
Still infected, browsers hijacked, uninstall programs not working etc


This topic is locked
76 replies to this topic

#1 sweb

Posted 29 December 2014 - 07:23 PM

I was being helped but was asked to post here; the previous thread is listed here

http://www.bleepingcomputer.com/forums/t/558715/i-think-im-infected-please-help/page-5

I believe my browsers have been hijacked.

Upon starting up today I received this popup window:

https://www.sendspace.com/file/ubkgh5

Here are the 2 DDS logs I was asked to post:

https://www.sendspace.com/file/gbmtx1

https://www.sendspace.com/file/hkoei3

There were 2 pop up ads that looked suspicious.

One that said 'your silverlight plugs are out of date......'
and another that said

firfox is out of date

firefox was spelled incorrectly
here's a screen shot of that

https://www.sendspace.com/file/o6x25y

 

 



#2 sweb (Topic Starter)

Posted 02 January 2015 - 05:45 PM

Bump



#3 nasdaq (Malware Response Team; Montreal, QC, Canada)

Posted 03 January 2015 - 10:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#4 sweb (Topic Starter)

Posted 03 January 2015 - 08:41 PM

Hi, here is the MBAM log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/3/2015
Scan Time: 5:25:06 PM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.03.12
Rootkit Database: v2014.12.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: sw13

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 301143
Time Elapsed: 13 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.WebInstrNew.A, C:\Windows\System32\drivers\Msft_Kernel_webinstrNew_01009.Wdf, Delete-on-Reboot, ,
PUP.Optional.DownloadAdmin, C:\ProgramData\Optimizer\program\windows_firefoxupdateweb.exe, Quarantined, [98693732f98340f6365999bf3ac650b0],
PUP.Optional.Unizeto, C:\ProgramData\Windows VXM\program\flash.exe, Quarantined, [4ab761083844b97dd4f204f223de8977],
PUP.Optional.Amonetize, C:\ProgramData\Windows VXM\program\slivelight__8497_i1417570635_il327.exe, Quarantined, [db26d4954a321026a8fbb8437b86b24e],

Physical Sectors: 0
(No malicious items detected)

(end)



#5 sweb (Topic Starter)

Posted 03 January 2015 - 08:54 PM

Adw log

# AdwCleaner v4.106 - Report created 03/01/2015 at 17:46:32
# Updated 21/12/2014 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : sw13 - SW13-PC
# Running from : C:\Users\sw13\Desktop\adwcleaner_4.106.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

Task Found : AmiUpdXp
Task Found : EPUpdater
Task Found : RocketTab Update Task
Task Found : RocketTab

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{BC0BF363-63AB-4FF7-8EF1-AE0D7F711B24}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16599

-\\ Mozilla Firefox v34.0.5 (x86 en-US)

-\\ Google Chrome v39.0.2171.95

*************************

AdwCleaner[R0].txt - [892 octets] - [03/01/2015 17:46:32]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [951 octets] ##########



#6 sweb (Topic Starter)

Posted 03 January 2015 - 09:09 PM

Here are the Farbar logs

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-01-2015 03
Ran by sw13 (administrator) on SW13-PC on 03-01-2015 17:54:04
Running from C:\Users\sw13\Desktop\FARBAR
Loaded Profile: sw13 (Available profiles: sw13)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(MicroStudio) C:\Program Files\Windows Network Accelerater\v3\winvxm.exe
(MicroTools) C:\Program Files\YouTube Downloader Services\P2\youtubeserv.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [335872 2003-06-05] (ATI Technologies, Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Real\RealPlayer\update\realsched.exe [295512 2013-06-05] (RealNetworks, Inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [InstallerLauncher] => "C:\Users\sw13\AppData\Local\Temp\GZ_INSTALL_0\setuplauncher.exe" /run:"C:\Users\sw13\AppData\Local\Temp\GZ_INSTALL_0\Installer.exe" <===== ATTENTION
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-30] (Piriform Ltd)
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\RunOnce: [Adobe Speed Launcher] => 1420335915
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3318673867-2705152334-234800118-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.solsticeweb.com/
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11

FireFox:
========
FF ProfilePath: C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\nzg5m93n.default-1417753046420
FF Homepage: hxxp://mail.solsticeweb.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.2 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.2.32 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Extension: WOT - C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\nzg5m93n.default-1417753046420\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-12-18]
FF Extension: Adblock Plus - C:\Users\sw13\AppData\Roaming\Mozilla\Firefox\Profiles\nzg5m93n.default-1417753046420\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-12-10]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-05-14]
FF HKLM\...\Firefox\Extensions: [{FCE04E1F-9378-4f39-96F6-5689A9159E45}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-06-05]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://mail.solsticeweb.com/"
CHR Profile: C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR Extension: (Google Wallet) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-31]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-04-16]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [282624 2003-06-02] ()
S2 ATI Smart; C:\Windows\System32\ati2sgag.exe [114688 2003-06-05] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
R2 WindowsVNT_R3; C:\Program Files\Windows Network Accelerater\v3\winvxm.exe [2973600 2014-10-20] (MicroStudio) [File not signed]
R2 YouTubeDownload_P2; C:\Program Files\YouTube Downloader Services\P2\youtubeserv.exe [2967160 2014-11-01] (MicroTools)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-03 17:53 - 2015-01-03 17:54 - 00000000 ____D () C:\Users\sw13\Desktop\FARBAR
2015-01-03 17:53 - 2015-01-03 17:54 - 00000000 ____D () C:\FRST
2015-01-03 17:46 - 2015-01-03 17:50 - 00000000 ____D () C:\AdwCleaner
2015-01-03 17:45 - 2015-01-03 17:45 - 02173952 _____ () C:\Users\sw13\Desktop\adwcleaner_4.106.exe
2015-01-03 17:43 - 2015-01-03 17:43 - 00000872 _____ () C:\Windows\PFRO.log
2015-01-03 17:42 - 2015-01-03 17:42 - 00000000 ____D () C:\965697c21c2e64d5f5db2dc88ff952
2015-01-03 17:41 - 2015-01-03 17:41 - 00001551 _____ () C:\Users\sw13\Desktop\MBAM.txt
2015-01-03 17:23 - 2015-01-03 17:23 - 00000899 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-29 16:16 - 2014-12-29 16:16 - 00002583 _____ () C:\Users\sw13\Desktop\attach.txt
2014-12-26 09:32 - 2014-12-26 09:32 - 00024003 _____ () C:\Users\sw13\Desktop\bookmarks.html
2014-12-16 15:38 - 2014-12-16 15:38 - 00001932 _____ () C:\DelFix.txt
2014-12-16 12:46 - 2014-12-16 14:20 - 00000000 ____D () C:\Users\sw13\Downloads\myuninst
2014-12-16 12:45 - 2014-12-16 12:45 - 00045129 _____ () C:\Users\sw13\Downloads\myuninst.zip
2014-12-15 09:17 - 2014-11-06 17:33 - 00974848 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-15 09:17 - 2014-11-03 16:19 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-15 09:03 - 2014-12-02 18:06 - 00278528 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-12-10 09:31 - 2014-12-10 09:31 - 00000000 ____D () C:\ProgramData\McAfee
2014-12-10 09:07 - 2014-11-24 12:44 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2014-12-10 09:07 - 2014-11-24 12:41 - 12369920 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 09:07 - 2014-11-24 12:40 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 09:07 - 2014-11-24 12:37 - 09740800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 09:07 - 2014-11-24 12:35 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 09:07 - 2014-11-24 12:35 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 09:07 - 2014-11-24 12:34 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 09:07 - 2014-11-24 12:34 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-12-10 09:07 - 2014-11-24 12:33 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 09:07 - 2014-11-24 12:33 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-12-10 09:07 - 2014-11-24 12:33 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 09:07 - 2014-11-24 12:33 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-10 09:07 - 2014-11-24 12:33 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-10 09:07 - 2014-11-24 12:33 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 09:07 - 2014-11-24 12:33 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-12-10 09:07 - 2014-11-24 12:32 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 09:07 - 2014-11-24 12:32 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 09:07 - 2014-11-24 12:32 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 09:07 - 2014-11-24 12:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-10 09:07 - 2014-11-24 12:32 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 09:07 - 2014-11-24 12:32 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-12-10 09:07 - 2014-11-24 12:32 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-12-09 10:51 - 2014-12-09 10:52 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-12-09 09:43 - 2014-12-09 09:43 - 00000000 ____D () C:\ProgramData\Sophos
2014-12-09 09:41 - 2014-12-09 15:15 - 00002577 _____ () C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2014-12-09 09:41 - 2014-12-09 09:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2014-12-09 09:41 - 2014-12-09 09:41 - 00000000 ____D () C:\Program Files\Sophos
2014-12-09 09:38 - 2014-12-09 09:38 - 104417629 _____ (Sophos Limited) C:\Users\sw13\Downloads\Sophos Virus Removal Tool.exe
2014-12-08 10:44 - 2014-12-08 10:57 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-08 10:41 - 2014-12-08 10:41 - 16448208 _____ (Malwarebytes Corp.) C:\Users\sw13\Downloads\mbar-1.08.2.1001.exe
2014-12-08 10:23 - 2015-01-03 17:24 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-08 10:23 - 2015-01-03 17:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-08 10:22 - 2015-01-03 17:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-08 10:22 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-08 10:22 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-08 10:22 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-08 10:21 - 2014-12-08 10:21 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\sw13\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-08 10:12 - 2015-01-03 17:46 - 00000000 ____D () C:\Users\sw13\Desktop\bleepingcomputer
2014-12-04 21:49 - 2014-12-04 21:49 - 00044991 _____ () C:\ProgramData\1417758518.bdinstall.bin
2014-12-04 21:49 - 2014-12-04 21:49 - 00002127 _____ () C:\Windows\epplauncher.mif
2014-12-04 21:43 - 2014-12-04 21:43 - 00040386 _____ () C:\ProgramData\1417758208.3960.bin
2014-12-04 21:43 - 2014-12-04 21:43 - 00002047 _____ () C:\ProgramData\1417758208.1012.bin
2014-12-04 21:43 - 2014-12-04 21:43 - 00000189 _____ () C:\ProgramData\1417758208.3864.bin
2014-12-04 21:43 - 2014-12-04 21:43 - 00000000 ____D () C:\Users\sw13\AppData\Roaming\QuickScan
2014-12-04 11:37 - 2014-12-04 11:37 - 00001687 _____ () C:\ProgramData\tempimage.bmp
2014-12-04 10:49 - 2014-12-08 10:33 - 00000000 ____D () C:\Users\sw13\AppData\Local\14023
2014-12-04 10:44 - 2014-12-04 10:44 - 00000000 ____D () C:\Users\sw13\AppData\Local\Desktop_Dock
2014-12-04 10:39 - 2014-12-04 10:39 - 00000000 ____D () C:\ProgramData\Cerber AntiVirus

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-03 17:52 - 2013-05-14 19:11 - 00000680 _____ () C:\Users\sw13\AppData\Local\d3d9caps.dat
2015-01-03 17:52 - 2006-11-02 04:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-03 17:52 - 2006-11-02 04:47 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-03 17:48 - 2008-01-20 17:35 - 01077041 _____ () C:\Windows\WindowsUpdate.log
2015-01-03 17:43 - 2014-01-31 14:14 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-03 17:43 - 2006-11-02 05:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-03 17:42 - 2006-11-02 05:01 - 00032588 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-03 17:21 - 2014-01-31 14:14 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-03 17:20 - 2013-05-20 12:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-22 09:57 - 2006-11-02 03:18 - 00000000 ____D () C:\Windows\rescache
2014-12-19 12:18 - 2006-11-02 04:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2014-12-16 15:38 - 2014-11-11 11:05 - 00000000 ____D () C:\Windows\ERUNT
2014-12-15 09:19 - 2013-05-15 17:23 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-15 09:14 - 2013-08-15 16:04 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-15 09:07 - 2006-11-02 02:24 - 109818608 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-12-12 15:32 - 2014-01-31 14:14 - 00001927 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-12-12 15:09 - 2013-05-20 11:35 - 00002425 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2014-12-10 09:51 - 2013-05-20 12:19 - 00000000 ____D () C:\Users\sw13\AppData\Local\Deployment
2014-12-10 09:31 - 2013-05-20 12:11 - 00000000 ____D () C:\Users\sw13\AppData\Local\Adobe
2014-12-10 08:56 - 2014-11-19 14:30 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-09 11:01 - 2013-05-20 12:25 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-12-09 11:01 - 2013-05-20 12:25 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-12-08 10:35 - 2006-11-02 03:18 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-12-08 10:33 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\sw13\AppData\Local\StartPoint
2014-12-04 20:17 - 2014-12-01 12:06 - 00000000 ____D () C:\Users\sw13\Desktop\Old Firefox Data
2014-12-04 11:42 - 2014-10-28 08:01 - 00000000 ____D () C:\Program Files\ScreenSaverGift

Some content of TEMP:
====================
C:\Users\sw13\AppData\Local\Temp\Quarantine.exe
C:\Users\sw13\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-03 17:50

==================== End Of Log ============================


Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-01-2015 03
Ran by sw13 at 2015-01-03 17:56:27
Running from C:\Users\sw13\Desktop\FARBAR
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ATI Display Driver (HKLM\...\ATI Display Driver) (Version:  - )
Celsus - Production (HKU\S-1-5-21-3318673867-2705152334-234800118-1000\...\4e8983d9705245fb) (Version: 1.1.16408.1449 - Capital IQ)
Eclipse VoX 4.2 (HKLM\...\{27067C64-3491-439F-BC38-59E0E45B12B4}) (Version: 4.2.1.10 - Singularity Software, Inc.)
Express Scribe (HKLM\...\Scribe) (Version:  - NCH Software)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3318673867-2705152334-234800118-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\ProgramData\Windows VXM\program\flash.exe No File

==================== Restore Points  =========================

16-12-2014 15:38:15 End of disinfection
17-12-2014 11:17:21 Scheduled Checkpoint
18-12-2014 10:50:07 Scheduled Checkpoint
19-12-2014 11:31:57 Windows Update
19-12-2014 12:17:50 Windows Modules Installer
22-12-2014 11:39:48 Scheduled Checkpoint
24-12-2014 08:42:20 Windows Update
26-12-2014 10:21:48 Scheduled Checkpoint
29-12-2014 14:36:40 Windows Update
03-01-2015 17:37:28 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 02:23 - 2006-09-18 13:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {09B0509B-9915-4A66-94C5-3688343897EA} - System32\Tasks\NCH Software\ScribeReminder => C:\Program Files\NCH Software\Scribe\Scribe.exe
Task: {288A3C61-2E9C-4F26-9A11-DBE26D62ECFD} - System32\Tasks\BBQLeads => C:\Program Files\bbqleads\ScheduledTask.exe
Task: {34A0AC6F-181F-4F47-87E7-F52B53CD22DE} - \RocketTab No Task File <==== ATTENTION
Task: {3F574337-1AE2-46E8-8616-F6B1983ACC2B} - \AmiUpdXp No Task File <==== ATTENTION
Task: {6620F5B8-D7BF-4D42-BF66-81D24737679D} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {87138C53-6EB3-4B80-B6D7-4E8F3120EA1E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {9B59B993-1AD7-43FE-8F71-51898785FDE5} - System32\Tasks\HPCustParticipation HP Officejet 4630 series => C:\Program Files\HP\HP Officejet 4630 series\Bin\HPCustPartic.exe [2014-03-06] (Hewlett-Packard Co.)
Task: {9D17011A-71D4-4479-BC87-03C78C406723} - \EPUpdater No Task File <==== ATTENTION
Task: {9D3BA9F9-8AEF-4C47-B598-8418D692D36C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-31] (Google Inc.)
Task: {B2956309-8D7D-4A3C-AC53-641626864A0E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-31] (Google Inc.)
Task: {B69991CE-E56B-4716-8E5F-A2EB30D3BB7F} - System32\Tasks\{C1437BBA-4D65-4681-93A2-E8C9466952F4} => pcalua.exe -a D:\MSsetup.exe -d D:\
Task: {CA6EF537-25D6-4F65-B920-60D80A0F9FC0} - System32\Tasks\StartPoint => C:\Users\sw13\AppData\Local\StartPoint\startpoint\1.3.17.0\startpoint.exe
Task: {D9970FE4-197A-43F0-BC72-791D576B807E} - \RocketTab Update Task No Task File <==== ATTENTION
Task: {DE48EF34-E6BE-4E79-A0D2-7887E758C9EE} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-09] (Adobe Systems Incorporated)
Task: {E892C798-ACCE-476E-85AC-439DA86A16D0} - System32\Tasks\{D45827CD-A16D-4C01-91FA-8847798699AC} => pcalua.exe -a "C:\Users\sw13\AppData\Local\Temp\Temp1_ATI VGA Driver.ZIP\ATI\Setup.exe"
Task: {E8A3BD27-AE83-4402-B86C-1D17007E403B} - System32\Tasks\StartPoint Updater => C:\Users\sw13\AppData\Local\StartPoint\startpoint\1.3.17.0\startup.exe
Task: {FBBF2A1C-0DD7-4973-B91E-7665D071A9F8} - System32\Tasks\{F0548D54-1B27-4926-9FE4-1E586EBCC1D2} => pcalua.exe -a "E:\CAPITALIQ\Training\02 Software\Eclipse Installer\ecldevup.exe" -d "E:\CAPITALIQ\Training\02 Software\Eclipse Installer"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-05-21 08:31 - 2012-10-04 18:50 - 00088688 _____ () C:\Windows\System32\cpwmon2k.dll
2013-04-16 02:07 - 2013-04-16 02:07 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
2014-12-09 10:51 - 2014-12-09 10:52 - 03758192 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: DPS => 2
MSCONFIG\Services: RasAuto => 3
MSCONFIG\Services: RasMan => 3
MSCONFIG\Services: SessionEnv => 3
MSCONFIG\Services: TermService => 2
MSCONFIG\Services: WdiServiceHost => 3
MSCONFIG\Services: WdiSystemHost => 3
MSCONFIG\Services: WerSvc => 2
MSCONFIG\Services: WPCSvc => 3

========================= Accounts: ==========================

Administrator (S-1-5-21-3318673867-2705152334-234800118-500 - Administrator - Disabled)
Guest (S-1-5-21-3318673867-2705152334-234800118-501 - Limited - Enabled)
sw13 (S-1-5-21-3318673867-2705152334-234800118-1000 - Administrator - Enabled) => C:\Users\sw13

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/03/2015 05:45:10 PM) (Source: MsiInstaller) (EventID: 11606) (User: NT AUTHORITY)
Description: Product: Adobe Refresh Manager -- Error 1606.Could not access network location %APPDATA%\.

Error: (01/03/2015 05:45:10 PM) (Source: MsiInstaller) (EventID: 11606) (User: NT AUTHORITY)
Description: Product: Adobe Refresh Manager -- Error 1606.Could not access network location %APPDATA%\.

Error: (01/03/2015 05:44:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/03/2015 05:43:45 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="&#x2a;",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="&#x2a;",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (12/29/2014 02:40:55 PM) (Source: MsiInstaller) (EventID: 11606) (User: NT AUTHORITY)
Description: Product: Adobe Refresh Manager -- Error 1606.Could not access network location %APPDATA%\.

Error: (12/29/2014 02:40:55 PM) (Source: MsiInstaller) (EventID: 11606) (User: NT AUTHORITY)
Description: Product: Adobe Refresh Manager -- Error 1606.Could not access network location %APPDATA%\.

Error: (12/29/2014 02:36:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/26/2014 09:30:57 AM) (Source: MsiInstaller) (EventID: 11606) (User: NT AUTHORITY)
Description: Product: Adobe Refresh Manager -- Error 1606.Could not access network location %APPDATA%\.

Error: (12/26/2014 09:30:57 AM) (Source: MsiInstaller) (EventID: 11606) (User: NT AUTHORITY)
Description: Product: Adobe Refresh Manager -- Error 1606.Could not access network location %APPDATA%\.

Error: (12/26/2014 09:29:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (01/03/2015 05:42:06 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version:

    Update Source: %NT AUTHORITY15

    Update Stage: 4.6.0305.00

    Source Path: 4.6.0305.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/03/2015 05:42:03 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.191.1131.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.6.0305.00

    Source Path: 4.6.0305.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (12/29/2014 02:38:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Google Update Service (gupdate)%%1053

Error: (12/29/2014 02:38:40 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Google Update Service (gupdate)

Error: (12/29/2014 02:38:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Windows Font Cache Service%%1053

Error: (12/29/2014 02:38:10 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Windows Font Cache Service

Error: (12/29/2014 02:37:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Microsoft .NET Framework NGEN v4.0.30319_X86

Error: (12/29/2014 02:34:41 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 2:53:25 PM on 12/27/2014 was unexpected.


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-01-03 17:56:10.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:09.912
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:09.506
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:09.116
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:08.149
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:07.790
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:07.400
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:56:07.042
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:29:53.537
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-03 17:29:53.194
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz
Percentage of memory in use: 52%
Total physical RAM: 2036.24 MB
Available physical RAM: 960.28 MB
Total Pagefile: 5037.52 MB
Available Pagefile: 3823.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1910.8 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.05 GB) (Free:106.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (USB DISK) (Removable) (Total:7.2 GB) (Free:1.17 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149.1 GB) (Disk ID: 2369B484)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7.2 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7.2 GB) - (Type=0C)

==================== End Of Log ============================



#7 sweb

sweb
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 03 January 2015 - 09:12 PM

In the Programs/Features window

under Uninstall or change a program

when I click on a particular program, Uninstall doesn't show up in the menu bar

 

Still, when I opened Firefox today there were 2 pop-up ads that looked suspicious.
One said

firfox is out of date

but Firefox was spelled incorrectly.
Here's a screenshot of that

https://www.sendspace.com/file/o6x25y



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 AM

Posted 04 January 2015 - 08:51 AM


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM\...\Run: [InstallerLauncher] => "C:\Users\sw13\AppData\Local\Temp\GZ_INSTALL_0\setuplauncher.exe" /run:"C:\Users\sw13\AppData\Local\Temp\GZ_INSTALL_0\Installer.exe" <===== ATTENTION
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Extension: (Google Wallet) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-31]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
Task: {34A0AC6F-181F-4F47-87E7-F52B53CD22DE} - \RocketTab No Task File <==== ATTENTION
Task: {3F574337-1AE2-46E8-8616-F6B1983ACC2B} - \AmiUpdXp No Task File <==== ATTENTION
Task: {9D17011A-71D4-4479-BC87-03C78C406723} - \EPUpdater No Task File <==== ATTENTION
Task: {D9970FE4-197A-43F0-BC72-791D576B807E} - \RocketTab Update Task No Task File <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
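As an added example (not FRST's own code and not part of the instructions above), a small Python helper that reads the "Task:" lines of an FRST log, keeps the entries FRST itself tagged with ATTENTION (the orphaned tasks the fixlist above carries), notes other entries a helper might want to look at, and wraps the flagged ones in the start/End frame fixlist.txt uses. The sample log lines are constructed from the entries posted above; the AppData/Temp and missing-publisher heuristics are this example's own assumptions, not FRST's.

```python
"""Review helper for the "Scheduled Tasks" section of an FRST Addition log.
Added example, not FRST's own code.  FRST tags a scheduled task whose task
file is missing with "No Task File <==== ATTENTION"; this script re-reads
such lines so the entries destined for fixlist.txt, and the reason for each,
can be checked before Fix is run.  Review heuristics are assumptions."""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the log posted above (entries shortened).
SAMPLE_LOG = """\
==================== Scheduled Tasks (whitelisted) =============
Task: {6620F5B8-D7BF-4D42-BF66-81D24737679D} - System32\\Tasks\\Apple\\AppleSoftwareUpdate => C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {34A0AC6F-181F-4F47-87E7-F52B53CD22DE} - \\RocketTab No Task File <==== ATTENTION
Task: {CA6EF537-25D6-4F65-B920-60D80A0F9FC0} - System32\\Tasks\\StartPoint => C:\\Users\\sw13\\AppData\\Local\\StartPoint\\startpoint\\1.3.17.0\\startpoint.exe
Task: {D9970FE4-197A-43F0-BC72-791D576B807E} - \\RocketTab Update Task No Task File <==== ATTENTION
"""

ATTENTION = "<==== ATTENTION"
NO_FILE = "No Task File"


def parse_task(line: str) -> Optional[dict]:
    """Split one 'Task:' log line into its fields; None for any other line."""
    if not line.startswith("Task: "):
        return None
    body = line[len("Task: "):].strip()
    attention = body.endswith(ATTENTION)
    if attention:
        body = body[: -len(ATTENTION)].rstrip()
    orphan = body.endswith(NO_FILE)
    if orphan:
        body = body[: -len(NO_FILE)].rstrip()
    guid, _, rest = body.partition(" - ")
    name, _, target = rest.partition(" => ")
    publisher = None
    pub = re.search(r" \(([^()]*)\)$", target)      # trailing "(Publisher)"
    if pub:
        publisher = pub.group(1)
        target = target[: pub.start()]
    target = re.sub(r" \[\d{4}-\d{2}-\d{2}\]$", "", target)  # trailing "[date]"
    return {"guid": guid, "name": name, "target": target or None,
            "publisher": publisher, "orphan": orphan, "attention": attention}


def review(task: dict) -> List[str]:
    """Reasons a helper would look twice at a task (assumed heuristics)."""
    reasons = []
    if task["orphan"]:
        reasons.append("registered task has no task file (orphaned registration)")
    target = (task["target"] or "").lower()
    if "\\appdata\\" in target or "\\temp\\" in target:
        reasons.append("target lives in a user-writable profile folder")
    if task["target"] and task["publisher"] is None:
        reasons.append("no publisher recorded for the target")
    return reasons


def fixlist_entries(log_text: str) -> List[str]:
    """Task lines FRST itself tagged ATTENTION: what the fixlist above carries."""
    return [ln.rstrip() for ln in log_text.splitlines()
            if ln.startswith("Task: ") and ln.rstrip().endswith(ATTENTION)]


def build_fixlist(log_text: str) -> str:
    """Wrap the flagged entries in the start/End frame fixlist.txt uses."""
    return "\n".join(["start", "", *fixlist_entries(log_text), "", "End"])


def review_report(log_text: str) -> Dict[str, List[str]]:
    """Task name -> review reasons; tasks with nothing to note are omitted."""
    report: Dict[str, List[str]] = {}
    for ln in log_text.splitlines():
        task = parse_task(ln)
        if task and review(task):
            report[task["name"]] = review(task)
    return report

if __name__ == "__main__":
    print(review_report(SAMPLE_LOG), build_fixlist(SAMPLE_LOG), sep="\n\n")
```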

#9 sweb

sweb
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 05 January 2015 - 11:50 AM

OK, running those now

One other thing I have noticed is each time I open Firefox

it appears as if something is downloading

however when I click the arrow for

'Display the progress of ongoing downloads'

it shows

Windows-KB890830-V5.18.exe

Failed -- microsoft.com --


here is the fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-01-2015 03
Ran by sw13 at 2015-01-05 08:45:08 Run:1
Running from C:\Users\sw13\Desktop\FARBAR
Loaded Profile: sw13 (Available profiles: sw13)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM\...\Run: [InstallerLauncher] => "C:\Users\sw13\AppData\Local\Temp\GZ_INSTALL_0\setuplauncher.exe" /run:"C:\Users\sw13\AppData\Local\Temp\GZ_INSTALL_0\Installer.exe" <===== ATTENTION
HKU\S-1-5-21-3318673867-2705152334-234800118-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Extension: (Google Wallet) - C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-31]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
Task: {34A0AC6F-181F-4F47-87E7-F52B53CD22DE} - \RocketTab No Task File <==== ATTENTION
Task: {3F574337-1AE2-46E8-8616-F6B1983ACC2B} - \AmiUpdXp No Task File <==== ATTENTION
Task: {9D17011A-71D4-4479-BC87-03C78C406723} - \EPUpdater No Task File <==== ATTENTION
Task: {D9970FE4-197A-43F0-BC72-791D576B807E} - \RocketTab Update Task No Task File <==== ATTENTION

End
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\InstallerLauncher => value deleted successfully.
"HKU\S-1-5-21-3318673867-2705152334-234800118-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => Moved successfully.
C:\Users\sw13\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{34A0AC6F-181F-4F47-87E7-F52B53CD22DE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{34A0AC6F-181F-4F47-87E7-F52B53CD22DE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RocketTab" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3F574337-1AE2-46E8-8616-F6B1983ACC2B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F574337-1AE2-46E8-8616-F6B1983ACC2B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AmiUpdXp" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9D17011A-71D4-4479-BC87-03C78C406723}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D17011A-71D4-4479-BC87-03C78C406723}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EPUpdater" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D9970FE4-197A-43F0-BC72-791D576B807E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9970FE4-197A-43F0-BC72-791D576B807E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RocketTab Update Task" => Key deleted successfully.


The system needed a reboot.

==== End of Fixlog 08:45:20 ====



#10 sweb

sweb
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 05 January 2015 - 11:56 AM

Here is the checkup.txt log

 

Results of screen317's Security Check version 0.99.93  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 5 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
  Adobe Flash Player     15.0.0.246 Flash Player out of Date!  
 Google Chrome (39.0.2171.71)
 Google Chrome (39.0.2171.95)
 Google Chrome (plugins...)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 AM

Posted 05 January 2015 - 02:27 PM

1 other thing I have noticed is each time I open firefox
it appears as if something is downloading
however when i click arrow for
'Display the progress of ongoing downloads'
it shows
Windows-KB890830-V5.18.exe
Failed -- microsoft.com --


That is the Microsoft Windows Malicious Software Removal Tool.

http://support.microsoft.com/kb/890830

Try the fix suggested here.
http://forums.mozillazine.org/viewtopic.php?f=38&t=2876675

===

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

How is the computer running now?

#12 sweb

sweb
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 06 January 2015 - 02:59 PM

OK

seems to be running OK

I did however notice that still in the Programs/Features window

not all of the programs are listed there, including all of the scanners etc. that I have downloaded during this thread and the previous thread. The only one I see is the Malwarebytes Anti-Malware software;
none of the other ones like CCleaner, SecurityCheck, AdwCleaner, Sophos Virus Removal etc.
are listed there



#13 sweb

sweb
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 06 January 2015 - 11:30 PM

I received another fraudulent popup today

it said 'New version zip plus is found!'

here is a screen shot of the ad

https://www.sendspace.com/file/n4iogo



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 AM

Posted 07 January 2015 - 09:57 AM

Did you install Zip plus in the past?

If not do not accept the new version.

However, it could very well be that when you installed the myuninst program a zip program (or extractor) was installed and used?

I found this on your log.
C:\Users\sw13\Downloads\myuninst <- this is a folder
C:\Users\sw13\Downloads\myuninst.zip


Where did you download this program from?

Keep me posted.

#15 sweb

sweb
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 07 January 2015 - 01:28 PM

Hi

Yes, OK, I installed that myuninst on 12/16 as recommended by the person helping me in the other thread.

What should I do?

 

And today I received the 'firfox is outdated' popup ad again when I opened the Firefox browser

https://www.sendspace.com/file/o6x25y





