c:\program files\ccleaner\CCleaner.exe" /MONITOR
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341524095046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
TCP: NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : DHCPNameServer = 192.168.8.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - c:\program files\online armor\oaevent.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.111\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pessy\application data\mozilla\firefox\profiles\7j8qck4p.default-1401079308601\
FF - prefs.js: browser.search.selectedEngine - Startpage (SSL)
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=22679f1cf5a58cd828e3179705e7b677
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\google\update\1.3.25.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_189.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-6-30 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-6-30 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2014-6-30 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2014-6-30 414520]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2014-5-11 210360]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2014-5-11 44984]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2014-5-11 34856]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2014-5-11 31912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-6-30 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-6-30 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-6-30 50344]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2014-1-24 1715416]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2014-5-11 584864]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2014-5-11 4457688]
R3 cleanhlp;cleanhlp;e:\emisoft emergency\bin\cleanhlp32.sys [2014-8-20 50200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-1-7 33616]
S4 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-18 13560]
.
=============== Created Last 30 ================
.
2014-11-03 22:37:08 5938 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\Repository
2014-11-03 22:25:40 -------- d-----w- c:\program files\Pale Moon
2014-10-31 19:09:56 -------- d-----w- c:\documents and settings\pessy\application data\LibreOffice
2014-10-31 18:43:34 -------- d-----w- c:\program files\LibreOffice 4
2014-10-31 18:25:21 -------- d-----w- c:\program files\Acro Software
2014-10-31 18:21:09 -------- d-----w- c:\program files\GPLGS
2014-10-28 18:58:59 3756656 ----a-w- c:\program files\mozilla firefox\updated\mozjs.dll
2014-10-28 08:52:44 -------- d-----w- c:\documents and settings\pessy\local settings\application data\AbleWord
2014-10-28 08:52:33 -------- d-----w- c:\documents and settings\pessy\application data\AbleWord
2014-10-28 08:50:59 -------- d-----w- c:\program files\AbleWord
2014-10-28 07:06:59 -------- d-----w- C:\$NtUninstallXPSEP$
2014-10-28 07:06:31 14048 ------w- c:\windows\system32\spmsg2.dll
2014-10-27 23:18:49 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2014-10-22 20:05:40 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 20:05:40 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2014-10-28 19:55:15 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-01 15:11:18 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-03 04:25:30 377920 ----a-w- c:\program files\aswclear.exe
2010-07-28 19:47:44 199544 ----a-w- c:\program files\Tcpvcon.exe
2010-07-08 04:31:22 22951 ----a-w- c:\program files\CIS Clean-up Tool.bat
.
============= FINISH: 22:16:18.03 ===============
 

Edited by Alyab123, 03 November 2014 - 10:52 PM.
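The post above pastes two DDS runs taken a few hours apart precisely so that anything that changed between them can be spotted; doing that by eye across two 100-line reports is error-prone. The following script is an added example, not part of the post or of the DDS tool: it splits a DDS report into its banner-delimited sections and reports the lines that appear in only one of the two runs, with the running-process list compared as a multiset so an extra copy of a process counts. The two inputs are constructed excerpts of the reports above (the real differences kept, most unchanged lines dropped).

```python
import re
from collections import Counter

# Constructed excerpts of the two DDS reports quoted in the post (first run
# 18:34, second run 22:13 on 2014-11-03), trimmed to the lines that differ
# plus a few that do not, so the script runs offline.
DDS_FIRST = r"""
Run by Pessy at 18:34:24 on 2014-11-03
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
.
============= SERVICES / DRIVERS ===============
.
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-6-30 50344]
.
============= FINISH: 18:36:35.50 ===============
"""

DDS_SECOND = r"""
Run by Pessy at 22:13:52 on 2014-11-03
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CCleaner Monitoring] "c:\program files\ccleaner\CCleaner.exe" /MONITOR
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
.
============= SERVICES / DRIVERS ===============
.
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-6-30 50344]
R3 cleanhlp;cleanhlp;e:\emisoft emergency\bin\cleanhlp32.sys [2014-8-20 50200]
.
============= FINISH: 22:16:18.03 ===============
"""

# "============== Running Processes ================" -> "Running Processes"
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R3 name;display;path [date size]" as printed under SERVICES / DRIVERS
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[(\S+)\s+(\d+)\]$")


def parse_sections(report):
    """Map section title -> Counter of its lines. Counts matter because DDS
    prints one line per process, so a second notepad.exe is a real change.
    Lines before the first banner go under "Header". Comparison is
    case-sensitive; fold case if NOTEPAD.EXE and notepad.exe should match."""
    sections = {"Header": Counter()}
    current = "Header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":        # DDS uses lone dots as spacers
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, Counter())
            continue
        sections[current][line] += 1
    return sections


def diff_reports(first, second, ignore=("FINISH",)):
    """Return {section: (added, removed)}: lines only in the second report
    and lines only in the first, with multiplicity. Sections whose title
    starts with an entry of `ignore` are skipped (FINISH is just a clock)."""
    a, b = parse_sections(first), parse_sections(second)
    result = {}
    for title in sorted(set(a) | set(b)):
        if title.startswith(ignore):
            continue
        old, new = a.get(title, Counter()), b.get(title, Counter())
        added, removed = list((new - old).elements()), list((old - new).elements())
        if added or removed:
            result[title] = (added, removed)
    return result


def parse_service(line):
    """Split a SERVICES / DRIVERS line into fields. The leading code is R
    (running) or S (stopped) plus the Windows start type (0 boot, 1 system,
    2 auto, 3 manual, 4 disabled). Returns None for non-service lines."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, display, path, date, size = m.groups()
    return {"running": state[0] == "R", "start": int(state[1]), "name": name,
            "display": display, "path": path, "date": date, "size": int(size)}


if __name__ == "__main__":
    for title, (added, removed) in diff_reports(DDS_FIRST, DDS_SECOND).items():
        print(title, "+", added, "-", removed)
```

On the excerpts this reports the new CCleaner Monitoring autorun entry, the extra notepad.exe process and the newly loaded cleanhlp driver, which is what a helper would want to check against the user's account of what they ran in between.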



#2 HelpBot


Posted 09 November 2014 - 10:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/554610 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Alyab123


Posted 10 November 2014 - 02:16 AM

I wrote out a comprehensive background in my initial post. 
 
Some additional information: My Dell Dimension 521 came with XP installed. The disk I have is a "re-installation" disk. I believe there is a way (for someone in the know) to use it for a complete re-installation, but that is not the primary option that is presented. The disk triggers a "repair XP" process, not a re-installation. I therefore do not know how/if a particular file would be found.
Of course it is the latest and last update of XP3.
 
Admittedly, waiting for help made me impatient, and I did do some cleaning up. I uninstalled two programs that I don't need: "Should I remove it", and "compatibility pack for Office 2007". I also seem to have downloaded and installed Foxit Reader on Nov 4. I am, in fact, still hoping to find reputable software that I can use to create a PDF that can have formatted text added to it. It seems strange that I would have downloaded and installed a PDF reader while waiting for help from this forum. But this whole thing has been confusing, and perhaps I did intentionally download it. I installed Autoruns, since I am struggling to use Chrome and understand what it is doing. I don't think it is the right browser for my system's capacity.
 
Although my Avast antivirus did start running again after my system restore on Nov 3, system restore does not show the restoration I did. The programs I removed during that restoration are still removed, and the DDS txt files show that a restoration did take place. The system restore interface shows no restoration on Nov 3! Here are screenshots that don't show the restoration?!
 
systemrestorepoints_zps8d599b21.jpg
 
As if nothing even happened on Nov 3, the day I did the restoration, both above in system restore, and below in Cleaner. I have definitely not deleted any restore points manually in either program.
 
Ccleanerrestorepoints_zps7100c580.jpg
 
 
 
At the time, restoration indicated it had "changed names of files" and the names changed seemed odd. Like random individual letters, or two letter combinations replacing files with normal names. After that system restore, firefox stopped working. Before I try to install and re-install firefox, (and PaleMoon) which stopped working after the system restoration, I came here for help. 
 
The number of files that have become unable to be scanned by anti-malware software, due to "permission denied" seems to keep growing, and what I used to think was insignificant is now much more worrisome to me. In avast History/Scan logs GUI, I can no longer see the names of the files that are not being scanned because I accidentally narrowed (with my mouse) the column with this list, and the program no longer allows my mouse to drag the column wider, so I can actually read the list; which is simply strange behavior. The GUI automatically opens after a scan, despite the fact that that option is not ticked in the General Settings options. I wonder if my Virus Protection may be corrupt in some way, and perhaps the quarantined malware is "hiding" in a way that is not detected, and can still infiltrate anything I try to re-install. 
 
My next step would be a system restore to an earlier date, but I really don't know what's going on, so I do not want to do anything else significant, without first checking if my computer is truly clean. The "quarantined virus", was in a system volume information restore point. I don't know if that has affected anything else. 
 
As recommended, I turned off  my virus and firewall software while I created these files, and disconnected my modem. It seems that may have limited some of the information in the reports?? I hope it's ok, but I altered the account user name in the reports for privacy. (I know, I didn't think of that previously)
 
DDS.txt (I hope it's OK that I edited my user account name for privacy, and I altered the IP address that showed up in the attach.txt file for the same reason) I didn't think of this previously.
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by P**** at 23:23:36 on 2014-11-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.392 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Disabled* 
 

============== Running Processes ================
.
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/
uProxyOverride = <local>
BHO: AutorunsDisabled - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341524095046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 208.67.220.220,208.67.222.222
Handler: AutorunsDisabled - <Clsid value has no data>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - c:\program files\online armor\oaevent.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\p****\application data\mozilla\firefox\profiles\7j8qck4p.default-1401079308601\
FF - prefs.js: browser.search.selectedEngine - Startpage (SSL)
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=22679f1cf5a58cd828e3179705e7b677
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\google\update\1.3.25.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_189.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-6-30 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-6-30 206248]
R0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\397B2E2F.sys [2014-11-6 114904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2014-6-30 787800]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2014-6-30 422760]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2014-5-11 210360]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2014-5-11 34856]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2014-5-11 31912]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-6-30 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2014-6-30 70384]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-6-30 50344]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2014-1-24 1715416]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2014-5-11 584864]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2014-5-11 44984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2014-5-11 4457688]
S3 cleanhlp;cleanhlp;e:\emisoft emergency\bin\cleanhlp32.sys [2014-8-20 50200]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
S4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-1-7 33616]
S4 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-18 13560]
S4 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S4 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
.
=============== Created Last 30 ================
.
2014-11-09 08:59:01 -------- d-----w- C:\autoruns
2014-11-06 07:44:44 114904 ----a-w- c:\windows\system32\drivers\397B2E2F.sys
2014-11-05 07:44:55 43152 ----a-w- c:\windows\avastSS.scr
2014-11-04 13:50:13 -------- d-----w- c:\documents and settings\p****\local settings\application data\Foxit Reader
2014-11-04 13:40:14 -------- d-----w- c:\documents and settings\p****\application data\Foxit Software
2014-11-03 22:37:08 5938 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\Repository
2014-11-03 22:25:40 -------- d-----w- c:\program files\Pale Moon
2014-10-31 19:09:56 -------- d-----w- c:\documents and settings\p****\application data\LibreOffice
2014-10-31 18:25:21 -------- d-----w- c:\program files\Acro Software
2014-10-31 18:21:09 -------- d-----w- c:\program files\GPLGS
2014-10-28 18:58:59 3756656 ----a-w- c:\program files\mozilla firefox\updated\mozjs.dll
2014-10-28 08:52:44 -------- d-----w- c:\documents and settings\p****\local settings\application data\AbleWord
2014-10-28 08:52:33 -------- d-----w- c:\documents and settings\p****\application data\AbleWord
2014-10-28 08:50:59 -------- d-----w- c:\program files\AbleWord
2014-10-28 07:06:59 -------- d-----w- C:\$NtUninstallXPSEP$
2014-10-28 07:06:31 14048 ------w- c:\windows\system32\spmsg2.dll
2014-10-27 23:18:49 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2014-10-22 20:05:40 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 20:05:40 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2014-11-06 07:21:14 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-05 07:45:43 787800 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-11-05 07:45:43 70384 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
2014-11-05 07:45:00 206248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-11-05 07:44:59 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-11-05 07:44:59 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-10-01 15:11:18 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-03 04:25:30 377920 ----a-w- c:\program files\aswclear.exe
2010-07-28 19:47:44 199544 ----a-w- c:\program files\Tcpvcon.exe
2010-07-08 04:31:22 22951 ----a-w- c:\program files\CIS Clean-up Tool.bat
.
============= FINISH: 23:24:57.15 ===============

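A worked example, added here by the editor and not part of the thread or of the DDS tool: a small Python triage pass over the SERVICES / DRIVERS and TCP lines of a DDS log like the one above. It flags a driver whose image is missing on disk (`[?]`, as with cleanhlp), one whose image lives off the system drive, one whose file name is eight hex characters (397B2E2F.sys is worth a look, though here it is Malwarebytes' MBAMSwissArmy driver, which the Find3M section shows at the same size as MBAMSwissArmy.sys), and any resolver that is neither RFC 1918 space nor the OpenDNS pair the log shows. The embedded log excerpt is constructed from lines of the same shape as the log; the final 198.51.100.7 resolver line is invented (a documentation address) to exercise the DNS check; the allowlist and the hex-name heuristic are the editor's choices, not anything the thread states.

```python
"""Triage of the SERVICES / DRIVERS and TCP lines of a DDS log (added example)."""
import ipaddress
import re

# Constructed excerpt in DDS format. The first seven lines mirror lines of the
# kind shown in the log above; the last TCP line is invented (198.51.100.7 is a
# documentation address) to stand in for a hijacked resolver.
SAMPLE_DDS = r"""
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-6-30 49944]
R0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\397B2E2F.sys [2014-11-6 114904]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
S3 cleanhlp;cleanhlp;\??\e:\emisoft emergency\bin\cleanhlp32.sys --> e:\emisoft emergency\bin\cleanhlp32.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
TCP: NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 198.51.100.7
"""

# DDS service line: "<R|S><n> <service name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:sys|exe|dll))(?:\s|$)", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"^TCP:.*NameServer = (?P<servers>[\d.,\s]+)$")
HEX_STEM_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

# Allowlist (editor's choice): the OpenDNS pair configured in the log plus RFC 1918 space.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_service(line):
    """Return {state, name, path, missing} for a service/driver line, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")          # DDS prints [?] when the image is not on disk
    if "-->" in rest:                       # "<registry value> --> <resolved path>": keep the resolved one
        rest = rest.split("-->", 1)[1].strip()
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop the trailing "[date size]" or "[?]"
    im = IMAGE_RE.match(rest)               # cut "svchost.exe -k WINRM" down to the image itself
    path = (im.group("path") if im else rest).lower()
    return {"state": m.group("state"), "name": m.group("name"), "path": path, "missing": missing}


def parse_nameservers(line):
    """Return the resolver addresses on a "TCP: ... NameServer = a,b" line, else []."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    return [s.strip() for s in m.group("servers").split(",") if s.strip()]


def resolver_is_expected(addr):
    ip = ipaddress.ip_address(addr)
    return addr in TRUSTED_RESOLVERS or any(ip in net for net in RFC1918)


def triage(dds_text):
    """Return (service or 'dns', reason, value) tuples worth a second look."""
    findings = []
    for line in dds_text.splitlines():
        svc = parse_service(line)
        if svc:
            stem = svc["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if svc["missing"]:
                findings.append((svc["name"], "image file not found on disk", svc["path"]))
            if not svc["path"].startswith("c:\\"):
                findings.append((svc["name"], "image outside system drive", svc["path"]))
            if HEX_STEM_RE.match(stem):     # random-looking name; benign for MBAMSwissArmy, verify any other
                findings.append((svc["name"], "random-looking image name", svc["path"]))
            continue
        for server in parse_nameservers(line):
            if not resolver_is_expected(server):
                findings.append(("dns", "resolver not in allowlist", server))
    return findings


if __name__ == "__main__":
    for name, reason, value in triage(SAMPLE_DDS):
        print(f"{name:14} {reason:30} {value}")
```

Run as a script it prints the findings for the embedded excerpt; pass the text of a full DDS.txt to `triage()` to work a real log. A hit is a prompt to verify the file (publisher, hash, a VirusTotal lookup), not a verdict: the hex-named driver here is legitimate, and the missing cleanhlp image is simply a scanner that was run from a drive that is no longer plugged in.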
#4 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 November 2014 - 01:29 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

What are the present issues with this computer?

Wait for further instructions.

#5 Alyab123
  • Topic Starter
  • Members
  • 71 posts
  • Gender:Male

Posted 14 November 2014 - 03:02 AM

Hello Nasdaq, and thank you for helping me.

I downloaded AdwCleaner and ran the scan. There were two "extensions" for Chrome, one for each of the two user accounts I've been using, with long multi-lettered and numbered names under "folders". Under registry, there were about 5 entries, none of which I understood. No txt report opened... but I didn't realize this. I went ahead and hit clean. The indicator got stuck about a tenth or less of the way across; it was stuck at the "removing folders" stage. I thought it may take longer to work, so I left, and came back in 45 minutes. The indicator had not moved. Everything was frozen. I noticed my Online Armor was closed. (That may have been because I accidentally hit something when I was clicking the mouse around the frozen screen to see if anything wasn't frozen.) I had to do a "hard" shut down, and here I am. Some of the icons on my screen were moved into the "align to grid" set-up, but not all. I don't remember setting "align to grid". But that is not something I can say 100%. There is no log file for AdwCleaner in C:\. I did not run AdwCleaner again, so I don't know if anything was actually cleaned.

Now I have some admissions to make.

I felt something was still wrong with my PC, but I was still using it, because I really needed to... mostly to keep checking BleepingComputer for a response from a live person! I used some forums, because I needed help with Chrome, which I had never used before. I went to an Avast forum, because my Avast had updated itself, and I wasn't sure if the new GUI was valid. I described it, and I was told the change I described was valid. I started using an alternate email address to stay in touch with people that I needed immediately, since I do not want to reveal my Google password while on this computer. I changed the password on my mother's PC, and opened up some alternate random email accounts. I accessed Chrome forums, because I am now stuck with Chrome, which is completely unfamiliar to me, and made some changes, added some extensions, and followed some other bits of advice. I couldn't access Google's own Chrome help forum, because it requires me to "sign in", which I am not doing. I found myself reverting to accessing a few blogs that I frequent as well. I needed to create and edit some documents, so I used doc, pdf, and jpg creating software on my PC. The wait was becoming a problem. I have another PC with Windows 7 waiting for me, but I need to clean this one out in order to transfer important files. I don't have enough electrical outlets to keep both set up at the same time. Besides, I only have one monitor, and I'd have to plug it in to the PCs back and forth - and I guess the modem too, which is ridiculous.

Finally, LAST NIGHT (Nov 12), less than 18 hours before you posted your response... with lots of misgivings, I finally decided to approach MajorGeeks for help. I figured I would accept help from whomever responded sooner with a live person, and let the other site know that I was getting help elsewhere. I checked constantly if I had a response here at BleepingComputer, but I still did not. I read all their instructions, and the "prep" included running Malwarebytes, which I have on my PC and often run anyway. I figured that was innocuous. It found nothing. I realized that I would not even be able to properly explain, 10 days later, what problems my PC has. At that point, I was not 100% sure there was anything wrong with my PC any more. Avast was running on schedule, and not finding anything, besides having "no permission" to scan a host of files - which perhaps I was using, since I was running Chrome while Avast was running. SUPERAntiSpyware found a few PUPs, and I deleted them. I ran CCleaner on both user accounts that have been active, to possibly give Chrome a boost - which probably was not the best idea if I thought I might still have an infection. Firefox and Pale Moon still don't open, but it's possible that I just need to re-install them. Chrome is not working well on my PC. I did not proceed with any other preparations at MajorGeeks. I never even started a thread there.

Instead, I ran ClamWinPortable.exe off my flash drive again, which is the program that originally named and quarantined the virus back when I first posted here. ClamWinPortable insisted on updating, but it couldn't, so I ran it the way it was. I started out in a limited user account. It occurred to me to switch to an administrator account. I think I stopped the scan, switched, and tried again. It updated, and I ended up with a second instance of ClamWinPortable.exe, in a ClamWinPortable folder, nested in the original ClamWinPortable folder where the program I had used first resided. I proceeded to run the scan with the new download. Avast alerted me to suspicious activity a few times, all based in ClamAV. I created exclusions, assuming that the two anti-viruses were counteracting each other. Despite the exclusions, Avast again alerted me to files that were being accessed by ClamAV processes, and quarantined them. Each time, Avast blocked files that ClamAV was scanning, or possibly temporarily creating, and put them in the "virus chest", despite my previous "add an exclusion" action. I wanted to upload those files to VirusTotal, to double check if they were really problems, or whether this was continuously a matter of competing programs. "Restoring" the files to upload them just caused Avast to block them and put them in the virus chest again. Finally, I disconnected Avast for 10 minutes, and uploaded the files that Avast had quarantined. One of them was considered problematic by only 2 of the programs listed, including ClamAV. The other was considered problematic by 50% of the programs listed on VirusTotal.com. So there really may be a problem. Meanwhile, I let ClamWinPortable run again, letting Avast block and quarantine whatever it wanted.

ClamWinPortable found one file inside its own quarantine from Nov 3, plus two additional files that have been sitting innocently in my downloads folder for a long time. Either those two are false positives, or they were infected by something else on my PC.

The report I have from about 4 AM Nov 13 shows that the new ClamWinPortable.exe scanned at least 3 times! Each time it quarantined and re-quarantined files that were already quarantined. I don't have the report from the evening of Nov 12 that shows when the USB installer files were actually first quarantined.

 

D:\ClamWinPortable\Data\quarantine\A0052560.dll.infected: moved to 'D:\ClamWinPortable\ClamWinPortable\Data\quarantine\A0052560.dll.infected'
D:\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.3.exe.infected: moved to 'D:\ClamWinPortable\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.3.exe.infected'
D:\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.4.exe.infected: moved to 'D:\ClamWinPortable\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.4.exe.infected'
D:\ClamWinPortable\ClamWinPortable\Data\quarantine\A0052560.dll.infected not moved/copied since already in quarantine
D:\ClamWinPortable\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.3.exe.infected not moved/copied since already in quarantine
D:\ClamWinPortable\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.4.exe.infected not moved/copied since already in quarantine
 
Basically, the report "thinks" it found 6 infected files. Really there were only three, and they originated from normal files on my hard drive.
D:\ClamWinPortable\Data\quarantine\A0052560.dll.infected: W32.Virut.Gen.D-148 FOUND
D:\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.3.exe.infected: Win.Adware.Domaiq-135 FOUND
D:\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.4.exe.infected: Win.Adware.Domaiq-135 FOUND
D:\ClamWinPortable\ClamWinPortable\Data\quarantine\A0052560.dll.infected: W32.Virut.Gen.D-148 FOUND
D:\ClamWinPortable\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.3.exe.infected: Win.Adware.Domaiq-135 FOUND
D:\ClamWinPortable\ClamWinPortable\Data\quarantine\Universal-USB-Installer-1.9.5.4.exe.infected: Win.Adware.Domaiq-135 FOUND
 

Avast has put the following, and a bunch of other similar alphanumerically named temp files that ClamAV created each time it rescanned, in its virus chest:

11/13/2014 4:19:13 AM C:\Documents and Settings\Pessy\Local Settings\Temp\clamav-75efd6ef609d1a9c4ea903e907154aed.00000b3c.clamtmp [L] Win32:Evo-gen [Susp] (0)
File was successfully moved to chest...
11/13/2014 7:04:58 AM D:\ClamWinPortable\Data\db\clamav-8125c91b6db11542c99466a0c4bd96c8.00000984.clamtmp\clamav-b87c31dd2c8632780430ddab1d13a819.00000984.clamtmp\daily.ndb [L] JS:ScriptSH-inf [Trj] (0)
File was successfully moved to chest...
 
Now that I have done all those things... you have responded! 20/20 hindsight... I should have waited before running the virus protection again. Regardless, this is the situation now. It seems like everything works, besides Firefox and Pale Moon. The restoration that I did on Nov 3 doesn't show up. I don't know if System Restore is corrupt, or I would have tried restoring to an even earlier point, before I even started this thread. Avast never finds anything. ClamWinPortable has found something. And as I've said above, I couldn't do the clean part of AdwCleaner: everything froze at "removing folders", and as far as I know it didn't create a report. I do not know if there is dormant malware on my PC, or now on my flash drive.
 
In light of all this, I ran DDS again, so you have updated information. I am not going to re-try AdwCleaner without your recommendation, and I'm going to wait for further instructions before I run Farbar. For now, my flash drive is still connected. I don't know if these scans reflect that fact or not. Please let me know if I should remove it.
 
DDS.txt
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Pessy at 17:50:44 on 2014-11-13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1494 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* 
.
============== Running Processes ================
.
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Online Armor\oaui.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/
uProxyOverride = <local>
BHO: AutorunsDisabled - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341524095046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
TCP: NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : DHCPNameServer = 192.168.8.1
Handler: AutorunsDisabled - <Clsid value has no data>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - c:\program files\online armor\oaevent.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pessy\application data\mozilla\firefox\profiles\7j8qck4p.default-1401079308601\
FF - prefs.js: browser.search.selectedEngine - Startpage (SSL)
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=22679f1cf5a58cd828e3179705e7b677
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\google\update\1.3.25.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_189.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-6-30 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-6-30 206248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2014-6-30 787800]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2014-6-30 422760]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2014-5-11 210360]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2014-5-11 44984]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2014-5-11 34856]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2014-5-11 31912]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-6-30 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2014-6-30 70384]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-6-30 50344]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2014-1-24 1715416]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2014-5-11 584864]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2014-5-11 4457688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cleanhlp;cleanhlp;\??\e:\emisoft emergency\bin\cleanhlp32.sys --> e:\emisoft emergency\bin\cleanhlp32.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
S4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-1-7 33616]
S4 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-18 13560]
S4 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S4 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
.
=============== Created Last 30 ================
.
2014-11-09 08:59:01 -------- d-----w- C:\autoruns
2014-11-06 07:44:44 114904 ----a-w- c:\windows\system32\drivers\397B2E2F.sys
2014-11-05 07:44:55 43152 ----a-w- c:\windows\avastSS.scr
2014-11-04 13:50:13 -------- d-----w- c:\documents and settings\pessy\local settings\application data\Foxit Reader
2014-11-04 13:40:14 -------- d-----w- c:\documents and settings\pessy\application data\Foxit Software
2014-11-03 22:37:08 5938 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2014-11-03 22:28:44 -------- d-----w- c:\windows\system32\wbem\Repository
2014-11-03 22:25:40 -------- d-----w- c:\program files\Pale Moon
2014-10-31 19:09:56 -------- d-----w- c:\documents and settings\pessy\application data\LibreOffice
2014-10-31 18:25:21 -------- d-----w- c:\program files\Acro Software
2014-10-31 18:21:09 -------- d-----w- c:\program files\GPLGS
2014-10-28 18:58:59 3756656 ----a-w- c:\program files\mozilla firefox\updated\mozjs.dll
2014-10-28 08:52:44 -------- d-----w- c:\documents and settings\pessy\local settings\application data\AbleWord
2014-10-28 08:52:33 -------- d-----w- c:\documents and settings\pessy\application data\AbleWord
2014-10-28 08:50:59 -------- d-----w- c:\program files\AbleWord
2014-10-28 07:06:59 -------- d-----w- C:\$NtUninstallXPSEP$
2014-10-28 07:06:31 14048 ------w- c:\windows\system32\spmsg2.dll
2014-10-27 23:18:49 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2014-10-22 20:05:40 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 20:05:40 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2014-11-13 17:59:56 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-05 07:45:43 787800 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-11-05 07:45:43 70384 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
2014-11-05 07:45:00 206248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-11-05 07:44:59 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-11-05 07:44:59 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-10-01 15:11:18 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-03 04:25:30 377920 ----a-w- c:\program files\aswclear.exe
2010-07-28 19:47:44 199544 ----a-w- c:\program files\Tcpvcon.exe
2010-07-08 04:31:22 22951 ----a-w- c:\program files\CIS Clean-up Tool.bat
.
============= FINISH: 17:53:30.50 ===============
 

 

 


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:47 AM

Posted 14 November 2014 - 10:28 AM

For now please post the Farbar logs for my review.

I can then give you a fix to remove all that is bad.

#7 Alyab123

Alyab123
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 14 November 2014 - 12:03 PM

Oops. We just crossed each other. I booted my PC less than 2 hours ago. You hadn't posted your reply yet, and I changed my mind and decided it couldn't hurt to try AdwCleaner again. It scanned, produced the report, but froze in the clean process at "deleting folders" again. I also actually saw my Online Armor firewall icon disappear from the tray. The rest of the screen froze again within a minute. I decided to try to run AdwCleaner in Safe Mode. This worked, and here is the report:

 

# AdwCleaner v4.101 - Report created 14/11/2014 at 10:29:22
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Pessy - BAILA
# Running from : C:\Documents and Settings\Pessy\Desktop\adwcleaner_4.101.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
[!] Folder Deleted : C:\Documents and Settings\Baila\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna
[!] Folder Deleted : C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E00DE9B9-B128-4C39-B732-B5D85013FA48}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Mozilla Firefox v34.0 (x86 en-US)
 
 
-\\ Pale Moon v25.0.1 (en-US)
 
 
-\\ Google Chrome v38.0.2125.111
 
 
*************************
 
AdwCleaner[R10].txt - [3543 octets] - [03/06/2014 07:20:11]
AdwCleaner[R11].txt - [2784 octets] - [03/06/2014 07:43:04]
AdwCleaner[R12].txt - [2736 octets] - [13/11/2014 16:59:48]
AdwCleaner[R13].txt - [2856 octets] - [14/11/2014 10:07:22]
AdwCleaner[R14].txt - [2976 octets] - [14/11/2014 10:25:38]
AdwCleaner[R2].txt - [4998 octets] - [14/05/2014 03:27:22]
AdwCleaner[R3].txt - [5058 octets] - [14/05/2014 03:31:24]
AdwCleaner[R4].txt - [4067 octets] - [14/05/2014 04:43:26]
AdwCleaner[R5].txt - [3469 octets] - [29/05/2014 21:40:39]
AdwCleaner[R6].txt - [3759 octets] - [02/06/2014 22:23:39]
AdwCleaner[R7].txt - [2361 octets] - [02/06/2014 22:45:06]
AdwCleaner[R8].txt - [2481 octets] - [02/06/2014 23:01:33]
AdwCleaner[R9].txt - [2541 octets] - [02/06/2014 23:10:43]
AdwCleaner[S1].txt - [5126 octets] - [14/05/2014 04:22:14]
AdwCleaner[S2].txt - [3327 octets] - [02/06/2014 22:26:38]
AdwCleaner[S3].txt - [1771 octets] - [02/06/2014 22:46:55]
AdwCleaner[S4].txt - [2602 octets] - [02/06/2014 23:11:22]
AdwCleaner[S5].txt - [2673 octets] - [03/06/2014 07:27:16]
AdwCleaner[S6].txt - [2844 octets] - [03/06/2014 07:45:01]
AdwCleaner[S7].txt - [388 octets] - [13/11/2014 17:07:04]
AdwCleaner[S8].txt - [388 octets] - [14/11/2014 10:17:52]
AdwCleaner[S9].txt - [2920 octets] - [14/11/2014 10:29:22]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S9].txt - [2980 octets] ##########
 
 
1. Although I downloaded AdwCleaner fresh, I see that I have many previous reports in the folder that remained from previous times I was asked to run AdwCleaner. Is there any reason not to delete them?
2. As you can see, the folders I deleted with AdwCleaner were in Chrome\Extensions. All (5) of my Chrome extensions are still "enabled" and seem to be working. Except, when I click on a new tab, it tries to open chrome-extension://icpg.... with the message 'page not found'. Apparently the "New Tab Redirect" extension is what I "cleaned" with AdwCleaner. Chrome still shows it installed, with my preferred new tab address still properly set. I suppose I need to manually delete it from Chrome? Can I re-install that extension after I remove it? I haven't seen any references to it being problematic in any Chrome discussions online.
 
I restarted my PC, and I downloaded and ran FRST.exe.
 
Here are the log contents:
 
FRST.txt
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
Ran by Pessy (administrator) on BAILA on 14-11-2014 11:09:10
Running from C:\Documents and Settings\Pessy\Desktop\bleeping computer help
Loaded Profile: Pessy (Available profiles: Baila & Pessy & esti & Admin & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Emsisoft GmbH) C:\Program Files\Online Armor\oacat.exe
(Emsisoft GmbH) C:\Program Files\Online Armor\oasrv.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Blue Coat Systems, Inc.) C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
(Microsoft Corporation) C:\WINDOWS\system32\snmp.exe
(Emsisoft GmbH) C:\Program Files\Online Armor\oaui.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Emsisoft GmbH) C:\Program Files\Online Armor\oahlp.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [@OnlineArmor GUI] => C:\Program Files\Online Armor\oaui.exe [7558464 2013-10-11] (Emsisoft GmbH)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5223016 2014-11-05] (AVAST Software)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - DefaultScope {CE08AAE8-6956-4BB8-939A-36D1D682C4FC} URL = http://startpage.com/do/search?query={searchTerms}&nossl=1&cat=web&pl=ie&language=english
SearchScopes: HKCU - {CE08AAE8-6956-4BB8-939A-36D1D682C4FC} URL = http://startpage.com/do/search?query={searchTerms}&nossl=1&cat=web&pl=ie&language=english
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
Handler: AutorunsDisabled\ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
ShellExecuteHooks: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Program Files\Online Armor\oaevent.dll [1033968 2013-10-11] (Emsisoft GmbH)
Tcpip\Parameters: [DhcpNameServer] 192.168.8.1
Tcpip\..\Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A}: [NameServer] 208.67.220.220,208.67.222.222
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601
FF DefaultSearchEngine: Startpage (SSL)
FF SelectedSearchEngine: Startpage (SSL)
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll No File
FF Plugin: @real.com/nppl3260;version=6.0.12.450 -> C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\ixquick-https.xml
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\startpage-ssl.xml
FF Extension: Avira Browser Safety - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\Extensions\abs@avira(2).com [2014-09-14]
FF Extension: DoNotTrackMe: Online Privacy Protection - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\Extensions\[email protected] [2014-07-15]
FF Extension: WOT - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-05-26]
FF Extension: NoScript - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-05-26]
FF Extension: Adblock Edge - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-05-25]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-23]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-06-30]
 
Chrome: 
=======
CHR DefaultSearchKeyword: Default -> startpage.com
CHR DefaultSuggestURL: Default -> 
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
CHR Profile: C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-14]
CHR Extension: (Google Drive) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-14]
CHR Extension: (YouTube) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-14]
CHR Extension: (Adblock Plus) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-11-04]
CHR Extension: (Google Search) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-14]
CHR Extension: (DoNotTrackMe: Online Privacy Protection) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\epanfjkfahimkgomnigadpkobaefekcd [2014-07-31]
CHR Extension: (ScriptBlock) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hcdjknjpbnhdoabbngpmfekaecnpajba [2014-11-03]
CHR Extension: (New Tab Redirect) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2014-11-14]
CHR Extension: (Webutation) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nfclfmabiojpommfcalfdgjjeaahnjbj [2014-07-31]
CHR Extension: (Gmail) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-14]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-05]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
R2 6to4; C:\WINDOWS\System32\6to4svc.dll [100864 2010-02-11] (Microsoft Corporation)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-05] (AVAST Software)
R2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [1715416 2014-01-24] (Blue Coat Systems, Inc.)
R2 OAcat; C:\Program Files\Online Armor\OAcat.exe [584864 2013-10-11] (Emsisoft GmbH)
S4 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 RoxWatch9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [159744 2006-11-05] (Sonic Solutions) [File not signed]
R2 SvcOnlineArmor; C:\Program Files\Online Armor\oasrv.exe [4457688 2013-10-11] (Emsisoft GmbH)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AmdPPM; C:\WINDOWS\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-05] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2014-11-05] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2014-11-05] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-11-05] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2014-11-05] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [422760 2014-11-05] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2014-11-05] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2014-11-05] ()
R1 bckd; C:\WINDOWS\System32\drivers\bckd.sys [90200 2014-01-24] (Blue Coat Systems, Inc.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S4 gfiark; C:\WINDOWS\System32\drivers\gfiark.sys [33616 2012-12-17] (GFI Software)
S4 gfibto; C:\WINDOWS\System32\drivers\gfibto.sys [13560 2013-06-30] (GFI Software)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R1 OADevice; C:\WINDOWS\system32\drivers\OADriver.sys [210360 2013-10-11] ()
R1 oahlpXX; C:\WINDOWS\system32\drivers\oahlp32.sys [44984 2013-10-11] ()
R1 OAmon; C:\WINDOWS\system32\drivers\OAmon.sys [34856 2013-10-11] (Emsisoft)
R1 OAnet; C:\WINDOWS\system32\drivers\OAnet.sys [31912 2013-10-11] (Emsisoft)
S4 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [458752 2007-11-08] (PixArt Imaging Inc.) [File not signed]
S4 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [36528 2006-07-24] (Sonic Solutions) [File not signed]
S4 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S4 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1171464 2006-07-27] (SigmaTel, Inc.)
R1 Tcpip6; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S3 cleanhlp; \??\E:\emisoft emergency\bin\cleanhlp32.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-14 11:07 - 2014-11-14 11:09 - 00000000 ____D () C:\FRST
2014-11-13 16:55 - 2014-11-13 16:55 - 02140160 _____ () C:\Documents and Settings\Pessy\Desktop\adwcleaner_4.101.exe
2014-11-13 05:03 - 2014-11-13 16:20 - 00000782 _____ () C:\WINDOWS\setupapi.log
2014-11-13 04:58 - 2014-11-13 05:00 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Avast
2014-11-10 06:38 - 2014-11-10 06:41 - 00000000 ____D () C:\Documents and Settings\Pessy\Start Menu\Programs\autoruns
2014-11-09 19:20 - 2014-11-14 11:09 - 00000000 ____D () C:\Documents and Settings\Pessy\Desktop\bleeping computer help
2014-11-09 04:13 - 2014-11-09 04:13 - 00000903 _____ () C:\Documents and Settings\Baila\Desktop\Shortcut to procexp.exe.lnk
2014-11-09 04:11 - 2014-11-09 04:14 - 00000000 ____D () C:\Documents and Settings\Baila\Start Menu\Programs\autoruns
2014-11-09 03:59 - 2014-11-09 03:59 - 00000000 ____D () C:\autoruns
2014-11-06 02:44 - 2014-11-06 02:44 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\397B2E2F.sys
2014-11-05 02:45 - 2014-11-05 02:45 - 00001731 _____ () C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2014-11-05 02:45 - 2014-11-05 02:44 - 00291352 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2014-11-05 02:44 - 2014-11-05 02:44 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2014-11-04 10:02 - 2014-11-04 10:02 - 00390316 _____ () C:\Documents and Settings\Pessy\My Documents\test pdf.xps
2014-11-04 09:11 - 2014-11-04 09:11 - 00000000 ____D () C:\Documents and Settings\LocalService\Application Data\Foxit Software
2014-11-04 08:50 - 2014-11-04 11:07 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Foxit Reader
2014-11-04 08:40 - 2014-11-04 11:06 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Foxit Software
2014-11-03 17:37 - 2014-11-03 17:37 - 00005938 _____ () C:\WINDOWS\system32\PerfStringBackup.TMP
2014-11-03 17:27 - 2014-11-03 17:28 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-03 17:25 - 2014-11-03 17:26 - 00000000 ____D () C:\Program Files\Pale Moon
2014-11-03 03:11 - 2014-11-03 03:11 - 00035262 _____ () C:\WINDOWS\Administrator.acl
2014-10-31 14:09 - 2014-10-31 14:09 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\LibreOffice
2014-10-31 13:25 - 2014-10-31 13:25 - 00000000 ____D () C:\Program Files\Acro Software
2014-10-31 13:21 - 2014-11-03 17:26 - 00000000 ____D () C:\Program Files\GPLGS
2014-10-30 22:42 - 2014-10-31 06:20 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\HRA and Mbi-WPD
2014-10-29 05:23 - 2014-11-11 08:24 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\Impact Energy
2014-10-28 18:37 - 2014-10-28 18:37 - 00000000 ____D () C:\Documents and Settings\Baila\Local Settings\Application Data\AbleWord
2014-10-28 16:23 - 2014-10-28 16:23 - 00000000 ____D () C:\Documents and Settings\Baila\Application Data\AbleWord
2014-10-28 03:52 - 2014-10-28 03:52 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\AbleWord
2014-10-28 03:52 - 2014-10-28 03:52 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\AbleWord
2014-10-28 03:51 - 2014-10-28 03:51 - 00001540 _____ () C:\Documents and Settings\Pessy\Desktop\AbleWord.lnk
2014-10-28 03:51 - 2014-10-28 03:51 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AbleWord V2
2014-10-28 03:50 - 2014-10-28 03:51 - 00000000 ____D () C:\Program Files\AbleWord
2014-10-28 02:06 - 2014-10-28 02:06 - 00001392 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\XPS Viewer EP.lnk
2014-10-28 02:06 - 2014-10-28 02:06 - 00001386 _____ () C:\Documents and Settings\All Users\Desktop\XPS Viewer EP.lnk
2014-10-28 02:06 - 2014-10-28 02:06 - 00000000 __HDC () C:\WINDOWS\$NtUninstallXpsEP$
2014-10-28 02:06 - 2014-10-28 02:06 - 00000000 ____D () C:\$NtUninstallXPSEP$
2014-10-28 02:06 - 2010-10-05 12:56 - 00014048 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsg2.dll
2014-10-28 00:15 - 2014-10-28 00:15 - 00060920 _____ () C:\Documents and Settings\Pessy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-10-27 22:39 - 2014-10-27 22:39 - 00001734 _____ () C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
2014-10-24 04:41 - 2014-11-12 08:01 - 00000664 _____ () C:\Documents and Settings\Baila\Local Settings\Application Data\d3d9caps.tmp
2014-10-22 15:05 - 2014-10-22 15:05 - 00701104 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-10-22 15:05 - 2014-10-22 15:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-14 11:09 - 2014-05-13 05:17 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Temp
2014-11-14 10:50 - 2014-08-21 03:24 - 01194646 _____ () C:\WINDOWS\WindowsUpdate.log
2014-11-14 10:49 - 2014-06-30 03:40 - 00000364 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2014-11-14 10:49 - 2003-07-16 11:46 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-11-14 10:48 - 2014-08-21 03:27 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-11-14 10:48 - 2014-08-21 03:27 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-11-14 10:48 - 2009-06-15 08:44 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-11-14 10:46 - 2014-05-13 04:16 - 00000178 ___SH () C:\Documents and Settings\Pessy\ntuser.ini
2014-11-14 10:43 - 2014-05-14 03:27 - 00000000 ____D () C:\AdwCleaner
2014-11-14 10:38 - 2014-08-21 03:27 - 00032632 _____ () C:\WINDOWS\SchedLgU.Txt
2014-11-14 10:37 - 2014-05-04 22:05 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-11-14 10:36 - 2014-05-30 13:05 - 00001669 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-14 10:35 - 2014-05-04 22:05 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-13 17:42 - 2013-06-30 12:43 - 00000000 ____D () C:\Documents and Settings\Baila\Local Settings\temp
2014-11-13 15:30 - 2013-12-12 15:31 - 00000258 _____ () C:\WINDOWS\Tasks\Synchronize.job
2014-11-13 07:21 - 2013-07-08 00:03 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2014-11-13 02:38 - 2009-06-15 09:12 - 00000178 ___SH () C:\Documents and Settings\Baila\ntuser.ini
2014-11-13 02:34 - 2009-06-15 09:12 - 00000000 ____D () C:\Documents and Settings\Baila
2014-11-13 01:31 - 2013-07-11 21:24 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-11-13 01:27 - 2014-05-13 04:16 - 00000000 ____D () C:\Documents and Settings\Pessy
2014-11-13 01:21 - 2013-07-03 21:22 - 00000682 _____ () C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2014-11-13 01:20 - 2013-07-03 21:22 - 00000000 ____D () C:\Program Files\CCleaner
2014-11-13 01:17 - 2014-05-14 03:24 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Google
2014-11-13 01:14 - 2009-06-21 21:48 - 100445232 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-11-13 01:13 - 2013-12-16 19:06 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-11-11 05:59 - 2014-05-30 01:39 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Paint.NET
2014-11-11 04:54 - 2009-07-01 11:48 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\BUSINESS
2014-11-10 06:08 - 2014-05-13 06:17 - 00000000 ____D () C:\Documents and Settings\esti\Local Settings\Temp
2014-11-09 04:16 - 2013-08-15 22:58 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-09 04:16 - 2013-08-15 22:58 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-09 04:08 - 2013-07-03 21:48 - 00000000 ____D () C:\Program Files\autoruns
2014-11-05 02:45 - 2014-06-30 03:40 - 00787800 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsnx.sys
2014-11-05 02:45 - 2014-06-30 03:40 - 00422760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsp.sys
2014-11-05 02:45 - 2014-06-30 03:40 - 00206248 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
2014-11-05 02:45 - 2014-06-30 03:40 - 00070384 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswmonflt.sys
2014-11-05 02:45 - 2014-06-30 03:40 - 00057928 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2014-11-05 02:44 - 2014-06-30 03:40 - 00055240 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswrdr.sys
2014-11-05 02:44 - 2014-06-30 03:40 - 00049944 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
2014-11-05 02:44 - 2014-06-30 03:40 - 00024184 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2014-11-04 10:16 - 2014-04-08 23:39 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-11-04 06:59 - 2014-05-13 04:59 - 00000394 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Shared Documents.lnk
2014-11-04 03:51 - 2013-07-14 19:43 - 00000000 ____D () C:\Program Files\Reason
2014-11-04 03:26 - 2014-02-05 04:31 - 00000000 ____D () C:\Program Files\Blue Coat K9 Web Protection
2014-11-04 02:54 - 2009-06-19 12:05 - 00000000 ____D () C:\Program Files\Microsoft Office
2014-11-04 02:54 - 2009-06-14 20:03 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-11-03 17:47 - 2014-05-13 04:13 - 00000178 ___SH () C:\Documents and Settings\esti\ntuser.ini
2014-11-03 17:30 - 2014-10-03 08:08 - 00270192 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-11-03 17:29 - 2014-05-29 13:55 - 00000000 ____D () C:\Documents and Settings\Admin
2014-11-03 17:29 - 2014-05-13 04:13 - 00000000 ____D () C:\Documents and Settings\esti
2014-11-03 17:29 - 2014-01-14 04:42 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA
2014-11-03 17:29 - 2009-06-15 09:10 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-11-03 17:29 - 2009-06-15 09:10 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-11-03 17:28 - 2009-06-15 08:42 - 00000000 ____D () C:\WINDOWS\Registration
2014-11-03 17:27 - 2012-06-28 21:04 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-03 17:22 - 2009-06-26 00:53 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
2014-11-03 03:05 - 2009-06-14 19:58 - 00000000 ____D () C:\WINDOWS\Help
2014-11-03 02:27 - 2013-06-30 12:43 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-10-31 06:18 - 2009-07-01 11:48 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\Correspondence
2014-10-28 16:22 - 2009-06-30 19:36 - 00060920 ____C () C:\Documents and Settings\Baila\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-10-28 08:01 - 2003-07-16 11:45 - 00000929 _____ () C:\WINDOWS\win.ini
2014-10-28 04:25 - 2013-06-30 04:50 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-10-28 02:14 - 2014-05-11 16:20 - 00000000 ____D () C:\Program Files\Online Armor
2014-10-27 22:39 - 2009-07-06 01:29 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2014-10-24 07:06 - 2014-05-30 13:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-24 04:24 - 2012-09-04 15:23 - 00000000 ____D () C:\Documents and Settings\Baila\Local Settings\Application Data\Temp
2014-10-22 15:06 - 2014-10-03 05:10 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Adobe
2014-10-22 14:58 - 2014-08-29 03:05 - 00000000 ____D () C:\Documents and Settings\Baila\Local Settings\Application Data\Adobe
2014-10-21 03:08 - 2014-07-23 04:50 - 00000695 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Pale Moon.lnk
2014-10-21 03:08 - 2014-07-23 04:50 - 00000689 _____ () C:\Documents and Settings\All Users\Desktop\Pale Moon.lnk
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================
 
Please let me know if I should remove my flash drive, which has the ClamWinPortable program (and its related files, reports, logs, and quarantine folder) on it.

 




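As an added example (my code, not part of this thread and not FRST's own), a small Python triage helper that parses the two log formats shown above: FRST "files and folders" lines and the "Bamital & volsnap Check" lines. The sample lines, the `placeholder.sys` entry and the `NOW` timestamp are constructed, and the "recently modified driver with a blank company column" heuristic is mine, a starting point for manual review rather than a verdict.

```python
import re
from datetime import datetime, timedelta

# One FRST "files and folders" line:  <modified> - <created> - <size> <flags> (<company>) <path>
FRST_LINE = re.compile(r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
                       r"(?P<size>\d+) (?P<flags>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$")
# One "Bamital & volsnap Check" line:  <path> => <verdict>
BAMITAL_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) => (?P<verdict>.+)$")
TS = "%Y-%m-%d %H:%M"

def parse_frst_line(line):
    """Parse a files-and-folders line into a dict; return None for any other line."""
    m = FRST_LINE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["modified"], e["created"] = datetime.strptime(e["modified"], TS), datetime.strptime(e["created"], TS)
    e["size"] = int(e["size"])
    e["is_dir"] = "D" in e["flags"]          # FRST marks directories with a D flag
    return e

def recent_drivers_without_company(lines, now, days=7):
    """Kernel drivers under system32\\Drivers modified within `days` and with a blank
    company column. Triage heuristic only: that column is version-info text, and the
    log above shows a legitimate AVAST driver (aswVmm.sys) with it blank."""
    hits = []
    for e in filter(None, map(parse_frst_line, lines)):
        p = e["path"].lower()
        if (not e["is_dir"] and "\\system32\\drivers\\" in p and p.endswith(".sys")
                and e["company"] == "" and now - e["modified"] <= timedelta(days=days)):
            hits.append(e["path"])
    return hits

def bamital_failures(lines):
    """Paths in the Bamital & volsnap section that did not verify as signed; FRST
    offers no automatic fix for these, so they are the ones to review by hand."""
    return [m.group("path") for m in map(BAMITAL_LINE.match, (l.strip() for l in lines))
            if m and m.group("verdict") != "File is digitally signed"]

# Constructed sample lines, modelled on the log above (not output of a real run).
SAMPLE_FRST = [
    r"2014-11-05 02:45 - 2014-06-30 03:40 - 00422760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsp.sys",
    r"2014-11-05 02:45 - 2014-06-30 03:40 - 00206248 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys",
    r"2014-10-01 12:00 - 2014-10-01 12:00 - 00012345 _____ () C:\WINDOWS\system32\Drivers\placeholder.sys",
    r"2014-11-03 17:29 - 2014-05-13 04:13 - 00000000 ____D () C:\Documents and Settings\esti",
]
SAMPLE_BAMITAL = [
    r"C:\WINDOWS\explorer.exe => File is digitally signed",
    r"C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed",
]
NOW = datetime(2014, 11, 11, 6, 0)   # constructed "time of the scan" for the age check
```

Feed it the relevant sections of a saved FRST.txt line by line; `recent_drivers_without_company(SAMPLE_FRST, NOW)` returns only aswVmm.sys for the sample, which is exactly the kind of entry to check against the Bamital section and the vendor before drawing any conclusion.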
#8 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Location:Montreal, QC. Canada

Posted 14 November 2014 - 02:08 PM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - DefaultScope {CE08AAE8-6956-4BB8-939A-36D1D682C4FC} URL = http://startpage.com/do/search?query={searchTerms}&nossl=1&cat=web&pl=ie&language=english
SearchScopes: HKCU - {CE08AAE8-6956-4BB8-939A-36D1D682C4FC} URL = http://startpage.com/do/search?query={searchTerms}&nossl=1&cat=web&pl=ie&language=english
FF NewTab: https://startpage.com/do/mypage.pl?prf=22679f1cf5a58cd828e3179705e7b677
FF DefaultSearchEngine: Startpage (SSL)
FF SelectedSearchEngine: Startpage (SSL)
FF Homepage: https://startpage.com/do/mypage.pl?prf=22679f1cf5a58cd828e3179705e7b677
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll No File
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\ixquick-https.xml
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\startpage-ssl.xml
CHR HomePage: Default -> https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
CHR StartupUrls: Default -> "https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c"
CHR DefaultSearchKeyword: Default -> startpage.com
CHR DefaultSearchURL: Default -> https://startpage.com/do/search?query={searchTerms}&cat=web&pl=chrome&language=english
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\internal-nacl-plugin No File
CHR Extension: (New Tab Redirect) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2014-11-14]
S3 cleanhlp; \??\E:\emisoft emergency\bin\cleanhlp32.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

#9 Alyab123
  • Topic Starter
  • Members
  • 71 posts

Posted 14 November 2014 - 02:17 PM

Before I run the fix:

 

I see you are going to touch the Startpage search engine. I understand that many people get that installed by accident, against their will. I actually intentionally chose to set that page as my homepage/start page/new tab/and default search. Do you believe it compromises my computer to use it? Why?

 

I can run the fix, and then reset it to an updated startpage setting, if there is no true reason not to use it.

 

As for the running of the PC: I can't tell. It is slow to load, but I assumed that is because it's old, and I only have 1 GB of RAM. I also believe too many processes start up and hide in the background - even though they don't show up in the Task Manager. They may be Windows processes; they show up in Autoruns, but I'm not sure what they are and what they do. That kind of stuff I can work on once I know the PC is clean. I know I "had" something within the last 2 weeks that unset my Avast - that's how this all started.

 

Thank you.


Edited by Alyab123, 14 November 2014 - 02:25 PM.


#10 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Location:Montreal, QC. Canada

Posted 14 November 2014 - 02:19 PM

I would fix it and reset it when all is well.

#11 Alyab123
  • Topic Starter
  • Members
  • 71 posts

Posted 14 November 2014 - 04:09 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-11-2014 01
Ran by Pessy at 2014-11-14 15:42:51 Run:1
Running from C:\Documents and Settings\Pessy\Desktop\bleeping computer help
Loaded Profile: Pessy (Available profiles: Baila & Pessy & esti & Admin & Administrator)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - DefaultScope {CE08AAE8-6956-4BB8-939A-36D1D682C4FC} URL = http://startpage.com/do/search?query={searchTerms}&nossl=1&cat=web&pl=ie&language=english
SearchScopes: HKCU - {CE08AAE8-6956-4BB8-939A-36D1D682C4FC} URL = http://startpage.com/do/search?query={searchTerms}&nossl=1&cat=web&pl=ie&language=english
FF DefaultSearchEngine: Startpage (SSL)
FF SelectedSearchEngine: Startpage (SSL)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll No File
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\ixquick-https.xml
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\startpage-ssl.xml
CHR DefaultSearchKeyword: Default -> startpage.com
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\internal-nacl-plugin No File
CHR Extension: (New Tab Redirect) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2014-11-14]
S3 cleanhlp; \??\E:\emisoft emergency\bin\cleanhlp32.sys [X]
 
End
*****************
 
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CE08AAE8-6956-4BB8-939A-36D1D682C4FC}" => Key deleted successfully.
"HKCR\CLSID\{CE08AAE8-6956-4BB8-939A-36D1D682C4FC}" => Key not found.
Firefox newtab deleted successfully.
Firefox DefaultSearchEngine deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox homepage deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5" => Key deleted successfully.
C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\ixquick-https.xml => Moved successfully.
C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\7j8qck4p.default-1401079308601\searchplugins\startpage-ssl.xml => Moved successfully.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
Chrome DefaultSearchKeyword deleted successfully.
Chrome DefaultSearchURL deleted successfully.
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\internal-nacl-plugin No File not found.
C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna => Moved successfully.
cleanhlp => Service deleted successfully.
 
==== End of Fixlog ====
 

 Results of screen317's Security Check version 0.99.89  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
avast! Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 CCleaner     
 Adobe Flash Player 15.0.0.189  
 Adobe Reader XI  
 Mozilla Firefox (34.0) 
 Google Chrome 38.0.2125.104  
 Google Chrome 38.0.2125.111  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````
 Tall Emu Online Armor OAcat.exe 
 Tall Emu Online Armor oasrv.exe 
 Tall Emu Online Armor oaui.exe 
 Tall Emu Online Armor OAhlp.exe 
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
thanks so much.
 
I'll be back on Sunday, G-d willing.
(The flash drive was not in when I did these last two scans, so the ClamWinPortable folder isn't connected... is that OK?)
 
 

Edited by Alyab123, 14 November 2014 - 04:11 PM.


#12 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Location:Montreal, QC. Canada

Posted 15 November 2014 - 08:57 AM

(The flash drive was not in when I did these last two scans, so the ClamWinPortable folder isn't connected... is that OK?)


That's OK.

The security check log is clean.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, "Best security practices". Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#13 Alyab123
  • Topic Starter
  • Members
  • 71 posts

Posted 18 November 2014 - 02:20 AM

Thank you very much Nasdaq

 

I thought this posted yesterday, but apparently it never went through.

 

Now that your utilities show my PC as "clean", I want to know if I did indeed have a virus and what it was. Something obviously de-activated my Avast on Nov 2. My system restoration on November 3 still does not show up in the System Restore application, nor in CCleaner, although it clearly shows up in your attach.txt report above from dds.exe. My Firefox and Palemoon programs still do not work. I just want to have some idea what caused these things. I have Avast running live, as well as K-9 internet protection, which is a very sensitive filter that also has live malware protection. I regularly scan with Malwarebytes and Superantispyware. And I'm using Online Armor (free) firewall live.

 

Maybe my settings are wrong. I would like to know what actually happened, so that I can approach the support resources of those applications for help. Most of the changes we did seemed to revolve around Chrome, and my personal settings for the home page and new tab page for my browsers. I have used this home page, default new tab, and search engine for a very long time on both the Firefox and Palemoon browsers. I wasn't even using Chrome before I contacted Bleeping Computer! I have read all the documentation about security. I just want to know if all those scans and utilities did indeed show any signs of any identifiable problem. Or did my system restore of Nov. 3 somehow wipe out all records of what had actually taken place?

 

Thank you.



#14 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Location:Montreal, QC. Canada

Posted 18 November 2014 - 10:38 AM

What was found and removed were PUPs (Potentially Unwanted Programs) installed without your consent.
These programs change your browsers and security to operate without your knowledge.

I will leave this topic open for 5 days if you see something suspicious please let me know.

#15 Alyab123
  • Topic Starter
  • Members
  • 71 posts

Posted 19 November 2014 - 01:38 AM

Are you saying those were PUPs that were not found by Superantispyware scans and Avast, or that they had already "made trouble" by the time I did a Superantispyware scan? Because Superantispyware did find a couple of PUPs almost every time I scanned, and it automatically quarantined them.

 

I am having a consistent problem with Avast saying some files could not be scanned: "error: archive is password protected". Unfortunately, Avast still has at least one problem: I cannot adjust the layout of the detailed scan reports in the GUI. I accidentally slid the column divider to the left, so I cannot see what files are in the list that could not be scanned. It's possible that there's a log or report somewhere of my daily scans where this information is legible. Still, it is strange that the GUI will not allow me to move the column divider back to the right so the list is visible. I looked in Application Data and found some sort of log that says that there is a consistent during many of my scheduled scans. I will have to go to Avast for help with this.





