Vosteran infection and constant AgHelp.dll dialog box


  • This topic is locked
16 replies to this topic

#1 bpmcbray

  • Members
  • 10 posts

Posted 15 January 2015 - 10:10 AM

I thought I had removed Vosteran successfully, but Malwarebytes keeps finding multiple infections on my computer. Also, I am having this dialog box pop up every few minutes: "There was a problem starting C:\Users\Betsy\AppData\Local\ARCADE~1\AgHelp.dll"

 

DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.17183
Run by Betsy at 9:26:32 on 2015-01-15
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3982.1101 [GMT -5:00]
.
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\dwm.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dashost.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnWMI.exe
C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
C:\Program Files\ASUS\P4G\BatteryLife.exe
C:\Windows\system32\taskhostex.exe
C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnCfg.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
C:\Windows\system32\igfxpers.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.17074_none_6233bc1f5106b696\TiWorker.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DsmUserTask.Exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\srtasks.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Dashboard.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uDefault_Page_URL = hxxp://asus13.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Webroot Vault: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - 
TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - 
mRun: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSPanel.exe /S
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
mRun: [DBAgent] "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" /WinStart
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - 
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{1D181DBA-BEE4-459F-93FB-568D7A7AA1EF} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C} : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C}\2456C6B696E6E233642344 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C}\24C616B65672370296051646 : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C}\2656C6B696E6E2138393 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C}\7594E4F556465333 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C}\7594E4F583542444 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{8963D386-9C7F-4BCA-8B47-40C3147FA66C}\77C603F5745756374713 : DHCPNameServer = 192.168.254.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= C:/PROGRA~3/{DA243~1/171~1.0/liro.dll
SSODL: WebCheck - <orphaned>
mASetup: {6B435248-5F4F-4CE9-A533-CB3D8D97A210} - MSIEXEC /i {6B435248-5F4F-4CE9-A533-CB3D8D97A210} ADDLOCAL="Advertised1" REINSTALL="Advertised1"  REINSTALLMODE=ump SETDEFAULTS="1" /qn /quiet
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
mASetup: {A6EADE66-0000-0000-484E-7E8A45000000} - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Adobe\Reader 11.0\Esl\AiodLite.dll",CreateReaderUserSettings
x64-BHO: Webroot Vault: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - 
x64-TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - 
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX3
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - 
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-7-5 647736]
R1 ATKWMIACPIIO;ATKWMIACPI Driver;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-9-7 17536]
R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
R2 ASUS InstantOn;ASUS InstantOn Service;C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [2012-4-13 277120]
R2 Asus WebStorage Windows Service;Asus WebStorage Windows Service;C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [2012-12-19 72192]
R2 CatWSw8;CatWSw8;C:\Windows\System32\Drivers\CatWSw864.sys [2015-1-11 42392]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2014-1-21 2466448]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2014-1-21 129856]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2014-1-21 166720]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2015-1-13 1871160]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2015-1-13 969016]
R3 AiCharger;ASUS Charger Driver;C:\Windows\System32\Drivers\AiCharger.sys [2012-9-18 17152]
R3 ATP;ASUS Input Device;C:\Windows\System32\Drivers\AsusTP.sys [2013-9-23 70416]
R3 HIDSwitch;ASUS Wireless Radio Control;C:\Windows\System32\Drivers\AsHIDSwitch64.sys [2013-9-26 21152]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2014-1-21 169752]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2013-9-26 342528]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\Drivers\mbam.sys [2015-1-13 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\Drivers\MBAMSwissArmy.sys [2015-1-13 129752]
R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\Drivers\RtsBaStor.sys [2014-1-21 298640]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2014-1-21 723088]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\Drivers\mwac.sys [2015-1-13 64216]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\Drivers\usbaapl64.sys [2014-6-10 54784]
S3 WSDScan;WSD Scan Support;C:\Windows\System32\Drivers\WSDScan.sys [2013-4-26 23552]
.
=============== Created Last 30 ================
.
2015-01-15 14:21:38 -------- d-----w- C:\ProgramData\Nero
2015-01-15 14:21:11 -------- d-----w- C:\Program Files (x86)\Seagate
2015-01-15 14:20:36 -------- d-----w- C:\Users\Betsy\AppData\Roaming\Seagate
2015-01-14 16:45:44 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2015-01-14 16:34:06 -------- d-----w- C:\ProgramData\Norton
2015-01-14 16:33:16 -------- d-----w- C:\ProgramData\NortonInstaller
2015-01-14 15:22:17 -------- d-----w- C:\ProgramData\{DA2432E7-8AA6-E361-3B20-93E3EBA2406D}
2015-01-14 14:03:10 -------- d-----w- C:\Windows\pss
2015-01-13 15:27:46 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-01-13 15:27:00 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2015-01-13 15:27:00 64216 ----a-w- C:\Windows\System32\drivers\mwac.sys
2015-01-13 15:27:00 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2015-01-13 15:26:59 -------- d-----w- C:\ProgramData\Malwarebytes
2015-01-13 15:26:59 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-13 15:22:57 11870360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{583FEAFA-870D-4533-9165-88BF97F9E2D8}\mpengine.dll
2015-01-13 15:11:52 22528 ----a-w- C:\Users\Betsy\AppData\Local\dsisetup11185152.exe
2015-01-12 00:07:51 42392 ----a-w- C:\Windows\System32\drivers\CatWSw864.sys
2015-01-11 23:55:00 -------- d-----w- C:\Users\Betsy\AppData\Roaming\DigitalSites
2015-01-11 23:54:58 -------- d-----w- C:\Users\Betsy\AppData\Roaming\1H1Q1V1N1N1O1R
2015-01-11 23:53:33 -------- d-----w- C:\Program Files (x86)\Optimizer Pro 3.26
2015-01-11 23:22:43 -------- d-----w- C:\Users\Betsy\AppData\Local\Windows Live
2015-01-11 23:00:54 11870360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2015-01-03 21:36:55 -------- d-----w- C:\Users\Betsy\AppData\Roaming\Embrilliance
2015-01-03 21:30:34 -------- d-----w- C:\Program Files\BriTon Leap
2014-12-28 20:58:34 -------- d-----w- C:\Users\Betsy\AppData\Roaming\SSDir
2014-12-27 14:11:42 -------- d-----w- C:\Users\Betsy\AppData\Roaming\SandSComputing
2014-12-27 14:06:43 -------- d-----w- C:\Program Files (x86)\myeditor
2014-12-27 13:55:44 -------- d-----w- C:\Windows\System32\appraiser
2014-12-27 13:41:42 -------- d-----w- C:\Users\Betsy\AppData\Local\MyEditor v5.00
2014-12-27 13:39:00 -------- d-----w- C:\Program Files\Common Files\S&S Shared
2014-12-27 13:38:55 -------- d-----w- C:\Program Files\S & S Computing
2014-12-26 14:34:12 540688 ----a-w- C:\Windows\System32\d3dx10_39.dll
2014-12-26 14:34:12 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
2014-12-26 14:34:12 1942552 ----a-w- C:\Windows\System32\D3DCompiler_39.dll
2014-12-26 14:34:12 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
2014-12-26 14:34:11 4992520 ----a-w- C:\Windows\System32\D3DX9_39.dll
2014-12-26 14:34:11 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
2014-12-26 14:31:08 -------- d-----w- C:\Users\Betsy\AppData\Local\Downloaded Installations
2014-12-26 14:30:53 -------- d-----w- C:\Program Files (x86)\EmbFontsPlus
2014-12-26 14:29:33 -------- d-----w- C:\Windows\Downloaded Installations
2014-12-26 03:10:58 1188440 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D19321A2-6DB5-4B7E-B17C-CD4F376E0629}\gapaengine.dll
2014-12-17 17:03:10 830464 ----a-w- C:\Windows\System32\appraiser.dll
2014-12-17 17:03:10 192000 ----a-w- C:\Windows\System32\aepic.dll
2014-12-17 17:03:09 1083392 ----a-w- C:\Windows\System32\aeinv.dll
2014-12-17 17:03:08 740864 ----a-w- C:\Windows\System32\invagent.dll
2014-12-17 17:03:08 396288 ----a-w- C:\Windows\System32\devinv.dll
2014-12-17 17:03:08 227328 ----a-w- C:\Windows\System32\aepdu.dll
2014-12-17 17:03:07 412672 ----a-w- C:\Windows\System32\generaltel.dll
.
==================== Find3M  ====================
.
2015-01-15 13:57:16 74 ----a-w- C:\Users\Betsy\AppData\Roaming\sp_data.sys
2014-12-31 11:14:31 298120 ------w- C:\Windows\System32\MpSigStub.exe
2014-11-26 21:11:29 714184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-11-26 21:11:29 106440 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-21 08:38:00 2237952 ----a-w- C:\Windows\System32\wininet.dll
2014-11-21 08:37:51 915968 ----a-w- C:\Windows\System32\uxtheme.dll
2014-11-21 08:37:51 53760 ----a-w- C:\Windows\System32\UXInit.dll
2014-11-21 08:36:24 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-21 08:36:17 67072 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-21 08:36:17 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2014-11-21 08:35:42 1509376 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-21 07:17:51 1762816 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-11-21 07:17:44 44032 ----a-w- C:\Windows\SysWow64\UXInit.dll
2014-11-21 07:16:46 2861568 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-21 07:16:42 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-21 07:16:42 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2014-11-21 07:16:16 1441280 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-21 07:00:18 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-21 06:54:49 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-21 04:30:26 534528 ----a-w- C:\Windows\SysWow64\uxtheme.dll
2014-11-08 11:22:11 238080 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-08 11:21:32 827904 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-08 06:57:15 187904 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-08 06:56:40 666624 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-11-06 06:50:46 1627648 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-11-06 05:03:42 1339392 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-10-30 07:20:58 1890816 ----a-w- C:\Windows\System32\crypt32.dll
2014-10-30 05:22:59 1569792 ----a-w- C:\Windows\SysWow64\crypt32.dll
2014-10-22 03:33:33 581016 ----a-w- C:\Windows\System32\AutoUpdate.exe
2014-03-30 05:48:39 10395072 ----a-w- C:\Program Files (x86)\Common Files\wruninstall.exe
.
============= FINISH:  9:32:41.27 ===============
 
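Entries like the AppInit_DLLs line, the orphaned Webroot BHO and the Vosteran startup URL in the logs above are what a malware-response helper scans for by eye. The Python below is an added example, not code from this thread or from the DDS/FRST tools; it applies a few of those checks over constructed lines in FRST's line format. The allowlist of trusted start-page hosts, the severity labels and the list of loader record types are assumptions made for the example.

```python
"""Triage helper for FRST / DDS style startup-log lines (added example, not FRST's own code)."""
import re
from urllib.parse import urlparse

# Constructed sample in FRST's line format, modelled on entries posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13550152 2013-05-29] (Realtek Semiconductor)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
AppInit_DLLs-x32: C:/PROGRA~3/{DA243~1/171~1.0/liro.dll => C:/PROGRA~3/{DA243~1/171~1.0/liro.dll [649216 2015-01-14] ()
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll No File
R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-13] (ASUS)
R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [72192 2012-12-19] () [File not signed]
CHR StartupUrls: Default -> "https://www.google.com/", "hxxp://vosteran.com/?f=7&a=vst_ggfc_15_03_ch"
CHR HomePage: Default -> hxxp://www.google.com/
"""

# Trailing publisher field of an FRST loader line: "(Vendor)", or "()" when FRST could not
# identify a vendor, optionally followed by a bracketed flag such as "[File not signed]".
PUBLISHER_RE = re.compile(r"\((?P<vendor>[^()]*)\)\s*(?P<flags>\[[^\]]*\])?\s*$")
# URLs as FRST prints them, including the defanged "hxxp" spelling.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\",]+", re.IGNORECASE)
# Assumed set of record types that load code at boot or logon (Run keys, AppInit, services/drivers).
LOADER_PREFIXES = ("HKLM", "HKU", "AppInit_DLLs", "R0 ", "R1 ", "R2 ", "R3 ", "S3 ")
# Assumed allowlist of expected browser start-page hosts (Google defaults plus the ASUS OEM page).
TRUSTED_HOSTS = {"www.google.com", "google.com", "asus13.msn.com"}


def triage_line(line):
    """Return [(severity, reason), ...] for one FRST-style line; empty when nothing stands out."""
    text = line.strip()
    findings = []
    if not text:
        return findings
    m = PUBLISHER_RE.search(text)
    vendor = m.group("vendor").strip() if m else None
    flags = (m.group("flags") or "") if m else ""
    is_loader = text.startswith(LOADER_PREFIXES)

    if text.startswith("AppInit_DLLs") and "=>" in text:
        findings.append(("high", "AppInit_DLLs entry: the DLL is loaded into every process that "
                                 "loads user32.dll while AppInit loading is enabled"))
    if is_loader and vendor == "":
        findings.append(("medium", "loader entry has an empty publisher field (unknown vendor)"))
    if "not signed" in flags.lower():
        findings.append(("medium", "FRST reports the file as not signed"))
    if text.endswith("No File") or text.endswith("[Not Found]"):
        findings.append(("low", "orphaned entry: the referenced file no longer exists"))
    if is_loader and re.search(r"~\d", text):
        findings.append(("low", "8.3 short-name path in a loader entry hides the real folder name"))
    for url in URL_RE.findall(text):
        # Undo FRST's hxxp defanging so urlparse recognises the scheme.
        host = urlparse(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            findings.append(("high", f"browser start/home page points at untrusted host {host}"))
    return findings


def triage_log(log_text):
    """Triage every line of a log; return {line: findings} for lines with at least one finding."""
    report = {}
    for raw in log_text.splitlines():
        hits = triage_line(raw)
        if hits:
            report[raw.strip()] = hits
    return report


def highest_severity(report):
    """Collapse a triage report to its worst severity ('clean' when nothing was flagged)."""
    rank = {"low": 1, "medium": 2, "high": 3}
    worst = max((rank[s] for hits in report.values() for s, _ in hits), default=0)
    return {0: "clean", 1: "low", 2: "medium", 3: "high"}[worst]


if __name__ == "__main__":
    for entry, hits in triage_log(SAMPLE_LOG).items():
        print(entry)
        for severity, reason in hits:
            print(f"    [{severity}] {reason}")
```

The checks are a triage aid only: an empty publisher field or a short-name path is common in legitimate OEM software, so each hit still needs a look at the file itself.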


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 15 January 2015 - 10:22 AM

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32-bit systems)
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64-bit systems)
Save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 bpmcbray

  • Topic Starter
  • Members
  • 10 posts

Posted 15 January 2015 - 10:56 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2015
Ran by Betsy (administrator) on MCBET on 15-01-2015 10:47:26
Running from C:\Users\Betsy\Desktop
Loaded Profiles: Betsy (Available profiles: Betsy)
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
() C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnWMI.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnCfg.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x64__8wekyb3d8bbwe\LiveComm.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DeviceAgent.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13550152 2013-05-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1308232 2013-05-20] (Realtek Semiconductor)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3187360 2013-04-26] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSPanel.exe [3576784 2012-12-19] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [95192 2013-03-08] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2010-09-09] (CANON INC.)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1518664 2014-09-17] (Seagate Technology LLC)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2198726808-4060052579-4016666102-1001\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [127080 2014-09-17] (Seagate Technology LLC)
AppInit_DLLs-x32: C:/PROGRA~3/{DA243~1/171~1.0/liro.dll => C:/PROGRA~3/{DA243~1/171~1.0/liro.dll [649216 2015-01-14] ()
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll (ASUS Cloud Corporation.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2198726808-4060052579-4016666102-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus13.msn.com
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll No File
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll No File
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
 
FireFox:
========
FF ProfilePath: C:\Users\Betsy\AppData\Roaming\Mozilla\Firefox\Profiles\0dw0a6cw.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Betsy\AppData\Roaming\Mozilla\Firefox\Profiles\0dw0a6cw.default\user.js
FF Extension: No Name - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "https://www.google.com/", "hxxp://vosteran.com/?f=7&a=vst_ggfc_15_03_ch&cd=2XzuyEtN2Y1L1Qzu0EtDtA0FyEzy0DyC0CyDtAtCtC0EyBtAtN0D0Tzu0StCtCtDzytN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StAtBzyzztA0E0A0BtG0AyDyDtAtG0DtCtCtCtGzy0DtBtCtGtBzytAyC0E0EtAzy0CyDyBtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0EtDzzyE0EyC0EyDtG0F0FtAyEtGyE0C0DtAtGzzyB0AyCtGyB0AtAyD0BtB0F0AtAyCyE0D2Q&cr=1954853863&ir="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-06]
CHR Extension: (Google Docs) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-06]
CHR Extension: (Google Drive) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-06]
CHR Extension: (YouTube) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-06]
CHR Extension: (Google Search) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-06]
CHR Extension: (Google Sheets) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-06]
CHR Extension: (Google Wallet) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-06]
CHR Extension: (Gmail) - C:\Users\Betsy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-06]
CHR StartMenuInternet: Google Chrome - chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-13] (ASUS)
R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [72192 2012-12-19] () [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-09-17] (Seagate Technology LLC)
R2 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [157776 2014-09-17] (Seagate Technology LLC)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2014-03-29] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [70416 2013-09-23] (ASUS Corporation)
R2 CatWSw8; C:\Windows\system32\Drivers\CatWSw864.sys [42392 2014-12-09] (Catalytix Web Services)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-15] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2014-11-21] (Malwarebytes Corporation)
U0 msahci; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-15 10:47 - 2015-01-15 10:48 - 00019653 _____ () C:\Users\Betsy\Desktop\FRST.txt
2015-01-15 10:47 - 2015-01-15 10:47 - 00000000 ____D () C:\FRST
2015-01-15 10:45 - 2015-01-15 10:46 - 02125312 _____ (Farbar) C:\Users\Betsy\Desktop\FRST64.exe
2015-01-15 10:32 - 2015-01-15 10:38 - 00000000 ____D () C:\Users\Betsy\Desktop\Font pics
2015-01-15 09:27 - 2015-01-15 09:27 - 00003480 _____ () C:\Windows\System32\Tasks\Betsy DBAgent 2 0
2015-01-15 09:27 - 2015-01-15 09:27 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\Nero
2015-01-15 09:25 - 2015-01-15 09:25 - 00003492 _____ () C:\Windows\System32\Tasks\Seagate_Install_Launch
2015-01-15 09:22 - 2015-01-15 09:22 - 00002717 _____ () C:\Users\Public\Desktop\Seagate Dashboard.lnk
2015-01-15 09:22 - 2015-01-15 09:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate Dashboard
2015-01-15 09:21 - 2015-01-15 09:21 - 00000000 ____D () C:\ProgramData\Nero
2015-01-15 09:21 - 2015-01-15 09:21 - 00000000 ____D () C:\Program Files (x86)\Seagate
2015-01-15 09:20 - 2015-01-15 09:20 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\Seagate
2015-01-15 09:19 - 2015-01-15 09:20 - 00688992 ____R (Swearware) C:\Users\Betsy\Desktop\dds.com
2015-01-15 09:14 - 2015-01-15 09:14 - 00000000 ____D () C:\Windows\System32\Tasks\Leader Technologies
2015-01-15 09:12 - 2015-01-15 09:12 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\Leadertech
2015-01-14 11:34 - 2015-01-15 08:53 - 00000000 ____D () C:\ProgramData\Norton
2015-01-14 10:35 - 2015-01-14 10:42 - 00388608 _____ (Trend Micro Inc.) C:\Users\Betsy\Desktop\HijackThis.exe
2015-01-14 10:25 - 2015-01-14 10:25 - 00003090 _____ () C:\Windows\System32\Tasks\{1ECA8706-B5E3-47BB-BADB-B47483F30F1C}
2015-01-14 10:22 - 2015-01-14 10:22 - 00000000 ____D () C:\ProgramData\{DA2432E7-8AA6-E361-3B20-93E3EBA2406D}
2015-01-14 09:03 - 2015-01-14 09:03 - 00000000 ____D () C:\Windows\pss
2015-01-13 10:54 - 2015-01-15 10:10 - 00000000 ____D () C:\Users\Betsy\Desktop\Wife docs
2015-01-13 10:27 - 2015-01-15 08:55 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-13 10:27 - 2015-01-13 10:27 - 00001068 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-13 10:27 - 2015-01-13 10:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-13 10:27 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-13 10:27 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-13 10:27 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-13 10:26 - 2015-01-13 10:27 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-13 10:26 - 2015-01-13 10:26 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-13 10:11 - 2015-01-13 10:11 - 00022528 _____ () C:\Users\Betsy\AppData\Local\dsisetup11185152.exe
2015-01-13 10:11 - 2015-01-13 10:11 - 00000001 _____ () C:\Users\Betsy\AppData\Local\DSI.DAT
2015-01-11 19:58 - 2015-01-13 10:11 - 00000128 _____ () C:\Users\Betsy\AppData\Roaming\WB.CFG
2015-01-11 19:07 - 2015-01-15 10:45 - 00000342 _____ () C:\Windows\Tasks\AgSupport.job
2015-01-11 19:07 - 2015-01-13 16:10 - 00007632 _____ () C:\Windows\SysWOW64\CatWSPrx.ini
2015-01-11 19:07 - 2015-01-13 16:10 - 00004032 _____ () C:\Windows\SysWOW64\CatWSPrxOff.ini
2015-01-11 19:07 - 2015-01-13 16:10 - 00004032 _____ () C:\Windows\system32\CatWSPrxOff.ini
2015-01-11 19:07 - 2015-01-11 19:07 - 00003238 _____ () C:\Windows\System32\Tasks\AgSupport
2015-01-11 19:07 - 2014-12-09 14:01 - 00042392 _____ (Catalytix Web Services) C:\Windows\system32\Drivers\CatWSw864.sys
2015-01-11 18:59 - 2015-01-11 18:59 - 00000000 ____D () C:\Users\Betsy\Documents\Optimizer Pro
2015-01-11 18:55 - 2015-01-13 16:16 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\DigitalSites
2015-01-11 18:54 - 2015-01-11 18:54 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\1H1Q1V1N1N1O1R
2015-01-11 18:53 - 2015-01-11 19:01 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro 3.26
2015-01-11 18:52 - 2015-01-11 18:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlvPlayer
2015-01-11 18:22 - 2015-01-13 11:00 - 00000000 ____D () C:\Users\Betsy\AppData\Local\Windows Live
2015-01-10 09:00 - 2015-01-10 10:14 - 00000000 ____D () C:\Users\Betsy\Desktop\Blake's old iPhone pics
2015-01-05 09:06 - 2015-01-15 10:22 - 00000000 ____D () C:\Users\Betsy\Desktop\Embroidery appliques & designs
2015-01-03 16:36 - 2015-01-03 16:36 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\Embrilliance
2015-01-03 16:30 - 2015-01-03 19:25 - 00000000 ____D () C:\Users\Betsy\Documents\Embrilliance
2015-01-03 16:30 - 2015-01-03 16:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Embrilliance
2015-01-03 16:30 - 2015-01-03 16:30 - 00000000 ____D () C:\Program Files\BriTon Leap
2014-12-31 12:43 - 2015-01-11 18:58 - 00000000 ____D () C:\Users\Betsy\Desktop\Betsy
2014-12-31 12:41 - 2015-01-13 16:20 - 00000000 ____D () C:\Users\Betsy\Desktop\Embroidery files
2014-12-29 17:06 - 2014-12-29 17:06 - 00002025 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SewArt64.lnk
2014-12-28 15:58 - 2014-12-28 15:58 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\SSDir
2014-12-28 15:57 - 2014-12-28 15:57 - 00002089 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SewWhat Pro64.lnk
2014-12-27 09:11 - 2014-12-27 09:11 - 00000000 ____D () C:\Users\Betsy\AppData\Roaming\SandSComputing
2014-12-27 09:06 - 2014-12-27 09:06 - 00000000 ____D () C:\Users\Public\MyEditor v5.00
2014-12-27 09:06 - 2014-12-27 09:06 - 00000000 ____D () C:\Users\Public\Documents\my editor Samples
2014-12-27 09:06 - 2014-12-27 09:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\my editor
2014-12-27 09:06 - 2014-12-27 09:06 - 00000000 ____D () C:\Program Files (x86)\myeditor
2014-12-27 08:55 - 2014-12-27 08:55 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-27 08:41 - 2014-12-27 09:07 - 00000000 ____D () C:\Users\Betsy\AppData\Local\MyEditor v5.00
2014-12-27 08:39 - 2014-12-27 08:54 - 00002611 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SewWrite64.lnk
2014-12-27 08:39 - 2014-12-27 08:39 - 00000000 ____D () C:\Program Files\Common Files\S&S Shared
2014-12-27 08:38 - 2014-12-29 17:06 - 00000000 ____D () C:\Program Files\S & S Computing
2014-12-26 09:34 - 2008-07-12 08:18 - 04992520 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2014-12-26 09:34 - 2008-07-12 08:18 - 03851784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
2014-12-26 09:34 - 2008-07-12 08:18 - 01942552 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2014-12-26 09:34 - 2008-07-12 08:18 - 01493528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
2014-12-26 09:34 - 2008-07-12 08:18 - 00540688 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2014-12-26 09:34 - 2008-07-12 08:18 - 00467984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
2014-12-26 09:31 - 2014-12-26 09:31 - 00000000 ____D () C:\Users\Betsy\AppData\Local\Downloaded Installations
2014-12-26 09:30 - 2014-12-26 09:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Embroidery Fonts Plus
2014-12-26 09:30 - 2014-12-26 09:30 - 00000000 ____D () C:\Program Files (x86)\EmbFontsPlus
2014-12-26 09:29 - 2014-12-26 09:29 - 00000000 ____D () C:\Windows\Downloaded Installations
2014-12-17 12:03 - 2014-12-04 20:41 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-17 12:03 - 2014-12-04 20:41 - 00740864 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-17 12:03 - 2014-12-04 20:41 - 00396288 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-17 12:03 - 2014-12-04 20:40 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-17 12:03 - 2014-12-02 20:48 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-17 12:03 - 2014-12-02 20:48 - 00412672 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-17 12:03 - 2014-12-02 20:48 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-15 10:24 - 2014-03-29 15:53 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-15 10:23 - 2012-07-26 02:28 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 10:14 - 2014-03-30 00:26 - 01672141 _____ () C:\Windows\WindowsUpdate.log
2015-01-15 10:04 - 2012-07-26 02:59 - 00000000 ____D () C:\Windows\CbsTemp
2015-01-15 10:00 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\system32\sru
2015-01-15 09:56 - 2014-09-06 15:45 - 00000918 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-15 09:14 - 2012-07-26 02:21 - 00422529 _____ () C:\Windows\setupact.log
2015-01-15 08:57 - 2014-03-30 00:26 - 00000074 _____ () C:\Users\Betsy\AppData\Roaming\sp_data.sys
2015-01-15 08:57 - 2014-03-30 00:26 - 00000000 ____D () C:\Users\Betsy\AppData\Local\VirtualStore
2015-01-15 08:55 - 2014-09-06 15:45 - 00000914 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-15 08:53 - 2012-08-01 20:20 - 00835508 _____ () C:\Windows\PFRO.log
2015-01-15 08:53 - 2012-07-26 02:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-15 08:52 - 2012-07-26 00:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-15 08:49 - 2012-07-26 03:12 - 00000000 ___HD () C:\Windows\ELAMBKUP
2015-01-14 11:46 - 2014-01-21 05:55 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-01-14 10:22 - 2014-09-06 15:49 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-14 09:43 - 2014-11-18 19:47 - 00281624 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-14 09:40 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\WinStore
2015-01-14 09:40 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files\Windows Defender
2015-01-14 09:40 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-01-13 16:26 - 2014-03-29 15:53 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-13 12:24 - 2014-07-28 13:50 - 00336896 ___SH () C:\Users\Betsy\Desktop\Thumbs.db
2015-01-13 10:04 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2015-01-11 19:05 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\Resources
2015-01-11 19:02 - 2014-09-06 15:45 - 00003052 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-01-11 19:02 - 2014-09-06 15:45 - 00002816 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-05 18:28 - 2014-11-11 17:27 - 00714176 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-05 18:28 - 2014-11-11 17:27 - 00106440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-03 17:04 - 2014-03-30 00:36 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2198726808-4060052579-4016666102-1001
2014-12-31 06:14 - 2014-09-29 11:09 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-27 08:55 - 2014-08-26 09:14 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-25 22:19 - 2014-07-03 16:37 - 00000000 ____D () C:\Users\Betsy\Desktop\Jamberry
2014-12-17 13:22 - 2014-03-29 20:23 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-17 13:05 - 2014-03-29 20:23 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
Files to move or delete:
====================
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
 
 
Some content of TEMP:
====================
C:\Users\Betsy\AppData\Local\Temp\optprosetup.exe
C:\Users\Betsy\AppData\Local\Temp\WRupdate-317721187.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-03 17:18
 
==================== End Of Log ============================
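
The "CHR StartupUrls" line in the log above is the hijack that keeps reopening vosteran.com: Chrome stores the homepage and the "open these pages at startup" list as JSON in the profile's Preferences file, and a browser hijacker only has to rewrite that file. The following check is added here as an example; it is not part of the original post, of FRST or of Chrome. It parses such a file and reports any homepage or startup URL whose host is outside an allowlist. The Preferences snippet (modelled on the vosteran.com entry, query string shortened) and the allowlist are constructed for the example.

```python
"""Check a Chrome profile's Preferences for hijacked homepage/startup URLs.

Added example; not code from the thread, from FRST or from Chrome. The values
FRST prints as "CHR HomePage" and "CHR StartupUrls" live in the JSON file
<profile>\\Preferences under "homepage" and "session.startup_urls"
("session.restore_on_startup" == 4 means Chrome opens that list at start).
SAMPLE_PREFERENCES is a constructed, trimmed document modelled on the
vosteran.com line in the FRST log; TRUSTED_HOSTS is an assumption.
"""
import json
import os
from urllib.parse import urlsplit

# Constructed sample of the relevant part of a hijacked profile's Preferences.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://www.google.com/",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "https://www.google.com/",
            "http://vosteran.com/?f=7&a=vst_ggfc_15_03_ch",
        ],
    },
})

# Hosts the user actually chose (assumption for the example).
TRUSTED_HOSTS = frozenset({"google.com"})


def url_host(url):
    """Lower-cased hostname of url, or '' when it has none (javascript:, data:, garbage)."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True when host is a trusted host or a subdomain of one; '' is never trusted."""
    return bool(host) and any(host == t or host.endswith("." + t) for t in trusted)


def find_hijacked_urls(preferences_json, trusted=TRUSTED_HOSTS):
    """Return [(setting, url), ...] for homepage/startup URLs outside the allowlist.

    Only the settings FRST reports are inspected. startup_urls are ignored
    unless restore_on_startup == 4, because Chrome does not open them otherwise.
    """
    prefs = json.loads(preferences_json)
    candidates = []
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", False):
        candidates.append(("homepage", homepage))
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == 4:
        candidates.extend(("session.startup_urls", u) for u in session.get("startup_urls", []))
    return [(setting, url) for setting, url in candidates
            if not host_is_trusted(url_host(url), trusted)]


def scan_profile(profile_dir, trusted=TRUSTED_HOSTS):
    """Read <profile_dir>/Preferences (Chrome writes it as UTF-8 JSON) and scan it."""
    with open(os.path.join(profile_dir, "Preferences"), encoding="utf-8") as fh:
        return find_hijacked_urls(fh.read(), trusted)


if __name__ == "__main__":
    for setting, url in find_hijacked_urls(SAMPLE_PREFERENCES):
        print(f"{setting}: {url}")
    # Live system: scan_profile(os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default"))
```

Run scan_profile() with Chrome closed. Fixing a hit by editing the JSON is not a reliable removal: on Windows Chrome also records these values, with per-value MACs, in the sibling Secure Preferences file and treats a value it cannot validate as tampered, so hand edits give unpredictable results and a hijacker still on the machine simply rewrites both files. Chrome's own settings reset, which the helper asks for later in this thread, is the right way to clear it.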


#4 CatByte (Malware Response Team)

Posted 15 January 2015 - 12:37 PM

Download attached fixlist.txt file and save it to the Desktop.

Attached File: FixList.txt (4.21KB)

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 bpmcbray (Topic Starter)

Posted 15 January 2015 - 01:53 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2015
Ran by Betsy at 2015-01-15 13:41:18 Run:1
Running from C:\Users\Betsy\Desktop
Loaded Profiles: Betsy (Available profiles: Betsy)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
AppInit_DLLs-x32: C:/PROGRA~3/{DA243~1/171~1.0/liro.dll => C:/PROGRA~3/{DA243~1/171~1.0/liro.dll [649216 2015-01-14] ()
FF user.js: detected! => C:\Users\Betsy\AppData\Roaming\Mozilla\Firefox\Profiles\0dw0a6cw.default\user.js
Task: {0A4B5394-44CC-4C7F-B796-C4855FB646C0} - \Microsoft\Windows\Setup\8.1 auto install No Task File <==== ATTENTION
EmptyTemp:
end
 
*****************
 
"C:/PROGRA~3/{DA243~1/171~1.0/liro.dll" => Value Data removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}" => Key deleted successfully.
HKCR\CLSID\{589B893E-773C-4941-88C2-0DCC718E621C} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => Key not found. 
HKU\S-1-5-21-2198726808-4060052579-4016666102-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-2198726808-4060052579-4016666102-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 
"HKU\S-1-5-21-2198726808-4060052579-4016666102-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}" => Key deleted successfully.
HKCR\CLSID\{589B893E-773C-4941-88C2-0DCC718E621C} => Key not found. 
"HKU\S-1-5-21-2198726808-4060052579-4016666102-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => Key not found. 
C:\Users\Betsy\AppData\Roaming\Mozilla\Firefox\Profiles\0dw0a6cw.default\user.js => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0A4B5394-44CC-4C7F-B796-C4855FB646C0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A4B5394-44CC-4C7F-B796-C4855FB646C0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\8.1 auto install" => Key deleted successfully.
EmptyTemp: => Removed 6.2 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 13:42:19 ====


#6 CatByte (Malware Response Team)

Posted 15 January 2015 - 02:48 PM

Please run the following:


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • If items are found, please select the Clean button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply
NEXT

Please advise how the computer is running now and if there are any outstanding issues.


#7 bpmcbray (Topic Starter)

Posted 15 January 2015 - 03:44 PM

I'm still having the recurring dialog box. Also, after restart, when I open my browser, I'm now having a Vosteran Search tab come up along with my home page tab.

Here is the log:

# AdwCleaner v4.107 - Report created 15/01/2015 at 15:36:16
# Updated 07/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 8  (64 bits)
# Username : Betsy - MCBET
# Running from : C:\Users\Betsy\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlvPlayer
Folder Deleted : C:\Program Files (x86)\Optimizer Pro 3.26
Folder Deleted : C:\Users\Betsy\AppData\Roaming\DigitalSites
Folder Deleted : C:\Users\Betsy\Documents\Optimizer Pro
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\superfish.com
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Compete
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\CompeteInc
Key Deleted : HKLM\SOFTWARE\FlvPlayer
Key Deleted : HKLM\SOFTWARE\InstallCore
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Consumer Input Installer
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.17183
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v38.0.2125.111
 
 
*************************
 
AdwCleaner[R0].txt - [1863 octets] - [15/01/2015 15:31:57]
AdwCleaner[S0].txt - [1771 octets] - [15/01/2015 15:36:16]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1831 octets] ##########


#8 CatByte (Malware Response Team)

Posted 15 January 2015 - 04:10 PM

Which browser, and what is the exact message in the dialog box?


#9 bpmcbray (Topic Starter)

Posted 15 January 2015 - 04:54 PM

Google Chrome. I removed it again under the settings tab in Chrome.

The message: "There was a problem starting C:\Users\Betsy\AppData\Local\ARCADE~1\AgHelp.dll
The specified module could not be found."



#10 CatByte (Malware Response Team)

Posted 15 January 2015 - 07:08 PM

Download attached fixlist.txt file and save it to the Desktop.

Attached File: FixList.txt (244 bytes)

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

NEXT

Try resetting Chrome back to default

Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Backup Chrome Bookmarks
http://www.wikihow.com/Export-Bookmarks-from-Chrome

Proceed with the reset once done.

Enter the following into the Chrome address bar:

chrome://settings/personal

and at the bottom click on "Advanced Settings"
At the very bottom of the page click on "Reset Browser Settings"


#11 bpmcbray (Topic Starter)

Posted 17 January 2015 - 09:45 AM

I reset Chrome - thank you for the instructions on exporting my bookmarks.

The log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-01-2015 01
Ran by Betsy at 2015-01-17 09:37:03 Run:2
Running from C:\Users\Betsy\Desktop
Loaded Profiles: Betsy &  (Available profiles: Betsy)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
Task: {1AFFC924-C992-4163-9863-A135BC3658B6} - System32\Tasks\AgSupport => Rundll32.exe C:\Users\Betsy\AppData\Local\ARCADE~1\AgHelp.dll,Start
Task: C:\Windows\Tasks\AgSupport.job => C:\Users\Betsy\AppData\Local\ARCADE~1\AgHelp.dll
end
*****************
 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1AFFC924-C992-4163-9863-A135BC3658B6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1AFFC924-C992-4163-9863-A135BC3658B6}" => Key deleted successfully.
C:\Windows\System32\Tasks\AgSupport => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AgSupport" => Key deleted successfully.
C:\Windows\Tasks\AgSupport.job => Moved successfully.
 
==== End of Fixlog 09:37:03 ====
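
The fix above shows what was behind the dialog: the AgSupport task ran Rundll32.exe on C:\Users\Betsy\AppData\Local\ARCADE~1\AgHelp.dll, and once an earlier cleanup had removed the DLL the task kept firing, so rundll32 reported "The specified module could not be found" on every run. The dialog was a symptom of a leftover launcher, not of the payload, and the fix was to remove the task, not to look for the file. The script below is an added example, not part of the original post or of FRST; it audits the Task Scheduler XML store for exactly that pattern: rundll32 actions whose DLL no longer exists, and actions that run code out of a user profile. The sample task XML is constructed to mirror the AgSupport entry; its trigger interval is an assumption.

```python
"""Find scheduled tasks that still launch rundll32 on a DLL that is gone.

Added example; not code from the thread or from FRST. The dialog "There was a
problem starting ...\\AgHelp.dll / The specified module could not be found." is
rundll32.exe's own error, produced every time a scheduled task fires it on a
DLL that a cleanup already deleted. Task Scheduler keeps one XML file per task
under C:\\Windows\\System32\\Tasks; this audit parses those files and flags
(a) rundll32 actions whose DLL does not exist and (b) actions that run code
from a user profile. SAMPLE_TASK_XML is constructed to mirror the AgSupport
task in the Fixlog above; its trigger interval is an assumption.
"""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)

# Constructed sample modelled on the AgSupport task FRST removed (interval assumed).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2015-01-11T19:07:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>Rundll32.exe</Command>
      <Arguments>C:\Users\Betsy\AppData\Local\ARCADE~1\AgHelp.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def rundll32_target(command, arguments):
    """Return the DLL path a rundll32 action loads, or None if command is not rundll32.

    rundll32 syntax is  rundll32 <dll>,<entrypoint> [args]; the DLL may be quoted.
    The executable name is taken after the last path separator so that
    %SystemRoot%\\system32\\rundll32.exe and a bare Rundll32.exe both match.
    """
    exe = command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe != "rundll32.exe":
        return None
    args = arguments.strip()
    if args.startswith('"'):
        dll = args[1:].split('"', 1)[0]
    else:
        dll = args.split(",", 1)[0]
    dll = dll.strip()
    return dll or None


def audit_task_xml(task_xml, exists=os.path.exists):
    """Return [(command, arguments, reason), ...] for one task definition.

    task_xml may be str or the raw bytes of a task file (Windows writes them as
    UTF-16 with a BOM, which ElementTree decodes). `exists` is injectable so the
    check can run against a mounted image or in a test.
    """
    root = ET.fromstring(task_xml)
    findings = []
    for action in root.iter(f"{{{TASK_NS}}}Exec"):
        command = (action.findtext(f"{{{TASK_NS}}}Command") or "").strip()
        arguments = (action.findtext(f"{{{TASK_NS}}}Arguments") or "").strip()
        dll = rundll32_target(command, arguments)
        if dll is not None and not exists(dll):
            findings.append((command, arguments, "rundll32 target missing: " + dll))
        for path in (command.strip('"'), dll or ""):
            if USER_PROFILE_RE.match(path):
                findings.append((command, arguments, "runs code from a user profile: " + path))
                break
    return findings


def audit_tasks_dir(root=r"C:\Windows\System32\Tasks"):
    """Walk the Task Scheduler store and yield (task_file, finding) for every hit."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                findings = audit_task_xml(data)
            except (OSError, ET.ParseError):
                continue  # unreadable, or not a task XML file
            for finding in findings:
                yield path, finding


if __name__ == "__main__":
    for command, arguments, reason in audit_task_xml(SAMPLE_TASK_XML):
        print(f"{reason}\n    {command} {arguments}")
```

On a live system audit_tasks_dir() needs an elevated prompt, because the task files are ACL-protected. The legacy .job files in C:\Windows\Tasks (FRST also moved AgSupport.job) are a binary format this script does not parse. The 8.3 short name ARCADE~1 is resolved by the file system, so os.path.exists() tests it correctly on Windows; on other platforms or against an image, pass an `exists` callback that knows the mount.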


#12 CatByte (Malware Response Team)

Posted 17 January 2015 - 07:39 PM

How is the computer running now? Are there any outstanding issues?


#13 bpmcbray (Topic Starter)

Posted 17 January 2015 - 08:45 PM

The dialog box has stopped. No redirections in Chrome either. I cannot thank you enough! Would you recommend keeping all of the programs you told me to download?


#14 CatByte (Malware Response Team)

Posted 18 January 2015 - 01:07 PM

That's good to hear.

No, the tools we use are specialized tools and are updated constantly. We can always download again if needed.

You can delete the DDS and FRST logs and programs from your desktop.

NEXT
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.
If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them. Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome, Firefox and IE.
  • AdblockPlus
    • AdblockPlus: surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation, it's free!
    • Click the icon that corresponds to your browser and download.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet
Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


#15 bpmcbray (Topic Starter)

Posted 19 January 2015 - 10:05 AM

Thank you very much. I'm in the process of doing the things suggested right now. Your help is greatly appreciated!